Project 2068/11.1 - ObiWaN

[History |Download |Documentation |Targets |Mail ]

I. Disclaimer
II. New in current version
1. Introduction
2. How to use
3. How it works in detail
4. Tuning and Tips
5. Dangers, Problems and Bugs
Appendix
A Background

I. Disclaimer

The license for this tool can be found here.

II. New in this version (current 0.6a)

The most important change is HTTP Proxy server support. You can connecting to a proxy server in stead of connecting direct to your target. Nice feature.
Solaris is now supported - since I learned a lot about UNIX flavors, make files, header files, linker and C standards from a friendly guru. Sometimes developer and networker can learn many things from each other. In this case the networker learned more ;)
Third change: I know what I do. Yes. It´s real cool, if you know how to use memory (and free() it later !!!) and so on. The Windows version is such a smart program, because I did all mistakes on Linux before.
And some bugs fixed. Now you have a timeout function for the first connect.

1. Introduction

First: Project 2068/11.1 is called ObiWaN in this text. See Appendix A for more background informations about this names.

ObiWan is written to check Webserver. The idea behind this is: Webserver with simple challenge-response authentication mechanism mostly have no switches to set up intruder lockout or delay timings for wrong passwords. In fact this is the point to start from. Every user with a HTTP connection to a host with basic authentication can try username-password combinations as long as he/she like it.
Like other programs for UNIX system passwords (crack) or NT passwords (l0phtcrack) ObiWaN uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords. Since Webservers allow unlimited requests it is a question of time and bandwith to break in a server system.

The most interesting targets are web based administration frontends like Netscapes Server Administration. If you can break in, you are able to create accounts, stop the server and modify its content. Real fun.

2. How to use

If you look for a way in a restricted area of Web content - skip this and go to 2.2.

For breaking in a remote administration system you need more then ObiWaN (this fact will change in the next time - I think). First use a portscanner. If you find ports with "very even" numbers like 10000, 20000, 15000 and so on you should try this ports. This is because a remote administration system mostly request a port at installation time. Near every admin will take a
simple on to remember. To test this port type:

./ObiWaN -h target.bla.com -a nobody -w wordlist.txt -p (portnum) -vT

ObiWaN will test this port for the presence of a Webserver and look for basic authentication requests. I know that you in fact do not need an account name or a wordlist for this test, but this is such a minor bug. I don´t think it´s changing fast. For a Netscape Administration Server you should try the username "admin". This is because "admin" is the default value for the administration user and this is mostly not changed during the installation.

2.2 Breaking into an account

The first thing by breaking into an account is to look for a username. If you try to break in with the wrong username, you can try it as long as you like - ObiWaN will fail.

Some examples how to get a username:

Let´s take the URL http://private.hompage.server.com/~death/ . Here is the username visible in the URL. Everyone who use UNIX know what I mean. For the rest: the string after the ~ is the username. In this case is it "death".
On an other Webserver. Look for the username on the Webpages. Possible usernames are the names in email addresses (jon if there is a jon@comp.com), Informations on the bottom of the page (last modyfied by Jon Dodo <jdodo> - here is the username "jdodo") and so on.
Look for a LDAP server which gives you all usernames on the network or try finger (don´t know only one site which has enabled it)
If you are in the same LAN or logical network domain (NT Domain or something like this) try this usernames.

If you can´t get a username - look for the type of Webserver. If it is a Microsoft IIS you can use "Administrator". For an Apache you sure need a real name because it is system idependend and uses its own authentification database.
Netscape is a special case. Often (in near all cases) a Netscape Webserver (Enterprise or FastTrack) has its own remote Administration tool, and you can try "admin".

Now its time to open a shell and start ObiWaN! There are some options necessary. Not optional are:

-h hostname : This is the DNS name or IP address of your target host 
-a account  : This is the explored account name (username) 
-w wordlist : An absolute or relative path name to the big (hope so) 
              wordlist file. This one you should never edit and it should 
              have an complete empty line as it´s first. Every word is in a 
              seperate line.

