
There is a web server I'd like to recon using httprint.

But that web server has basic auth protection on 443. Port 80 is not responding. When I launch httprint, it says "Unspecified Error".

The same thing happens with netcat. It fails because of Basic Auth (i.e. "Connection Refused"). When basic auth is disabled, both netcat and httprint work well.

How can I bypass basic auth for fingerprinting a web server?

[screenshot]

I believe netcat works below for two reasons: 1. There is no basic auth on port 80 (it's a different web app showing on port 80). 2. There is some sort of load balancing or reverse proxy, because the app on port 80 is different from the app on port 443 although both have the same IP address.

[screenshot]

tommy
  • What you describe is not an authentication problem. And you can fingerprint a server without logging in – schroeder Feb 23 '20 at 08:18
  • @schroeder Please see the new screenshot in my OP to better understand my problem. – tommy Feb 23 '20 at 09:44
  • You've blanked out too much to be able to interpret the errors – schroeder Feb 23 '20 at 09:52
  • And your screenshot has nothing to do with fingerprinting. This is looking more like a networking problem than a security problem. – schroeder Feb 23 '20 at 09:53
  • have you looked up the errors? I'm seeing tons of resources to sort it out – schroeder Feb 23 '20 at 09:54
  • @schroeder Please see the last screenshot for port 80. Actually, I believe netcat works below for two reasons: 1. There is no basic auth on port 80 (it's a different web app showing on port 80). 2. There is some sort of load balancing or reverse proxy, because the app on port 80 is different from the app on port 443 although both have the same IP address. – tommy Feb 23 '20 at 09:56
  • @schroeder I can't show this stuff or I'll break the engagement rules with my clients – tommy Feb 23 '20 at 09:57
  • @schroeder Yes, I'm looking up the errors right now. Did not find anything useful yet – tommy Feb 23 '20 at 09:58
  • does nc64 support tls? – schroeder Feb 23 '20 at 10:07
  • @tommy read up on how TLS and HTTP work. – vidarlo Feb 23 '20 at 12:09
  • @schroeder Thank you mate. I don't think it does. When I switched to simply nc, I got no issue obtaining a TCP connection. Also, Steffen's answer below helped me get the expected 401. Thank you – tommy Feb 23 '20 at 13:07
  • @vidarlo Yes. I did not know nc was sending ONLY plain-text HTTP. I did not know the web server was expecting a TLS handshake after the TCP connection. Thank you mate. [This document](https://books.google.ci/books?id=SyXFg6uMLykC&pg=PA113&lpg=PA113&dq=netcat+https&source=bl&ots=T0t71mguvY&sig=ACfU3U3XClS7qIgRXrdK72Gy_NCHLqVoZQ&hl=fr&sa=X&ved=2ahUKEwjh4cS_2ufnAhXlsaQKHUFTAxsQ6AEwBHoECAoQAQ#v=onepage&q=netcat%20https&f=false) helped me solve the issue – tommy Feb 23 '20 at 13:08

2 Answers


It fails because of Basic Auth (ie "Connection Refused") ...

I think you are missing concepts: "Connection refused" means that establishing a TCP connection to the server has failed. This has nothing to do with Basic Authentication, which happens only after a TCP connection could be established successfully. With Basic Authentication required, the server actually provides an HTTP response suitable for fingerprinting.

In your case it might be more a problem of the source IP address being blocked, or of there being no server at the location you try in the first place. Which of these is the problem is not clear from your question, and thus it is unclear if and how it can be bypassed. But given that the site is not responding on port 80, it might actually be the same for port 443. And if there is no server at this location in the first place, then there is nothing to bypass.

EDIT after the OP provided screenshots:

  • The OP first tries to use netcat against port 443 and gets Connection Reset: This is because the OP tries to send a plain HTTP request to an HTTPS port, and the server is closing the connection since plain HTTP is obviously not a valid start of a TLS handshake.
  • The OP then tries to use netcat against port 80. The OP actually gets a valid HTTP response which also clearly states Server: nginx, i.e. fingerprinting is actually successful. The status code of the response is 404, i.e. file not found. If basic auth were involved, the status code would instead be 401.
Steffen Ullrich
  • Please see the new screenshot in my OP to better understand my problem. – tommy Feb 23 '20 at 09:45
  • @tommy: See my updated answer. In short: Nothing in the output indicates any kind of basic auth. The problem is mainly that you are not able to interpret the output correctly, likely because of missing understanding of HTTP and HTTPS. – Steffen Ullrich Feb 23 '20 at 10:42
  • Thank you very much. I did not know I was sending plain HTTP to a server waiting for a TLS handshake. I googled and found [this document](https://books.google.ci/books?id=SyXFg6uMLykC&pg=PA113&lpg=PA113&dq=netcat+https&source=bl&ots=T0t71mguvY&sig=ACfU3U3XClS7qIgRXrdK72Gy_NCHLqVoZQ&hl=fr&sa=X&ved=2ahUKEwjh4cS_2ufnAhXlsaQKHUFTAxsQ6AEwBHoECAoQAQ#v=onepage&q=netcat%20https&f=false) explaining how to use stunnel for banner grabbing an HTTPS server. Thank you Steffen. Now I get Code 401 as expected from the server. – tommy Feb 23 '20 at 13:04
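A small probe, added here as an example (not code from either answer or from httprint), that separates the layers the answer above distinguishes: a TCP-level failure (nothing to fingerprint), a TLS handshake failure or the reset you get from sending plain HTTP to a TLS port, and a genuine HTTP response, where a 401 with WWW-Authenticate is basic auth and still carries the Server header. The HEAD request, the loopback test target and the `verify` switch are this example's own assumptions.

```python
import socket
import ssl

def parse_http_head(raw):
    """Parse the status line and headers of a raw HTTP response (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    result = {"status": status, "server": headers.get("server"), "auth_scheme": None}
    if status == 401:
        # Basic auth is an ordinary HTTP response, not a connection failure:
        # the Server header is still present and the scheme is announced here.
        result["auth_scheme"] = headers.get("www-authenticate", "").split(" ")[0] or None
    return result

def probe(host, port=443, use_tls=True, verify=True, timeout=5):
    """Send one HEAD request and report which layer answered or failed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # ConnectionRefusedError, timeout, unreachable ...
        return {"layer": "tcp", "error": str(exc)}  # nothing to fingerprint yet
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify:  # e.g. a self-signed cert on an IP-addressed host
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(req.encode())
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    except ssl.SSLError as exc:
        return {"layer": "tls", "error": str(exc)}
    except (ConnectionResetError, socket.timeout) as exc:
        # Plain HTTP sent to a TLS port ends here: the server resets or hangs.
        return {"layer": "tls" if use_tls else "http", "error": repr(exc), "hint": "port may expect TLS"}
    finally:
        sock.close()
    return {"layer": "http", **parse_http_head(raw)}
```

Calling `probe("example.org")` against a basic-auth host yields status 401, the Server header and the scheme; `probe("example.org", use_tls=False)` against the same port reproduces the reset from the question.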

The only way to bypass authentication is if there was a website configuration error allowing you to do so.

An actual website authentication bypass would create tremendous churn in the security community, followed by high-profile CVEs, expedited vendor patches, and likely a raised Infocon level.

phbits