
| Subject: | Re: brute force ColdFusion MX7 admin page |
|---|---|
| Date: | Fri, 21 Dec 2007 00:45:05 -0500 |
Sup anon...I've never run into something like this on a test. So I am NOT speaking from experience here. Did some quick googling...ended up here: http://pajhome.org.uk/crypt/md5/

Quick questions...

1. What happens when you browse to that login page with javascript disabled?
   * http://pajhome.org.uk/crypt/md5/auth.html
2. Can you attack the admin's computer? Is there a "contact webmaster" link on the page?
   * Possibly attack the site admin via client-side, and then run IEPwdump.
3. Have you been able to do any social engineering/spear phishing that might allow you to attempt to record the admin logging into the page?

--------------

Personally, I would try at least the 3 options above before I would resort to brute-forcing the login page knowing that it uses a password salt. If I was absolutely forced to attempt the attack you are talking about I would say to go about it this way. I agree with you that although the salt may be predictable, the amount of time you'd waste trying to determine that is just too great.

Wget the login page every 25 seconds, then parse/regex the salt and use the same method the page does to encode your password list with a counter that will pause the login process and change out that $salt variable every 25 seconds. I'm thinking this is less than 30 lines of the pick-your-poison scripting languages (Perl, Python, Ruby). With perl - I'd go for some sort of nested foreach loop with the counter set for 25 seconds before swapping out the $salt var. <-- Sorry, I'm sure that there is probably a more ELEGANT way to code this up. I'm just not a "Software Engineer".

Anon - let us know what you end up doing, and if you come up with some code to attempt these types of logins post it here so the rest of us can play with it and maybe even improve it. From the googling I did just now it looks like there is a slow but steady increase in webmasters doing these types of logins especially with md5 and some sort of salt. A little script like this would definitely be of use to this list.

P.S. - thanks for trying to bring the list back <wink>

j0e

On Wed, 2007-12-19 at 19:44 -0800, Anonymous wrote:
I would send this from my work account but every time
I respond to a question I get a bunch of spam. So...
on to the real situation.
A customer's ColdFusion MX7 admin page is reachable
from the Internet. As part of the external pen test
I'd like to attempt to brute force this page. It would
seem to be easier than normal because there is only a
password - no username is needed.
However, there is a small problem that I'm not sure
how to tackle quickly. I don't have much time left.
The form action is this:
```html
<form name="loginform"
      action="/cfide/administrator/enter.cfm" method="POST"
      onSubmit="cfadminPassword.value =
                hex_hmac_sha1(salt.value,
                              hex_sha1(cfadminPassword.value));" >
```
There is a hidden field in the form with the salt
value:
```html
<input name="salt" type="hidden"
       value="1198120613281">
```
I imagine the salt is predictable but I also imagine
that it wouldn't help much to predict it. Maybe I'm
wrong. The page has a meta refresh of 50.
The password field is:
```html
<input name="cfadminPassword" type="Password"
       size="15" maxlength="100" id="admin_login">
```
Because of the encoding of the entered password with
the salt it doesn't look like I can use Hydra. Am I
stuck writing my own script using wget (or something)
and a function to hash the password and salt? If so,
does anyone know about these functions: hex_hmac_sha1
and hex_sha1?
Hopefully this is the type of thing that will bring
the old PT List back.... maybe...
Thanks for any input!
-- Joe McCray Toll Free: 1-866-892-2132 Email: joe@learnsecurityonline.com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access "The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
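The two functions the question asks about, as an added example (not code from either poster): hex_sha1 and hex_hmac_sha1 are the pajhome.org.uk JavaScript routines, and the onSubmit handler simply computes hex_hmac_sha1(salt, hex_sha1(password)), which is reproducible with the Python standard library from values visible in the page. The defender's takeaway is that this client-side step hides the cleartext from a passive observer but gives no resistance to online guessing, so lockout, rate limiting and not exposing /cfide/administrator to the Internet are what actually matter. Assumed: ASCII passwords (the pajhome code is byte-oriented), and that the hidden salt is a JavaScript Date.getTime() value, which the figure from the thread is consistent with.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# The salt value quoted from the form in the thread (constructed sample input).
SALT_FROM_PAGE = "1198120613281"


def hex_sha1(data: str) -> str:
    """Python equivalent of pajhome's hex_sha1(): lowercase hex SHA-1 of the string."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def hex_hmac_sha1(key: str, data: str) -> str:
    """Python equivalent of pajhome's hex_hmac_sha1(key, data): HMAC-SHA1, lowercase hex."""
    return hmac.new(key.encode("utf-8"), data.encode("utf-8"), hashlib.sha1).hexdigest()


def cfadmin_form_value(salt: str, password: str) -> str:
    """What the form's onSubmit handler stores in cfadminPassword before the POST:
    hex_hmac_sha1(salt, hex_sha1(password)). Both inputs are known to anyone who
    can read the page, so this is a deterministic, public transform of the guess."""
    return hex_hmac_sha1(salt, hex_sha1(password))


def salt_to_utc(salt: str) -> datetime:
    """Assumption: the hidden salt is milliseconds since the epoch (JS Date.getTime()).
    Decoding it shows how the page derives it and why it changes on each refresh."""
    return datetime.fromtimestamp(int(salt) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    print("salt decodes to", salt_to_utc(SALT_FROM_PAGE).isoformat())
    print("form value for a sample password:", cfadmin_form_value(SALT_FROM_PAGE, "example"))
```

The salt in the quoted form decodes to 2007-12-20 03:16:53 UTC, about half an hour before the original message was sent, which matches the thread's guess that it is predictable.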