[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <005801c455a5$7e7e0790$3200000a@alex>
From: jkuperus at planet.nl (Jelmer)
Subject: RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition
>As a addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...
Don't mind if I do :)
The following demo will read out your logon name and your logon domain, or
at least it should :)
http://jelmer.homedns.org/test.htm
The url used is http://jelmer%2fwww.jelmer.homedns.org
The problem is that ie looks at the part before the %2f to determine the
security zone etc but then loads the url in it's entirety, like this
http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded
IE treats any url it sees without a period in it such as http://jelmer as
part of the Local Intranet Zone
>From the intranet zone we can easily obtain the logon name because Automatic
logon thru NTLM is enabled by default in the intranet zone.
Code at http://jelmer.homedns.org/code.zip
I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder
Powered by blists - more mailing lists