Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: penetrating web-based authentication if you know one of the username

from [Ole Martin Dahl] Network Security [Permanent Link]
Subject: Re: penetrating web-based authentication if you know one of the usernames
Date: Wed, 18 May 2005 18:04:53 +0200 
Ølstad wrote:

Hi!

I have this web-based service/directory which offers users access through a 
username/password-authentication process. I am wondering what if some of the 
usernames are compromised, and I actually don't want to change the username? 
Are there any tools able to run some kind of bruteforce-attack or something, 
against my web-authentication? Other alternatives? Do I really have to 
consider my whole system as compromised just because a username may be lost?

In addition, does anyone know of any tool that can help me audit the 
web-server regarding to passwordpolicy, passwordstrength etc.

I appreciate all relevant answers :-)

Very best

R



Many tools, including vulnerability scanners [1], can do such
brute-force tests. Dedicated brute-force tools also exist, e.g. [2].

Why are you afraid if the usernames are compromised, usernames should
not be considered secret. The confideniality of the password are the
secret part, maybe you also meant this.

For å full web application audit I recommend OWASP as a methodoical
approach.

Regards

Ole Martin Dahl

[1] http://www.nessus.org
[2] http://www.hoobie.net/brutus/
[3] http://www.owasp.org/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: penetrating web-based authentication if you know one of the usernames, Scovetta, Michael V
Next by Date:  Re: penetrating web-based authentication if you know one of the usernames, Pablo Fernández
Previous by Thread:  Re: penetrating web-based authentication if you know one of the usernames, L. Walker
Next by Thread:  Re: penetrating web-based authentication if you know one of the usernames, Pablo Fernández
Indexes:  [Date] [Thread] [Top] [All Lists]