Penetration Testing mailing list archives
penetrating web-based authentication if you know one of the usernames
From: Ølstad, Roger <Roger.Olstad () pax priv no>
Date: Wed, 18 May 2005 14:05:07 +0200
Hi! I have this web-based service/directory which offers users access through a username/password-authentication process. I am wondering what if some of the usernames are compromised, and I actually don't want to change the username? Are there any tools able to run some kind of bruteforce-attack or something, against my web-authentication? Other alternatives? Do I really have to consider my whole system as compromised just because a username may be lost? In addition, does anyone know of any tool that can help me audit the web-server regarding to passwordpolicy, passwordstrength etc. I appreciate all relevant answers :-) Very best R -----Original Message----- From: Erik Kamerling [mailto:ekamerling () snaplen com] Sent: 17. mai 2005 16:13 To: pen-test () securityfocus com Subject: Re: Cisco VPN Concentrator GUI My original response never made it so here it is again. On Sunday 15 May 2005 23:09, kaps lock wrote:
i cant find any vulenrabilites on the net ....to explain to the person....only thing i can think of is brute forcing the username pasword field...which is again a challenge for web vpn..any ideas?? thanks
Hi Kaps Lock, You might want to impart info to your client regarding the common sense security measure of limiting access to the HTTPS interface on the concentrator to only trusted management hosts or internal networks. Enabling uncontrolled public side HTTP(S) management of a VPN concentrator gives out way more info re: their VPN than most people would want IMHO. I don't believe HTTP(S) is enabled by default (at least on a public interface) on a 3000 series concentrator so someone turned it on most likely. 3000 series concentrators are vulnerable to a SSL attack prior to version 4.1.7.A so you might want to point this out to them. The attacker does not need to authenticate and can effectively reload the device or make it drop user connections. Here is the advisory -> http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml And a more general view on 3000 vulnerabilities -> http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml Best Wishes, Erik Kamerling
Current thread:
- penetrating web-based authentication if you know one of the usernames Ølstad , Roger (May 18)
- Re: penetrating web-based authentication if you know one of the usernames L. Walker (May 18)
- Re: penetrating web-based authentication if you know one of the usernames Ole Martin Dahl (May 18)
- Re: penetrating web-based authentication if you know one of the usernames Pablo Fernández (May 18)
- <Possible follow-ups>
- RE: penetrating web-based authentication if you know one of the usernames Scovetta, Michael V (May 18)