6.5 Accessing Poorly Protected Information

You can find server backup files and other sensitive data if you look hard enough. I know a handful of cases in which administrators have set up private areas of web service space to store such files, with predictable directory names (for example, /backup, /private, or /test). In one such instance, I downloaded a 500-MB backup image of a Linux web server, containing the /etc/passwd, /etc/shadow, and other useful system files.

Automated web service scanning tools are proficient at identifying these obvious file locations and directories. The stats.html page on the BT corporate web site reveals potentially sensitive information. You can find it at http://www.bt.com/stats.html and see it in Figure 6-15.

Figure 6-15. The BT web site reveals usage information

A casual look through this page reveals a table with column headings of HOST, GROUP, TIME, and CPU.

6.5.1 Brute-Forcing HTTP Authentication

When assessing large environments, analysts often encounter basic HTTP authentication prompts. By launching brute-force password-grinding attacks against these authentication mechanisms, an attacker can gain access to potentially sensitive information or system components (web application back-end management systems, etc.).
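From the defender's side, password grinding against basic authentication shows up in the web server access log as a burst of 401 responses from one client. The following is an added example, not code from the book: it assumes common/combined log format, and the /manage/ path, the threshold of five failures, and the 60-second window are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format prefix: ip ident user [time] "request" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"[^"]*" (?P<status>\d{3}) ')

def find_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401 responses inside a sliding window."""
    recent = defaultdict(deque)          # ip -> timestamps of recent 401s
    flagged = {}                         # ip -> {"peak": n, "succeeded_as": user}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that are not access-log records
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if m["status"] == "401":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"peak": 0, "succeeded_as": None})
                hit["peak"] = max(hit["peak"], len(q))
        elif m["status"].startswith("2") and ip in flagged and m["user"] != "-":
            # Authenticated 2xx after a burst: a guess may have succeeded.
            flagged[ip]["succeeded_as"] = m["user"]
    return flagged

def sample_log():
    """Constructed sample records (documentation IP ranges, not real traffic)."""
    fmt = '{ip} - {user} [12/Mar/2024:{t} +0000] "GET /manage/ HTTP/1.1" {st} 512'
    rows = [("192.0.2.10", "-", f"10:00:{s:02d}", 401) for s in range(0, 12, 2)]
    rows.append(("192.0.2.10", "admin", "10:00:13", 200))
    # A user who mistypes once, then logs in: below the threshold.
    rows += [("198.51.100.7", "-", "10:01:00", 401),
             ("198.51.100.7", "alice", "10:01:05", 200)]
    # Five failures spread over 20 minutes: never five inside one window.
    rows += [("203.0.113.5", "-", f"10:{m:02d}:00", 401) for m in range(10, 35, 5)]
    return [fmt.format(ip=i, user=u, t=t, st=s) for i, u, t, s in rows]

if __name__ == "__main__":
    for ip, hit in find_auth_bruteforce(sample_log()).items():
        print(ip, hit)
```

A flagged client whose `succeeded_as` field is set deserves priority, because an authenticated 2xx response right after a failure burst suggests a guessed password.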

In particular, the Brutus and Hydra brute-force tools are exceptionally good at launching parallel brute-force password-grinding attacks against web authentication mechanisms. The tools are available from the following locations and are discussed throughout this book with working examples: