Penetration Testing mailing list archives

Re: PEN Testing a everchanging realm in apache


From: Vladimir Parkhaev <vladimir () arobas net>
Date: Wed, 29 May 2002 18:10:56 -0400

Quoting John_Leitch () NAI com (John_Leitch () NAI com):
> Using the latest apache / ssl.
>
> I need to find a way of brute forcing the auth but........ the web server
> has an ever changing realm.
>
> Is this possible or shall I look elsewhere ?
>
> Regards


I am not sure what you mean by "ever changing realm", but you can adapt the following
Perl code to brute force your way in. You need to install the Crypt::SSLeay module,
a dictionary, a loop and ... that's pretty much it...



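#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;   # https URLs need Crypt::SSLeay installed

my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
# Send one username/password pair in the HTTP Basic Authorization header
$req->authorization_basic('foo', 'bar');
my $res = $ua->request($req);
# Print the body on success, otherwise the status line (e.g. 401)
print $res->is_success ? $res->content : $res->status_line, "\n";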


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
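
Seen from the server side, the kind of loop this reply describes shows up in the Apache access log as a run of 401 responses from one client. The following is an added example, not part of the original post, that flags such runs; the log lines, addresses, threshold and window are constructed assumptions, and lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak number of 401s seen inside one window} for every
    client whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # client -> timestamps of 401s still in window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[host]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[host] = max(peaks.get(host, 0), len(q))
    return peaks


def sample_log():
    """Constructed access-log lines, not taken from any real server."""
    # One client failing Basic auth six times in six seconds.
    burst = [
        f'192.0.2.10 - foo [29/May/2002:18:10:{i:02d} -0400] "POST / HTTP/1.1" 401 381'
        for i in range(6)
    ]
    # A user who mistypes a password twice and then logs in.
    normal = [
        '198.51.100.7 - alice [29/May/2002:18:11:00 -0400] "GET / HTTP/1.1" 401 381',
        '198.51.100.7 - alice [29/May/2002:18:11:09 -0400] "GET / HTTP/1.1" 401 381',
        '198.51.100.7 - alice [29/May/2002:18:11:20 -0400] "GET / HTTP/1.1" 200 5120',
    ]
    return burst + normal


if __name__ == "__main__":
    print(find_auth_bursts(sample_log()))
```
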

