From: John_Leitch@NAI.com
Date: Thu May 30 2002 - 04:53:00 EDT
Hi,
Thanks for that but the ever changing realm is as follows.....
When a connection is established to the server and you are presented with a
login prompt the realm is different everytime. Its almost like the server
has / is using /dev/random to assign the realm so its never the same.
-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir@arobas.net]
Sent: 29 May 2002 23:11
To: John_Leitch@NAI.com
Cc: pen-test@securityfocus.com
Subject: Re: PEN Testing a everchanging realm in
apache
Quoting John_Leitch@NAI.com (John_Leitch@NAI.com):
> Using the latest apache / ssl.
>
> I need to find a way of brute forcing the auth but........
the web server
> has an ever changing realm.
>
> Is this possible or shall I look elsewhere ?
>
> Regards
>
I am not sure what do you mean by "ever changing realm", but
you can adapt the following
perl code to brute force your way in. You need to install
Crypt::SSLeay module,
dictionary, a loop and ... pretty much it...
#!/usr/bin/perl -w
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST =>
'https://server.domain.com/');
$req->authorization_basic('foo', 'bar');
$res = $ua->request($req);
($res->is_success)? print $res->content, "\n" : print
$res->status_line, "\n";
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT