Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition

RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition

From: Jelmer <jkuperus_at_planet.nl>
Date: Sat, 19 Jun 2004 04:31:09 +0200

>As a addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...

Don't mind if I do :)

The following demo will read out your logon name and your logon domain, or
at least it should :)

http://jelmer.homedns.org/test.htm

The url used is http://jelmer%2fwww.jelmer.homedns.org

The problem is that ie looks at the part before the %2f to determine the
security zone etc but then loads the url in it's entirety, like this

http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded

IE treats any url it sees without a period in it such as http://jelmer as
part of the Local Intranet Zone

>From the intranet zone we can easily obtain the logon name because Automatic
logon thru NTLM is enabled by default in the intranet zone.

Code at http://jelmer.homedns.org/code.zip

I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder
Received on Jun 19 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]