The rest is usefull (why should I code useless options ??) but not necessary. If you only like to look for a specific account on your own Webserver and like to know if he is stupid enought to use the password "test" or "changeme" then that´s it. In all other cases you should read the possible options to tune your attack.

-p PortNum  : Is only needed, if you like to break in a server on a port 
              unequal to 80. (For example a Netscape Administration Server) 
-u /bla/    : Often usefull because the most restricted areas are subdirs of
              the Webserver. Remember des last /. It runs without this but is 
              not tested very well and you will get some response code unequal 
              to 200. Possible 3xx codes. 
-T          : Use this flag for tests. However, you must enter the non-optional 
              options too but only "host","port" and "URI" will be used. 
-v          : Very verbose mode. If you read this output you can write your 
              own ObiWaN. And you see all sends and responses. 
-D          : Only usefull for debuging or something obscure. I put this in 
              my code for debuging. It display one line per try and says you, 
              how many words tested yet. 
-N          : Nice feature for semi-creative passwords. It is called a numeric 
              attack. Many people take a word as password and use one or 
              two additional numbers for "secure" it. *g* 
              -N 2 says ObiWaN to try all passwords from the wordlist(s) with 
              one and two digits at the end. 
-A          : The same game as -N. This one is called alphanumeric attack. 
              What do you think is the difference ? Right ! It uses alpha- 
              numeric characters. 
-b / -B     : Very important feature for indor breakins. You must use this in 
              combination. It introduces ObiWaN to use a regular bruteforce 
              starting with -b letters up to -B letters. It takes time !!! 
-P          : Delay betwen two attemps in ms. If one test fails, ObiWaN waits 
              -P miliseconds before it trys the next one. Use this option 
              if you don´t like to produce a connection congestion in your 
              enviroment. 
-m          : How many daemons shuld try to break in. They split all tasks and 
              work parallel. The splitting betwen all daemons is not very accurate
              but it brings a time save of 30%.See section 5 for more.
-d          : Says ObiWaN where to put temporary files. But it produces only 
              in multdaemon mode such files. Ergo: Only use this option in multi
              daemon mode. Be carefull: if you werite "-d /tmp" ObiWaN makes a 
              file /tmpobwXXXXX. Do not miss the last / (eg. "-d /tmp/")!! 
-s          : Special wordlist file. Look in section 4 for details.
-x          : Proxy server. Since version 0.6 ObiWaN can use a HTTP Proxy to scan 
              servers.The Option -x requires the DNS name of this proxy.
-X          : Port of HTTP proxy daemon (only usefull with -x). If you don´t use -X,
              port 8080 is assumed.

2.3. Example

Let´s say you like to test your corperate Intranet server. First read Section 5 for possible dangers in production eviroments. Now go to your server with a standard browser and look for usernames. If you have a user at this box, look at the convention. Example: If Jon Dave have the username jdave, the coreperate convention should be "first letter from the first name and the
complete last name is the username". But be carefull by looking for conventions. Some people (particular administrators) often have special usernames.

OK. Assuming you found the name "jfk" as the username of your system admin. Fine. You need a good wordlist file. There are many files on the Internet. Look for 3 things: a wordlist with common passwords in english (admins love english), a wordlist in the native laguage of your admin and a wordlist with things of intrest (eg. StarTrack). Then make one huge file from thes wordlists (UNIX command cat). Assuming the area with informations about the payment in your company is under the URL /master/pay/ then you can first test ObiWaN for possible problems.

./ObiWaN -h intranet -a jfk -w hugelist.txt -vT

If it reports some problems, try to fix it (eg. perission problems). Now you can start your attack. There are two possible ways. I prefer the first one but this is your choice.

The first way is to run ObiWaN more then once. One run only with the wordlist.

./ObiWaN -h intranet -a jfk -w hugelist.txt

Then you see the testrate (words per second) and so on. If this fails, run it with alphanumeric variation (good choice is depth of 2).

./ObiWaN -h intranet -a jfk -w hugelist.txt -A 2

If this fails too, try a depth of 3. The last chance to get the password is to run it in bruteforce loop mode.

./ObiWaN -h intranet -a jfk -w hugelist.txt -b 6 -B 8

A start depth for the bruteforce loop less then 4 is very stupid, because near all passwords are 4 characters or more.On UNIX Systems, you should use as upper depth 8, because they mostly don´t compare passwords with more then 8 characters.

The second way is to start the same procedure in one command line.

./ObiWaN -h intranet -a jfk -w hugelist.txt -A 2 -b 4 -B 8

Since ObiWaN stops searching (hope so) if it finds the matching password, in fact it does the same. This way is the prefered one if you don´t sit on the box where ObiWaN is running. You can redirect the output to a file and rename ObiWaN to something like "dbengine", if you are not the only one user of this box.

3. How it works in detail

It works real simply. In fact a complex thing wouldn´t be written by me.

First it tests the Webserver for authentication requests. It sends the command

GET / HTTP/1.0

to the Webserver. He replys with a HTTP header. This possible looks like this:

HTTP/1.1 401 Authorization Required 
Date: Tue, 29 Sep 1998 09:32:28 GMT 
Server: Apache/1.3.0 (Unix) S.u.S.E./5.3 mod_perl/1.12 
WWW-Authenticate: Basic realm="Area51" 
Connection: close 
Content-Type: text/html

This is a point to start from. The server request basic authentication. In fact it says "Authenticate !" and then sends his informations about which authentication sheme you can use to authenticate. There can be more then "basic". A Windows NT ISS sends additional something like

WWW-Authenticate: NTLM

but we only look for basic authentication. The realm is only a name for the restricted area. This server calls his restricted area "Area 51".
Now we can try X thousend passwords. This looks like this request:

GET / HTTP/1.0 
Authenticate: Basic amZrOndyb25n

The string after "Basic" is a base64 encoded version of username:password. In this case I tryed "jfk:wrong" and this is in base64 encoded format: amZrOndyb25n
More details to basic authentication and the HTTP protocol can be found at RFC 2068 (section 11.1 describes basic auth).

3.2 Wordlists and Bruteforce

The processing of wordlists is only a top-down reading from the file and sending it to the target Webserver.
The numerical and alphanumerical variations use recuresive functions to create new passwords. Every recursion adds one character to the password readed from the wordlist. Starting from '0' to '9', from 'A' to 'Z' and then from 'a' to 'z'. Special characters are not tested. This is a way to secure your account. And this is the intention to create ObiWaN. Bruteforce attack is near the same procedure, but it is a little bit faster.

4. Tuning and Tips

To tune your attack, create a special wordlist file. This is a additional wordlist, tested before the huge one. This special wordlist is created per hand for every new attack. Here you can enter the most used faux pas in history of passwords. Start with the first- and last name and the username of your target account. Names of his/her friends, children, car, birthday ... . Then use some variations of companys name, known acronyms and so on. The special wordlist is included in all attack types (numerical,alphanumerical) and is prefered.

Additional to this a hint: Don´t think "Why wordlists ? Let me start a brute force attack from 2 up to 12 and i will find the password." This is real stupid since such an attack by 130 words per secound takes 287.238.849.928.587 days (786.955.753.229 years). Don´t do this. Collect wordlists from the internet and you will become happy.

5. Dangers, Problems and Bugs

There are some dangers by extensive testing Webservers.
The first one is simply a congestion of your network enviroment. Imagine, you send up to 200 Packets per second and if your target Webserver is a fast one, it response to this with 200 packets too. Assumed a 10 Mbit/s LAN and two real fast boxes (one attacker, one target) you can slow your network down to the ground.

The second problem is logging. Not only, if you are not permitted to test this Webserver and you fail to break in a remote administration system you are the stupid one. No. Since the Webrserver logs every connect with a full line in the logfile (or
eventlog in NT) this is much space. Possible in the middle of your attack the server crashes because of a filesystem overrun and you are the cause. Bad news. Additional to this I´m not sure if ObiWaN stops in such a case.
A simple calculation for logging. Round 100 bytes takes a line in W3C standard logfile format. Depends on your DNS name. By 150 words per second this are 15000 bytes/s = 878,91 Kbyte per minute. Assumed 10 MB log space, you have 12 minutes. I know: many Webserver have much more log space. But think about NT. NT boxes slow rapidly down if they have a huge eventlog (and belive me: there are many admins with a . Crash-Bom-Bang. And the last 500 GET commands had your IP address. Very bad news.

Conclusion: Be carefull with ObiWaN. Use the -P flag. Try to get informations about your target hardware before you render it down.

There are some problems with special cases:

If you use multidaemon mode and chose more deamons then lines are in wordlist/special wordlist file, you possible see some obscure things. Possible the main program don´t break at the end or numeric attacks will fail.
Some times the system do not give a signal from daemon to main prg. If this is the case, you should look in your themporary directory (if specified - else in the current) for a file named obwXXXXX where XXXXX is the PID of you ObiWaN main process. If there is such a file, inside you will find the account-informations. If not, all daemons failed. Now you can kill the main program by Ctrl+C.
ObiWaN has no funtion to detect timeouts. If your target crashes and you are using multidaemon then you have to stop the main program by pressing Ctrl+C.

Tips for using multiple daemons:

If you have a slow box, little RAM or a slow connection to your target - don´t use more then 4 daemons. The daemons need more memory then a single-mode ObiWaN. If your system is to slow, it is busy with swaping or creating sockets.
Multidaemons are great to attack clusters. In this case I understand "cluster" as more then one webserver with different IPs on different boxes and one DNS name. (eg. www.netscape.com). Here every daemon gets by requesting a IP for www.netscape.com a different one. So all daemons try to different boxes and this makes the attack X times faster.

Proxy server problems and tips

A problem with Network Appliance´s Netcache is known. By connecting to this proxy, you will never receive a response. If you Ctrl+C your ObiWaN you can see a full RECV-Queue at this socket. (netstat) I wonder why the socket says "No data available". Possible I can fix this later - so long use a different proxy server (eg. look on the next line).
If you are on a UNIX box - it is a good idea to use a local proxy server. This is because it helps to hide your attacks (and helps if you must connect to a fucking Netcache). Use a free proxy server called Squid. (http://squid.nlanr.net/Squid/) You can configure it to hide all your informations like IP address. This is done by the line "http_anonymizer paranoid" in your squid.conf file. Additional to hiding you it makes it possible to scan a host in official IP areas from a workstation on an inofficial IP net. Read more about proxys if you can´t follow me.

Appendix A

Project 2068/11.1 stands for the section 11.1 in RFC 2068 which describes the HTTP 1.1 protocol. This section explains the basic authentication.

ObiWaN stands for "Operation burning insecure Webserver against Netscape". Sorry Netscape, but this idea came up by a confrontation with a Netscape Administration Server, not with Microsoft. What a pity. The "burning" describes the effect, if you use ObiWaN in wrong enviroments - particular not in your own. (the network or router "burn" or you have some "burning" problems with the police !).

Windows documentation (now we go to something completely different)

First of all you need to read the UNIX documentation and to understand the background of ObiWaN. In this section I desribe only then buttons and dialog boxes of the windows version.

Required things ...

ObiWaN is one of thes Windows programs you can start from the location where it is copied to. Here is no SETUP needed. Possible I will build a standard Setup for users who don´t trust programs that run without installation but it is not needed.

You need in all cases a running TCP/IP installation. If you don´t know what I mean, go away. Then you should be connected to a LAN or the Internet over an TCP/IP transporting connection. By UNIX folks I don´t need to tell this but I don´t know how many Windows (L)users would like to scan a Webserver by using NetBEUI.
And please: If you don´t have Winsock2: Update NOW!

If you start the program an you get something different then a black box with "nice" graphix you may have a problem. Mail me.

Run it.

