Re: [squid-users] Digest Authentication and Brute Force Attack

From: <alberto.avi@dont-contact.us>
Date: Fri, 19 May 2006 10:24:00 +0200

>>I verified using current 2.5.STABLE (what will become 2.5.STABLE14), but
>>the digest code has not changed in a long time.. last functional change
>>was in 2.5.STABLE10 where support for %m in error pages was added.

I don't use the Squid digest authenticator. I use an external digest helper:

auth_param digest program /usr/local/prod/squid-2.5.STABLE12/libexec/usi-digest-auth.sh
auth_param digest children 5
auth_param digest realm PrxUSI

The script usi-digest-auth.sh reads username:realm from Squid on its
standard input.
Then the script searches for that userid:realm on an LDAP server to get a
precalculated digest H1 (where H1=hash("username":"realm":"password")).
The digest is returned to Squid to continue with the digest authentication.

Well, now I enabled log_mime_hdrs as you suggested: great feature!

First request, no login information provided:

1148024924.321 296 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Accept: */*\r\nAccept-Language: it\r\nCookie: PREF=ID=72f8a58c6ef30649:TM=1142353686:LM=1142353686:S=-KyqRUkowquuC-y0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization: Digest username="", realm="PrxUSI", qop="auth", algorithm="MD5", uri="/", nonce="U3htREAOQQgz+X10", nc=00000001, cnonce="17254ae1d382f9711385427739bc6271", response="6d72bf69c588a1c6cdef5f3d81b0c53f"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE12\r\nMime-Version: 1.0\r\nDate: Fri, 19 May 2006 07:48:44 GMT\r\nContent-Type: text/html\r\nContent-Length: 1307\r\nExpires: Fri, 19 May 2006 07:48:44 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Digest realm="PrxUSI", nonce="XHhtRPAOQQjS8Fx+", qop="auth", stale=false\r\n\r]

Second request, unknown account used:

1148024945.939 470 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Accept: */*\r\nAccept-Language: it\r\nProxy-Authorization: Digest username="foouser", realm="PrxUSI", qop="auth", algorithm="MD5", uri="/", nonce="XHhtRPAOQQjS8Fx+", nc=00000001, cnonce="606767c30059191f5b7c0e2d253f1278", response="5fdaa2a2a45154678c42020bb0062bf0"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nCookie: PREF=ID=72f8a58c6ef30649:TM=1142353686:LM=1142353686:S=-KyqRUkowquuC-y0\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE12\r\nMime-Version: 1.0\r\nDate: Fri, 19 May 2006 07:49:05 GMT\r\nContent-Type: text/html\r\nContent-Length: 1307\r\nExpires: Fri, 19 May 2006 07:49:05 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Digest realm="PrxUSI", nonce="cXhtRIgSQQh3KOZo", qop="auth", stale=false\r\n\r]

Third request, known account but invalid password:

1148024983.585 714 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Accept: */*\r\nAccept-Language: it\r\nCookie: PREF=ID=72f8a58c6ef30649:TM=1142353686:LM=1142353686:S=-KyqRUkowquuC-y0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization: Digest username="US01170", realm="PrxUSI", qop="auth", algorithm="MD5", uri="/", nonce="cXhtRIgSQQh3KOZo", nc=00000001, cnonce="7581984ebe5ffb1b4d0ed53e1719f9e5", response="915786a36b8ab9fcbb6b9d0f57e70dde"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE12\r\nMime-Version: 1.0\r\nDate: Fri, 19 May 2006 07:49:43 GMT\r\nContent-Type: text/html\r\nContent-Length: 1307\r\nExpires: Fri, 19 May 2006 07:49:43 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Digest realm="PrxUSI", nonce="l3htRKATQQiheZ5x", qop="auth", stale=false\r\n\r]

Fourth request, correct login (US01170):

1148025030.781 526 10.182.35.253 TCP_MISS/302 475 GET http://www.google.com/ US01170 DIRECT/66.249.85.104 text/html [Accept: */*\r\nAccept-Language: it\r\nCookie: PREF=ID=72f8a58c6ef30649:TM=1142353686:LM=1142353686:S=-KyqRUkowquuC-y0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization: Digest username="US01170", realm="PrxUSI", qop="auth", algorithm="MD5", uri="/", nonce="u3htRLhJLQh/w38a", nc=00000001, cnonce="8ee6f046d2c4b6f146095942a588039f", response="a0fe96905ac8937ab42804f890f8b452"\r\n] [HTTP/1.0 302 Found\r\nLocation: http://www.google.it/\r\nCache-Control: private\r\nContent-Type: text/html\r\nServer: GWS/2.1\r\nContent-Length: 218\r\nDate: Fri, 19 May 2006 07:50:30 GMT\r\nConnection: Keep-Alive\r\n\r]

Thank you very much for your attention and for your time.

Alberto.
Received on Fri May 19 2006 - 02:30:28 MDT
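As an added example, not Alberto's usi-digest-auth.sh and not Squid's own code: a Python model of the helper exchange described in the message (a username:realm line on stdin, the precalculated H1 or ERR back) together with the RFC 2617 check Squid then performs with that H1, run over the four cases in the log above. The LDAP directory is replaced by a dict holding one constructed account with a made-up password, the nonce and cnonce are taken from the fourth logged request, and the exact helper wire format is an assumption rather than something the message states.

```python
"""Model of an external Squid digest helper and of the proxy-side check.
Added example; the directory, password and helper line format are assumed."""
import hashlib
import hmac
import re

REALM = "PrxUSI"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The precalculated digest the message calls H1: MD5(username:realm:password)."""
    return md5hex(f"{username}:{realm}:{password}")


# Constructed stand-in for the LDAP directory; the password is made up.
DIRECTORY = {"US01170": ha1("US01170", REALM, "example-password")}


def helper(stdin_line: str) -> str:
    """Models usi-digest-auth.sh: one 'username:realm' line in, H1 or 'ERR' out.
    The real helper line format is assumed here, not taken from the message."""
    username, sep, realm = stdin_line.rstrip("\n").partition(":")
    if not sep or not username or realm != REALM:
        return "ERR"
    return DIRECTORY.get(username, "ERR")


_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Turn 'Digest k="v", k=v, ...' (as logged above) into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _FIELD.findall(header[7:])}


def expected_response(h1: str, method: str, p: dict) -> str:
    """RFC 2617 'response' for qop=auth; it needs only H1, never the password."""
    ha2 = md5hex(f"{method}:{p['uri']}")
    return md5hex(f"{h1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def squid_check(method: str, header: str) -> bool:
    """Proxy side: get H1 from the helper, then compare the client's response.
    Nonce issuance and reuse tracking are left out of this model."""
    p = parse_digest(header)
    if p.get("qop") != "auth" or p.get("algorithm", "MD5") != "MD5":
        return False
    h1 = helper(f"{p.get('username', '')}:{p.get('realm', '')}\n")
    if h1 == "ERR":
        return False  # unknown or empty account: Squid answers 407 again
    return hmac.compare_digest(expected_response(h1, method, p), p.get("response", ""))


def client_header(username: str, password: str, nonce: str, cnonce: str,
                  uri: str = "/", method: str = "GET", nc: str = "00000001") -> str:
    """What a browser sends after the 407 challenge, shaped like the logged header."""
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = expected_response(ha1(username, REALM, password), method, p)
    return (f'Digest username="{username}", realm="{REALM}", qop="auth", algorithm="MD5", '
            f'uri="{uri}", nonce="{nonce}", nc={nc}, cnonce="{cnonce}", response="{resp}"')


if __name__ == "__main__":
    nonce, cnonce = "u3htRLhJLQh/w38a", "8ee6f046d2c4b6f146095942a588039f"  # from the log
    for label, hdr in [
        ("empty username", client_header("", "", nonce, cnonce)),
        ("unknown account", client_header("foouser", "x", nonce, cnonce)),
        ("wrong password", client_header("US01170", "wrong", nonce, cnonce)),
        ("correct login", client_header("US01170", "example-password", nonce, cnonce)),
    ]:
        print(f"{label:16s} -> {'pass' if squid_check('GET', hdr) else '407'}")
```

Two things the model makes visible: the value the helper hands back is enough to produce a valid response for this realm, so the LDAP attribute holding H1 and the channel to the helper deserve the same protection as the password itself; and the proxy's verdict depends only on H1 plus the nonce material, which is why the three failing requests above all end in a 407 carrying a fresh nonce while the log's user column stays "-".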

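Also added here, not part of the message: the log_mime_hdrs lines are what make a guessing run visible at all, because on a 407 the access.log user column is "-" and the attempted username only appears inside the bracketed Proxy-Authorization header. This Python snippet parses log lines constructed to mirror the shape of the ones above (long User-Agent and Cookie headers trimmed, one extra client and a few response values made up) and reports a client that reaches a chosen number of 407s carrying a non-empty username inside a time window; the threshold and window are placeholders to tune per site.

```python
"""Flag repeated 407s per client in a Squid native access.log with
log_mime_hdrs on.  Added example; the log lines are constructed."""
import re
from collections import defaultdict, deque

# Constructed lines in the format shown in the message; \r\n appears literally.
SAMPLE_LOG = r"""
1148024924.321 296 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Proxy-Authorization: Digest username="", realm="PrxUSI", qop="auth", uri="/", nonce="U3htREAOQQgz+X10", nc=00000001, response="6d72bf69c588a1c6cdef5f3d81b0c53f"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n\r]
1148024945.939 470 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Proxy-Authorization: Digest username="foouser", realm="PrxUSI", qop="auth", uri="/", nonce="XHhtRPAOQQjS8Fx+", nc=00000001, response="5fdaa2a2a45154678c42020bb0062bf0"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n\r]
1148024983.585 714 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Proxy-Authorization: Digest username="US01170", realm="PrxUSI", qop="auth", uri="/", nonce="cXhtRIgSQQh3KOZo", nc=00000001, response="915786a36b8ab9fcbb6b9d0f57e70dde"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n\r]
1148024990.100 301 10.182.35.253 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Proxy-Authorization: Digest username="US01171", realm="PrxUSI", qop="auth", uri="/", nonce="l3htRKATQQiheZ5x", nc=00000001, response="ffffffffffffffffffffffffffffffff"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n\r]
1148025030.781 526 10.182.35.253 TCP_MISS/302 475 GET http://www.google.com/ US01170 DIRECT/66.249.85.104 text/html [Proxy-Authorization: Digest username="US01170", realm="PrxUSI", qop="auth", uri="/", nonce="u3htRLhJLQh/w38a", nc=00000001, response="a0fe96905ac8937ab42804f890f8b452"\r\n] [HTTP/1.0 302 Found\r\nLocation: http://www.google.it/\r\n\r]
1148025040.000 120 10.182.35.7 TCP_DENIED/407 1726 GET http://www.google.com/ - NONE/- text/html [Proxy-Authorization: Digest username="US01170", realm="PrxUSI", qop="auth", uri="/", nonce="aaaaaaaaaaaaaaaa", nc=00000001, response="00000000000000000000000000000001"\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n\r]
""".strip().splitlines()

# Native format: time elapsed client code/status bytes method url user hier/peer type [req] [rep]
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})\s+\d+\s+"
    r"\S+\s+\S+\s+(?P<user>\S+)\s+\S+\s+\S+\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\]$"
)
USER = re.compile(r'username="([^"]*)"')


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    u = USER.search(rec["req"])
    rec["digest_user"] = u.group(1) if u else None  # None: no credentials offered
    return rec


def find_bursts(lines, threshold=3, window=60.0):
    """Return (client, count, usernames) the first time a client reaches
    `threshold` 407s with a non-empty username within `window` seconds."""
    recent = defaultdict(deque)   # client -> timestamps of failed attempts
    tried = defaultdict(set)      # client -> usernames seen in those attempts
    alerted = set()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != 407 or not rec["digest_user"]:
            continue  # initial challenge (no or empty username) or not an auth failure
        client = rec["client"]
        q = recent[client]
        q.append(rec["ts"])
        tried[client].add(rec["digest_user"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, len(q), sorted(tried[client])))
    return alerts


if __name__ == "__main__":
    for client, count, users in find_bursts(SAMPLE_LOG):
        print(f"{client}: {count} failed digest attempts, usernames {users}")
```

The first line is deliberately not counted: the browser's empty-username probe and Squid's initial challenge both produce a 407, so only 407s that carry a real username are evidence of a guess; the successful 302 shows how the user column is filled only once authentication passes.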