Section 6.6 Authentication Attacks

As you study this section, answer the following questions:

  • How can hackers use password spraying attacks?
  • How can hackers use credential stuffing attacks?
  • How can you protect your systems from these kinds of attacks?
  • How can you identify if you are the victim of one of these attacks?

In this section, you will learn to:

  • Perform a DHCP spoofing on-path attack
  • Analyze a DHCP spoofing on-path attack
  • Analyze HTTP POST packets with Wireshark

The key terms for this section include:

Key Terms and Definitions

Key Terms and Definitions
Term Definition
Security challengesChanges in the way people use networks, such as bring your own device (BYOD), cloud computing, working from home, and social networking, have complicated protecting a network against security threats.
Password sprayingA variant of the brute-force password attack where the same password is tried (sprayed) on multiple accounts.
Credential stuffingA type of attack where a hacker breaks into one account and then tries that same password on other accounts the user owns.
Signs of compromiseIndicators that can alert you that your accounts have been compromised, such as unusual network traffic, privileged users performing unusual tasks, connections from unusual geographic locations, a spike in read volume, and registry changes.
Best practicesRecommended actions to protect accounts, such as using strong and unique passwords, avoiding suspicious links, and setting up multi-factor authentication.
Broken access controlA type of security vulnerability that occurs when a system fails to restrict or limit access to authorized users appropriately, allowing unauthorized users to gain access to sensitive or confidential information, modify or delete data, or perform other unauthorized actions.

This section helps you prepare for the following certification exam objectives:

Exam Objective
CompTIA CySA+ CS0-0031.1 Explain the importance of system and network architecture concepts in security operations
  • Network architecture
    • Cloud

1.2 Given a scenario, analyze indicators of potentially malicious activity

  • Network-related
    • Irregular peer-to-peer communication
    • Scans/sweep
  • Application-related

1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity

  • Tools
    • Packet capture
      • Wireshark
    • Domain Name System (DNS) and Internet Protocol (IP) reputation

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

  • Threat hunting
    • Indicators of compromise (IoCs)

2.2 Given a scenario, analyze output from vulnerability assessment tools

  • Tools
    • Network scanning and mapping

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities

  • Cross-site scripting
  • Data poisoning
  • Broken access control
  • Identification and authentication failures

2.5 Explain concepts related to vulnerability response, handling, and management

  • Secure coding best practices
    • Session management
TestOut CyberDefense Pro4.3 Analyze indicators of compromise
  • Investigate networks for any signs of compromise

5.1 Implement identity and access management (IAM)

  • Administer user accounts

6.6.1 Identity and Access Management Threats Overview

Click one of the buttons to take you to that part of the video.

Identity and Access Management Threats 00:00-00:30 If a criminal wanted to rob a bank, it would be incredibly easy if he or she could disguise themselves as the bank manager. They could then walk right in and do whatever they wanted without anyone getting suspicious—at least at first.

That's exactly what hackers try to do when they attack a company's identity and access management systems. If they can fool the system into thinking that they're the boss, they basically have free reign of the place.

Security Complications 00:30-01:05 Protecting against security threats is becoming more complicated all the time. With the addition of social networking platforms and cloud computing, there are more things than ever that need protection. More and more people are working from remote locations, which means companies have to find ways to protect their identity and access credentials even when their employees aren't in the office.

Hackers can also be very resilient. If one kind of attack doesn't work, there's always another for them to try until something gives. Their toolbox contains a variety of attacks that you should know about so you can take preventative measures.

Password Spraying 01:05-01:42 One kind of attack is called password spraying. This is a kind of brute-force attack where a hacker tries guessing a user's password multiple times in a short length of time. These attacks can often be prevented by common security countermeasures, such as locking out a user who gets the wrong password a certain number of times.

In a password-spraying attack, the hacker sprays the same password over multiple accounts, one after the other, to see if he or she can hack into any of them. If none of these work, they try the next password. They often use common passwords to take advantage of those who don't create strong enough ones.

Credential Stuffing 01:42-02:17 Another tool in their box is called credential stuffing. First, the hacker has to get their hands on large collection of usernames and passwords, perhaps from hacking another large corporation or site. Then they use these same usernames and passwords on a variety of other sites. This is often possible because people use the same usernames and passwords for many different sites. Many people don't change their passwords too often, either. This means that even old information can be useful for credential stuffing. Even though only one site was compromised at first, now accounts from all of the internet can be broken into.

Signs of Compromise 02:17-03:09 One of the best ways to detect a breach is to use a security logging platform. This tracks login attempts and shows patterns of multiple failed logins. If you see someone trying to log in too many times or across multiple accounts, you may have a password-spraying attack on your hands.

There are many other signs that can indicate that your network has been compromised. It's a good idea to learn to spot these signs quickly. Warning signs include:

Unusual network traffic leaving your network

Privileged users are acting strangely

Logins from unusual geographical locations

Huge spikes in your database's read volume

Suspicious registry changes

These aren't the only warning signs, but any of these are possible red flags that mean you need to investigate right away. The sooner you spot a breach, the more likely you are to contain the damage.

Best Safety Practices 03:09-04:05 There are many things you can do to keep your network from being compromised. You can make sure to use strong passwords for your account. These often include uppercase and lowercase letters, numbers, and special characters to make them more complex. It's also a good idea to have unique passwords for different accounts that you use so that it's harder to hack multiple accounts at once.

It's also a good idea to avoid clicking on links in emails from senders who you don't know. Hackers often try to create an official-looking email from a major company to fool you into clicking on a link that installs malware on your computer.

You might also consider setting up multi-factor authentication, or MFA. This means that those logging into their accounts have to take more than one step to sign in. For example, they enter a password and then have to enter a code that's sent to their email. This makes it much harder to hack an account.

Summary 04:05-04:41 That's it for this lesson. To recap, hackers have all sorts of tools to attack systems. These include password spraying, which is a certain kind of brute-force attack, and credential stuffing, which allows the hacker to gain access to multiple sites. Network admins should be on the lookout for warning signs, such as high read database values and logins from strange locations. They should also work to prevent such attacks by training users to create strong passwords, use multi-factor identification, and avoid suspicious-looking emails.

6.6.2 Identity and Access Management Threats Facts

This lesson covers the following topics:

  • Security challenges
  • Signs of compromise
  • Best practices
  • Broken access control

Security Challenges

Over time, changes in the way people use networks, such as bring your own device (BYOD), cloud computing, working from home, and social networking, have complicated protecting a network against security threats. Organizations must find ways to protect identity and access credentials inside and outside the office. Security professionals must also anticipate and prepare for new ways of conducting business.

Hackers are innovative, and if one attack does not work, there are various other types of attacks to try. A couple of types of attacks that security professionals should be aware of are the following:

Password spraying is a variant of the brute-force password attack. In a brute-force attack, a hacker tries all possible passwords for an account in a short amount of time. With password spraying, the same password is tried (sprayed) on multiple accounts. If the password does not work on any account, a new password is tried on the accounts.

In credential stuffing , a hacker breaks into one account and then tries that same password on other accounts the user owns. Unlike credential cracking, the attacker automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools like Selenium, cURL, or PhantomJS. This type of attack is successful because many users reuse the same username/password combination across multiple sites.

Signs of Compromise

There are many signs that can alert you that your accounts have been compromised. Look for the following:

  • Unusual network traffic
  • Privileged users performing unusual tasks or acting strangely
  • Connections from unusual geographic locations
  • A spike in read volume
  • Registry changes

Best Practices

To protect accounts, consider using the following best practices:

  • Use strong passwords
  • Use unique passwords
  • Avoid suspicious links
  • Set up multi-factor authentication

Broken Access Control

Broken access control is a type of security vulnerability that occurs when a system fails to restrict or limit access to authorized users appropriately. This vulnerability allows unauthorized users to gain access to sensitive or confidential information, modify or delete data, or perform other unauthorized actions.

Access control mechanisms should ensure that users can only access resources they have permission to access. For example, a web application may have different user roles, such as "administrator" and "customer," and access control rules are designed to support these roles by limiting the data and functions available to each.

When these access control mechanisms are not implemented correctly or can be bypassed, attackers may be able to exploit the application and gain unauthorized access to the application's configuration, the data it has access to, or the systems it accesses as part of its operation but unseen to non-administrative users. For example, if an attacker guesses or steals an authorized user's credentials or the system allows for direct object references, an attacker can modify a URL (or other references) to specify a resource they should not be able to access.

Broken access control is a common vulnerability that can have severe consequences. Implementing access controls properly and regularly testing for vulnerabilities to mitigate the risk of exploitation is essential.

6.6.3 Client-Side and Network Attacks

Click one of the buttons to take you to that part of the video.

Client-Side and Network Attacks 00:00-00:12 Session hijacking can occur on the higher-level protocols of the Application layer or the TCP/UDP protocols on the Network layer.

Application-Level Attacks 00:12-00:36 Let's talk about the application-level attacks first. At the Application level, the session ID lets the server knows who it's communicating with. This permits the user to progress to a different page on a website without having to log in again.

It would be hard for a company to keep people browsing their site for long if a user had to log in every time they wanted to look at another product or read a different article.

Obtaining Session IDs 00:36-01:02 Attackers can hijack the sessions by capturing the session IDs through sniffing or calculating them with gathered information and algorithms. Session IDs can also be captured through an on-path attack. These attacks can be at the network level or in the browser.

First let's look at the on-path browser attack. The two most common forms of this attack are cross-site scripting, or XSS, and session fixation.

Cross-Site Scripting 01:02-03:14 Cross-site scripting is an attack that involves injecting malicious Java, Flash, or HTML scripts into web application code on trusted websites. Attackers can do this when the web application allows user input, and the code doesn't validate the entered information. Lacking validation checks essentially opens the door for attackers to insert their own code. Two common forms of cross-site scripting are stored and reflected. A stored cross-site scripting, or persistent XSS, attack is dangerous because it targets web applications that allow users to store data on the site for other users to retrieve.

For example, Bob wants to sell his house and purchase a home out in the country. Bob has heard about a web application that has some great reviews, and he decides to give it a try. After he creates an account, the application prompts him to enter a description of the property he currently owns and wants to sell, so he does. He uploads a picture and writes a description. He decides to uses some HTML tags to bold a few words for emphasis. He submits his listing before he goes to work for the day.

A few hours later, Brutus decides to try to hack into this site. He starts by reviewing the posted listings. He notices the bolded words in Bob's listing, which tells him that HTML tags may be enabled on the user end. Brutus enters his own listing to see of he can exploit this opportunity. He creates an account, enters a description of a property, and then adds a script, which will email him a copy of the cookie information for any user who looks at his ad. This cookie information will contain that user's session ID. Brutus posts his listing on the website and waits for someone to view it.

Later that evening, Bob decides to start looking for houses in the country. He sees the two-bedroom ranch in the country and clicks on the listing. As soon as he does, the malicious code reads Bob's cookie and immediately shares it to Brutus's email.

Now Brutus can load Bob's cookie into his own browser. He can impersonate Bob and gather any personal information Bob had entered in his profile on the site – including his address and credit card information. And Bob has no idea this just happened.

Reflected Cross-Site Scripting 03:14-04:07 On the other hand, a reflected cross-site scripting attack, or non-persistent XSS attack, is simpler and more common than the stored XSS attack. In a reflected attack, an attacker finds a trusted site that has flaws in its input validation. Then the attacker injects code through a URL, such as in a form, in an email, or in a link from the attacker's site to the trusted site. The attack executes when a user clicks the link. The form, email, or link returns a response that contains the malicious code. Most sites use scripting to function, so the browser will probably allow the trusted site to run its scripts and unknowingly execute the malicious script with the same permission level as it would give the trusted site. This attack can result in capturing the user's cookie and personal information or even install malware on the user's computer.

Session Fixation 04:07-04:57 Session fixation is similar to stored cross-site scripting attacks, except that they target websites where session IDs are provided in the hyperlink.

