
List:       owasp-dotnet
Subject:    [Owasp-dotnet] (IIS Metabase and Security tokens) fw: re: OWASP Conference Demo
From:       "Dinis Cruz" <dinis () ddplus ! net>
Date:       2005-10-14 21:41:29
Message-ID: 5db051bc92244bda942b8d25c58d75fd () ddplus ! net

now without the attachment (since sourceforge is blocking zip files)

----------------------------------------
From: "Dinis Cruz" <dinis@ddplus.net>
Sent: 14 October 2005 17:37
To: Jeremy.W.Long@wellsfargo.com
Subject: re: OWASP Conference Demo 

Hello Jeremy

 Thanks for your kind comments, 

 The tools that I was using to see the tokens and the metabase were the Owasp ANBS
 (Asp.Net Baseline Analyzer) v0.55 which you can download from here:
 http://www.owasp.net/Downloads/tabid/54/Default.aspx (last one on the list).

 Attached is the Proof of Concept for the IIS Security Token Vulnerability which I
 sent to Microsoft more than a year ago.

 You might also find the videos
 (http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Videos.zip)
 and presentations from last year's OWASP conference
 (http://prdownloads.sourceforge.net/owasp/)

 Also read   
  - this thread for more details
    http://sourceforge.net/mailarchive/message.php?msg_id=12291340 and
    http://sourceforge.net/mailarchive/message.php?msg_id=12556189
  - this post http://lists.netsys.com/pipermail/full-disclosure/2004-September/026732.html


 Best regards

 Dinis Cruz
 Owasp .Net Project Leader

----------------------------------------
From: Jeremy.W.Long@wellsfargo.com
Sent: 14 October 2005 16:04
To: dinis@ddplus.net
Subject: OWASP Conference Demo 

Hello,   

I just got back from the OWASP Conference in DC and I wanted to say that your
research on .NET is fascinating - I am looking forward to reading any papers you
publish.  I hope your negotiations with Microsoft go well.

I do have one question for you though - You were using a tool to harvest passwords
and tokens from the IIS Metabase.  What tool were you using and is it available?

Thanks,   

Jeremy Long  
Application Systems Engineer  
Corporate Information Security - Code Review  



