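/*
 * The Realm is of use to the client only. It tells the client that, once
 * authenticated, if you request anything within that realm then supply
 * credentials. Here's a bit of code I hacked together to write out a Basic
 * auth string. Hack it around a bit more and plug it into whatever your doing
 *
 * David Litchfield
 * http://www.ngssoftware.com/
 *
 * Reviewer notes on this listing:
 *  - Base64 is an encoding, not encryption: the resulting header discloses
 *    the user name and password to anyone who can read it, so it should only
 *    ever travel over TLS.
 *  - Credentials passed as command-line arguments are visible to other local
 *    users through the process list and may end up in shell history.
 */
#include <stdio.h>
#include <string.h>

/* Header prefix; the encoded "user:password" is appended to it by main(). */
char base64up[800] = "Authorization: Basic ";

/* Standard Base64 alphabet: index = 6-bit value, element = output symbol. */
static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Longest user name or password accepted (the original copied at most 250). */
enum { MAX_FIELD_LEN = 250 };

/*
 * Base64-encode in[0..in_len) into out as a NUL-terminated string.
 *
 * The input is read as unsigned bytes so that values >= 0x80 are not
 * sign-extended, and a final group of one or two bytes is padded with '='
 * instead of being encoded as if extra NUL bytes had been supplied.
 *
 * Returns 0 on success, -1 if out_size is too small for the result.
 */
static int base64_encode(const unsigned char *in, size_t in_len,
                         char *out, size_t out_size)
{
    size_t needed = ((in_len + 2) / 3) * 4 + 1;
    size_t o = 0;

    if (needed > out_size) {
        return -1;
    }

    for (size_t i = 0; i < in_len; i += 3) {
        size_t remaining = in_len - i;
        unsigned int group = (unsigned int)in[i] << 16;

        if (remaining > 1) {
            group |= (unsigned int)in[i + 1] << 8;
        }
        if (remaining > 2) {
            group |= (unsigned int)in[i + 2];
        }

        out[o++] = b64_alphabet[(group >> 18) & 0x3f];
        out[o++] = b64_alphabet[(group >> 12) & 0x3f];
        out[o++] = remaining > 1 ? b64_alphabet[(group >> 6) & 0x3f] : '=';
        out[o++] = remaining > 2 ? b64_alphabet[group & 0x3f] : '=';
    }
    out[o] = '\0';
    return 0;
}

/*
 * Usage: prog username password
 *
 * Prints a single line, "Authorization: Basic <base64(username:password)>",
 * on stdout and returns 0. Returns 1 on a usage error or when an argument
 * cannot be encoded faithfully.
 *
 * Changes from the original listing: <string.h> is included; bytes are
 * treated as unsigned; '=' padding is emitted; over-long arguments are
 * rejected rather than silently truncated; the per-group debug output is
 * gone so that stdout carries only the header line.
 */
int main(int argc, char *argv[])
{
    char string[512];
    char ibase64up[800];
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "prog";
    size_t prefix_len;
    size_t enc_len;
    int n;

    if (argc != 3) {
        fprintf(stderr, "%s username password\n", prog);
        return 1;
    }

    /* Truncating a credential would encode a different secret than the one
     * the caller supplied, so refuse instead. */
    if (strlen(argv[1]) > MAX_FIELD_LEN || strlen(argv[2]) > MAX_FIELD_LEN) {
        fprintf(stderr, "%s: username and password are limited to %d bytes\n",
                prog, MAX_FIELD_LEN);
        return 1;
    }

    /* The receiver splits "user:password" at the first colon, so a colon in
     * the user name cannot be represented (RFC 7617). */
    if (strchr(argv[1], ':') != NULL) {
        fprintf(stderr, "%s: username must not contain ':'\n", prog);
        return 1;
    }

    n = snprintf(string, sizeof string, "%s:%s", argv[1], argv[2]);
    if (n < 0 || (size_t)n >= sizeof string) {
        fprintf(stderr, "%s: credentials too long\n", prog);
        return 1;
    }

    if (base64_encode((const unsigned char *)string, (size_t)n,
                      ibase64up, sizeof ibase64up) != 0) {
        fprintf(stderr, "%s: encoded credentials too long\n", prog);
        return 1;
    }

    /* Append with an explicit bound derived from what is already in the
     * destination, rather than a fixed count. */
    prefix_len = strlen(base64up);
    enc_len = strlen(ibase64up);
    if (enc_len >= sizeof base64up - prefix_len) {
        fprintf(stderr, "%s: header too long\n", prog);
        return 1;
    }
    memcpy(base64up + prefix_len, ibase64up, enc_len + 1);

    printf("%s\n", base64up);
    return 0;
}

/*
 * ----- Original Message -----
 * From: <John_Leitchat_private>
 * To: <vladimirat_private>; <John_Leitchat_private>
 * Cc: <pen-testat_private>
 * Sent: Thursday, May 30, 2002 9:53 AM
 * Subject: RE: PEN Testing a everchanging realm in apache
 *
 * > Hi,
 * >
 * > Thanks for that but the ever changing realm is as follows.....
 * >
 * > When a connection is established to the server and you are presented with a
 * > login prompt the realm is different everytime. Its almost like the server
 * > has / is using /dev/random to assign the realm so its never the same.
 * >
 * > -----Original Message-----
 * > From: Vladimir Parkhaev [mailto:vladimirat_private]
 * > Sent: 29 May 2002 23:11
 * > To: John_Leitchat_private
 * > Cc: pen-testat_private
 * > Subject: Re: PEN Testing a everchanging realm in
 * > apache
 * >
 * > Quoting John_Leitchat_private (John_Leitchat_private):
 * > > Using the latest apache / ssl.
 * > >
 * > > I need to find a way of brute forcing the auth but........
 * > the web server
 * > > has an ever changing realm.
 * > >
 * > > Is this possible or shall I look elsewhere ?
 * > >
 * > > Regards
 * > >
 * >
 * > I am not sure what do you mean by "ever changing realm", but
 * > you can adapt the following
 * > perl code to brute force your way in. You need to install
 * > Crypt::SSLeay module,
 * > dictionary, a loop and ... pretty much it...
 * >
 * >
 * >
 * > #!/usr/bin/perl -w
 * > use LWP::UserAgent;
 * >
 * > my $ua = LWP::UserAgent->new;
 * > my $req = HTTP::Request->new(POST =>
 * > 'https://server.domain.com/');
 * > $req->authorization_basic('foo', 'bar');
 * > $res = $ua->request($req);
 * > ($res->is_success)? print $res->content, "\n" : print
 * > $res->status_line, "\n";
 * >
 * > -------------------------------------------------------------------------- --
 * > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
 * > Service.
 */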