Authentication
Credential Brute Forcing
Brute force attacks are very inefficient and are typically a last resort. Using a wordlist, a brute force attack tries every word on the list to see which one is the correct password.
Session Hijacking
Credential-stealing attacks allow a hacker or penetration tester to authenticate directly to a service using a stolen account. Session hijacking attacks take a different approach by stealing an existing authenticated session. These attacks don’t require that the attacker gain access to the authentication mechanism; instead they take over an already authenticated session with a website.
Most websites that require authentication manage user sessions using HTTP cookies managed in the user’s browser. In this approach the user accesses the website’s login form and uses their credentials to authenticate. If the user passes the authentication process, the website provides the user’s browser with a cookie that may be used to authenticate future requests. Once the user has a valid cookie stored in the browser, the browser transmits that cookie with all future requests made to the website. The website inspects the cookie and determines that the user has already authenticated and does not need to reenter their password or complete other authentication tasks.
Redirect
Insecure URL redirects are another vulnerability that attackers may exploit in an attempt to steal user sessions. Some web applications allow the browser to pass destination URLs to the application and then redirect the user to that URL at the completion of their transaction. For example, an ordering page might use URLs with this structure:
https://www.mycompany.com/ordering.php?redirect=http%3a//www.mycompany.com/thankyou.htm
The web application would then send the user to the thank you page at the conclusion of the transaction. This approach is convenient for web developers because it allows administrators to modify the destination page without altering the application code. However, if the application allows redirection to any URL, this creates a situation known as an unvalidated redirect, which an attacker may use to redirect the user to a malicious site. For example, an attacker might post a link to the page above on a message board but alter the URL to appear as
https://www.mycompany.com/ordering.php?redirect=http%3a//www.evilhacker.com/passwordstealer.htm
A user visiting this link would complete the legitimate transaction on the mycompany.com website but then be redirected to the attacker’s page, where code might send the user straight into a session-stealing or credential theft attack.
Developers seeking to include redirection options in their applications should perform validated redirects that check redirection URLs against an approved list. This list might specify the exact URLs authorized for redirection, or more simply, it might just limit redirection to URLs from the same domain.
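As an added example (not code from the text or from the mycompany.com application), the following Python function implements the validated redirect described above for the ordering.php parameter: it decodes the redirect value, accepts only absolute http/https URLs, and allows either an exact host list or any host under a same-domain suffix, falling back to a fixed thank-you page otherwise. ALLOWED_HOSTS, ALLOWED_DOMAIN and DEFAULT_REDIRECT are assumed policy values.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumed policy values: exact hosts allowed as redirect targets, a domain whose
# subdomains are also allowed (the "same domain" option), and a safe fallback.
ALLOWED_HOSTS = {"www.mycompany.com"}
ALLOWED_DOMAIN = "mycompany.com"
DEFAULT_REDIRECT = "http://www.mycompany.com/thankyou.htm"


def host_is_allowed(host: str) -> bool:
    """Exact allow-list match, or the allowed domain itself or one of its subdomains."""
    return host in ALLOWED_HOSTS or host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def safe_redirect_target(redirect_param: str) -> str:
    """Return a validated absolute URL for the redirect, or DEFAULT_REDIRECT.

    The parameter arrives percent-encoded (http%3a//...), so it is decoded
    first. Anything that is not an absolute http(s) URL whose host passes
    host_is_allowed() falls back to the default page.
    """
    if not redirect_param:
        return DEFAULT_REDIRECT
    candidate = unquote(redirect_param).strip()
    # Some browsers treat a backslash like a slash; normalise so the parser and
    # the browser agree on where the host ends.
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_REDIRECT
    # Rejects javascript:, data:, scheme-relative "//evil.example" and bare paths.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_REDIRECT
    # .hostname excludes userinfo, so "http://www.mycompany.com@evil.example"
    # yields "evil.example" here and fails the check below.
    host = (parts.hostname or "").lower()
    if not host_is_allowed(host):
        return DEFAULT_REDIRECT
    # Rebuild from the validated parts so userinfo and fragments are dropped.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))
```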
Default Credentials
Many vendors ship appliances or applications with default credentials for first-time setup. System administrators occasionally forget or don't want to change the password. These default credentials are easily found online.
Weak Credentials
Users often choose easy-to-remember passwords for ease of use.
Kerberos Exploits
Kerberos is a commonly used centralized authentication protocol that is designed to operate on untrusted networks by leveraging encryption. Kerberos uses the authentication process shown in Figure 9.10. Users authenticate to an authentication server (AS) and initially obtain a ticket-granting ticket (TGT). They then use the TGT to obtain server tickets from the authentication server, which they present to prove their identity to an individual service.
Kerberos relies on a central key distribution center (KDC). Compromise of the KDC would allow an attacker to impersonate any user. Kerberos attacks have received significant attention over the past few years, as local attacks against compromised KDCs have resulted in complete compromise of Kerberos-authenticated systems. Common Kerberos attacks include the following:
- Administrator account attacks, in which an attacker compromises an administrator account and uses it to manipulate the KDC
- Kerberos ticket reuse, including pass-the-ticket attacks, which allow impersonation of legitimate users for the life span of the ticket, and pass-the-key attacks, which reuse a secret key to acquire tickets
- Ticket-granting ticket (TGT)–focused attacks. TGTs are incredibly valuable and can be created with extended life spans. When attackers succeed in acquiring TGTs, they often call them “golden tickets” because they allow complete access to Kerberos-connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.