RE: Dictionary and brute forcing web authentication?

["Calderon, Juan C (EM, DDEMESIS)" <Juan.Calderon () ge com>]

Browsers like Netscape will show a popup for windows authentication,
although they are not able to autheticate using this method.  Even if
you enter correct credentials you will see this popup again and again.

cheers :)

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Monday, September 15, 2003 9:56 AM
To: webappsec () securityfocus com
Subject: RE: Dictionary and brute forcing web authentication?


Greetings,

If I am not mistaken, Windows Intergated does not have a popup. IE
merely
takes your currently logged on crediantials and passes them to the IIS
server. Only BASIC and DIGEST would have pop up from the IIS server.

Please advice if I am wrong ?

Gill


-----Original Message-----
From: Calderon, Juan C (EM, DDEMESIS) [mailto:Juan.Calderon () ge com] 
Sent: Monday, September 15, 2003 12:07 AM
To: webappsec () securityfocus com
Subject: RE: Dictionary and brute forcing web authentication?

Those popup windows appear when *basic*, *windows integrated* or
*Digest* authentication is used. Perhaps, you are getting a *Integrated
windows* or *Digest* authentication popup (which only works on IE
clients
accessing IIS servers) watch the HTTP headers using a proxy like Exodus
or
Paros to identify witch authentication are you dealing with.
Some of the possible values for *WWW-Authenticate* header are *basic*
for
basic authentication (here you can use something like DownBload
suggestion),
*NTLM* for windows authentication and *Digest* for digest
authentication.

I dont know a tool for brute forcing windows or digest authentication.
In fact, given those are challenge digests instead of  *direct*
authentication type, I doubt a tool like that exist.

cheers :)

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com]
Sent: Friday, September 12, 2003 2:56 PM
To: webappsec () securityfocus com
Subject: Dictionary and brute forcing web authentication?


I'm looking for advice on dictionary and brute forcing web
authentication.
Most of the websites I have access to at work have various kinds of
forms
based authentication.  I've been playing with a plugin for Sleuth
(httpbrute_plugin.zip) and am having difficulty.

At a minimum I need to give the plugin the user and password fields from
the
source of the webpage so it knows where to perform the dictionary
attack.  I
also need a failure string so the plugin knows when it has failed (and
if it
hasn't failed, theoretically succeeded), but herein lies the problem.
I'm
looking at a page called "securedefault.asp" .. When I enter a bogus
username and password, the login screen just displays again .. No
special
failure message.

Any ideas how to handle this?

Also .. I noticed on some websites that as soon as you go to them, a
user
and password box pops up.  I am not able to view source on these, either
in
IE or Sleuth.  In IE the user and password box opens immediately, and in
Sleuth I get a Windows username and password box.  I'm assuming these
are
*not* basic http authentication?  Any advice on how to dictionary attack
these things?

Thanks!

Mark

Attachment: smime.p7s
Description: