Re: brute force ColdFusion MX7 admin page

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Fri Dec 21 2007 - 00:45:05 EST


Sup anon...I've never run into something like this on a test. So I am
NOT speaking from experience here.

Did some quick googling...ended up here:
http://pajhome.org.uk/crypt/md5/

Quick questions...
1. What happens when you browse to that login page with javascript
disabled?

        * http://pajhome.org.uk/crypt/md5/auth.html

2. Can you attack the admin's computer? Is there a "contact webmaster"
link on the page?

        * Possibly attack the site admin via client-side, and then run
IEPwdump.

3. Have you been able to do any social engineering/spear phishing that
might allow you to attempt to record the admin logging into the page?

--------------

Personally, I would try at least the 3 options above before I would
resort to brute-forcing the login page knowing that it uses a password
salt.

If I were absolutely forced to attempt the attack you are talking about, I
would say to go about it this way.

I agree with you that although the salt may be predictable, the amount
of time you'd waste trying to determine that is just too great.

Wget the login page every 25 seconds, then parse/regex the salt and use
the same method the page does to encode your password list with a
counter that will pause the login process and change out that $salt
variable every 25 seconds.

I'm thinking this is less than 30 lines in your pick-your-poison
scripting language (Perl, Python, Ruby). With Perl, I'd go for some
sort of nested foreach loop with the counter set for 25 seconds before
swapping out the $salt var. <-- Sorry, I'm sure that there is probably a
more ELEGANT way to code this up. I'm just not a "Software Engineer".

Anon - let us know what you end up doing, and if you come up with some
code to attempt these types of logins, post it here so the rest of us can
play with it and maybe even improve it.

From the googling I did just now it looks like there is a slow but
steady increase in webmasters doing these types of logins especially
with md5 and some sort of salt.

A little script like this would definitely be of use to this list.

P.S. - thanks for trying to bring the list back <wink>

j0e

On Wed, 2007-12-19 at 19:44 -0800, Anonymous wrote:
> I would send this from my work account but every time
> I respond to a question I get a bunch of spam. So...
> on to the real situation.
>
> A customer's ColdFusion MX7 admin page is reachable
> from the Internet. As part of the external pen test
> I'd like to attempt to brute force this page. It would
> seem to be easier than normal because there is only a
> password - no username is needed.
>
> However, there is a small problem that I'm not sure
> how to tackle quickly. I don't have much time left.
>
> The form action is this:
>
> <form name="loginform"
> action="/cfide/administrator/enter.cfm" method="POST"
> onSubmit="cfadminPassword.value =
> hex_hmac_sha1(salt.value,
> hex_sha1(cfadminPassword.value));" >
>
> There is a hidden field in the form with the salt
> value:
>
> <input name="salt" type="hidden"
> value="1198120613281">
>
> I imagine the salt is predictable but I also imagine
> that it wouldn't help much to predict it. Maybe I'm
> wrong. The page has a meta refresh of 50.
>
> The password field is:
>
> <input name="cfadminPassword" type="Password"
> size="15" maxlength="100" id="admin_login">
>
> Because of the encoding of the entered password with
> the salt it doesn't look like I can use Hydra. Am I
> stuck writing my own script using wget (or something)
> and a function to hash the password and salt? If so,
> does anyone know about these functions: hex_hmac_sha1
> and hex_sha1?
>
> Hopefully this is the type of thing that will bring
> the old PT List back.... maybe...
>
> Thanks for any input!
>

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 
        - Zig Ziglar




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT