I. Disclaimer
II. New in current version
1. Introduction
2. How to use
3. How it works in detail
4. Tuning and Tips
5. Dangers, Problems and Bugs
Appendix
A Background
ObiWaN is written to check web servers. The idea behind it is this:
web servers with a simple challenge-response authentication mechanism mostly
have no switches to set up intruder lockout or delays after wrong
passwords. In fact this is the point to start from. Every user with an HTTP
connection to a host with basic authentication can try username-password
combinations for as long as he or she likes.
Like other programs for UNIX system passwords (crack) or NT passwords
(l0phtcrack), ObiWaN uses wordlists and variations with numeric or alphanumeric
characters as candidate passwords. Since web servers allow unlimited requests,
breaking into a server system is only a question of time and bandwidth.
The most interesting targets are web-based administration frontends like Netscape's Server Administration. If you can break in, you are able to create accounts, stop the server and modify its content. Real fun.
To break into a remote administration system you need more than ObiWaN
(this fact will change in the near future, I think). First use a portscanner.
If you find ports with "very even" numbers like 10000, 20000, 15000 and
so on, you should try these ports. This is because a remote administration
system mostly requests a port at installation time, and nearly every admin will
take a simple one to remember. To test this port, type:
./ObiWaN -h target.bla.com -a nobody -w wordlist.txt -p (portnum) -vT
ObiWaN will test this port for the presence of a web server and look for basic authentication requests. I know that you in fact do not need an account name or a wordlist for this test, but this is such a minor bug. I don't think it's changing fast. For a Netscape Administration Server you should try the username "admin". This is because "admin" is the default value for the administration user, and this is mostly not changed during installation.
Some examples of how to get a username:
Now it's time to open a shell and start ObiWaN! Some options are necessary. Not optional are:
-h hostname : This is the DNS name or IP address of your target host.
-a account : This is the explored account name (username).
-w wordlist : An absolute or relative path name to the big (hope so) wordlist file. You should never edit this one, and its first line must be completely empty. Every word is on a separate line.
The rest is useful (why should I code useless options??) but not necessary. If you only want to look for a specific account on your own web server and want to know whether he is stupid enough to use the password "test" or "changeme", then that's it. In all other cases you should read the possible options to tune your attack.
-p PortNum : Only needed if you want to break into a server on a port other than 80 (for example a Netscape Administration Server).
-u /bla/ : Often useful, because most restricted areas are subdirectories of the web server. Remember the last "/". It runs without it, but this is not tested very well and you will get response codes other than 200, possibly 3xx codes.
-T : Use this flag for tests. You must enter the non-optional options too, but only "host", "port" and "URI" will be used.
-v : Very verbose mode. If you read this output you can write your own ObiWaN. You see all sends and responses.
-D : Only useful for debugging or something obscure. I put this in my code for debugging. It displays one line per try and tells you how many words have been tested so far.
-N : Nice feature for semi-creative passwords. It is called a numeric attack. Many people take a word as password and add one or two numbers to "secure" it. *g* "-N 2" tells ObiWaN to try all passwords from the wordlist(s) with one and two digits at the end.
-A : The same game as -N. This one is called alphanumeric attack. What do you think is the difference? Right! It uses alphanumeric characters.
-b / -B : Very important feature for indoor break-ins. You must use these in combination. They tell ObiWaN to run a regular brute force starting with -b letters up to -B letters. It takes time!!!
-P : Delay between two attempts in ms. If one test fails, ObiWaN waits -P milliseconds before it tries the next one. Use this option if you don't want to produce connection congestion in your environment.
-m : How many daemons should try to break in. They split all tasks and work in parallel. The splitting between all daemons is not very accurate, but it brings a time saving of 30%. See section 5 for more.
-d : Tells ObiWaN where to put temporary files. It produces such files only in multi-daemon mode. Ergo: only use this option in multi-daemon mode. Be careful: if you write "-d /tmp", ObiWaN makes a file /tmpobwXXXXX. Do not miss the last / (eg. "-d /tmp/")!!
-s : Special wordlist file. Look in section 4 for details.
-x : Proxy server. Since version 0.6 ObiWaN can use an HTTP proxy to scan servers. The option -x requires the DNS name of this proxy.
-X : Port of the HTTP proxy daemon (only useful with -x). If you don't use -X, port 8080 is assumed.
OK. Assuming you found the name "jfk" as the username of your system admin. Fine. You need a good wordlist file. There are many files on the Internet. Look for three things: a wordlist with common passwords in English (admins love English), a wordlist in the native language of your admin, and a wordlist with things of interest (eg. Star Trek). Then make one huge file from these wordlists (UNIX command cat). Assuming the area with information about the payment in your company is under the URL /master/pay/, you can first test ObiWaN for possible problems.
./ObiWaN -h intranet -a jfk -w hugelist.txt -vT
If it reports some problems, try to fix them (eg. permission problems). Now you can start your attack. There are two possible ways. I prefer the first one, but this is your choice.
The first way is to run ObiWaN more than once. One run only with the wordlist.
./ObiWaN -h intranet -a jfk -w hugelist.txt
Then you see the test rate (words per second) and so on. If this fails, run it with alphanumeric variation (a good choice is a depth of 2).
./ObiWaN -h intranet -a jfk -w hugelist.txt -A 2
If this fails too, try a depth of 3. The last chance to get the password is to run it in brute-force loop mode.
./ObiWaN -h intranet -a jfk -w hugelist.txt -b 6 -B 8
A start depth for the brute-force loop of less than 4 is very stupid, because nearly all passwords are 4 characters or more. On UNIX systems you should use 8 as the upper depth, because they mostly don't compare passwords with more than 8 characters.
The second way is to start the same procedure in one command line.
./ObiWaN -h intranet -a jfk -w hugelist.txt -A 2 -b 4 -B 8
Since ObiWaN stops searching (hope so) when it finds the matching password, in fact it does the same. This way is the preferred one if you don't sit on the box where ObiWaN is running. You can redirect the output to a file and rename ObiWaN to something like "dbengine" if you are not the only user of this box.
First it tests the web server for authentication requests. It sends the command
GET / HTTP/1.0
to the web server. It replies with an HTTP header. This may look like this:
HTTP/1.1 401 Authorization Required
Date: Tue, 29 Sep 1998 09:32:28 GMT
Server: Apache/1.3.0 (Unix) S.u.S.E./5.3 mod_perl/1.12
WWW-Authenticate: Basic realm="Area51"
Connection: close
Content-Type: text/html
This is the point to start from. The server requests basic authentication. In fact it says "Authenticate!" and then sends its information about which authentication schemes you can use to authenticate. There can be more than "basic". A Windows NT IIS additionally sends something like
WWW-Authenticate: NTLM
but we only look for basic authentication. The realm is only a name for the restricted area. This server calls its restricted area "Area51".
GET / HTTP/1.0
Authorization: Basic amZrOndyb25n
The string after "Basic" is the base64 encoded version of username:password. In this case I tried "jfk:wrong", which in base64 encoded form is amZrOndyb25n.
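The exchange above, worked through in code as an added example (not part of ObiWaN or this manual): it parses the 401 challenge for the offered schemes and realm, and shows that the Basic credential is only base64, so anyone who can read the request on the wire recovers the password unchanged. The response text is a constructed sample built from the header shown above.

```python
import base64
import re

# Constructed sample of the 401 challenge shown above (header lines end in CRLF)
CHALLENGE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Tue, 29 Sep 1998 09:32:28 GMT\r\n"
    "Server: Apache/1.3.0 (Unix)\r\n"
    'WWW-Authenticate: Basic realm="Area51"\r\n'
    "WWW-Authenticate: NTLM\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_challenge(raw):
    """Return (status, [(scheme, realm_or_None), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    offers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        value = value.strip()
        realm = re.search(r'realm="([^"]*)"', value)
        offers.append((value.split(" ", 1)[0], realm.group(1) if realm else None))
    return status, offers

def decode_basic_authorization(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.
    Basic only base64-encodes user:password; whoever sees the request sees both."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("latin-1").partition(":")
    if not sep:
        raise ValueError("malformed credential: no ':' separator")
    return user, password

def encode_basic_authorization(user, password):
    """Build the header value a client sends back for the Basic challenge."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")
```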
In addition, a hint: don't think "Why wordlists? Let me
start a brute-force attack from 2 up to 12 and I will find the password."
This is really stupid, since such an attack at 130 words per second takes
287.238.849.928.587 days (786.955.753.229 years). Don't do this.
Collect wordlists from the Internet and you will be happy.
The second problem is logging. It is not only that you are the stupid one
if you are not permitted to test this web server and you fail to break into
a remote administration system. No. Since the web server logs every connect
with a full line in the logfile (or the event log on NT), this takes a lot
of space. Possibly, in the middle of your attack, the server crashes because
of a filesystem overrun, and you are the cause. Bad news. In addition,
I'm not sure whether ObiWaN stops in such a case.
A simple calculation for logging. A line in W3C standard logfile format
takes around 100 bytes, depending on your DNS name. At 150 words per second
this is 15000 bytes/s = 878.91 KByte per minute. Assuming 10 MB of log space,
you have 12 minutes. I know: many web servers have much more log space. But
think about NT. NT boxes slow down rapidly if they have a huge event log
(and believe me: there are many admins with a . Crash-Bom-Bang. And the
last 500 GET commands had your IP address. Very bad news.
Conclusion: Be careful with ObiWaN. Use the -P flag. Try to get information about your target hardware before you bring it down.
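The logging behaviour described above is also what gives the server side a detection handle. As an added example (not part of ObiWaN or this manual), the following reads NCSA common log format lines, which is what Apache 1.3 writes by default, flags any source that produces five or more 401 responses inside one minute, and reproduces the log-growth arithmetic from the text. The log lines are a constructed sample; the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_clf(line):
    """Return (ip, user, timestamp, request, status) or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    ip, user, ts, request, status, _ = m.groups()
    return ip, user, datetime.strptime(ts, TIME_FMT), request, int(status)

def flag_auth_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: (first_seen, hits)} for sources with at least `threshold` 401s
    inside any `window_s` seconds (lines assumed in time order per source)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec[4] != 401:
            continue
        ip, ts = rec[0], rec[2]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = (window[0], len(window))
    return flagged

def log_growth_kbyte_per_minute(attempts_per_s, bytes_per_line=100):
    """Log volume written per minute at a steady attempt rate (text: 150/s -> 878.91 KByte)."""
    return attempts_per_s * bytes_per_line * 60 / 1024

def minutes_until_full(log_space_bytes, attempts_per_s, bytes_per_line=100):
    """Minutes until the given log space is consumed at that rate (text: 10 MB -> 12 min)."""
    return log_space_bytes / (attempts_per_s * bytes_per_line) / 60

# Constructed sample: six failed attempts from 10.0.0.5 within 6 s, one from 10.0.0.9
SAMPLE_LOG = [
    f'10.0.0.5 - - [29/Sep/1998:09:32:{28 + i:02d} +0000] "GET /master/pay/ HTTP/1.0" 401 381'
    for i in range(6)
] + ['10.0.0.9 - - [29/Sep/1998:09:32:30 +0000] "GET /master/pay/ HTTP/1.0" 401 381']
```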
There are some problems with special cases:
ObiWaN stands for "Operation burning insecure Webserver against Netscape".
Sorry Netscape, but this idea came up from a confrontation with a Netscape
Administration Server, not with Microsoft. What a pity. The "burning" describes
the effect if you use ObiWaN in the wrong environments, in particular not in
your own (the network or router "burns", or you have some "burning" problems
with the police!).
In all cases you need a running TCP/IP installation. If you don't
know what I mean, go away. Then you should be connected
to a LAN or the Internet over a TCP/IP-transporting connection. I don't
need to tell UNIX folks this, but I don't know how many Windows
(L)users would like to scan a web server using NetBEUI.
And please: if you don't have Winsock2, update NOW!
If you start the program and you get something different than a black box with "nice" graphics, you may have a problem. Mail me.
target.foobar.com
target.foobar.com/index.htm
target.foobar.com/members/secret/super/protected/
193.169.10.23
123.222.123.54/members/noname/
Invalid inputs are
afdasdfasdf <-- nice to see you drunk on the keyboard
http://www.microsoft.com <-- this is invalid in 2 ways
ftp://bla.fasel.net <-- STUPIDO, ObiWaN is for HTTP, not for FTP!
DON'T USE PROTOCOL IDENTIFIERS LIKE "http://"!!!!
In the input field below you can enter a port. The valid range for TCP ports is 1 to 65535. Most servers run on port 80 (standard HTTP), but in some cases you will need to use a different port, because your target uses port 8080 or 20000 or 12345. Close the box by hitting the OK button.
Now click on the big "Launch attack" button. In the area below, called "output area", you will see the result of your action. If you have entered a hostname and port referring to a web server with authentication, you will see the line "LET THE WAR BEGIN". Otherwise you get some error messages.
Select an account (username). Click on the two nice red guys below the wordlist icon. Enter the target account name.
To run a real attack, switch the option button "T" to "A".
Now you have to decide:
Password: secret
Tested (numeric depth 2): secret0...secret9, secret10...secret99
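The candidate counts behind the numeric-depth example above and behind the "2 up to 12 takes 287.238.849.928.587 days" figure in section 4 come from the same geometric sum. As an added example (not part of ObiWaN or this manual), the following computes those counts; the text's figure is reproduced exactly when only the 12-character keyspace is counted, and the full 2..12 range is about 1.6% larger. The functions and the names `ALNUM` and `DIGITS` are assumptions of this example.

```python
def candidates(charset_size, min_len, max_len):
    """Number of distinct strings of length min_len..max_len over charset_size symbols.
    Covers a plain brute-force range (-b/-B) as well as the suffixes -N/-A append."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def days_to_exhaust(n_candidates, attempts_per_s):
    """Whole days needed to try every candidate at a fixed attempt rate.
    Any server-side delay after a failure lowers attempts_per_s and scales this up."""
    return n_candidates // attempts_per_s // 86400

def wordlist_attempts(words, suffix_charset_size, depth):
    """Attempts for a wordlist run with -N/-A depth: every word gets all suffixes of
    length 1..depth, e.g. secret0..secret99 for one word at numeric depth 2."""
    return words * candidates(suffix_charset_size, 1, depth)

ALNUM = 62   # a-z, A-Z, 0-9
DIGITS = 10  # 0-9

def page_figures():
    """Reproduce the days and years quoted in section 4 (12-character keyspace, 130/s)."""
    days = days_to_exhaust(candidates(ALNUM, 12, 12), 130)
    return days, days // 365
```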