I wrote in another publication about authentication but am going to delve into authentication from the view as someone from the hacker underground. Web authentication has evolved immensely from the early days of the web where it was mostly basic authentication and for the more ‘secure’ websites digest authentication was used.

Tales from the Hacker Underground: Web Authentication So you if you are scratching your head wondering what the heck I am going on about well….basic authentication requires that a special file .htpasswd, containing the credentials of the individuals who are authorised to access a resource, be placed in the directory which is to be secured and data is sent over the network in unencrypted manner (sniffing attack anyone?...anyone?) anyway so digest authentication then came in and was intended to supersede unencrypted use of the Basic access authentication, allowing user identity to be established securely without having to send a password in plaintext over the network. As technologies improved we made the leap to form based authentication which is much more familiar now due to ability to save credentials to database and easily handle sessions.

So enough with the lecturing….access denied was basically (and still is?) a challenge in the underground where credentials and CCs were bartered for information and other credentials in IRC and yahoo chat rooms of course until the feds started carrying out sting operations. You are probably just thinking, “get on with it already”…..ok…so how the heck do we break into restricted sections?.....of course some of the techniques are still applicable and some not so but all this requires a skilled attacker so am not really worried that you will pull it off.

Bruteforce/Dictionary attacks
Mathematically virtually any password given sufficient computing power will eventually be cracked, brute force attacks mimic the act of a user trying to authenticate with a particular web application. These tools will systematically try out a list of passwords against a specific user account or list of user accounts until a match is found or until the list is exhausted. There is a myth that Yahoo, Gmail, Live are impervious to hacks......but I beg to differ, if an attacker has several proxies at his disposal and an attack tool that randomises the authentication attempts he will go virtually unnoticed….erm…if they have several years on their hands….so really this kind of attack is outdated on some services but not for others, for example this will work perfectly for routers.

One of the ‘gotchas’ of a brute force attack is account lockout, in case such a policy is enforced your brute force attack becomes a sort of DOS (denial of service) for that particular account. Oh…another one is IP blacklisting but this could lead to another DOS for legitimate users so again rarely used. One more technique of thwarting these attacks is using server side web application randomised delayed replies for authentication request which can lead to most tools giving many false positives or timing out but a versatile tool can easily beat this.

Tools required:
Some of these tools have evolved over time and become true gems that should be in everyone’s toolkit
Hydra (http://thc.org/thc-hydra/)

This is by far my favourite and more recent of tools I have listed, it supports a long list of protocols to crack..yes..even router enable passwords

 

 

 

 

Brutus (http://www.hoobie.net/brutus/)
This was an absolutely brilliant tool for its time and yah can still get the job done….very old so you can use more recent tools like hydra or medusa

Wwwhack:
This was another classic though it would be hard to find an active download…I think I have it archived somewhere on my drive but tested it recently against a site I was working on and it still does the job

“Brute force is nice and all but can’t I by pass this login crap all together…..?” well my friend you indeed can…there are so many techniques which I cannot all write down but let me down a few.

SQL Injections
This is so popular these days that countless tools have been developed. The vulnerability is present in an application when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Not only can it be used to bypass authentication but it can be used to cause server-wide or even enterprise-wide damage if conditions are right. This attack is so preventable but still persists after being documented for so long…but I won’t dwell on that.

A successful attack can lead to an attacker getting all credentials from the database so that he/she can log in as anyone….the attacker will then be able to access the CMS and then upload a simple backdoor which he can then use to hide traces of himself and/or even control the entire server…its very simple but very effective and dangerous
Tools like Hajiv can be used to automate and exploit these SQL injection vulnerabilities easily


Figure 1 Havij in action