Re: HTTP sniffer for Digest Authentication?

Subject: Re: HTTP sniffer for Digest Authentication?
Date: Thu, 23 Sep 2004 13:21:04 -0700

Hello

  Below is a fragment from my access log with a 10-second nonce. Apache
  asks the client to reauthenticate (with a 401 response and a new
  nonce) every 10 seconds.

Yup, you're correct. I read up on how webservers implement nonce-generated
digests, and this seems correct. I guess the nonce has to have a min
lifetime of 10 or more because of the stateless nature of HTTP? Maybe
someone can enlighten me on this.

  After extending nonce lifetime, I took a set of request headers
  from the audit log and used them in a new request, and was
  successfully authenticated. I could repeat the process as many
  times as I wanted. That is, until the original nonce expired.

This seems doable, and should be easier, if the nonce is set to expire @ 300
sec intervals.


Thanks.
Saqib Ali
http://validate.sf.net
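The thread above observes that a captured set of Digest request headers can be resubmitted until the nonce expires. The following is an added illustration written for this page, not code from Saqib Ali, Apache, or anyone else in the thread. It assumes a simple nonce format (expiry timestamp plus an HMAC tag, so the server can check freshness without storing anything) and shows why nonce lifetime alone does not stop replay: the RFC 2617 nonce-count (`nc`) field, which the client must increment on every request, is what lets the server reject a repeated request within the lifetime. The verifier is run once with `nc` tracking and once without, so the difference is visible. All names, secrets and sample header values are constructed for the example.

```python
import hashlib
import hmac

# Server-side secret used to bind nonces; a constructed value for this example.
SERVER_SECRET = b"example-secret-change-me"


def make_nonce(now: float, lifetime: int, secret: bytes = SERVER_SECRET) -> str:
    """Nonce = expiry timestamp ':' HMAC tag. The tag lets the server verify the
    expiry statelessly; the format itself is an assumption of this example."""
    expires = str(int(now) + lifetime)
    tag = hmac.new(secret, expires.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{expires}:{tag}"


def nonce_is_fresh(nonce: str, now: float, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the nonce carries a valid tag and has not yet expired."""
    try:
        expires_s, tag = nonce.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    expected = hmac.new(secret, expires_s.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected) and now < expires


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth (MD5 algorithm)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    def __init__(self, realm: str, users: dict, lifetime: int, track_nc: bool = True):
        self.realm = realm
        self.users = users          # username -> password (plaintext only for the demo)
        self.lifetime = lifetime    # nonce lifetime in seconds
        self.track_nc = track_nc    # whether to enforce a strictly increasing nc per nonce
        self.seen_nc = {}           # nonce -> highest nonce-count accepted so far

    def issue_nonce(self, now: float) -> str:
        return make_nonce(now, self.lifetime)

    def verify(self, hdr: dict, method: str, now: float) -> str:
        """Return 'ok', 'stale' (expired/forged nonce), 'replay' or 'bad'."""
        nonce = hdr["nonce"]
        if not nonce_is_fresh(nonce, now):
            return "stale"
        password = self.users.get(hdr["username"])
        if password is None:
            return "bad"
        expected = digest_response(hdr["username"], self.realm, password, method,
                                   hdr["uri"], nonce, hdr["nc"], hdr["cnonce"])
        if not hmac.compare_digest(expected, hdr["response"]):
            return "bad"
        if self.track_nc:
            nc = int(hdr["nc"], 16)
            # A repeated or lower nc for the same nonce is a replayed request.
            if nc <= self.seen_nc.get(nonce, 0):
                return "replay"
            self.seen_nc[nonce] = nc
        return "ok"


def demo(track_nc: bool = True):
    """Issue a 10-second nonce, accept a request, resubmit the identical headers
    1 s later, then again after the nonce has expired."""
    v = DigestVerifier("example", {"alice": "s3cret"}, lifetime=10, track_nc=track_nc)
    t0 = 1_000_000.0
    nonce = v.issue_nonce(t0)
    hdr = {"username": "alice", "uri": "/index.html", "nonce": nonce,
           "nc": "00000001", "cnonce": "abc123"}
    hdr["response"] = digest_response("alice", "example", "s3cret", "GET",
                                      "/index.html", nonce, "00000001", "abc123")
    first = v.verify(hdr, "GET", t0 + 1)
    repeat = v.verify(hdr, "GET", t0 + 2)    # same headers again, nonce still valid
    late = v.verify(hdr, "GET", t0 + 11)     # nonce has expired
    return first, repeat, late


if __name__ == "__main__":
    print("with nc tracking:   ", demo(True))
    print("without nc tracking:", demo(False))
```

With `track_nc=False` the second submission is accepted, which is exactly the behaviour described in the thread; with it enabled, the same request is rejected as a replay even though the nonce is still within its lifetime. Shortening the lifetime narrows the window but does not close it, so a server that wants replay protection has to remember the last `nc` it accepted for each outstanding nonce (or otherwise tie nonces to a single use).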
