What about sites that require basic authentication? Basic authentication
simply means that you have to provide a username and password to enter a
site. Note that some sites might have usernames and passwords at application
level - at "site" level - e.g. you must provide a username and password in a
HTML based form. This is not basic authentication. With basic
authentication, a extra window will be popped up in your browser and you
will be prompted for a username and password. As is the case with telnet,
the first step would be a get a valid username. Some implementations of
basic authentication will tell you if you are using a valid username. Let us
look at how Firewall-1 implements basic authentication. I go to the site
http://196.xxx.151.241. At the BA (basic authentication) prompt I enter a
username "test" and password "test". The server tells us that there is some
problem, and responds like this:
Error 401
FW-1 at gateway: Unauthorized to access the document.
Authorization is needed for FW-1.
The authentication required by FW-1 for test is: unknown.
Reason for failure of last attempt: unknown user
Note that is says "unknown user" - the username "test" is thus not valid. If
we try it with user "craig" however (we know that craig is a valid user) the
response looks like this:
Error 401
FW-1 at gateway: Unauthorized to access the document.
Authorization is needed for FW-1.
The authentication required by FW-1 for craig is: FW-1 password.
Last message to user: FireWall-1 password:
Aha! Note that we don't see any "unknown" user response. How about other
server - Apache and IIS? If we use an invalid user at the Apache BA prompt
we get a response that says either the username or password is incorrect.
IIS does the same thing. For these servers we need to guess usernames. On
IIS "administrator" won't be a bad guess.
How do we go about to brute force sites that use BA? Whiskerhas the
functionality to brute force attack BA sites. How do we do this? Let us set
up whiske rto brute force attack the site http://196.xxx.151.241 with
username "craig". We build a file called "passwords" containing some common
passwords and execute whisker as follows:
# perl whisker.pl -a craig -L / -P passwords -h 196.xxx.151.241
Let us have a quick look at the different switches. -a specifies the
username, -L / says that we want to get to the main site - if the server
protects a specific URL we would added it after the /. -P tells whisker that
we use the file "passwords" as password file (wow!). Please note - we had to
make some minor changes to whisker.pl for this to work. Line 28 should read
like this:
getopts("P:fs:n:vdh:l:H:Vu:iI:A:S:EF:p:M:UL:a:W", \%args);}
Line 1185 should read like this:
if($R!~m#^HTTP/[0-9.]{3} 40#){
When whisker find a valid username and password combination it responds like
this: = Valid auth combo 'craig:xxx' on following URL:
= http://196.xxx.151.241
The idea would now be to run whisker with the correct username and password
against the site:
# perl whisker.pl -a craig:testing -h 196.xxx.151.241
If you have an "133t" exploit you wish to run against a site that makes use
of BA, and you do have the correct username and password - you still need to
modify the 'sploit in order to use it with BA. The easiest way of doing this
is to sniff the actual output of whisker, and look for the "Authentication:
Basic" part. Add that then to your 'sploit. The more 'l33t' way is obviously
to base64 encode the username:password, put "Basic" in front of it...
simply means that you have to provide a username and password to enter a
site. Note that some sites might have usernames and passwords at application
level - at "site" level - e.g. you must provide a username and password in a
HTML based form. This is not basic authentication. With basic
authentication, a extra window will be popped up in your browser and you
will be prompted for a username and password. As is the case with telnet,
the first step would be a get a valid username. Some implementations of
basic authentication will tell you if you are using a valid username. Let us
look at how Firewall-1 implements basic authentication. I go to the site
http://196.xxx.151.241. At the BA (basic authentication) prompt I enter a
username "test" and password "test". The server tells us that there is some
problem, and responds like this:
Error 401
FW-1 at gateway: Unauthorized to access the document.
Authorization is needed for FW-1.
The authentication required by FW-1 for test is: unknown.
Reason for failure of last attempt: unknown user
Note that is says "unknown user" - the username "test" is thus not valid. If
we try it with user "craig" however (we know that craig is a valid user) the
response looks like this:
Error 401
FW-1 at gateway: Unauthorized to access the document.
Authorization is needed for FW-1.
The authentication required by FW-1 for craig is: FW-1 password.
Last message to user: FireWall-1 password:
Aha! Note that we don't see any "unknown" user response. How about other
server - Apache and IIS? If we use an invalid user at the Apache BA prompt
we get a response that says either the username or password is incorrect.
IIS does the same thing. For these servers we need to guess usernames. On
IIS "administrator" won't be a bad guess.
How do we go about to brute force sites that use BA? Whiskerhas the
functionality to brute force attack BA sites. How do we do this? Let us set
up whiske rto brute force attack the site http://196.xxx.151.241 with
username "craig". We build a file called "passwords" containing some common
passwords and execute whisker as follows:
# perl whisker.pl -a craig -L / -P passwords -h 196.xxx.151.241
Let us have a quick look at the different switches. -a specifies the
username, -L / says that we want to get to the main site - if the server
protects a specific URL we would added it after the /. -P tells whisker that
we use the file "passwords" as password file (wow!). Please note - we had to
make some minor changes to whisker.pl for this to work. Line 28 should read
like this:
getopts("P:fs:n:vdh:l:H:Vu:iI:A:S:EF:p:M:UL:a:W", \%args);}
Line 1185 should read like this:
if($R!~m#^HTTP/[0-9.]{3} 40#){
When whisker find a valid username and password combination it responds like
this: = Valid auth combo 'craig:xxx' on following URL:
= http://196.xxx.151.241
The idea would now be to run whisker with the correct username and password
against the site:
# perl whisker.pl -a craig:testing -h 196.xxx.151.241
If you have an "133t" exploit you wish to run against a site that makes use
of BA, and you do have the correct username and password - you still need to
modify the 'sploit in order to use it with BA. The easiest way of doing this
is to sniff the actual output of whisker, and look for the "Authentication:
Basic" part. Add that then to your 'sploit. The more 'l33t' way is obviously
to base64 encode the username:password, put "Basic" in front of it...
No comments:
Post a Comment