Hosting Provided By

HTTP auth for Terminal Server brute force - HTTP auth?

From: Susan Chan Lee <susan.lee(at)securityassoc.com>
Date: Wed Dec 18 2002 - 10:54:48 EST

If the server is also running IIS then you could use the techniques outlined by David Litchfield in his post on 5th March 2002 - Considerations for IIS Authentication. If you expand upon the techniques outlined in the post (below) and follow the error messages you can ascertain what accounts are on the system.

Tested and it works for me...

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

If the server responds with a 401 Access Denied response then Basic auth is enabled. If the server responds with a 200 OK then this means one of two things - the server does not support Basic auth (the most likely) or there is a system account on the server called "q1ki9" with a password of "d09klm" (most unlikely!).

More information look at the orginal post: http://www.nextgenss.com/advisories/iisauth.txt

Advanced Hands-On Security in the Arabic Gulf DefensiveHacking and DefensiveForensics, Qatar January 2003 www.securityassoc.com/DefensiveCourse.pdf

Thanks
Susan Chan Lee
Security Associates - Singapore

-----Original Message-----
From: Ozan Gonenc [mailto:ogonenc@adga.ca] Sent: Saturday, November 30, 2002 3:52 AM To: 'Deus, Attonbitus'; 'visigoth'; 'Robert E. Lee' Cc: 'Joe Luna'; pen-test@securityfocus.com Subject: RE: Terminal Server brute force

This utility helps automate manual login/password attempts. Works pretty well for dictionary type attacks. It's a bit slow, especially when you have two clients going at the same time.

Do you need help?

tscrack 2.0.37 Dictionary Based Windows Terminal Services Cracker

Something to keep you busy until TSGrinder comes out.

Ozan Gonenc
IT Security Specialist
AEPOS Technologies Corporation
http://www.aepos.com

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ Received on Wed Dec 18 17:25:23 2002

This message: [ Message body ]
Next message: Ralph Los: "Re-opening an old thread: NetWare-Enterprise-Web-Server/5.1 --As sistence requested."
Previous message: labs(at)NGSEC: "[NGSEC] ngGame #2 - Web Authentication II"
In reply to: Ozan Gonenc: "RE: Terminal Server brute force"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT