HTTP auth for Terminal Server brute force - HTTP auth?

From: Susan Chan Lee (susan.lee@securityassoc.com)
Date: Wed Dec 18 2002 - 10:54:48 EST


If the server is also running IIS then you could use the techniques
outlined by David Litchfield in his post on 5th March 2002 -
Considerations for IIS Authentication. If you expand upon the techniques
outlined in the post (below) and follow the error messages you can
ascertain what accounts are on the system.

Tested and it works for me...

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

If the server responds with a 401 Access Denied response then Basic auth
is enabled. If the server responds with a 200 OK then this means one of
two things - the server does not support Basic auth (the most likely) or
there is a system account on the server called "q1ki9" with a password
of "d09klm" (most unlikely!).

For more information, look at the original post:
http://www.nextgenss.com/advisories/iisauth.txt

Thanks
Susan Chan Lee
Security Associates - Singapore

-----Original Message-----
From: Ozan Gonenc [mailto:ogonenc@adga.ca]
Sent: Saturday, November 30, 2002 3:52 AM
To: 'Deus, Attonbitus'; 'visigoth'; 'Robert E. Lee'
Cc: 'Joe Luna'; pen-test@securityfocus.com
Subject: RE: Terminal Server brute force

This utility helps automate manual login/password attempts. Works
pretty well for dictionary type attacks. It's a bit slow, especially
when you have two clients going at the same time.

tscrack 2.0.37 Dictionary Based Windows Terminal Services Cracker

Something to keep you busy until TSGrinder comes out.

______________________________
Ozan Gonenc
IT Security Specialist
AEPOS Technologies Corporation
http://www.aepos.com
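
For the server side of the probing described in this thread, the following is an added example, not part of the original posts: it decodes Basic `Authorization` values from captured requests and flags clients whose 401 responses span many distinct usernames. The record layout, function names, sample addresses and threshold are assumptions made for illustration.

```python
import base64
import binascii
from collections import defaultdict

def decode_basic(header_value):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed token: not usable as evidence
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None

def flag_guessing(records, max_users=3):
    """records: iterable of (client_ip, authorization_value, http_status).
    Returns {client_ip: sorted usernames} for clients whose 401 responses
    cover more than max_users distinct usernames (threshold is an assumption)."""
    failed = defaultdict(set)
    for ip, auth, status in records:
        creds = decode_basic(auth)
        if creds and status == 401:
            failed[ip].add(creds[0].lower())
    return {ip: sorted(u) for ip, u in failed.items() if len(u) > max_users}

def make_basic(user, password):
    """Build a header value for the constructed sample data below."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [("192.0.2.10", make_basic(u, "x"), 401)
          for u in ("administrator", "backup", "guest", "test")]
SAMPLE += [
    ("192.0.2.10", "Basic cTFraTk6ZDA5a2xt", 401),   # header value quoted in the post
    ("198.51.100.7", make_basic("alice", "wrong"), 401),
    ("198.51.100.7", make_basic("alice", "right"), 200),
]

if __name__ == "__main__":
    for ip, users in flag_guessing(SAMPLE).items():
        print(ip, "failed Basic auth for", len(users), "usernames:", users)
```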
