RE: Another ISAPI filter : deny user authentication through IIS to users you want.

From: Keith T. Morgan (keith.morganat_private)
Date: Wed Mar 06 2002 - 08:44:03 PST


    Thinking a little more down this road... Take the site where NT auth is allowed along with anonymous (the default IIS settings IIRC).  Say also that there are zillions of web-servers that are members of domains.  Say also, that many of these have account lockout policies in place.  How trivial would it be, given you've obtained a list of login names, to DoS the network by brute-forcing the passwords on say... IUSR_Machinename, and any valid domain logins you may have?  Just perpetually loop through the login process sending "foo" at each user account ten times and move on to the next.
    
    The question that comes to mind is... if a particular directory or site supports NT auth, but there are no ACLs in place, can you hand-craft a form, or post operation that sends an authentication string that would then be handled by the SAM?
    
    
    <snip>
    > The facts :
    > * "Basic authentication" is widely used by IIS on Internet (IIS 4 and 5)
    > * NTFS permissions and user rights are granted to administrators (and other
    > users that never connect through Internet) 95% of the time
    >
    > The problem :
    > A simple brute force attack to such servers may retrieve administrator
    > password which can be used in another exploit.
    >
    <snip>
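
Seen from the server side, the lockout scenario raised in this message shows up as one client producing authentication failures against many different accounts in a short time. The following is an added example, not part of the original post: it scans IIS W3C extended log lines for that pattern, assuming the log carries the fields named in the constructed sample and records the attempted user name on 401 responses. The thresholds and all sample values are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_lockout_sweeps(lines, window=timedelta(minutes=5),
                        min_accounts=3, lockout_threshold=5):
    """Flag client IPs whose 401s hit min_accounts or more accounts in one window."""
    failures = defaultdict(list)  # c-ip -> [(timestamp, account)]
    for row in parse_w3c(lines):
        if row.get("sc-status") == "401" and row.get("cs-username", "-") != "-":
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            failures[row["c-ip"]].append((ts, row["cs-username"].lower()))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start, best = 0, Counter()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = Counter(acct for _, acct in events[start:end + 1])
            if (len(seen), sum(seen.values())) > (len(best), sum(best.values())):
                best = seen
        if len(best) >= min_accounts:
            # Accounts whose failure count reached the assumed lockout policy value.
            at_risk = sorted(a for a, n in best.items() if n >= lockout_threshold)
            findings[ip] = {"accounts": dict(best), "at_lockout_threshold": at_risk}
    return findings

def build_sample():
    """Constructed log lines: one source sweeping three accounts, one user mistyping."""
    log = ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status"]
    for i, acct in enumerate(("IUSR_WEB01", "CORP\\alice", "CORP\\bob")):
        for j in range(5):
            log.append(f"2002-03-06 16:00:{i * 5 + j:02d} 192.0.2.10 {acct} GET /secure/ 401")
    for sec, status in ((10, 401), (15, 401), (20, 200)):
        log.append(f"2002-03-06 16:01:{sec} 198.51.100.7 CORP\\carol GET /secure/ {status}")
    return log

if __name__ == "__main__":
    for ip, detail in find_lockout_sweeps(build_sample()).items():
        print(ip, detail)
```

The single user who mistypes a password twice stays below `min_accounts` and is not reported; only the source that touches several accounts is.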
    



    This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 09:31:31 PST