Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: HTTP sniffer for Digest Authentication?

from [Ivan Ristic] Network Security [Permanent Link]
Subject: Re: HTTP sniffer for Digest Authentication?
Date: Wed, 22 Sep 2004 10:25:31 +0100 


However I am not sure how you plan to use this Digest to replay an attack. 


  At this time I am only evaluating advantages of Digest over
  Basic authentication, so I won't be trying any of this in practice.



Usually the webservers use "nonce" to calculate the MD5 digest for
digest authentication, which makes replaying an attack, using a
sniffed digest, virtually impossible. Nonce is different each time
401 challenge is issued, thus making the digest different each time.


  That is correct, but there is still a window of opportunity while
  a server-generated nonce remains valid. Nonce lifetime is
  implementation and configuration specific. For example, on Apache
  it defaults to 300 seconds. If I am in position to discover Digest
  hashes as they travel over the wire, each hash would give me
  five minutes authenticated time with the server. Provided there
  are other active users on the server, I can repeat the process for
  as long as I want.

  The point is that if I know what I am doing, Digest authentication has
  few advantages over Basic. But, while Digest won't deter attackers
  who understand HTTP well, it will still serve as a barrier to those
  who have no or little technical skills, but would happily use a
  password sniffer to discover base-64 encoded passwords.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: HTTP sniffer for Digest Authentication?, Saqib . N . Ali
Next by Date:  OWASP NYC Local Chapter Meeting, Stan Guzik
Previous by Thread:  Re: HTTP sniffer for Digest Authentication?, Saqib . N . Ali
Next by Thread:  Re: HTTP sniffer for Digest Authentication?, Saqib . N . Ali
Indexes:  [Date] [Thread] [Top] [All Lists]