No base language's class libraries are a match for the rich programing API that the GPL code base provides in this area, be it libwhisker, WHArsenal, SPIKE Proxy, or any of the many other tools. You probably could use the C#'s WebClient.Credentials Property to set your credentials, then do some basic Whisker 1.0-style effort to build a tiny scanner. However, I think that to do a professional job, you're going to want to have a bit more control and a bit more stick behind your spearhead, in the form of advanced features. The ability to write custom checks with VulnXML, for example. So I suggest one of three things: 1. Use APS with SPIKE Proxy (or some other application assessment tool that can itself bounce through another proxy) APS is pure python and GPL, so if I get a lot more requests for this functionality (feel free to bug me at daveat_private), I'll merge his code with SPIKE Proxy's core. (To bounce SPIKE Proxy though another proxy, download version 1.4.4, and use the -h and -H parameters to spkproxy.py) 2. Check out SPIKE 2.7, which includes NTLM buffer overflow tools and brute forcers. (E.G, you can sniff a request that you want to fuzz, then use SPIKE's much more fast and powerful fuzzing framework to find overflows, format string bugs, SQL injection and the like - all through NTLM authenticated requests). It also includes a transparent HTTP[S] proxy (webmitm). 3. You can e-mail me and I'll send you the current SP 1.4.5 Beta, which includes an ordering fix (so GET /a?a=b&c=d always is a=b&c=d and not c=d&a=b) and a mod I whipped up this morning that lets you browse NTLM pages through the proxy by passing the authentication back and forth a bit. However, rewrite request and scanning functionality still don't know about NTLM, and so that functionality won't be effective against NTLM servers. For the record, the bug was not in SPIKE Proxy's handling of Connection: Keep-Alive, but actually IE doesn't bother to respond to WWW-Authenticate when it is set up to use a Proxy. So I changed WWW-Authenticate to Proxy-Authenticate: and Proxy-Authorization to Authorization and it worked. Integrating APS would have been a more final solution, but that's slightly more than a few minutes' work. Dave Aitel Immunity, Inc. http://www.immunitysec.com/ On Wed, 6 Nov 2002 12:21:46 -1000 "Jason Coombs" <jasoncat_private> wrote: > it might be easier for you to code your own scanner real quick using > Microsoft .NET -- the class library provides several very simple > network communications classes that do what you want. > > Jason Coombs > jasoncat_private > > -----Original Message----- > From: Haroon Meer [mailto:haroonat_private] > Sent: Wednesday, November 06, 2002 10:44 AM > To: cc_mofoat_private > Cc: pen-testat_private; webappsecat_private > Subject: Re: IIS 5.0 with Integrated Window Authentication > > > hi. > > use APS (NTLM Authorization Proxy Server) > (http://freshmeat.net/projects/ntlmaps/?topic_id=20%2C87%2C250%2C43%2 > C151) to handle the auth, and ur scanner of choice behind it.. > > ====================================================================== > Haroon Meer MH > SensePost Information Security +27 83786 6637 > PGP : http://www.sensepost.com/pgp/haroon.txt haroonat_private > ====================================================================== > > On Wed, 6 Nov 2002 cc_mofoat_private wrote: > > > > > I'm doing a security review and penetration test of a site running > > on IIS > with Integrated Windows Authentication. Anyone know of an IIS Scanner > that can do an IWA exchange before scanning? > > > > The SPIKE proxy looks promising, but it appears the NTLM support is > > not > quite "there" yet for this purpose. The goofy three-message exchange > that sets up the NTLM security doesn't seem to make it through the > proxy, which leads me to believe that any tool that will work for this > must have intentionally added support for IWA. > > > > > > > > > > > > Get your free encrypted email at https://www.hushmail.com > > ------------ Output from gpg ------------ > > gpg: Signature made Wed Nov 6 22:15:16 2002 SAST using DSA key ID > 21BE2B65 > > gpg: Can't check signature: public key not found > > > > > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 19:19:05 PST