<<< Date Index >>>     <<< Thread Index >>>

RE: SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition



>As a addendum, perhaps, though I wouldn't doubt someone
>might make some nice proof of concept code for this...

Don't mind if I do :)

The following demo will read out your logon name and your logon domain, or
at least it should :)

http://jelmer.homedns.org/test.htm

The url used is http://jelmer%2fwww.jelmer.homedns.org 

The problem is that ie looks at the part before the %2f to determine the
security zone etc but then loads the url in it's entirety, like this

http://jelmer - used to determine the zone
http://jelmer/www.jelmer.homedns.org - loaded

IE treats any url it sees without a period in it such as http://jelmer as
part of the Local Intranet Zone

>From the intranet zone we can easily obtain the logon name because Automatic
logon thru NTLM is enabled by default in the intranet zone.


Code at http://jelmer.homedns.org/code.zip

I excluded the rather large jcifs jar, you can download it from
http://jcifs.samba.org/src/jcifs-0.9.2.jar and place it in the lib folder