Let's return to the example of Bob and Brutus. Now that Brutus knows Bob's email address, he wants to see what other information he can gather, so he finds a website that includes session IDs in the hyperlink and sends Bob an email advertisement for a beautiful house in the country. Instead of directing Bob directly to the website, he's manipulated the hyperlink so it's connected to a specific session ID. Once Bob clicks on the URL, the website prompts him for a login, and he enters his login information, aligning his credentials with that session ID. Now, if Brutus opens the same URL with the same session ID Bob is using, he can access Bob's live, authenticated session.

Client-Side Attacks 04:57-05:37 These cross-site scripting attacks are considered a client-side attack because even though the attacker first manipulated the application on the server, each exploit was directed at the user on the client side of the application.

Another form of client-side attack that is often overlooked by software developers is sniffing for session IDs in embedded applications.

Software developers can implement strict security policies for their web applications, but may not think to put the same level of security on the embedded applications. Embedded applications can be forgotten because they run on a dedicated hardware platform, usually with only one purpose that is secondary to the main web application it's embedded in.

Network Attacks 05:37-06:15 Now that we've learned a bit about application-level hijacking, let's move on to network attacks such as TCP and UDP hijacking, DNS spoofing, and on-path attacks.

As the name suggests, TCP/IP session hijacking is an attack on a TCP session.

TCP hijacking follows the same basic session hijacking steps as other attacks, where the attacker sniffs the traffic between two machines, monitors the traffic to gain information to help them predict the packet sequence numbers, terminates the connection to the target machine through at denial-of-service attack, and then injects packets to the server as if the attacker is the authentic client.

UDP Hijacking 06:15-06:48 Unlike TCP, UPD is a connectionless protocol. In other words, there isn't a verified connection between the server, or host machine, and the client. Because of this, the attacker doesn't need to predict a packet sequence. Instead, the attacker just convinces the victim that he is the server. He does this by sending a response to the client before the server does, taking over the server's role. Given UDP's high level of vulnerability and the low number of error recovery options, it's primarily used for DNS queries and network broadcast messages.

DNS Spoofing 06:48-07:27 DNS spoofing, also known as DNS cache poisoning, targets Active Directory or other DNS-reliant networks. In DNS spoofing, an attacker alters the DNS server in a way that will redirect traffic to a malicious website that can gather sensitive information about a user or that can install malware on the target machine.

As you can see in this example, the target client sends a request to access a website and is usually granted access based on the DNS information available on the server. However, once the attacker injects alternate, malicious information into the DNS server, the target is redirected to the malicious website.

Network On-Path Attack 07:27-07:52 Another well-known attack is the on-path attack, once known as a man-in-the-middle attack. This attack starts with the attacker sniffing traffic between the target machine and the server or the host machine. Then he uses ARP poisoning to strategically redirect communication through his machine. At this point, he can forward manipulated and potentially malicious traffic to either the victim or the host machine.

Summary 07:52-08:16 That's it for this lesson. In this video, we talked about application-level session hijacking, such as stored and reflected cross-site scripting and session fixation attacks. We also talked about network-level session hijacking such as TCP and UDP attacks, DNS spoofing, and on-path attacks.

6.6.4 Client-Side and Network Attack Facts

This lesson covers the following topics:

  • Application-level hijacking
  • Network-level hijacking

Application-Level Hijacking

At the application level, the session ID identifies the client to the server. This permits the user to go to different pages on a website without being required to log in on each page. Session IDs can be found in various places.

Several methods are available for an attacker to obtain the session ID from an application:

