Re: PEN Testing a everchanging realm in apache

From: Vladimir Parkhaev (vladimir@arobas.net)
Date: Wed May 29 2002 - 18:10:56 EDT


Quoting John_Leitch@NAI.com (John_Leitch@NAI.com):
> Using the latest apache / ssl.
>
> I need to find a way of brute forcing the auth but........ the web server
> has an ever changing realm.
>
> Is this possible or shall I look elsewhere ?
>
> Regards
>

I am not sure what do you mean by "ever changing realm", but you can adapt the following
perl code to brute force your way in. You need to install Crypt::SSLeay module,
dictionary, a loop and ... pretty much it...

#!/usr/bin/perl -w
use LWP::UserAgent;

my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
$req->authorization_basic('foo', 'bar');
$res = $ua->request($req);
($res->is_success)? print $res->content, "\n" : print $res->status_line, "\n";

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT