hydra and HTTP NTLM


Robin Wood

May 23, 2012, 8:14:59 AM
to weba...@securityfocus.com, PaulDotCom Mailing List
Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
to brute force a MS Front Page login which only asks for
authentication when the OPTIONS method is used as far as I can tell.

Robin



Robin Wood

May 24, 2012, 9:08:04 AM
to Tony Turner, PaulDotCom Security Weekly Mailing List, _, weba...@securityfocus.com
On 24 May 2012 13:36, Tony Turner <tony_l...@yahoo.com> wrote:
> Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is there
> a reason you wanted to use Hydra?

I've tried that but it seems to expect the login request for a simple
GET. I'm testing a FrontPage install which allows me to read but then
fails on write. Checking the traffic when I click save it sends an
OPTIONS request which gets a reply of 401 which triggers FP to then
start the handshake.

Robin

> ________________________________
> From: Robin Wood <ro...@digininja.org>
> To: _ <packe...@gmail.com>
> Cc: "weba...@securityfocus.com" <weba...@securityfocus.com>; PaulDotCom
> Mailing List <pauld...@mail.pauldotcom.com>
> Sent: Thursday, May 24, 2012 8:17 AM
> Subject: Re: [Pauldotcom] hydra and HTTP NTLM
>
> On 24 May 2012 13:06, _ <packe...@gmail.com> wrote:
>> http ntlm is IIS based windows auth.
>
> Yes but I still don't know how to attack it.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauld...@mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_

May 24, 2012, 8:33:49 AM
to Robin Wood, weba...@securityfocus.com, PaulDotComMailing List
what kind of attack have you done so far?

On May 24, 2012, at 6:17 AM, Robin Wood <ro...@digininja.org> wrote:

> On 24 May 2012 13:06, _ <packe...@gmail.com> wrote:
>> http ntlm is IIS based windows auth.
>
> Yes but I still don't know how to attack it.
>
> Robin
>
>> On May 23, 2012, at 6:14 AM, Robin Wood <ro...@digininja.org> wrote:
>>

_

May 24, 2012, 8:06:34 AM
to Robin Wood, weba...@securityfocus.com, PaulDotCom Mailing List
http ntlm is IIS based windows auth.

On May 23, 2012, at 6:14 AM, Robin Wood <ro...@digininja.org> wrote:

Robin Wood

May 24, 2012, 8:17:22 AM
to _, weba...@securityfocus.com, PaulDotCom Mailing List
On 24 May 2012 13:06, _ <packe...@gmail.com> wrote:
> http ntlm is IIS based windows auth.

Yes but I still don't know how to attack it.

Robin

Seth Art

May 23, 2012, 3:46:45 PM
to Robin Wood, weba...@securityfocus.com
I have not used the new HTTP NTLM feature of Hydra, but just an FYI to
be mindful of account lockouts if the backend auth is NTLM based.

Seth

Norma Snockers

May 25, 2012, 2:59:43 AM
to weba...@securityfocus.com, PaulDotCom Mailing List
OK, not what you were originally asking, but I used to use tsgrinder.

-----Original Message-----

From: Robin Wood
Sent: 25 May 2012 03:33:31 GMT
To: _
Cc: weba...@securityfocus.com,PaulDotCom Mailing List
Subject: Re: hydra and HTTP NTLM

On 24 May 2012 13:06, _ <packe...@gmail.com> wrote:
> http ntlm is IIS based windows auth.

Yes but I still don't know how to attack it.

Robin

Robin Wood

May 25, 2012, 4:10:31 PM
to Navarro, Gregory J, Tony Turner, PaulDotCom Security Weekly Mailing List, _, weba...@securityfocus.com
On 25 May 2012 16:59, Navarro, Gregory J <Gregory....@disney.com> wrote:
> Do you know of a valid login but just not the password? If so, just fuzz it with Burp.

I have no credentials, but even if I did I don't think Burp does NTLM;
for it to do it, it would have to be able to work with the four-way
handshake, and I've not seen anywhere that that appears to be an
option. If you can point me at how to do it I'll happily try.

Robin

Navarro, Gregory J

May 25, 2012, 11:59:04 AM
to Robin Wood, Tony Turner, PaulDotCom Security Weekly Mailing List, _, weba...@securityfocus.com
Do you know of a valid login but just not the password? If so, just fuzz it with Burp.

From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] On Behalf Of Robin Wood
Sent: Thursday, May 24, 2012 6:08 AM
To: Tony Turner; PaulDotCom Security Weekly Mailing List
Cc: _; weba...@securityfocus.com

Robin Wood

May 25, 2012, 8:59:50 AM
to Security Auditor, weba...@securityfocus.com, PaulDotCom Mailing List
On 25 May 2012 13:52, Security Auditor <audit...@gmail.com> wrote:
> Hi,
> I would say use an interceptor proxy which can handle this stuff
> easily. For example burp, ZAP or others.
>
> I played with hydra on DVWA app and could not succeed at bruting.....
>
> hope this helps

I don't know a way to get Burp to brute force NTLM, can ZAP do it? Any
instructions would be gratefully received.

Robin

> cheers
>
> Audi

Security Auditor

May 25, 2012, 8:52:30 AM
to Robin Wood, weba...@securityfocus.com, PaulDotCom Mailing List
Hi,
I would say use an interceptor proxy which can handle this stuff
easily. For example burp, ZAP or others.

I played with hydra on DVWA app and could not succeed at bruting.....

hope this helps

cheers

Audi

On Wed, May 23, 2012 at 2:14 PM, Robin Wood <ro...@digininja.org> wrote:

Robin Wood

May 25, 2012, 4:02:11 AM
to Jamie Riden, weba...@securityfocus.com
On 25 May 2012 08:55, Jamie Riden <jamie...@gmail.com> wrote:
> On 23 May 2012 13:14, Robin Wood <ro...@digininja.org> wrote:
>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
>> to brute force a MS Front Page login which only asks for
>> authentication when the OPTIONS method is used as far as I can tell.
>
> Pathological case is to use something like ntlmaps -
> http://ntlmaps.sourceforge.net/ - and script that. Would be slow but
> it would be something.
>
> Might be better to rip or amend the code though...

I saw that mentioned as an option when someone else asked about this
area but was after a quicker option. I might have a look through this
after the test as a tool for next time.

> cheers,
>  Jamie
> --
> Jamie Riden / ja...@honeynet.org / jamie...@gmail.com
> http://uk.linkedin.com/in/jamieriden

Jamie Riden

May 25, 2012, 3:55:23 AM
to Robin Wood, weba...@securityfocus.com
On 23 May 2012 13:14, Robin Wood <ro...@digininja.org> wrote:
> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
> to brute force a MS Front Page login which only asks for
> authentication when the OPTIONS method is used as far as I can tell.

Pathological case is to use something like ntlmaps -
http://ntlmaps.sourceforge.net/ - and script that. Would be slow but
it would be something.

Might be better to rip or amend the code though...

Fábio Soto

May 26, 2012, 9:51:53 AM
to Seth Art, Robin Wood, weba...@securityfocus.com
... and the Active Directory configured to block access after "n" login
attempts...

-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] On
Behalf Of Seth Art
Sent: Wednesday, 23 May 2012 16:47
To: Robin Wood
Cc: weba...@securityfocus.com
Subject: Re: hydra and HTTP NTLM

Robin Wood

May 26, 2012, 5:35:29 PM
to PaulDotCom Security Weekly Mailing List, Navarro, Gregory J, PaulDotCom Security Weekly Mailing List, _, weba...@securityfocus.com
On 25 May 2012 21:59, Sherif El-Deeb <arche...@gmail.com> wrote:
> Back when nothing was supporting Outlook Web Access bruteforcing, I've
> written a simple bash script that automated the process using "curl"... I
> suggest you do the same.
>
> "curl --ntlm" -> it will be two nested for loops, the outer iterates through
> usernames, the inner iterates through passwords... then process server's
> answer using multiple grep and cut to check for correct/bad credentials
> using variables and "if".
>
> The only problem with that method will be the speed(lack of), so, I have
> included a simple function to make sure at least "32" instances of curl are
> running at any given time
>
> ===== start of code example=====
> #!/bin/bash
> .....
> .....
> CheckCurl(){
> CurlCount=$(pidof curl | wc -w)
> [ $CurlCount -ge 32  ] && CheckCurl
> }
>
> echo [*] Starting...
> for USER in $(cat $userList)
> do
>         for PASSWORD in $(cat $passList)
>         do
> #before running the command, we want to make sure that the running instances
> of curl are not greater than 32
>                 CheckCurl
> #note that this will save the output to a folder called "html_out", change
> that or create it.
>                 curl --ntlm -u 'domain\ $USER:$PASSWORD' blah blah blah blah
> ....... & # the ending ampersand is very important for multithreading
>         done
>
> done
>
> ===== End of code example=====
>
> Hope that helps,
> Sherif Eldeeb.

I was reading backwards through the mails so I just got curl working
then got to this mail which is a great script, I'll give it a go.

And to the people who suggested watch out for lockout, I will.

Robin
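
A defender-side complement to this exchange, added here as an example and not code from any poster in the thread: a small Python heuristic over constructed IIS W3C log lines that flags the pattern a credential-guessing loop leaves behind (many rejected credentials for the NTLM-challenged OPTIONS request from one source, and repeated failures against a single account that would trip the lockout Seth and Fábio warned about). The W3C field names are the standard IIS ones; the log lines, path, IPs, usernames and thresholds are constructed, and treating a 401 with a non-empty cs-username as a rejected credential is an assumption about how the server logs failed NTLM attempts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IIS W3C log (not taken from the thread or any real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status sc-substatus
2012-05-24 13:00:00 10.0.0.5 OPTIONS /site/ - 401 2
2012-05-24 13:00:01 10.0.0.5 OPTIONS /site/ CORP\\alice 401 1
2012-05-24 13:00:01 10.0.0.5 OPTIONS /site/ CORP\\alice 401 1
2012-05-24 13:00:02 10.0.0.5 OPTIONS /site/ CORP\\alice 401 1
2012-05-24 13:00:02 10.0.0.5 OPTIONS /site/ CORP\\bob 401 1
2012-05-24 13:00:03 10.0.0.5 OPTIONS /site/ CORP\\carol 401 1
2012-05-24 13:00:03 10.0.0.5 OPTIONS /site/ CORP\\dave 401 1
2012-05-24 13:05:00 10.0.0.9 OPTIONS /site/ - 401 2
2012-05-24 13:05:01 10.0.0.9 OPTIONS /site/ CORP\\erin 200 0
"""

def parse_log(text):
    # The #Fields directive names the columns; every other non-comment line is a record.
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            events.append(rec)
    return events

def failed_auth(rec):
    # Assumption: a 401 carrying a username is a rejected credential; the bare NTLM
    # challenge that precedes every handshake is logged with username "-" and is normal.
    return rec["sc-status"] == "401" and rec["cs-username"] != "-"

def detect(events, window=timedelta(minutes=1), max_users=3, max_per_user=3):
    # Returns source IPs that cycle through accounts quickly (spraying/brute force)
    # and accounts whose failure count is approaching a typical AD lockout threshold.
    per_ip, per_user = defaultdict(list), defaultdict(int)
    for rec in events:
        if failed_auth(rec):
            per_ip[rec["c-ip"]].append(rec)
            per_user[rec["cs-username"]] += 1
    spraying = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0  # sliding window over this IP's failures, oldest at index lo
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            if len({r["cs-username"] for r in recs[lo:hi + 1]}) >= max_users:
                spraying.append(ip)
                break
    lockout_risk = sorted(u for u, n in per_user.items() if n >= max_per_user)
    return {"spraying": spraying, "lockout_risk": lockout_risk}
```

Run against the sample, `detect(parse_log(SAMPLE_LOG))` flags 10.0.0.5 as spraying and CORP\alice as at lockout risk, while 10.0.0.9's single successful login is left alone.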

Gary Oleary-Steele

May 27, 2012, 4:44:13 AM
to Robin Wood, Security Auditor, weba...@securityfocus.com, PaulDotCom Mailing List
Robin,

I have a ruby script for this somewhere, it's integrated with our scanner system but I'll see if I can pull the code to use as standalone. If I were you though I'd use python with urllib2, has ntlm support via an extension (or "opener" as they are known), also ruby http libs support ntlm. The protocol for frontpage is simple to replicate for what you need, I'll send you an example on Monday.

Gary

Sent from my iPhone

Robin Wood

May 27, 2012, 6:09:19 PM
to Gary Oleary-Steele, Security Auditor, weba...@securityfocus.com, PaulDotCom Mailing List
On 27 May 2012 09:44, Gary Oleary-Steele <Ga...@sec-1.com> wrote:
> Robin,
>
> I have a ruby script for this somewhere, it's integrated with our scanner system but I'll see if I can pull the code to use as standalone. If I were you though I'd use python with urllib2, has ntlm support via an extension (or "opener" as they are known), also ruby http libs support ntlm. The protocol for frontpage is simple to replicate for what you need, I'll send you an example on Monday.

Brilliant, thanks.

Robin