Re: check authentication-methods

From: andric cheung (andriccheungyahoo.com.hk)
Date: Wed Jun 18 2003 - 11:17:24 CDT


In-Reply-To: <BAY7-F32t5BBBVhyemY0003be8ahotmail.com>

Thomas,

Telnet is a good way. However, when the site is SSL protected, you will
need something like an SSL proxy to check the authentication method.

You can consider:
achilles (win),
paros proxy (java, proxy chaining support),
spike proxy (browser)

Andric

>
>There is a valid reason for an automated tool to check authentication
>methods. On several large web portals, one might find several different
>authentication methods for any number of site paths. I've seen this on a
>few occasions. Yet I have not seen it in any automated tool.
>-Joe R.
>
>-----Original Message-----
>From: Dennis Hurst [mailto:dennishurstinc.com]
>Sent: Saturday, June 14, 2003 11:17 PM
>To: 'Thomas Springer'; webappsecsecurityfocus.com
>Subject: RE: check authentication-methods
>
>
>Thomas,
>
>You could just Telnet to the web server on port 80 and send a simple GET
>/ request, then look at the headers that come back. Here is an example of
>what comes back from IIS.
>
>Server: Microsoft-IIS/5.0
>Date: Sun, 15 Jun 2003 04:15:03 GMT
>WWW-Authenticate: Negotiate
>WWW-Authenticate: NTLM
>Content-Length: 4431
>Content-Type: text/html
>
>
>The WWW-Authenticate: NTLM header tells you it's asking for NTLM. If
>it's using basic it will have BASIC in the header.
>
>Here's how I did it
>
>At a command prompt type: telnet <your web server> 80 <press enter>
>You will get a blank screen, type GET / <press enter>
>You will get the headers dumped back to you.
>
>Hope this helps.
>
>
>Have a great day,
>
>Dennis Hurst
>dhurstspidynamics.com
>SPI Labs
>
>
>-----Original Message-----
>From: Thomas Springer [mailto:tuevserveraudit.net]
>Sent: Friday, June 13, 2003 7:00 AM
>To: webappsecsecurityfocus.com
>Subject: check authentication-methods
>
>
>Does anybody know a tool (preferably win32) to check which
>401-authentication-methods are supported by a webserver (i.e. basic,
>ntlm)?
>
>thomas springer
>tuev-sueddeutschland
>it-security
>
>Thomas Springer
>
>
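
The header check described in the quoted replies, extended to the several-paths case, as an added example that is not part of the original thread: it parses the `WWW-Authenticate` headers of captured 401 responses and lists the schemes offered per path. The function names, the status lines and the `/staff/` response are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf"^{TOKEN}\s*=")          # auth-param such as realm="x"
START = re.compile(rf"^({TOKEN})(?:\s|$)")    # scheme name that opens a challenge
# Comma-separated items; a comma inside a quoted-string does not split.
PIECE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def split_outside_quotes(value):
    """Split a header value on commas that are outside quoted-strings."""
    return [p.strip() for p in PIECE.findall(value) if p.strip()]

def offered_schemes(raw_response):
    """Lower-cased schemes from every WWW-Authenticate header, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for piece in split_outside_quotes(value):
            # A piece like nonce="n1" belongs to the previous challenge.
            m = None if PARAM.match(piece) else START.match(piece)
            if m:
                schemes.append(m.group(1).lower())
    return schemes

def audit(responses):
    """Map path -> (schemes, True if Basic is offered without TLS)."""
    out = {}
    for (proto, path), raw in responses.items():
        offered = offered_schemes(raw)
        out[path] = (offered, proto == "http" and "basic" in offered)
    return out

# Constructed sample responses: the first reuses the IIS headers quoted in the
# thread, the second is invented to show one header carrying two challenges.
ROOT = ("HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
        "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
STAFF = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: BASIC realm="Portal, staff", '
         'Digest realm="p", nonce="n1"\r\n\r\n')
SAMPLES = {("http", "/"): ROOT, ("http", "/staff/"): STAFF}

if __name__ == "__main__":
    for path, (schemes, basic_in_clear) in audit(SAMPLES).items():
        print(path, schemes, "Basic over plain HTTP" if basic_in_clear else "")
```

The flag marks paths where Basic is offered on plain HTTP, since Basic credentials are only base64-encoded on the wire.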