- Intro to Practical Enterprise Pentesting
- Shodan 101
- Web Attacks
Views: 2
Enumeration & Brute Force
Authentication enumeration is a fundamental aspect of security testing, concentrating specifically on the mechanisms that protect sensitive aspects of web applications; this process involves methodically inspecting various authentication components ranging from username validation to password policies and session management. Each of these elements is meticulously tested because they represent potential vulnerabilities that, if exploited, could lead to significant security breaches.
Authentication Enumeration
Useful enumeration
Identifying Valid Usernames
Knowing a valid username lets an attacker focus just on the password. Error messages generated during login or password reset attempt(s) that specify “this account doesn’t exist” or “incorrect password” can hint at valid usernames, making an attacker’s job easier.
Password Policies
The guidelines when creating passwords can provide valuable insights into the complexity of the passwords used in an application.
<?php
$password = $_POST['pass']; // Example1
$pattern = '/^(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).+$/';
if (preg_match($pattern, $password)) {
echo "Password is valid.";
} else {
echo "Password is invalid. It must contain at least one uppercase letter, one number, and one symbol.";
}
?>In the above example, if the supplied password doesn’t satisfy the policy defined in the pattern variable, the application will return an error message revealing the regex code requirement. An attacker might generate a dictionary that satisfies this policy.
Common Places to Enumerate
Registration Pages
If a registration attempt results in a message stating that a username or email is already taken, the application is unwittingly confirming its existence to anyone trying to register. Attackers exploit this feature by testing potential usernames or emails, thus compiling a list of active users without needing direct access to the underlying database.
Password Reset Features
Password reset mechanisms are designed to help users regain access to their accounts by entering their details to receive reset instructions. However, the differences in the application’s response can unintentionally reveal sensitive information. For example, variations in an application’s feedback about whether a username exists can help attackers verify user identities.
Verbose Errors
Verbose error messages during login attempts or other interactive processes can reveal too much. When these messages differentiate between “username not found” and “incorrect password,” they’re intended to help users understand their login issues. However, they also provide attackers with definitive clues about valid usernames, which can be exploited for more targeted attacks.
Data Breach Information
Data from previous security breaches is a goldmine for attackers as it allows them to test whether compromised usernames and passwords are reused across different platforms. If an attacker finds a match, it suggests not only that the username is reused but also potential password recycling, especially if the platform has been breached before.
Enumerating Users via Verbose Errors
Verbose errors can turn into a goldmine of information, providing insights such as:
- Internal Paths: Like a map leading to hidden treasure, these reveal the file paths and directory structures of the application server which might contain configuration files or secret keys that aren’t visible to a normal user.
- Database Details: Offering a sneak peek into the database, these errors might spill secrets like table names and column details.
- User Information: Sometimes, these errors can even hint at usernames or other personal data, providing clues that are crucial for further investigation.
Inducing Verbose Errors
Attackers induce verbose errors as a way to force the application to reveal its secrets. Below are some common techniques used to provoke these errors:
- Invalid Login Attempts: This is like knocking on every door to see which one will open. By intentionally entering incorrect usernames or passwords, attackers can trigger error messages that help distinguish between valid and invalid usernames. For example, entering a username that doesn’t exist might trigger a different error message than entering one that does, revealing which usernames are active.
- SQL Injection: This technique involves slipping malicious SQL commands into entry fields, hoping the system will stumble and reveal information about its database structure. For example, placing a single quote (
') in a login field might cause the database to throw an error, inadvertently exposing details about its schema. - File Inclusion/Path Traversal: By manipulating file paths, attackers can attempt to access restricted files, coaxing the system into errors that reveal internal paths. For example, using directory traversal sequences like
../../could lead to errors that disclose restricted file paths. - Form Manipulation: Tweaking form fields or parameters can trick the application into displaying errors that disclose backend logic or sensitive user information. For example, altering hidden form fields to trigger validation errors might reveal insights into the expected data format or structure.
- Application Fuzzing: Sending unexpected inputs to various parts of the application to see how it reacts can help identify weak points. For example, tools like Burp Suite Intruder are used to automate the process, bombarding the application with varied payloads to see which ones provoke informative errors.