Attack Method Description
Stored cross-site scripting attackIn a stored cross-site scripting attack, an attacker injects malicious Java, HTML, or Flash scripts into web application code on trusted websites. This type of attack:
  • Is also known as persistent XSS.
  • Targets web applications that allow users to store data on the site for other users to retrieve.
  • Only works if the application lacks input validation checks and sanitizing.
  • Is considered a client-side attack.
Reflected cross-site scripting attackIn a reflected cross-site scripting attack, an attacker injects malicious Java, HTML, or Flash scripts into web application code on trusted websites. Key facts regarding this type of attack are:
  • It is also known as non-persistent XSS.
  • It only works if the application lacks input validation checks and sanitizing.
  • Browsers generally allow the trusted site to run scripts even if a malicious script has been added.
  • The attack can result in:
    • Captured user cookies.
    • Captured personal information.
    • Malware installation on the target's computer.
The attack takes place as follows:
  • The attacker gets the target to click on a link that appears to be legitimate but sends the user to a malicious website. Typically the attacker places the link:
    • In a form.
    • In an email.
    • On a trusted site.
  • The attack executes when a user clicks the link.
  • The malicious site returns a response that contains the malicious code.
Session fixation attackThe session fixation attack focuses on websites where session IDs are provided in the hyperlink. In this type of attack:
  • A URL with a session ID already embedded in it is sent to the target.
  • If a user logs in using this URL, the log-in credentials become aligned with the session ID.
  • A successful attack provides the attacker with the same level of access as the target.
Embedded application attackIn an embedded application attack, an attacker sniffs an embedded application to find a session ID. Embedded applications often have weaker security in place and can be an easy target for attackers.

Network-Level Hijacking

The following table lists several methods for hijacking session IDs at the network level.

Attack Method Description
TCP/IP session hijackingTCP/IP is a connection-based protocol. A TCP/IP session hijacking attack follows these basic hijacking steps:
  • Traffic sniffing between two machines.
  • Traffic monitoring for information to calculate the session ID or to capture the session ID.
  • Termination of the target computer's connection to the session through a denial-of-service attack.
  • Injection of packets to the server as if the attacker is the authentic client.
UDP session hijackingIn an attack on a UDP session, the attacker returns a response to the target before the server does. The attacker appears as the server to the target. Keep in mind that UDP:
  • Is a connectionless-based protocol.
  • Does not sequence packets.
  • Is primarily used for DNS queries and network broadcast messages.
DNS spoofingDNS spoofing is an attack in which the DNS server is altered to redirect traffic to a malicious website. Keep in mind a DNS spoofing attack:
  • Is also known as DNS cache poisoning.
  • Gathers sensitive data about a target.
  • Can install malware on the target machine.
  • Targets Active Directory and other DNS-reliant networks.
Network on-path attackA network on-path attack is also known as a man-in-the-middle attack. In a network on-path attack:
  • An attacker sniffs traffic between a target machine and a server or the host machine.
  • ARP poisoning is used to redirect communication through the attacker's machine.
  • The attacker can then forward manipulated, malicious traffic to the target or the host machine.

6.6.5 Perform an On-Path DHCP Attack

Click one of the buttons to take you to that part of the video.

On-Path Attack 00:00-00:34 On-path attacks come in many different forms. You have on-path attacks that spoof ARP and those that spoof the DNS, just to name a few. In this demo, we'll illustrate how to place yourself between a victim and the default gateway to capture traffic. We'll use Ettercap to spoof the default gateway when a victim machine tries to get an IP address from a DHCP server. Before diving in, I want to point out that on-path attacks used to be referred to as man-in-the-middle attacks, but now, on-path attacks is the preferred term.

Scan Subnet with Zenmap 00:34-02:14 I'll first scan my subnet to see what hosts are connected and identify my router. I'm going to do that by using a program called Zenmap. Zenmap is just a GUI version of the command line tool Nmap. If I come up to Applications, down to Information Gathering, and then come over here to the bottom, I'll see zenmap. I'll go ahead and open it up.

The first thing I want to do here is scan the subnet. I know that address, so I'll type in 10.10.10.0/24, the 24 representing the subnet mask. I don't want to do an Intense scan. With Zenmap, you can run some predetermined scans. I'll pick Quick Scan for this. Something cool about Zenmap is that it will enter the command over here. This is the command you'd use if you were using Nmap in the terminal. Now I'll come over and click on Scan.

All right, Zenmap went out, scanned my subnet, and finished up. I see my different machines down here, in this pane. I see the computer names, the domain it belongs to, and the IP address for each machine. I need the router IP and the victim machine's IP. Up here, I see that this one is named router, and the IP address is 10.10.10.1. That one was pretty easy. For the victim machine, I'm interested in this one, PC-12, with the IP address ending in 196. This is the machine that we're going after.

