Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > webappsec > 02 > 110009.html (Request Expert securityfocus.com Support)

Re: IIS 5.0 with Integrated Window Authentication

From: Dave Aitel <dave(at)immunitysec.com>
Date: Thu Nov 07 2002 - 11:58:33 EST

No base language's class libraries are a match for the rich programing API that the GPL code base provides in this area, be it libwhisker, WHArsenal, SPIKE Proxy, or any of the many other tools.

You probably could use the C#'s WebClient.Credentials Property to set your credentials, then do some basic Whisker 1.0-style effort to build a tiny scanner. However, I think that to do a professional job, you're going to want to have a bit more control and a bit more stick behind your spearhead, in the form of advanced features. The ability to write custom checks with VulnXML, for example.

So I suggest one of three things:

  1. Use APS with SPIKE Proxy (or some other application assessment tool that can itself bounce through another proxy) APS is pure python and GPL, so if I get a lot more requests for this functionality (feel free to bug me at dave@immunitysec.com), I'll merge his code with SPIKE Proxy's core. (To bounce SPIKE Proxy though another proxy, download version 1.4.4, and use the -h and -H parameters to spkproxy.py)
  2. Check out SPIKE 2.7, which includes NTLM buffer overflow tools and brute forcers. (E.G, you can sniff a request that you want to fuzz, then use SPIKE's much more fast and powerful fuzzing framework to find overflows, format string bugs, SQL injection and the like - all through NTLM authenticated requests). It also includes a transparent HTTP[S] proxy (webmitm).
  3. You can e-mail me and I'll send you the current SP 1.4.5 Beta, which includes an ordering fix (so GET /a?a=b&c=d always is a=b&c=d and not c=d&a=b) and a mod I whipped up this morning that lets you browse NTLM pages through the proxy by passing the authentication back and forth a bit. However, rewrite request and scanning functionality still don't know about NTLM, and so that functionality won't be effective against NTLM servers. For the record, the bug was not in SPIKE Proxy's handling of Connection: Keep-Alive, but actually IE doesn't bother to respond to WWW-Authenticate when it is set up to use a Proxy. So I changed WWW-Authenticate to Proxy-Authenticate: and Proxy-Authorization to Authorization and it worked. Integrating APS would have been a more final solution, but that's slightly more than a few minutes' work.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

On Wed, 6 Nov 2002 12:21:46 -1000
"Jason Coombs" <jasonc@science.org> wrote:

> it might be easier for you to code your own scanner real quick using
Received on Thu Nov 7 18:27:12 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

Do you need help?X
Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library