WebApp Sec mailing list archives

RE: Dictionary and brute forcing web authentication?


From: <latte () hushmail com>
Date: Mon, 15 Sep 2003 16:03:47 -0700


Why wouldn't you just implement some time-out or lock-out system?
Surely that is the easiest and most effective?


-----Original Message-----
From: RSnake [mailto:rsnake () shocking com]
Sent: Monday, 15 September 2003 1:48 AM
To: Chris Varenhorst
Cc: webappsec () securityfocus com
Subject: Re: Dictionary and brute forcing web authentication?



        I wrote a paper on this topic and presented at BlackHat on this
specific topic, but from the other perspective... trying to secure a
machine under brute force HTTP attack.  It's a three part paper, and
pretty in-depth, but it should answer your questions.

http://www.securityfocus.com/infocus/1368
http://www.securityfocus.com/infocus/1369
http://www.securityfocus.com/infocus/1370

        The short of it is there are two basic ways to brute force.  Searching
for 200 or 401 return headers, and searching for strings on the page
that is returned.  WWWhack and Whisker both can perform these functions.
Read the paper for more details.

On Sat, 13 Sep 2003, Chris Varenhorst wrote:

| Date: Sat, 13 Sep 2003 15:47:27 -0500
| From: Chris Varenhorst <hiyachris86 () hotmail com>
| To: webappsec () securityfocus com
| Subject: Re: Dictionary and brute forcing web authentication?
|
| Is it possible to just specify the failure string as a string from
| the login page?  The <title> tag works well, especially since it's
| likely that the login page says something about how this is the login
| page in the title.  And as far as the password "popups" you mentioned
| happening in IE, you're right, those most likely are NOT http
| application web authentication but http 401 authentications, which are
| part of the HTTP protocol.  I'm sure the query string "http
| authentication 401 brute force" in a Google and a little bit of time
| will find something to brute force those...
|
| >From: "Mark G. Spencer" <mspencer () evidentdata com>
| >To: <webappsec () securityfocus com>
| >Subject: Dictionary and brute forcing web authentication?
| >Date: Fri, 12 Sep 2003 12:55:41 -0700
| >
| >I'm looking for advice on dictionary and brute forcing web authentication.
| >Most of the websites I have access to at work have various kinds of
| >forms based authentication.  I've been playing with a plugin for Sleuth
| >(httpbrute_plugin.zip) and am having difficulty.
| >
| >At a minimum I need to give the plugin the user and password fields
| >from the source of the webpage so it knows where to perform the
| >dictionary attack.  I also need a failure string so the plugin knows
| >when it has failed (and if it hasn't failed, theoretically succeeded),
| >but herein lies the problem.  I'm looking at a page called
| >"securedefault.asp" .. When I enter a bogus username and password, the
| >login screen just displays again .. No special failure message.
| >
| >Any ideas how to handle this?
| >
| >Also .. I noticed on some websites that as soon as you go to them, a
| >user and password box pops up.  I am not able to view source on these,
| >either in IE or Sleuth.  In IE the user and password box opens
| >immediately, and in Sleuth I get a Windows username and password box.
| >I'm assuming these are *not* basic http authentication?  Any advice on
| >how to dictionary attack these things?
| >
| >Thanks!
| >
| >Mark
| >
|

-R
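The lock-out approach suggested at the top of this reply, as an added example that is not code from anyone in this thread: a throttle that counts failed logins per account and per client address over a sliding window and locks the key out for a doubling delay, wrapped in a login handler that returns one uniform result so that neither the status code nor a failure string (the two signals RSnake describes brute forcers keying on) tells a bad password, an unknown user and a locked-out account apart. The salt, the user record and the thresholds are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed placeholders: demo salt and one user with a PBKDF2 password hash.
SALT = b"demo-salt-not-for-production"
def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
USERS = {"alice": _hash("correct horse battery staple")}

MAX_FAILURES = 5        # failures inside the window that trigger a lock-out
WINDOW_SECONDS = 300    # sliding window over which failures are counted
BASE_LOCK_SECONDS = 30  # first lock-out length; doubles on each repeat

class LoginThrottle:
    """Failed-login tracking per key (account or client address); clock is injectable for tests."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)   # key -> recent failure timestamps
        self.locked_until = {}              # key -> time the lock-out expires
        self.lock_count = defaultdict(int)  # key -> lock-outs so far
    def is_locked(self, key) -> bool:
        return self.clock() < self.locked_until.get(key, 0)
    def record_failure(self, key):
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.lock_count[key] += 1
            self.locked_until[key] = now + BASE_LOCK_SECONDS * 2 ** (self.lock_count[key] - 1)
            recent = []  # count afresh once the lock-out expires
        self.failures[key] = recent
    def record_success(self, key):
        self.failures.pop(key, None)

def attempt_login(throttle, username, password, client_ip) -> bool:
    """True only for a valid login on an unlocked account and address. Render the same
    page and status code for every False so bad password, unknown user and locked out look alike."""
    if throttle.is_locked(username) or throttle.is_locked(client_ip):
        return False
    candidate = _hash(password)  # hash even for unknown users: no timing tell
    stored = USERS.get(username)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if ok:
        throttle.record_success(username)
    else:
        throttle.record_failure(username)
        throttle.record_failure(client_ip)
    return ok
```

Locking on the account alone would let anyone who knows a username deny it service, which is why the throttle also keys on the client address and why the lock is temporary rather than permanent.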