Finally, the machine I'm using to do the attack is this one, with the IP ending in 197. We need to remember all these IPs for later: this one that ends with the number 1, the one ending in 196, and the one we just looked at. We're done with Zenmap, so I'll close it.

Start Spoofing 02:14-03:18 Now we're ready to start spoofing. I'll do that with Ettercap. I'll go up to Applications, down to Sniffing & Spoofing, then to ettercap. After Ettercap opens, I'll go to the Sniff tab and select Unified Sniffing. I'll leave the network interface as eth0 and click OK. Now I'll go to Mitm and select DHCP spoofing from the list.

When the dialog box opens, I'll just leave the IP Pool empty. You can see it says optional here. If I wanted, I could put in my own range of IPs that I'd want my victim to grab. But we don't have to do that. I'll put in the netmask for the subnet, and that's 255.255.255.0. Now I'll put in the DNS server info. In my case, it's the same as the default gateway, 10.10.10.1. This is what the DHCP server is giving out. It'll be a point of interest as we proceed. Click OK. Down here, it says that DHCP spoofing is running. All right. Now, let's go over to a Windows machine. This is the victim machine.

The Windows Victim 03:18-04:27 I'm going to open an elevated command prompt here. I'll say Yes to the user access control. I'll do a quick ipconfig. I can confirm that I'm on the right machine because we have the IP ending in 196. But check out the Default Gateway—it's 10.10.10.1.

If I come here and do ipconfig /release and then ipconfig /renew, we now have a new Default Gateway, 10.10.10.197. What's happened here is that the Kali Linux machine has put itself in the middle, and all my traffic is going through there before going out to the internet.

Let's open a website here and enter some credentials. These aren't the real credentials for this site, but it doesn't matter. I just want to see if I'm capturing traffic and data. Let's return to the Kali Linux system and see what's happening with Ettercap.

Verify that Attack is Working 04:27-04:37 I'm back to my Kali Linux system. Looking down here, you can see that Ettercap captured the username and password I entered on the WordPress site from the victim Windows machine.

Recognize Spoofing with Wireshark 04:37-05:06 Let's look at one more thing before we move on. I'll open Wireshark and see if there's any way, we can figure out that our DHCP is being spoofed on our network. I'm sure there are many ways to figure this out, and Wireshark is just one of them.

I'll go to Applications, Spoofing & Sniffing, and then open wireshark. I see that eth0 is right here, so I'll click the shark fin to capture data. Now, we'll return to the victim Windows machine for a minute.

Renew IP Addresses on Windows 05:06-05:29 Let's create some DHCP traffic to look at on Wireshark. I'll come down and type cmd, right-click, and run the command prompt as an administrator. I'll say Yes to the UAC and type in ipconfig /release and ipconfig /renew. Once again, I have the gateway ending in 197. Let's go back to Kali Linux.

Wireshark DHCP Results 05:29-06:26 All right. I'm back on the Kali Linux machine. There's a bunch of stuff being captured. I'm only interested in the DHCP traffic, so I'll use a filter, type in bootp up here, and press Enter.

That narrowed things down. I'm interested in this one right here. It's a DHCP acknowledgment, and I have my source IP. This was captured when we obtained a new IP from the victim machine. I have it highlighted, and I'll move down here. Let me expand this out a bit. I'm going to come down here. You can see where it says, "Option: (3) Router." I'll expand this out, and you can see that the router IP is 10.10.10.197, which is the spoofed IP address, the IP of the Kali Linux machine. So, if I'm the system or security administrator for this network, I know something is going on, and that is this IP ending in 197 is replacing my real gateway, or router, of 10.10.10.1. It's not necessarily easy to detect, but with the right tools, it's possible.

Summary 06:26-06:50 That's it for this demo. In this demo, we used Ettercap to create an on-path attack by spoofing the default gateway when systems obtained their IP address information from the DHCP server. Then we confirmed that the victim's gateway was spoofed and verified with Wireshark and that the default gateway was, indeed, changed during the DHCP process.

Last Updated: