Monday, April 2, 2018

Setting up HTTP Digest Authentication


SETTING UP HTTP DIGEST AUTHENTICATION

- Layout for this exercise:



- While HTTP Basic Authentication exchanges "username:password" in plain text, just encoded with Base64, HTTP Digest Authentication sends an MD5 hash derived from the credentials instead of the credentials themselves.

- In future posts we'll see how the MD5 is crafted by the Apache server. For now, more information about HTTP Digest Authentication is available here:

https://en.wikipedia.org/wiki/Digest_access_authentication


- Let's set up HTTP Digest Authentication on the Apache web server for the folder "digestauth", located in the web root folder "/var/www/html/":

- First of all, the mod_auth_digest module must be installed:



- The htdigest utility creates the file (in this case a hidden file named .htdigest) that Apache uses to check the credentials. Three parameters are provided by the user:

     realm: whitelist_authority
     username: admin
     password: ababa



- Checking the content of the hidden file .htdigest:



- Adding some directives to the virtual host configuration file, located at "/etc/apache2/sites-enabled/000-default.conf":



- Note that the directives are specified for the folder "digestauth" by its full path, "/var/www/html/digestauth". Also, AuthName must match the realm given to htdigest, in this case "whitelist_authority":




- Restarting the web server:



- Checking that the configuration is correct:



- Checking the status of the server:




- Now, if wrong credentials are provided, the server answers with a 401 Unauthorized message:





- However, when authenticating with the correct credentials, the web resource is accessible:
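- The following is an added example, not code from the original post: it shows what the .htdigest file created above actually contains, how Apache's mod_auth_digest checks a Digest response against it, and, for contrast with the first paragraph, what HTTP Basic sends. The MD5 construction is the standard one from RFC 2617 (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)); the user, realm and password are the ones from the post, while the .htdigest path, nonce and cnonce values are constructed here and not taken from the post.

```python
# Added example (not from the original post): the Digest credential store and
# check that the htdigest/mod_auth_digest setup above relies on.
import base64
import hashlib
import hmac

REALM = "whitelist_authority"
# Assumed location of the credentials file; the post does not give its path.
HTDIGEST_PATH = "/etc/apache2/.htdigest"


def md5_hex(text: str) -> str:
    """Hex MD5 of a string, the primitive every Digest step is built on."""
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    """HTTP Basic only Base64-encodes 'user:password'; it hides nothing."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def htdigest_line(username: str, realm: str, password: str) -> str:
    """One line as htdigest(1) writes it: user:realm:HA1 with
    HA1 = MD5(user:realm:password). The plain password is never stored,
    but HA1 alone is enough to answer a challenge for this realm, so the
    file must be protected like a password file."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return f"{username}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side proof for qop=auth (RFC 2617):
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def load_htdigest(text: str) -> dict:
    """Parse .htdigest content into {(user, realm): HA1}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def verify_digest(htdigest_text, username, realm, method, uri,
                  nonce, nc, cnonce, response, qop="auth") -> bool:
    """Server side: look up HA1 for (user, realm), recompute the expected
    response and compare in constant time. Unknown users fail closed."""
    ha1 = load_htdigest(htdigest_text).get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def apache_directory_block(folder: str, realm: str, htdigest_path: str) -> str:
    """mod_auth_digest directives for one folder; AuthName must equal the
    realm used when the .htdigest entries were created."""
    return "\n".join([
        f'<Directory "{folder}">',
        "    AuthType Digest",
        f'    AuthName "{realm}"',
        "    AuthDigestProvider file",
        f'    AuthUserFile "{htdigest_path}"',
        "    Require valid-user",
        "</Directory>",
    ])


if __name__ == "__main__":
    entry = htdigest_line("admin", REALM, "ababa")
    print(entry)
    print(basic_header("admin", "ababa"))
    ha1 = entry.rsplit(":", 1)[1]
    # Constructed challenge values; a real server issues a fresh nonce per challenge.
    resp = digest_response(ha1, "GET", "/digestauth/", "dcd98b7102dd2f0e", "00000001", "0a4f113b")
    print(verify_digest(entry, "admin", REALM, "GET", "/digestauth/",
                        "dcd98b7102dd2f0e", "00000001", "0a4f113b", resp))
    print(apache_directory_block("/var/www/html/digestauth", REALM, HTDIGEST_PATH))
```

- The practical consequence for the setup above: .htdigest holds HA1, which is password-equivalent for the realm, so the file should not be placed inside the served folder and must be readable only by the Apache user. Digest still uses MD5 and protects against passive reading of the password, not against an attacker who can tamper with the connection, so it is a complement to HTTPS, not a substitute.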


HTTP Basic Authentication bruteforce attack with Burp proxy


HTTP BASIC AUTHENTICATION BRUTEFORCE ATTACK WITH BURP PROXY

- Layout for this exercise:



- This exercise is based on the previous post Setting up HTTP Basic Authentication.

- In this case the goal is to brute-force HTTP Basic Authentication using the Burp Suite proxy.

- First of all, let's manually configure a proxy connection in the Firefox browser on Kali Linux.

- Firefox -> Preferences -> Advanced -> Network -> Connection Settings:





- Manual proxy configuration: listening on localhost port 8080:





- Launching Burp:

- Options tab: checking that the proxy is listening on the localhost interface at port 8080:





- Connecting the browser to the web page protected with Basic Authentication:




- Burp intercepts the request to the web page:



- Forwarding the request:




- The Apache web server responds with the "Authentication Required" message. Let's enter some arbitrary credentials, for instance "asdfg:asdfg":




- Burp intercepts the request that carries the credentials:




- Now Burp will help us craft those credentials. For that purpose, the request is sent to Intruder:




- The target of the attack is www.whitelist.com:




- The Positions tab specifies where the payload is inserted for the attack. Base64-decoding the Authorization header reveals the fake credentials "asdfg:asdfg":

- Marking the username:password position between section signs (§):

- In the next tab, Payloads, the attack type is set to Brute forcer.





- In this example the character set is simple, just 2 letters (ab), and both the minimum and the maximum length are 5 characters.




- Adding a processing rule for the prefix "admin:", corresponding to the username:




- Adding a processing rule for Base64 encoding, used by Basic Authentication:




- The two rules for processing the payload:





- It is also very important to remove the character = from the set of characters that Burp URL-encodes, because = is used by Base64 for padding and must reach the server unmodified:







- The attack is ready to be started:







- Because the character set has 2 symbols and the length is 5, the total number of tries is 2^5 = 32.

- The attack starts, and the response status is 401 until a 200 answer is received. Obviously, the 200 response corresponds to the successful try:



- Decoding with Base64:





- The result is the correct credentials "admin:ababa":




- The web server responds, as expected, with the HTML code of the web page:








- Removing the proxy:

- Finally, authenticating with the correct credentials, the web page is available:

Bypassing HTTP Basic Authentication with Metasploit


BYPASSING HTTP BASIC AUTHENTICATION WITH METASPLOIT

- Layout for this exercise:



- This exercise is based on the previous post Setting up HTTP Basic Authentication.

- Creating the files users.txt and passwords.txt:

- Launching Metasploit in quiet (-q) mode:



- Using the auxiliary module http_login:




- Setting some options:




- Running the module, there is a successful login corresponding to the correct credentials:





- Authenticating with the correct credentials, the web resource is available:

- Note: in this exercise a very simple username:password combination has been used, because the purpose was just to illustrate the usage of the attacking tools. However, in the real world there are extensive lists of username:password combinations that can be used for dictionary and brute force attacks. The Kali command # locate wordlists lists many available wordlists, for instance in the folder /usr/share/wordlists.
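- Both the Burp Intruder run in the previous post (32 tries, 401 until the single 200) and the Metasploit http_login run here leave the same trace on the server side: a burst of 401 responses from one client, optionally followed by a 200. The following is an added example, not code from either post, showing how a defender would spot that pattern in Apache's access log. The log lines are constructed to mirror the Burp run (32 failures at one-second intervals, then a success) plus one ordinary user who mistyped once; the 60-second window and the threshold of 10 failures are assumptions to tune for the site.

```python
# Added example (not from the original posts): detecting a credential
# brute-force run against Basic/Digest-protected folders in Apache logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; only client IP, timestamp, request and status matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["req"],
        "status": int(m["status"]),
    }


def find_auth_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Per client IP, count 401 responses inside a sliding time window.
    An IP is flagged once it reaches `threshold` failures within `window`;
    the alert also records whether a 200 arrived while the failure count was
    still high, the signature of a guessing run that hit the right credentials."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["time"])
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in per_ip.items():
        recent_failures = []  # timestamps of 401s still inside the window
        peak = 0
        success_after_failures = False
        for e in evs:
            # Drop failures that have aged out of the window.
            while recent_failures and e["time"] - recent_failures[0] > window:
                recent_failures.pop(0)
            if e["status"] == 401:
                recent_failures.append(e["time"])
                peak = max(peak, len(recent_failures))
            elif e["status"] == 200 and len(recent_failures) >= threshold:
                success_after_failures = True
        if peak >= threshold:
            alerts[ip] = {"peak_failures": peak,
                          "success_after_failures": success_after_failures}
    return alerts


def sample_log():
    """Constructed log lines: 32 guesses from one client (the 2^5 tries of the
    Burp run) ending in a 200, plus a normal user who mistyped once."""
    base = datetime(2018, 4, 2, 10, 15, 0)
    fmt = '{ip} - - [{ts}] "GET /basicauth/ HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'
    lines = []
    for i in range(32):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, status=401, size=459))
    ts = (base + timedelta(seconds=32)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    lines.append(fmt.format(ip="10.0.0.5", ts=ts, status=200, size=318))
    lines.append(fmt.format(ip="10.0.0.9", ts="02/Apr/2018:10:20:00 +0000", status=401, size=459))
    lines.append(fmt.format(ip="10.0.0.9", ts="02/Apr/2018:10:20:07 +0000", status=200, size=318))
    return lines


if __name__ == "__main__":
    for ip, info in find_auth_bruteforce(sample_log()).items():
        print(ip, info)
```

- Run against a real file with find_auth_bruteforce(open("/var/log/apache2/access.log").read().splitlines()). A flagged IP with success_after_failures set is the case to act on first: the guessing run most likely found a valid credential, so that account's password should be changed and the source blocked. The same counter is what tools like fail2ban implement for Apache auth failures, and it works identically for Basic and Digest since both answer a wrong guess with 401.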