Introduction to www-authenticate
WWW-Authenticate is an early, simple and effective technique for authenticating users.
Many websites use this simple method to verify that a client's request is valid. It is especially common in embedded devices, for example for router login authentication.
Disadvantage: The credentials are transmitted in cleartext. The user name and password are only encoded with Base64, which is an encoding rather than encryption; decoding is trivial, and codec source code is easy to find online. This method is adequate against ordinary users, but anyone with a little understanding of TCP/IP, HTTP and the verification process can easily recover the user name and password. Its security is therefore weak.
Authentication process:
Step 1: The client's web browser sends an HTTP request to the server based on the information entered by the user. For example, if the user wants to access 192.168.1.1, the browser sends one (or possibly several) web requests to the router.
Step 2: After receiving the request, the router checks whether it contains a header of the form "Authorization: Basic YWRtaW46YWRtaW4=". If no such header is present, the server sends the HTTP header "WWW-Authenticate: Basic realm="."" to the client, requiring the client to send a valid user name and password. (The prompt message displayed when verification fails is also sent together with this header.)
When the client browser receives a header such as "WWW-Authenticate: Basic realm="."", it displays a dialog box asking the user to enter the credentials.
After the user enters User name: admin and Password: admin, the browser sends data to the router in the following format:
"Authorization: Basic YWRtaW46YWRtaW4=" (without the quotation marks). "Authorization: Basic" is the standard HTTP header for www-authenticate authentication, and YWRtaW46YWRtaW4= is the user name and password encoded with Base64. Decoded, it reads admin:admin.
After receiving the request carrying the credentials, the router parses it and extracts the user name and password to check whether they are valid. If both are valid, the page data requested by the user is sent to the client, and the browser renders the received data as the web page. If the credentials are invalid, an error message is returned.
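The exchange described above, as an added example (not code from the original article or from any router firmware): a server-side check that issues the challenge, decodes the Base64 credentials and validates them. The realm value "router", the USERS table and the function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample values: the realm and credential store are assumptions.
REALM = "router"
USERS = {"admin": "admin"}  # the example account used in the text


def decode_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed Base64 or non-UTF-8 bytes
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def handle_request(headers, users=USERS):
    """Mimic the router's decision: return (status, response_headers)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge  # no usable credentials: browser shows its dialog
    user, password = creds
    expected = users.get(user)
    # Constant-time comparison; unknown users are compared against a dummy value.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is not None and ok:
        return 200, {}
    return 401, challenge


if __name__ == "__main__":
    print(handle_request({}))                      # first request: challenge
    token = base64.b64encode(b"admin:admin").decode()
    print("Authorization: Basic " + token)         # what the browser sends
    print(handle_request({"Authorization": "Basic " + token}))
    print(decode_basic("Basic " + token))          # anyone on the path can do this
```

Because the last call recovers the credentials with no key at all, Basic authentication should only be served over TLS.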
Advantages and disadvantages of www-authenticate Authentication
Advantage: With www-authenticate authentication, the server has very little work to do. Parts of the verification process are handled by the client browser, such as deciding whether the user must enter credentials again and displaying the credentials dialog box. The server does not need to implement its own login dialog or similar, nor does it need to check whether the client IP address is the same.
Disadvantage: The verification method is too simple and is easily cracked.