PAM login system

Post by tiduswc on Tue Sep 16, 2008 6:36 am

There's a web hacking competition at my university, and one of the questions is about guessing the username to put in the textbox. The only hint is that the site uses PAM.

I tried all kinds of SQL injection, but none seem to work. There's not even an SQL error statement, just the usual 'wrong username'.

I searched about PAM and it appears to be a Unix-based system login module. So I tried all those passwd, ls; none worked either.

Any clue/hint/idea?

Thank you.

Re: PAM login system

Post by thedotmaster on Sun Oct 05, 2008 7:56 pm

First check if the "/images/" folder has directory listings enabled. If it does, that's your first step. Then check out the robots.txt file and see if there's anything interesting in there. Run burpsuite and see how it handles the login. Try inputting various special characters - see if it reacts badly to any. Perhaps run nikto as well. See if it stores anything in cookies. That sorta thing. Check .htaccess.
Hope this helps.

Re: PAM login system

Post by myhexhax on Sun Oct 05, 2008 8:14 pm

Maybe they're using LDAP authentication or something d: Try logging in with your user account, lol. Did you also try default user accounts like root, guest, etc?
Last edited by myhexhax on Mon Oct 06, 2008 7:22 am, edited 1 time in total.

Re: PAM login system

Post by Rijnzael on Sun Oct 05, 2008 10:41 pm

PAM is an authentication module framework for Linux. You should look at the site in question and try to determine which PAM authentication module they're using for those login credentials, and look for any vulnerabilities in their implementation of it.

Re: PAM login system

Post by Dwere13 on Sun Oct 05, 2008 10:42 pm

I don't know if this wiki page will do any good... http://en.wikipedia.org/wiki/Pluggable_ ... on_Modules
But I googled PAM. Figured that's as good a way as any to start. Let us know how you do, eh?

Edit: I personally would expect the... most useful information - if any - on the wiki page to be in the criticisms bit.

Re: PAM login system

Post by thedotmaster on Mon Oct 06, 2008 1:37 am