This needs a little introduction... A guy named SnakE was asking a question in BSRF's IRC channel. It was about an .htpasswd file that he got, and I sort of got carried away... into a mini lecture... :-)

«@Raven» SnakE u got an .htpasswd password?
«@Raven» so what's not to know?
«@Raven» ok it's time for a spontaneous mini-lecture
«@Raven» :-)
«@Raven» is everyone ready?
*** Joins: Legion (ahhh@AC850B25.ipt.aol.com)
«@Raven» btw who logged my previous spontaneous mini-lecture?
[r[T]s] and the subject is?
«@Raven» hi Legion
«Legion» hello
«@Raven» r[T]s, http authentication
[r[T]s] kewl
«@Raven» a few people were asking about it
«@Raven» so i've decided to run a little lecture
«@Raven» ok is everyone paying attention?
«+SnakE» go go go
«+SnakE» :)
[r[T]s] no :-), but as Nike says "Just do it!"
«@Raven» alright, can anyone log this please?
* r[T]s is logging
«@Raven» anyone else?
* Legion logging
«@Raven» btw r[T]s send me the logs after we finish
«@Raven» barakirs@netvision.net.il
«@Raven» ok let's go
[r[T]s] k
«+SnakE» ready
«+SnakE» :-)
[r[T]s] only it's quite ugly in txt ver :(
«@Raven» alright, sometimes, when u enter a website or a certain section of it, you need to enter a password
«@Raven» and i'm not talking about javascript passwords
«@Raven» nor java passwords
«@Raven» i'm talking about http authentication
«@Raven» you are presented with a dialog box that asks you for a username and password
«@Raven» the text in the dialog box depends on your browser
«@Raven» now, what exactly is happening here?
«@Raven» when u enter a directory on a webserver (for example: / on www.microsoft.com, or /seti at blacksun.box.sk/seti etc')
«+SnakE» what??
«@Raven» ohh btw / is not the real / (as in the root directory) of the system
«elad» could you hold the lecture 5 minutes i have to walk my dog
«@Raven» it's just the "webroot" directory
«@Raven» elad walk him in front of your PC
«@Raven» :-)
«elad» (/ is DocumentRoot - assuming you use apache)
«elad» brb
«@Raven» anyway when u set up a web server, you tell it which directory it should treat as its /
«@Raven» ok anyway, when u enter a directory
«@Raven» when u enter a directory
«@Raven» the web server checks for an .htpasswd file
«@Raven» if there's an .htpasswd file in the directory
«@Raven» it will not let you in just like that
«@Raven» the .htpasswd is much like the unix password file
«@Raven» it uses the same encryption
«@Raven» and it's formatted in the username:encrypted-password form
«@Raven» very similar to /etc/passwd on unix
«@Raven» so if you manage to acquire this file
«@Raven» u can use a standard unix password cracker, such as cracker jack or john the ripper or crack
«@Raven» some will ask you to make it look like it's a real password file
«@Raven» so instead of presenting them with raven:16Jjs05hW3456, you'll have to form it this way:
«@Raven» username:password:uid:gid:free_text:home_directory:shell
«@Raven» or just raven:16Jjs05hW3456:a:a:a:a:a
«@Raven» the password cracker only looks at the first two fields
«@Raven» any questions so far?
«@Raven» or can we get to the "how to obtain the .htpasswd file" part?
[r[T]s] the content of the .htpasswd file is something like "user:encrypted_pass" ?
«@Raven» yes
«@Raven» the crypto is the same that unix uses
«@Raven» altered DES
«Legion» does the .htpasswd file contain all the passwords that are used?
«@Raven» no, only the passwords for HTTP access
[r[T]s] in that specific dir, right?
«Legion» that's what i meant :)
«@Raven» it's used to restrict access to directories on the web server
«@Raven» ohh ok
«@Raven» r[T]s, yes
«@Raven» and u can have multiple usernames and passwords
«@Raven» btw .htpasswd authentication is what most porn sites use
«@Raven» :-)
«@Raven» just for your information
«@Raven» alright, are we ready to continue?
«+SnakE» yes
[r[T]s] ye
«@Raven» alright, so now we get to obtaining the .htpasswd file
[r[T]s] > "how to obtain the .htpasswd file" <
[r[T]s] :)
«@Raven» r[T]s very cute
«@Raven» ok let's continue
«@Raven» so basically we'll have to exploit all sorts of server holes
«@Raven» for example:
«@Raven» once upon a time there was a very ground-shaking hole in the coldfusion webserver
«@Raven» a lot of webpages were hacked at that time
«@Raven» anyway, if i remember correctly, the bug allowed a user to exploit a hole in a cgi script or another sort of script
«@Raven» and display any file he wanted
«@Raven» just by typing in a url
[r[T]s] something like "showcode.asp" in NT?
«+SnakE» isn't front page vulnerable to such bugs?
«@Raven» something like (i'm just making this up as an example, i don't really remember it): blacksun.box.sk/somescript?show=secret_passwords.txt
«@Raven» SnakE, yes, some versions of frontpage too
«@Raven» r[T]s, yes, much like the showcode.asp bug
«@Raven» many webservers have such holes
[r[T]s] kewl kewl
«@Raven» of course the existence of the hole depends on the version of the webserver
«@Raven» so basically we need to identify the web server and version
«+SnakE» Raven do u know where i can find the pwd files if using front_page?
«@Raven» and search a database such as packetstorm.securify.com
[r[T]s] SnakE; fp has many _vti_xxx holes, if i'm not mistaken
«@Raven» SnakE can we get to it later please?
«@Raven» r[T]s right
«@Raven» anyway...
«@Raven» finding the web server type and version is easy
«@Raven» basically u just do what i explained in the tutorial, uh...
«@Raven» it was named...
*** Quits: Legion (ahhh@AC850B25.ipt.aol.com) (Ping timeout)
«@Raven» ok wait a sec lemme check
[r[T]s] telnet to it, maybe? (port 80)
«@Raven» Extracting Web Server Information using Telnet
«@Raven» funky name
«+SnakE» yes
«@Raven» anyway if you're reading the logs right now and you don't know what to do, read that tutorial
«+SnakE» :-)
«@Raven» and after u get this file, u can just crack it
«@Raven» and voilà!! you're in
«@Raven» that's all for today folks, now can i have the logs? :-)
«@Raven» barakirs@netvision.net.il
[r[T]s] sure.
[r[T]s] just a sec

Oh, almost forgot to mention... in fact I forgot to mention this during the lecture, so I'm adding this as a footnote: Such passwords can also be broken by brute-force password crackers. These programs submit different passwords to the server, taken from a word list or just made up from letter/number/symbol combinations. However they are very slow, and it's very easy to detect such an attack and block your attempts, or even worse - let you think you got it wrong even when you entered the correct password, so the average script kiddie would believe that he didn't get the password.