Nmap Development mailing list archives

Ncrack: buggy web server response / authentication


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Fri, 24 Jul 2009 15:40:43 +0300

I have been lately trying to debug an issue with the http-module of Ncrack. The
problem is that I have been getting some false positives, which however don't
seem to be as 'false' in deeper inspection.

I have been conducting the tests against an Apache 2.2 with a
basic-authentication protected directory which accepts only 1 certain pair of
pre-configured credentials which I already know.

Normally, web servers reply with a "401 Authorization Required" message when
authentication is needed to access that resource. They also include a line in
the HTTP message that denotes the kind of authentication scheme they are
expecting. "Basic" authentication is the most common one and is based on
base64-encoding the string: <username>:<password> . If the credentials are
correct, then the web server replies with a "200 OK" message and grants you
access to the resource you are trying to view.

The problem I have come against is that the web server replied with a "200 OK"
message and granted me access to the resource even for pairs that were normally
not configured to be valid!

I also tested against the server without having the correct credentials in the
username/password lists, so as to exclude the slightest chance that the later
"200 OK" message was confused with the one that was indeed true (with the
correct credentials).

I also seem to be getting some false negatives at times, but the most worrisome
problem is the false positives. This holds true because not only do I get the
"200 OK" message but also the content of the protected page is transmitted (as
the tcpdump logs show me). However, if I later open up a browser and submit
these credentials, I cannot of course access the page. Consequently, I am
starting to think that maybe this is erroneous behaviour as far as the Apache
web server is concerned. It could be a bug/race condition that is triggered when
too many connections take place, but I am not really sure yet.

Has anyone come across this behaviour before? It is a fairly confusing matter.

-- ithilgore


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
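For reference, the decision logic the post describes (401 with a WWW-Authenticate challenge unless the Basic credentials match exactly, 200 only on a match), as an added example that is not Ncrack's or Apache's code; the realm and the single valid credential pair are constructed values, and the parser rejects the malformed header cases a server should never accept.

```python
import base64
import hmac

# Constructed stand-ins for the one pre-configured credential pair (assumption:
# the post says exactly one pair is valid but does not give it).
VALID_USER = "admin"
VALID_PASS = "s3cret"
REALM = "Restricted"


def encode_basic(user, password):
    """Build the 'Authorization' value a client sends: base64(user:password)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header):
    """Return (user, password) from an 'Authorization' header value, or None when
    the header is absent, uses another scheme, or does not decode cleanly."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or non-UTF-8 bytes
        return None
    # The user-id may not contain ':' but the password may, so split only once.
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def credentials_match(user, password):
    """Compare both fields before deciding (timing-safe for equal-length inputs)."""
    u_ok = hmac.compare_digest(user.encode("utf-8"), VALID_USER.encode("utf-8"))
    p_ok = hmac.compare_digest(password.encode("utf-8"), VALID_PASS.encode("utf-8"))
    return u_ok and p_ok


def authorize(header):
    """Decide one request: (200, {}) only on an exact match, otherwise
    (401, {'WWW-Authenticate': ...}) so the client knows the expected scheme."""
    creds = parse_basic_authorization(header)
    if creds is not None and credentials_match(*creds):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
```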

