cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Fri May 06, 2005 12:55 am Post subject: Logging HTACCESS?
Is it possible to see what username and password the user is using to access my website, even if the account does not exist?
If not, can Aprelium fix it in the next version *please*?
(Yes, I'm going to use it for an evil purpose)
BTW, this is my 100th post, yay!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri May 06, 2005 9:40 am
Auth Digest passwords are passed as a hash, not as plain text. They are then checked against a hash in the Abyss conf file - at no point does Abyss have access to a plain text version of them after the account is created. Feel free to try and crack the MD5 hashing though ;)
Last edited by Anonymoose on Mon May 09, 2005 12:42 am; edited 1 time in total
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri May 06, 2005 3:59 pm Post subject: Re: Logging HTACCESS?
cmxflash wrote: | Is it possible to see what username and password the user is using to access my website, even if the account does not exist?
If not, can Aprelium fix it in the next version *please*?
(Yes, I'm going to use it for an evil purpose)
BTW, this is my 100th post, yay! |
That's pretty easy to do if you want to see which people were not allowed access to the server. All you have to do is to write a PHP script that will log in a file the Authorization header values (or better, the user/password values that are decoded by PHP).
Next, set up this script as your 401 error page.
If you need help with the script coding, let us know.
_________________
Support Team
Aprelium - http://www.aprelium.com
cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Fri May 06, 2005 7:50 pm Post subject: Re: Logging HTACCESS?
aprelium wrote: | cmxflash wrote: | Is it possible to see what username and password the user is using to access my website, even if the account does not exist?
If not, can Aprelium fix it in the next version *please*?
(Yes, I'm going to use it for an evil purpose)
BTW, this is my 100th post, yay! |
That's pretty easy to do if you want to see which people were not allowed access to the server. All you have to do is to write a PHP script that will log in a file the Authorization header values (or better, the user/password values that are decoded by PHP).
Next, set up this script as your 401 error page.
If you need help with the script coding, let us know. |
It would be nice if you could make an example script for me, since I'm not that good at PHP (yet).
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Sat May 07, 2005 1:09 pm Post subject: Re: Logging HTACCESS?
cmxflash,
We'll post an example of such a script here later.
_________________
Support Team
Aprelium - http://www.aprelium.com
cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Sun May 08, 2005 5:42 pm Post subject: Re: Logging HTACCESS?
Does anybody know an MD5 cracker that's working?
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon May 09, 2005 12:40 am
John The Ripper has always worked.
However, if you're checking against digest auth authentication, you're going to be trying to brute force or dictionary guess a base 64 encoding of the username + password guess. It's going to take forever and a day to encode each of your guesses and test them. Don't bother wasting your time...
For basic auth, if you can't wait for Aprelium to give you a script, just stick a packet sniffer on your machine.
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Mon May 09, 2005 1:47 pm Post subject: Re: Logging HTACCESS?
cmxflash,
Here is the script. Copy it into a file called 401.php and make it your custom error page for status code 401:
Code:
<?php
// Custom 401 error page: appends each failed authentication attempt to a log file.
$log_file_name = "C:\\authfailed.log";   // change to suit; keep it outside the web root

// PHP only fills PHP_AUTH_USER/PHP_AUTH_PW for Basic authentication;
// test the array key with isset() instead of reading it first (avoids an undefined-index notice).
if (isset($_SERVER['PHP_AUTH_USER']))
{
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    $file = fopen($log_file_name, "at");
    if ($file)
    {
        $ip = $_SERVER['REMOTE_ADDR'];
        $date = date("r");
        // REDIRECT_* variables describe the original request that triggered the error page
        $url = "http://" . $_SERVER['REDIRECT_HTTP_HOST'] . $_SERVER['REDIRECT_REQUEST_URI'];
        fwrite($file, "$date\t$url\t[$username]\t[$password]\t$ip\n");
        fclose($file);
    }
}
?>
<HTML>
<HEAD><TITLE>Error 401</TITLE></HEAD>
<BODY>
Your unauthorized access attempt was logged.
</BODY>
</HTML>
Change the value of $log_file_name if you wish. The script is easy to understand and can be modified at will to log whatever you want to track those "crackers".
_________________
Support Team
Aprelium - http://www.aprelium.com
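Editor's added example (not Aprelium's script, and not part of the original thread). It takes the earlier suggestion of logging the Authorization header directly, rather than relying on PHP_AUTH_USER/PHP_AUTH_PW, and ties it to the point made above about Digest: a Basic header decodes to the cleartext credentials, while a Digest header carries only an MD5 response that the server can recompute from a stored HA1 = MD5("user:realm:password") but never reverse. Assumptions, labelled in the code: Abyss exposes the header as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION and the original request method/URI as REDIRECT_REQUEST_METHOD/REDIRECT_REQUEST_URI (the thread only shows REDIRECT_HTTP_HOST and REDIRECT_REQUEST_URI); the credential store is constructed for the demo; hash_equals needs PHP 5.6 or later.

```php
<?php
// Added example, not Aprelium's script. Parses the Authorization header itself so
// Basic and Digest attempts are both logged; a Digest attempt is checked against a
// stored HA1 = MD5("user:realm:password"), showing the server only ever sees hashes.
// Assumptions: Abyss exposes the header as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION
// and the original method/URI as REDIRECT_REQUEST_METHOD/REDIRECT_REQUEST_URI;
// the credential store below is constructed for the demo. Needs PHP 5.6+ (hash_equals).
$log_file_name = "C:\\authfailed.log";   // keep this file outside the web root
$realm         = "Restricted Area";      // must equal the realm Abyss sends in WWW-Authenticate
// Constructed sample store: username => HA1. Abyss keeps its own store; this is an assumption.
$ha1_store = array("alice" => md5("alice:" . $realm . ":s3cret"));

// Split an Authorization header into its scheme and fields.
function parse_authorization($header)
{
    if (preg_match('/^Basic\s+(\S+)\s*$/i', $header, $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return array('scheme' => 'Basic', 'error' => 'malformed');
        }
        list($user, $pass) = explode(':', $decoded, 2);
        return array('scheme' => 'Basic', 'username' => $user, 'password' => $pass);
    }
    if (preg_match('/^Digest\s+(.*)$/is', $header, $m)) {
        $fields = array('scheme' => 'Digest');
        // key="quoted value" or key=token, comma separated (RFC 2617)
        preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $m[1], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $fields[strtolower($p[1])] = (isset($p[3]) && $p[3] !== '') ? $p[3] : $p[2];
        }
        return $fields;
    }
    return array('scheme' => 'unknown');
}

// Recompute the Digest response from the stored HA1 (RFC 2617, section 3.2.2.1).
function digest_response_matches($f, $method, $ha1)
{
    foreach (array('nonce', 'uri', 'response') as $k) {
        if (!isset($f[$k])) {
            return false;
        }
    }
    $ha2 = md5($method . ':' . $f['uri']);
    if (isset($f['qop'])) {
        if (!isset($f['nc'], $f['cnonce'])) {
            return false;
        }
        $expected = md5($ha1 . ':' . $f['nonce'] . ':' . $f['nc'] . ':' . $f['cnonce']
                      . ':' . $f['qop'] . ':' . $ha2);
    } else {
        $expected = md5($ha1 . ':' . $f['nonce'] . ':' . $ha2);
    }
    return hash_equals($expected, $f['response']);
}

// Strip tabs and newlines so a crafted username cannot forge extra log lines.
function clean_field($v)
{
    return str_replace(array("\r", "\n", "\t"), ' ', $v);
}

$header = '';
foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $k) {   // assumed names
    if (!empty($_SERVER[$k])) {
        $header = $_SERVER[$k];
        break;
    }
}
if ($header !== '') {
    $f      = parse_authorization($header);
    $method = isset($_SERVER['REDIRECT_REQUEST_METHOD']) ? $_SERVER['REDIRECT_REQUEST_METHOD'] : $_SERVER['REQUEST_METHOD'];
    $uri    = isset($_SERVER['REDIRECT_REQUEST_URI']) ? $_SERVER['REDIRECT_REQUEST_URI'] : $_SERVER['REQUEST_URI'];
    $user   = isset($f['username']) ? $f['username'] : '';
    switch ($f['scheme']) {
        case 'Basic':
            // The cleartext password lands in the log: treat the log file as a secret.
            $detail = isset($f['error']) ? $f['error'] : '[' . $f['password'] . ']';
            break;
        case 'Digest':
            // No password is on the wire; we can only say whether the response
            // matches a stored HA1, i.e. whether this user exists and knew the password.
            $known  = isset($ha1_store[$user]) && digest_response_matches($f, $method, $ha1_store[$user]);
            $detail = 'realm=' . (isset($f['realm']) ? $f['realm'] : '') . ' match=' . ($known ? 'yes' : 'no');
            break;
        default:
            $detail = 'unrecognised scheme';
    }
    $line = implode("\t", array_map('clean_field',
        array(date('r'), $_SERVER['REMOTE_ADDR'], $f['scheme'], $uri, $user, $detail))) . "\n";
    if ($fh = @fopen($log_file_name, 'at')) {   // @ so a bad path is not echoed on the error page
        fwrite($fh, $line);
        fclose($fh);
    }
}
?>
<HTML><HEAD><TITLE>Error 401</TITLE></HEAD>
<BODY>Your unauthorized access attempt was logged.</BODY></HTML>
```

Two things worth checking before deploying something like this. For Basic, the log holds exactly what the thread asked for, cleartext passwords, so it must sit outside the document root and be readable only by the account the server runs as; anyone who can fetch it gets every credential ever typed at the site, including typos of real passwords. For Digest, the log never contains a password and cannot be made to: a username that is absent from the store is logged as match=no (the "account does not exist" case of the original question), and a known username with match=no means the client did not have the right HA1.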
TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Mon May 09, 2005 2:56 pm
Now you can tell when someone is hacking your server. Thank You! :-)
cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Mon May 09, 2005 7:33 pm
Danke Aprelium =)
(Thanks)
cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Wed May 11, 2005 2:11 pm
Is it possible to make it log the password if the account doesn't exist on the server?
admin (Site Admin)
Joined: 03 Mar 2002 Posts: 1332
Posted: Wed May 11, 2005 2:30 pm
cmxflash wrote: | Is it possible to make it log the password if the account doesn't exist on the server? |
That's what it does: Error 401 is only raised when the account is not declared on the server and thus all the logged information comes from unknown user/password access attempts.