Section 18: Authentication Attacks

Authentication Attacks: Tools and Techniques

This section covers the tools and techniques used in authentication attacks: attacks on the mechanisms that verify a user's identity, carried out to gain unauthorized access to systems and data. The focus is on weaknesses in password management, authentication protocols, and identity verification methods.

Objectives

The section centers on Domain 4, Attacks and Exploits, specifically objectives 4.2, 4.3, and 4.5:

  • Objective 4.2: Perform network attacks using appropriate tools.

  • Objective 4.3: Perform authentication attacks using appropriate tools.

  • Objective 4.5: Perform web application attacks using appropriate tools.

Password Attacks

Discusses methods to compromise passwords, including brute force, dictionary attacks, and keylogging.

Hands-On Demo

Showcases password cracking tools like John the Ripper and Hashcat.

Password Spraying

Discusses how attackers attempt to access a large number of accounts with a few commonly used passwords.

Password Masking Attack

Explores techniques that manipulate password input fields to trick users into revealing their passwords.

Credential Stuffing Attacks

Involves automated injection of breached username and password pairs to gain access to user accounts.

Credential Passing Attacks

Examines methods such as pass the hash or pass the ticket attacks.

Multi-Factor Authentication (MFA) Fatigue

Explains how attackers bypass MFA by bombarding users with authentication requests until they approve an access attempt.

Directory Service Attacks

Focuses on attacks against directory services like Kerberos or Active Directory.

Demo using CrackMapExec (CME)

Provides insights into the tool's ability to automate the assessment of the security posture of a network system.

Security Assertion Markup Language (SAML) Exploitation

Demonstrates how attackers exploit vulnerabilities in SAML single sign-on processes for unauthorized access.

OpenID Connect (OIDC) Exploitation

Explores weaknesses in OIDC implementations that can be used to impersonate users or steal sensitive information.

Hash Attacks

Details methods to exploit poorly implemented hash functions used for storing passwords, potentially revealing user credentials using collision techniques.

Password Attack Types

  • Brute Force Attacks

  • Dictionary Attacks

  • Hybrid Attacks

  • Rainbow Table Attacks

Brute Force Attacks

Every possible combination of characters is tried until the correct password is found.

Example using Hydra:
hydra -l jkelly -x 4:8:a-z:1-9 ssh://192.168.1.100

  • -l jkelly: specifies the username as jkelly.

  • -x 4:8:a-z:1-9: specifies the generator: passwords of length 4 to 8 using the characters a-z and the digits 1-9. Note that Hydra's own charset notation uses the letters a (lowercase), A (uppercase) and 1 (digits), so the intended generator is written -x 4:8:a1 in Hydra's syntax.

Dictionary Attacks

Uses a predefined list of words against the password.

Example using John the Ripper:
john --wordlist=/path/to/wordlist --rules --format=ftp

Hybrid Attacks

Combines brute force and dictionary attacks by adding variations to dictionary words.

Example using John the Ripper:
john --wordlist=/path/to/wordlist --rules --format=md5

Rainbow Table Attacks

Uses precomputed tables of password hashes and their corresponding plaintext passwords to crack captured hashes; they only work when the hashes are unsalted, because a salt makes every stored hash unique.

Example using Hashcat:
hashcat -m 0 -a 3 -o cracked.txt hash.txt rainbow_table.txt

  • -m 0: specifies the MD5 hash type.

  • -a 3: specifies the brute-force attack mode.

  • -o: output file name that stores cracked passwords.
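The brute force, dictionary and rainbow table attacks above all depend on how the password was stored. The following added example (not part of the course material) contrasts the two storage schemes with constructed sample accounts and a constructed mini wordlist: a bare MD5 hash, where one precomputed lookup recovers every account that reused a password, and a salted, slow PBKDF2-HMAC-SHA256 record, where identical passwords produce different digests and each guess costs a full KDF run. The user names, passwords and iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share a password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}
# Constructed mini wordlist standing in for a precomputed lookup/rainbow table.
WORDLIST = ["password", "Winter2023!", "Summer2024!", "letmein"]


def unsalted_md5(password: str) -> str:
    """Legacy storage: bare MD5 of the password (hashcat mode 0)."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_table_hits(stored: dict, wordlist: list) -> dict:
    """Apply a precomputed hash->plaintext table to a dump of unsalted hashes.
    One table entry recovers every account that used that password."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: random per-user salt plus a deliberately slow KDF.
    The iteration count is an assumption for the demo; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def demo_unsalted() -> dict:
    """Both accounts fall to a single precomputed table entry."""
    stored = {user: unsalted_md5(pw) for user, pw in USERS.items()}
    return lookup_table_hits(stored, WORDLIST)


def demo_salted() -> dict:
    """Same passwords, different digests; no precomputed table applies."""
    records = {user: pbkdf2_record(pw) for user, pw in USERS.items()}
    return {
        "same_password_same_digest": records["alice"]["digest"] == records["bob"]["digest"],
        "correct_password_verifies": verify_pbkdf2(records["alice"], "Summer2024!"),
        "wrong_password_rejected": verify_pbkdf2(records["alice"], "Winter2023!"),
    }


if __name__ == "__main__":
    print("unsalted MD5 lookup hits:", demo_unsalted())
    print("salted PBKDF2 checks:", demo_salted())
```

The point for a defender: a table attack costs nothing per account once the table exists, while a salted slow hash forces the attacker to spend the full iteration count on every guess for every account separately.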

Password and Authentication Methods

  • Password Spraying

  • Password Masking Attacks

  • Credential Stuffing Attacks

  • MFA Fatigue

Password Spraying

Tries a few common passwords across many accounts.

Example using CrackMapExec:
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Summer2024!'

  • smb: specifies the SMB protocol.

  • 192.168.1.0/24: specifies the IP range.

  • -u users.txt: specifies the file containing the usernames to try.

  • -p 'Summer2024!': specifies the password to try.

Password Masking Attacks

Generates candidate passwords that follow a specific pattern (a mask), such as one uppercase letter, several lowercase letters, two digits and a symbol, which is how many users satisfy a complexity policy.

Example using Hashcat:
hashcat -a 3 -m 0 hashfile.txt ?u?l?l?l?l?d?d!

  • -a 3: specifies a mask attack.

  • -m 0: specifies the MD5 hash type.

  • ?u: uppercase.

  • ?l: lowercase.

  • ?d: digit.

  • ?s: special character.
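To see why a pattern password is weak even when it satisfies a complexity policy, it helps to count how many candidates a mask actually covers. This added example (not from the course) parses a hashcat-style mask using hashcat's built-in charset sizes (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?b 256) and reports the keyspace and the time to exhaust it at an assumed hash rate; the rate figure is an assumption, not a measurement.

```python
# Hashcat built-in charsets and their sizes (?a is ?l + ?u + ?d + ?s).
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95, "?b": 256}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask generates.
    '?x' is a charset placeholder, '??' a literal '?', any other character a literal."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if token == "??":
                pass  # literal question mark: one choice
            elif token in CHARSETS:
                total *= CHARSETS[token]
            else:
                raise ValueError(f"unknown charset token {token!r} at position {i}")
            i += 2
        else:
            i += 1  # literal character: one choice
    return total


def hours_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return mask_keyspace(mask) / hashes_per_second / 3600


if __name__ == "__main__":
    # Assumed rate for an unsalted fast hash on a single GPU (illustrative only).
    rate = 1e9
    for mask in ["?u?l?l?l?l?d?d!", "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a"]:
        print(f"{mask:24s} {mask_keyspace(mask):>22,d} candidates "
              f"{hours_to_exhaust(mask, rate):>14.2f} hours")
```

The eight-character pattern from the Hashcat example is about 1.19 billion candidates, a matter of seconds for a fast unsalted hash, while a full eight-character ?a mask is about 6.6 quadrillion and a twelve-character one is out of reach; length and unpredictability matter more than the mix of character classes.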

Credential Stuffing

Uses breached username and password pairs to gain unauthorized access.

Example using Hydra:
hydra -L usernames.txt -P passwords.txt http-post-form '/login.php:username=^USER^&password=^PASS^:F=Incorrect' -vV

  • -L usernames.txt: specifies the file containing usernames.

  • -P passwords.txt: specifies the file containing passwords.

  • http-post-form: specifies the target URL, form parameters, and failed login attempt message.
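Password spraying and credential stuffing share a signature from the defender's side: a single source fails against many distinct accounts while touching each account only once or twice, so per-account lockout never triggers. This added example (not part of the course) runs a source-centric detection rule over a constructed authentication log: it alerts on a source that fails against at least five accounts within ten minutes with at most two attempts per account, and records whether the same source then succeeded. The log format, IP addresses, user names and thresholds are all assumptions for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data): one line per login attempt.
# 203.0.113.5 tries one password against many accounts and then lands one;
# 198.51.100.7 is a single user retrying their own account.
SAMPLE_LOG = """\
2024-06-03T09:00:01 src=203.0.113.5 user=alice result=FAIL
2024-06-03T09:00:03 src=203.0.113.5 user=bob result=FAIL
2024-06-03T09:00:05 src=203.0.113.5 user=carol result=FAIL
2024-06-03T09:00:07 src=203.0.113.5 user=dave result=FAIL
2024-06-03T09:00:09 src=203.0.113.5 user=erin result=FAIL
2024-06-03T09:00:11 src=203.0.113.5 user=frank result=SUCCESS
2024-06-03T09:01:00 src=198.51.100.7 user=alice result=FAIL
2024-06-03T09:01:20 src=198.51.100.7 user=alice result=FAIL
2024-06-03T09:01:40 src=198.51.100.7 user=alice result=FAIL
2024-06-03T09:02:00 src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_spray(events: list, window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2) -> list:
    """One alert per source that fails against at least `min_users` distinct
    accounts inside `window` while trying each account at most `max_per_user`
    times. Thresholds are assumptions; tune them to the environment."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures[event["src"]].append(event)
        elif event["result"] == "SUCCESS":
            successes[event["src"]].append(event["ts"])

    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "src": src,
                    "users": sorted(per_user),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    # A success from the same source after the burst marks the
                    # account to investigate first.
                    "success_after": any(t >= evs[end]["ts"] for t in successes[src]),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The retrying user at 198.51.100.7 produces no alert because the rule keys on distinct accounts per source, not on failures per account; a distributed stuffing run that rotates source addresses needs the same rule keyed on another stable attribute (for example a user agent or client fingerprint) rather than the IP address.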

MFA Fatigue

Exploits users' frustration with frequent authentication prompts.
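The observable trace of an MFA fatigue attempt is a burst of push prompts to one user, usually denied or ignored, followed by an approval. This added example (not from the course) applies that rule to a constructed MFA push log: it flags any user who receives three or more prompts within ten minutes and records how many were denied and whether an approval followed the burst. Log format, user names and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push log (not real data): alice is prompted four times in
# under two minutes, denies three and then approves; bob is a normal login.
SAMPLE_MFA_LOG = """\
2024-06-03T22:10:00 user=alice event=push_sent
2024-06-03T22:10:05 user=alice event=push_denied
2024-06-03T22:10:30 user=alice event=push_sent
2024-06-03T22:10:40 user=alice event=push_denied
2024-06-03T22:11:00 user=alice event=push_sent
2024-06-03T22:11:10 user=alice event=push_denied
2024-06-03T22:11:30 user=alice event=push_sent
2024-06-03T22:11:45 user=alice event=push_approved
2024-06-03T22:12:00 user=bob event=push_sent
2024-06-03T22:12:08 user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_mfa_log(text: str) -> list:
    """Turn log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def detect_mfa_fatigue(events: list, window: timedelta = timedelta(minutes=10),
                       min_prompts: int = 3) -> list:
    """Flag a user who receives `min_prompts` or more push prompts inside
    `window`. An approval after a string of denials is the attack succeeding,
    so the alert records the denial count and whether an approval followed."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        for i in range(len(sent) - min_prompts + 1):
            if sent[i + min_prompts - 1] - sent[i] <= window:
                burst_start = sent[i]
                later = [e for e in evs if e["ts"] >= burst_start]
                alerts.append({
                    "user": user,
                    "burst_start": burst_start,
                    "prompts": sum(1 for e in later if e["event"] == "push_sent"),
                    "denied": sum(1 for e in later if e["event"] == "push_denied"),
                    "approved_after_burst": any(e["event"] == "push_approved" for e in later),
                })
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_mfa_log(SAMPLE_MFA_LOG)):
        print(alert)
```

An alert with approved_after_burst set to true should be treated as a likely compromised session, not just a noisy user; the mitigation side is number matching or a second-factor step that cannot be satisfied by a reflexive tap.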

Credential Passing Attacks

  • Pass the Hash Attacks

  • Pass the Ticket Attacks

  • Pass the Token Attacks

Pass the Hash Attack

Authenticates using the hash value of a user's password rather than the plain text password. Extract password hashes using Mimikatz:
mimikatz # sekurlsa::logonpasswords
Pass the hash to access a remote system using CrackMapExec:
crackmapexec smb <target> -u <username> -H <NTLM-hash> -x <command>

Pass the Ticket Attacks

Uses stolen Kerberos tickets to authenticate to a network service. Extract Kerberos tickets using Mimikatz:
mimikatz # kerberos::list /export
Use Impacket's PSExec tool to authenticate with the extracted ticket:
psexec.py -k -no-pass <domain>/<username>@<target>

Pass the Token Attacks

Uses stolen authentication tokens to gain unauthorized access. Token Example:
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
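A stolen token is only as dangerous as the checks the receiving service skips. This added example (not from the course) implements a strict HS256 JWT verifier with the standard library and runs it over four constructed tokens built from the header and payload above: a valid short-lived token, the page's own payload without an exp claim, a copy with the admin claim edited after signing, and a copy whose header says alg none. The signing secret, the fixed clock value and the 15-minute lifetime are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret; a real service loads this from a secret store.
SECRET = b"example-hs256-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a token; used here only to build the test inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_token(token: str, secret: bytes, now=None) -> dict:
    """Validate a bearer token before trusting any claim in it.
    Raises ValueError with the reason on failure; returns the payload on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm instead of honouring whatever the token says:
    # this rejects "alg": "none" and key-confusion variants in one check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in payload:
        raise ValueError("token has no exp claim; a stolen copy would never expire")
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def check_all(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier over one good and three bad tokens; return the outcome per case."""
    claims = {"sub": "1234567890", "name": "John Doe", "admin": False, "exp": now + 900}
    good = make_hs256_token(claims, SECRET)
    no_exp = make_hs256_token({"sub": "1234567890", "name": "John Doe", "admin": True}, SECRET)
    # Edited payload (admin flipped to true) with the original signature kept.
    h64, _, s64 = good.split(".")
    edited = dict(claims, admin=True)
    tampered = (h64 + "." + b64url_encode(json.dumps(edited, separators=(",", ":")).encode())
                + "." + s64)
    # Header rewritten to alg none with an empty signature segment.
    alg_none = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + good.split(".")[1] + "."
    results = {}
    for label, tok in [("good", good), ("no_exp", no_exp),
                       ("tampered", tampered), ("alg_none", alg_none)]:
        try:
            verify_hs256_token(tok, SECRET, now)
            results[label] = "ok"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in check_all().items():
        print(f"{label:9s} {outcome}")
```

Signature and algorithm checks stop forged or edited tokens; only a short exp (plus server-side revocation where the risk warrants it) limits what a genuinely stolen token is worth.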

Kerberos and LDAP Attacks

  • Kerberos Attacks

  • LDAP Injection Attacks

Kerberos Attacks

Uses stolen Kerberos tickets to authenticate. Command to extract tickets:
mimikatz # kerberos::list /export

LDAP Injection Attacks

Exploits insecure LDAP queries. Example of LDAP injection:
(uid=)(!(userPassword= )){(!(uid=*)(|(uid=*)(uid=
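The root cause of LDAP injection is building a search filter by string concatenation, so that filter metacharacters in the input become part of the filter's structure. This added example (not from the course) shows a concatenated login filter beside one that escapes the value per RFC 4515 (backslash, asterisk, parentheses and NUL become \5c, \2a, \28, \29 and \00) and uses a simple structural check, the count of opening parentheses, to show that the escaped filter keeps the shape the code built. The filter template and the attribute names are assumptions.

```python
# Characters RFC 4515 requires escaping inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(uid: str) -> str:
    """Vulnerable form: the input can close the assertion and add its own."""
    return "(&(uid=%s)(objectClass=person))" % uid


def login_filter_safe(uid: str) -> str:
    """Hardened form: metacharacters are escaped, so the input stays a value."""
    return "(&(uid=%s)(objectClass=person))" % escape_ldap_filter_value(uid)


def open_paren_count(filter_text: str) -> int:
    """The template above always has exactly three opening parentheses;
    any other count means the input altered the filter's structure."""
    return filter_text.count("(")


if __name__ == "__main__":
    # Constructed inputs: a normal username and a wildcard-bearing one.
    for uid in ["jkelly", "*)(uid=*"]:
        for builder in (login_filter_unsafe, login_filter_safe):
            built = builder(uid)
            print(f"{builder.__name__:20s} {open_paren_count(built)} parens  {built}")
```

Where the directory library offers parameterised filter construction or its own escaping helper, prefer that over a hand-written escaper; the structural count here is a test aid, not a substitute for escaping.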

CrackMapExec

Can be used for credential validation and command execution on remote systems. Command to validate credentials:
crackmapexec smb <target> -u <username> -p <password>

Command to execute commands on remote systems:
crackmapexec smb <target> -u <username> -p <password> -x <command>