This needs a little introduction...
A guy named SnakE was asking a question in BSRF's IRC channel. It was about an
.htpasswd file that he got, and I sort of carried away... into a mini
lecture...   :-)

@Raven SnakE u got an .htpasswd password?
@Raven so what's not to know?
@Raven ok it's time for a spontaneous mini-lecture
@Raven :-)
@Raven is everyone ready?
*** Joins: Legion (ahhh@AC850B25.ipt.aol.com)
@Raven btw who logged my previous spontaneous mini-lecture?
[r[T]s] and the subject is?
@Raven hi Legion
Legion hello
@Raven r[T]s, http authentication
[r[T]s] kewl
@Raven a few people were asking about it
@Raven so i've decided to run a little lecture
@Raven ok is everyone paying attention?
+SnakE go <Raven> go go
+SnakE :)
[r[T]s] no :-), but as Nike say "Just do it!"
@Raven alright, can anyone log this please?
* r[T]s is logging
@Raven anyone else?
* Legion logging
@Raven btw r[T]s send me the logs after we finish
@Raven barakirs@netvision.net.il
@Raven ok let's go
[r[T]s] k
+SnakE ready
+SnakE :-)
[r[T]s] only its quite ugly in txt ver :(
@Raven alright, sometimes, when u enter a website or a certain section of it, you need to enter a password
@Raven and i'm not talking about javascript passwords
@Raven nor java passwords
@Raven i'm talking about http authentication
@Raven you are presented with a dialog box that asks you for a username and password
@Raven the text in the dialog box depends on your browser
@Raven now, what exactly is happening here?
@Raven when u enter a directory on a webserver (for example: / on www.microsoft.com, or /seti at blacksun.box.sk/seti etc')
+SnakE what??
@Raven ohh btw / is not the real / (as in the root directory) of the system
elad could you hold the lecture 5 minutes i have to walk my dog
@Raven it's just the "webroot" directory
@Raven elad walk him in front of your PC
@Raven :-)
elad (/ is DocumentRoot - assuming you use apache)
elad brb
@Raven anyway when u set up a web server, you tell it which directory it should treat as it's /
@Raven ok anyway, when u enter a directory
@Raven when u enter a directory
@Raven the web server checks for an .htpasswd file
@Raven if there's an .htpasswd file in the directory
@Raven it will not let you in just like that
@Raven the .htpasswd is much like the unix password file
@Raven it uses the same encryption
@Raven and it's formatted in the username:encrypted-password form
@Raven very similar to /etc/passwd on unix
@Raven so if you manage to acquire this file
@Raven u can use a standard unix password cracker, such as cracker jack or john the ripper or crack
@Raven some will ask you to make it look like it's a real password file
@Raven so instead of presenting them with raven:16Jjs05hW3456, you'll have to form it this way:
@Raven username:password:uid:gid:free_text:home_directory:shell
@Raven or just raven:16Jjs05hW3456:a:a:a:a:a
@Raven the password cracker only looks at the first two fields
@Raven any questions so far?
@Raven or can we get to "how to obtain the .htpasswd file" part?
[r[T]s] the content of the .htpasswd file is something like "user:encrypted_pass" ?
@Raven yes
@Raven the crypto is the same that unix uses
@Raven altered DES
Legion does the .htpasswd file contain all the passwords that are used>
@Raven no, only the passwords for HTTP access
[r[T]s] in that specific dir, right?
Legion thats what i meant:)
@Raven it's used to restrict access to directories on the web server
@Raven ohh ok
@Raven r[T]s, yes
@Raven and u can have multiple usernames and passwords
@Raven btw .htpasswd authentication is what most porn sites use
@Raven :-)
@Raven just for your information
@Raven alright, are we ready to continue?
+SnakE yes
[r[T]s] ye
@Raven alright, so now we get to obtaining the .htpasswd file
[r[T]s] > "how to obtain the .htpasswd file" <
[r[T]s] :)
@Raven r[T]s very cute
@Raven ok let's continue
@Raven so basically we'll have to exploit all sorts of server holes
@Raven for example:
@Raven once upon a time there was a very ground-shaking hole in the coldfusion webserver
@Raven a lot of webpages were hacked at that time
@Raven anyway, if i remember correctly, the bug allowed a user to exploit a hole in a cgi script or another sort of script
@Raven and displaying any file he wanted
@Raven just by typing in a url
[r[T]s] something like "showcode.asp" in NT?
+SnakE is`nt front page valuable for such bugs?
@Raven something like (i'm just making this up as an example, i don't really remember it):
blacksun.box.sk/somescript?show=secret_passwords.txt
@Raven SnakE, yes, some versions of frontpage too
@Raven r[T]s, yes, much like the showcode.asp bug
@Raven many webservers have such holes
[r[T]s] kewl kewl
@Raven of course the existence of the hole depends on the version of the webserver
@Raven so basically we need to identify the web server and version
+SnakE Raven do u know where can i find the pwd files if using front_page?
@Raven and search a database such as packetstorm.securify.com
[r[T]s] SnakE; fp has many of _vti_xxx holes, if i'm not mistaken
@Raven SnakE can we get to it later please?
@Raven r[T]s right
@Raven anyway...
@Raven finding the web server type and version is easy
@Raven basically u just do what i explained in the tutorial, uh...
@Raven it was named...
*** Quits: Legion (ahhh@AC850B25.ipt.aol.com) (Ping timeout)
@Raven ok wait a sec lemme check
[r[T]s] telnet to it, maybe? (port 80)
@Raven Extracting Web Server Information using Telnet
@Raven funky name
+SnakE yes
@Raven anyway if you're reading the logs right now and you don't know what to do, read that tutorial
+SnakE :-)
@Raven and after u get this file, u can just crack it
@Raven and viola!! you're in
@Raven that's all for today folks, now can i have the logs? :-)
@Raven barakirs@netvision.net.il
[r[T]s] sure.
[r[T]s] just a sec

Oh, almost forgot to mention... in fact I forgot to mention this during the
lecture, so I'm adding this as a footnote:
Such passwords can also be broken by brute-force password crackers. These
programs submit different passwords, based on a words list, or just by making
up letter/number/symbol combinations. However they are very slow, and it's
very easy to detect such an attack and block your attempts, or even worse -
let you think that you're going wrong even if you got the correct password, so
the average script kiddie would believe that he didn't get the password.
