From: Christine Kronberg (Christine_Kronberg@genua.de)
Date: Thu Feb 09 2006 - 05:13:03 EST
On Wed, 8 Feb 2006, Dave wrote:
>
>> To all:
>>
>> I have been asked to perform a security audit of 1 IP address for client.
>> They have given me the 1 IP address and a clue (webblaze).
>>
>> If I enter the IP address and then /webblaze, I am taken to a login page
>> (user name and password requested).
>>
>> What tools would you recommend that I use for this assignment?
>>
> nmap and nessus will tell you more about the IP and what other services are
I'm not so much impressed by using nessus. In most cases I archieve
more by using nmap, telnet and brain. Might be due to the fact the
last couple of pen-tests were against computers pretty much protected.
For the original poster as a starting I recommend using nmap to see
whether other ports on that host are available.
> running that you might be able to exploit. If they just want you to test the
> strength of the webpage login then possibly using Brutus will reveal weak
> passwords etc... although this is generally a bad idea. Right off hand, I
> cant look now, but webblaze may be a publicly available script...download it
> and check the source for any possible coding errors that could be exploited.
Before you can exploit a possible weakness you have to bypass the
authentication. If this can be done depends on the type of
authentication.
Searching for weak password is certainly a way to go. But: If you
don't have any username to start, you must use a list of common
usernames and a list of weak passwords. Ok, no problem to get those
lists. But you have to test each password foreach user. That consumes
a good deal of time. If you are not allowed to harm the computer by
filling up the logfiles whatever this does to the node, you are very
limited. Example: I did that for a customer a while ago. First step
was to get some probable usernames from google. Found about 100.
Now, my private password list has about 12 Mio entries. Stripping
them down to a maximum of 8 characters left about 4.5 Mio entries.
Using hydra with abount 180 tries/min gives:
100 x 4.5Mio /180 = 1736 days.
No way to go. So you need to use a very small password lists (really
easy passwords). But then it is highly unlikely that you find something.
I ended up calculating my paramters for a runtime of 5 hours.
I remember the thread about password cracking a while back pretty well.
But I wonder: How many of you do this over the net? Not having any
username to check on? It is one thing to have an encrypted password
list, it is completely different to have nothing at all.
Cheers,
Christine Kronberg.
-- GeNUA mbH ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT