lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <005801c455a5$7e7e0790$3200000a@alex>
From: jkuperus at planet.nl (Jelmer)
Subject: RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition

>As a addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...

Don't mind if I do :)

The following demo will read out your logon name and your logon domain, or
at least it should :)

http://jelmer.homedns.org/test.htm

The url used is http://jelmer%2fwww.jelmer.homedns.org 

The problem is that ie looks at the part before the %2f to determine the
security zone etc but then loads the url in it's entirety, like this

http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded

IE treats any url it sees without a period in it such as http://jelmer as
part of the Local Intranet Zone

>From the intranet zone we can easily obtain the logon name because Automatic
logon thru NTLM is enabled by default in the intranet zone.


Code at http://jelmer.homedns.org/code.zip

I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