Penetration Testing mailing list archives
Re: Pentesting a Web Applicaton
From: "Hylton Conacher (ZR1HPC)" <hylton () conacher co za>
Date: Mon, 04 Jun 2007 12:19:03 +0200
Stong, Ian C CTR DISA GIG-CS wrote:
Just for clarification - I have backups of the configs and could reset the device and reload the config but as soon as you do that it also restores the password. In addition you can't change the password without knowing the old password.
I would suggest looking at the backup files, after making a copy of them, and seeing if you can obtain a clear text password or even password hash. With the password hash I am almost sure you could run it through a set of rainbow tables and also through another method to obtain the real password, which in this case should be both the same obtained from the rainbow tables and other app. Take an evening, reset the device, try the cracked password. If it works you have lost nothing and can reset the password. If it doesn't work you have also lost nothing but you have gained the knowledge that the cracked password is one that doesn't work. Another thing to try is accessing the device from the cmd line via the IP I am sure you have. Try and see if there is anything in the cmd line help regarding lost passwords ie C;\> 'commandtoconnecttodevice -h' sans quotes. Try the 1st cracked password too as maybe the web interface has a different passwd.
And it's not actually the model listed and it's not a work device. Didn't want to give away the actual model number, IP address and code version, etc in case someone got bored and tried to hack away at it externally :)
Now who would do something like that? :) Let us know the outcome. Hylton ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Re: Pentesting a Web Applicaton Haroon Meer (Jun 01)
- <Possible follow-ups>
- RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Message not available
- RE: Pentesting a Web Applicaton Peter Wood (Jun 01)
- Message not available
- Re: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- Re: RE: Pentesting a Web Applicaton ebk_lists (Jun 01)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: RE: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: RE: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- RE: RE: Pentesting a Web Applicaton Alex Balayan (Jun 11)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: Pentesting a Web Applicaton Hylton Conacher (ZR1HPC) (Jun 04)