Re: penetrating web-based authentication if you know one of the usernames

On Wed, 2005-05-18 at 14:05 +0200, Ãlstad, Roger wrote:
> Hi!
>
> I have this web-based service/directory which offers users access through a 
> username/password-authentication process. I am wondering what if some of the 
> usernames are compromised, and I actually don't want to change the username? 
> Are there any tools able to run some kind of bruteforce-attack or something, 
> against my web-authentication? Other alternatives? Do I really have to 
> consider my whole system as compromised just because a username may be lost?
>
> In addition, does anyone know of any tool that can help me audit the 
> web-server regarding to passwordpolicy, passwordstrength etc.
>
> I appreciate all relevant answers :-)
>
> Very best
>
> R

There are a couple of HTTP Basic auth bruteforce products out there,
THC's Hydra being one of my favourites.  You can find this product @
http://www.thc.org

Brutus is another product off the top of my head, but I tend to be
biased and say Hydra :)

-- 
L. Walker
Administrator / Consultant
--
Security-focused Linux and Windows based administration services
http://magi.net.au - Development blog for *nix users and hosting groups
--

signature.asc
Description: This is a digitally signed message part