Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: brute force ColdFusion MX7 admin page

from [Anonymous] Network Security [Permanent Link]
Subject: Re: brute force ColdFusion MX7 admin page
Date: Tue, 15 Jan 2008 14:14:15 -0800 (PST) 
I thought I'd send out a follow-up on my inquiry. It
seems that there aren't enough of these. See the
details below the summary.

1) If your scan reveals /cfide/administrator/index.cfm
as being available look for the availability of
/cfide/componentutils/login.cfm
2) Brute force it using whatever tool you'd like. When
you get guess the correct password the server will
respond with the HTTP status of 302 (content moved).
3) Try guessed password at
/cfide/administrator/index.cfm

That's it.

I found one document that really seemed to help me get
beyond the salting issue. Other comments to me and the
list also helped.

http://www.eusecwest.com/esw06/esw06-davis.pdf

This document lists another ColdFusion page
(/cfide/componentutils/login.cfm). This other page
doesn't have a salting function. Although it
apparently doesn't actually allow for logging into the
admin console it will tell you if you have guessed the
correct password by returning the HTTP status code of
302.

I used WebScarab's fuzzing tool and a regular
expression to attempt to brute force the password.
WebScarab kept stopping for some reason and never even
came close to completing. I also tried Hydra's HTTP
post function with a dictionary file but it returned
some false positives and no successes. In the end I
did not have enough time to guess the admin password.

It looks like this is a pretty serious issue as the
research I did shows that these login attempts are not
logged (without a CF server I can't confirm). The PDF
referenced above shows how you can use the admin
console to execute a slow but accurate port scan of
the host environment plus a lot of other fun stuff.

For some reason Nessus doesn't check for
/cfide/componentutils/login.cfm but does check for
/cfide/administrator/index.cfm. Keep this in mind if
you run across the same situation in any of your
engagements.

Shoot any questions my way if you'd like. And thanks
again for everyone's input.

-Leo
--- Anonymous <anon_email4me@yahoo.com> wrote:


I would send this from my work account but every
time
I respond to a question I get a bunch of spam. So...
on to the real situation.

A customer's ColdFusion MX7 admin page is reachable
from the Internet. As part of the external pen test
I'd like to attempt to brute force this page. It
would
seem to be easier than normal because there is only
a
password - no username is needed.

However, there is a small problem that I'm not sure
how to tackle quickly. I don't have much time left.

The form action is this:

<form name="loginform"
action="/cfide/administrator/enter.cfm"
method="POST"
onSubmit="cfadminPassword.value =
hex_hmac_sha1(salt.value,
hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt
value:

<input name="salt" type="hidden"
value="1198120613281">

I imagine the salt is predictable but I also imagine
that it wouldn't help much to predict it. Maybe I'm
wrong. The page has a meta refresh of 50.

The password field is:

<input name="cfadminPassword" type="Password"
size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with
the salt it doesn't look like I can use Hydra. Am I
stuck writing my own script using wget (or
something)
and a function to hash the password and salt. If so,
does anyone know about these functions:
hex_hmac_sha1
and hex_sha1?

Hopefully this is the type of thing that will bring
the old PT List back.... maybe...

Thanks for any input!


     


____________________________________________________________________________________

Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now. 


http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ








      
____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Simple Buffer Overflow (shell testing), Vuln Dev
Next by Date:  Re: SQL Injection: Issue with UNION SELECT ALL, Francois Larouche
Previous by Thread:  Re: Simple Buffer Overflow (shell testing), Vuln Dev
Next by Thread:  Re: brute force ColdFusion MX7 admin page, me
Indexes:  [Date] [Thread] [Top] [All Lists]