From: Ivan . (ivanhec@gmail.com)
Date: Wed Feb 08 2006 - 22:31:58 EST
Hi Edmond,
You could always start with a brute force attack on the login.
Try these tools
ObiWaN - http://www.phenoelit.de/fr/tools.html
Hydra - http://thc.org/download.php?t=r&f=hydra-5.2-src.tar.gz
Brutus - http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=brutus&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0
google
http://www.google.com.au/search?hl=en&q=brute+force+web+logins&btnG=Google+Search&meta=
cheers
Ivan
On 2/9/06, Erin Carroll <amoeba@amoebazone.com> wrote:
> List members,
>
> I allowed this question through even though it is, at it's heart, a very
> basic question that should have gone to security-basics or some other
> relavent list. My goal in doing so was to hopefully garner responses which
> would show Edmond and other less-experienced pen-testers the thought
> processes behind how professionals break down engagements into various
> segments and proceed with what is, to many of us, a simple and non-complex
> task. If this task was assigned to you how would you proceed? Why would you
> use the methods or tools chosen and how would your approach change based on
> the data you were able to collect? Maybe my method of approaching this would
> be radically different than yours. Maybe I might learn something I hadn't
> thought to try from this discussion. Sometimes the most basic questions can
> produce the most interesting discussions. So far, most of the reponses
> received on Edmond's email have been... not very professional.
>
> <rant> I spend a fair amount of time every day in weeding through enormous
> buckets of spam and submissions looking for things that would interest list
> subscribers and adhere to the focus on pen-testing. Not all of the
> submissions are areas everyone has interest in or are things we've seen
> previously (rainbow tables again Mom?) but I'm constantly surprised by the
> level and breadth of knowledge shared here. I don't blindly approve
> submissions willy-nilly. I will very occassionally allow more basic
> questions through because sometimes the responses bring out some gem of
> knowledge from our more experienced members. If you have an issue with
> something posted to the list please provide me with some feedback (aka
> complain to me, I wear asbestos underoos). Replying with the something
> equivalent to "HAHA n00b! U Suxx0r!" is not something I condone or will
> allow on the list. To paraphrase an email last year from Al Huger prior to
> my taking over moderation duties: "If you can't say something nice, don't
> bother saying anything." </rant>
>
> So how bout it gang? You've been given some basic information on a target
> IP. It's running HTTP. It also has a login/password prompt. Where do you go
> from here and what information do you look for next?
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
> > -----Original Message-----
> > From: Edmond Chow [mailto:echow@videotron.ca]
> > Sent: Tuesday, February 07, 2006 10:45 PM
> > To: 'Michael Gargiullo'; pen-test@securityfocus.com
> > Cc: 'Edmond Chow'
> > Subject: RE: Penetration test of 1 IP address
> >
> >
> >
> >
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address
> > for client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a
> > login page (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> >
> > Thanks for your help.
> >
> > Regards,
> >
> >
> > Edmond
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking
> > applications on your website. Up to 75% of cyber attacks are
> > launched on shopping carts, forms, login pages, dynamic
> > content etc. Firewalls, SSL and locked-down servers are
> > futile against web application hacking. Check your website
> > for vulnerabilities to SQL injection, Cross site scripting
> > and other web attacks before hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.375 / Virus Database: 267.15.2/253 - Release
> > Date: 2/7/2006
> >
> >
>
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.15.2/253 - Release Date: 2/7/2006
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT