Usernames, Passwords, and Secret Stuff, Oh My! (Chapter 9)

Figure 9.4 Microsoft Outlook Web Access Hosts a Public Directory

The public directory allows access to a search page that can be used to find users by name. In most cases, wildcard searching is not allowed, meaning that a search for * will not return a list of all users, as might be expected. Entering a search for a space is an interesting idea, since most user descriptions contain a space, but most large directories will return an error message reading "This query would return too many addresses". Applying a bit of creativity, an attacker could begin searching for individual common letters, such as the Wheel of Fortune letters R, S, T, L, N, and E. Eventually, one of these searches will most likely reveal a list of user information like the one shown in Figure 9.5.

Figure 9.5 Public Outlook Directory Searching for Usernames

Once a list of user information is returned, the attacker can then recycle the search with words contained in the user list, searching for the words Voyager, Freshmen, or Campus, for example. Those results can then be recycled, eventually resulting in a nearly complete list of user information.

Searching for Passwords

Password data, one of the Holy Grails during a penetration test, should be protected. Unfortunately, many examples of Google queries can be used to locate passwords on the Web, as shown in Table 9.2.
Table 9.2 Queries That Locate Password Information

Query                                               Description
filetype:config config intext:appSettings User ID   .Net Web Application configuration may contain authentication information
filetype:netrc password                             .netrc file may contain cleartext passwords
intitle:Index of passwords modified                 Password directories
inurl:db main.mdb                                   ASP-Nuke database files often contain passwords
filetype:bak inurl:htaccess passwd shadow htusers
filetype:log See ipsec copyright
inurl:calendarscript users.txt
inurl:ccbill filetype:log                           data
inurl:cgi-bin inurl .
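The queries in Table 9.2 only work when such files sit inside a served document root, so a site owner can look for the same file types locally before a search engine indexes them. The following is an added example, not code from the book: the rules are derived from the queries visible in Table 9.2, while the function names, rule labels and sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Rules derived from the queries visible in Table 9.2; the labels are this
# example's own wording. Each rule: (label, path test, content regex or None).
RULES = [
    (".NET config with credentials", lambda p: p.suffix.lower() == ".config",
     re.compile(rb"appSettings.*User ID", re.I | re.S)),
    (".netrc with cleartext password",
     lambda p: p.name.lower().endswith(".netrc"), re.compile(rb"password", re.I)),
    ("ASP-Nuke database",
     lambda p: [s.lower() for s in p.parts[-2:]] == ["db", "main.mdb"], None),
    ("backup of a credential file", lambda p: p.suffix.lower() == ".bak" and
     re.search("htaccess|passwd|shadow|htusers", p.name.lower()), None),
]

def audit_webroot(root):
    """Return sorted (relative path, label) pairs for risky files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # pathlib's "*" also matches dotfiles
        if not path.is_file():
            continue
        for label, path_matches, content in RULES:
            if path_matches(path) and (
                    content is None or content.search(path.read_bytes())):
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

# Constructed sample tree; none of it comes from a real site.
SAMPLE = {
    "web.config": b'<appSettings><add value="User ID=app;Password=x"/></appSettings>',
    "site/clean.config": b"<configuration/>",  # right type, no credentials
    "home/.netrc": b"machine ftp.example.test login u password p",
    "db/main.mdb": b"\x00",
    "old/.htaccess.bak": b"AuthUserFile /placeholder",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_webroot(tmp)

if __name__ == "__main__":
    print("\n".join(f"{label}: {rel}" for rel, label in demo()))
```

Files the audit reports belong outside the document root or behind access control; a robots.txt entry only asks crawlers to stay away and does not protect the file.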