Now we can start. You must give ObiWaN all informations on the left side of the window. First select your target host. Click on the grey PC. In the messagebox you can enter a valid DNS name and optional a URI. Valid inputs are:

target.foobar.com
target.foobar.com/index.htm
target.foobar.com/members/secret/super/protected/
193.169.10.23
123.222.123.54/members/noname/

Invalid inputs are

afdasdfasdf                 <-- nice to see you drunken on the keboard
http://www.microsoft.com    <-- this is invalid in 2 ways
ftp://bla.fasel.net         <-- STUPIDO, ObiWaN is for HTTP not for FTP !

DON´T USE PROTOCOL IDENTIFIERS LIKE "http://" !!!!

In the input field below you can enter a port. Valid range for TCP ports is 1 to 65535. The most servers running on port 80 (standard HTTP) but in some cases you will find the need to use a different port, because your target use port 8080 or 20000 or 12345. Close the box by hitting the OK button.

Test mode

Make sure, the Option "TestMode on/off" is switched to on. This is the default start value. If you see a little "T" on the top of all options - all is ok. If you see a "A" - click on it and it will switch to a "T".

Now click on the big "Launch attack" button. In the area below - called "output area" - you will see the result of your action. If you have entered a hostname and port refering to a webserver with authentication, you will see the line "LET THE WAR BEGIN". Else you get some error messages.

Quit and Hide

On the right bottom of the black box, you find two buttons. You don´t see anything ? Move your mouse over this area and you will see! The "HIDE" button changes ObiWaN to a tray icon. This icon has a popup menu for start and stop scanning. If you have enabled counters and you hide ObiWaN while it runs a attack, you can see the numer of tested words by moving the mouse over the tray icon. In all cases you see the status (like "running", "failed" or "wins").

Attack mode

Select a Wordlist. Click on the green words below the PC-Icon. In this dialog you can open a standard and a special wordlist. You don´t read the UNIX docu ? This is the point to correct your mistake. I don´t like to explain everything twice.
If you select "OPEN" with the left mouse button, you can open a wordlist. If you use the right button, you deselect this wordlist. Simple - do you agree ?

Select an account (username). Click on the two nice red guys below the wordlist icon. Enter the target account name.

To run a real attack switch the option button "T" to "A".

Now you have to decide:

Verbose mode on or off ? It slows the attack down and if you don´t expect problems: don´t use it.
Counter on or off ? If this is your first attack you should use counters. They provide informations about words tested and your words per secound rate. I like this output and it hasn´t many influence to the speed.
Password display on or off ? If you select this option, ObiWaN lists every word he tests. Only real usefull if you use numeric or alphanumeric attacks - here you can see the progress ouf our variations.

Using a proxy server

To use a proxy betwen you and your target click on the button right of the "A/T" switch. If you see a green-only pictogram you don´t actual use a proxy. If you click on it, you need to enter the name and port of your proxy server. I think it is a good idea to delete ObiWaN, if you don´t know what the hell is a proxy. And please: don´t be stupid. Don´t ask you administrator for your proxy settings.

Variations

You have - like in the UNIX version - two possible additional variations and a pure bruteforce mode. The gray buttons are (in top-down): numeric, alphanumeric and brute force.

Numeric variation

Click on the numeric button. By click with the left or right mousebutton on the number right of it, you can increse or decrese the attack depth. Numeric means, that ever password is tested with depth digits at the end.

Password: secret
Tested (numeric depth 2): secret0...secret9,secret10...secret99

Alphanumeric variations

The same as numeric. Chose the button below the numeric button. Remember: Alphanumeric attack includes - like the name suggest - numeric attacks. So if you turn both on, you will get a standard "Stupido ... blabla ... " Messagebox.

Brute force

If all wordlists fail and you have a good connection to your target and you have many time you can start a real brute force attack. This tests variations from n to m characters (alphanumeric). Switch alphanumeric on and chose the start depth. Switch brute force on and chose the end depth. Assuming you selected start depth of 4 and brute force end depth of 6, ObiWaN will test all combinations from "0000".."zzzz" to "00000".."zzzzz" to "000000".."zzzzzz". Belive me: this takes many time!

Word at the End

Since Windows is a slow thing, you should not play oter network "games" while you scan.
All options like verbose mode, counter, password display and so on can be switched on or off while ObiWaN is scanning.