Project 2068/11.1 - ObiWaN


Server responses to ObiWaN attacks

OMNI httpd

The OMNI httpd from Omnicron survived 1982 password attempts. After that number of attempts there were 1989 connections in TIME_WAIT and it was no longer possible to connect to the site at all. Shutting the server down and restarting it did not help: the NT box was dead for port 80, so the brute-force run had turned into a denial of service against the web service itself. NT became very slow whenever "netstat" was called. Everything else kept running, but a restart of the entire NT box was necessary.

Xitami Webserver 2.4

Xitami is a really nice free web server. It survived all tests and the speed was OK (though Apache was faster for all users). ObiWaN was able to find the passwords even in long test series; the response times were lower than Apache's. Logging may be a problem, but it was not tested. A log file cycle can only be configured at each restart.
A real security problem here: if you try to break into a Xitami server, use a NULL string (no character, not a blank, nothing at all) as the username. Possibly a single "super-mega-password" has been set up for this Xitami; if you can break this password, everything is open to you. If you can't, use the URI /admin/. If it is enabled and you find the username/password, you can reconfigure all servers and see all usernames and passwords in cleartext!
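The two observations above, the empty username against Xitami and the TIME_WAIT pile-up on OMNI httpd, both come down to details that are easy to get wrong by hand. The following Python helpers are an added example written for this page; they are not part of ObiWaN and not taken from any of the servers discussed. They show how an HTTP Basic credential with an empty username is actually encoded on the wire (the credential is just ":" followed by the password), build the raw request for the /admin/ URI mentioned above, and count TIME_WAIT sockets on a given port from netstat output so an operator or tester can see the OMNI-style exhaustion coming. The host 10.0.0.5, the peer addresses and the netstat listing are constructed sample data, not captures from the tests.

```python
"""Added example for the ObiWaN results page: Basic-auth encoding with an
empty username, raw request construction, and a TIME_WAIT counter over
netstat output. Example code, not ObiWaN's own implementation."""
import base64
import http.client


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials: base64(username ':' password).
    An empty username is legal: the encoded token is then base64(':' + password),
    which is the NULL-username case described for Xitami."""
    token = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(token).decode("ascii")


def build_request(host: str, path: str, username: str, password: str) -> bytes:
    """Raw HTTP/1.0 request as it would go on the wire, for inspection."""
    lines = [
        f"GET {path} HTTP/1.0",
        f"Host: {host}",
        f"Authorization: {basic_auth_header(username, password)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def try_password(host, port, path, username, password, timeout=5.0):
    """One live attempt over a fresh TCP connection (as a simple brute-forcer
    would do). Returns the HTTP status code, or None when the connection fails,
    which is what happens once the target has no free sockets left.
    Network code; not exercised offline."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path,
                     headers={"Authorization": basic_auth_header(username, password)})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def count_time_wait(netstat_output: str, port: int) -> int:
    """Count TCP sockets in TIME_WAIT whose local port is `port`.
    Handles both the Windows NT and the Linux layouts of 'netstat -an':
    the protocol is the first field, the state the last, and the local
    address is the first field after the protocol containing a colon."""
    n = 0
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        state = fields[-1]
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except ValueError:
            continue
        if state == "TIME_WAIT" and local_port == port:
            n += 1
    return n


# Constructed sample in the Windows NT 'netstat -an' layout (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            10.0.0.9:1034          TIME_WAIT
  TCP    10.0.0.5:80            10.0.0.9:1035          TIME_WAIT
  TCP    10.0.0.5:80            10.0.0.9:1036          ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.7:1500          TIME_WAIT
  UDP    10.0.0.5:137           *:*
"""


if __name__ == "__main__":
    # Empty username: the wire token is base64(':secret').
    print(basic_auth_header("", "secret"))
    print(build_request("10.0.0.5", "/admin/", "", "secret").decode())
    print("TIME_WAIT on :80 ->", count_time_wait(SAMPLE_NETSTAT, 80))
```

Running `count_time_wait` over the real `netstat -an` output of the target (or of the attacking host, which burns one ephemeral port per attempt the same way) gives a number to watch during a long series; in the OMNI case the server stopped accepting connections once that count was close to two thousand. Because `try_password` opens a new connection per attempt, it reproduces exactly the socket usage that caused it.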