Monthly Archives: April 2016

Username Enumeration Timing Attack

This is kinda cool. One way of enumerating usernames is to try a username against a login screen and have the error message tell you “That username doesn’t exist.” Or try to create a new account and have the system tell you “That username already exists.” But if a site is coded properly, it won’t give you that kind of info, making username enumeration (ie. figuring out valid and existing usernames) harder. So how about figuring them out with a timing attack?

When a username and password are submitted to a site for checking, they’re sent to a database and the dbms needs to find the username, and when it finds the row with the username, it checks the password hash against what exists in the database. However if the username doesn’t exist, the dbms doesn’t need to bother checking the password hash. It can just return the generic fail message. This small difference can be seen in the response time. In a recent test, I created a list of 50 usernames and 5 were known good. I interspersed the valid usernames in with all the invalid ones. I used the same password for every attempt, and ran them through Burp Intruder. The result was that the five good returned the slowest response times. There was one invalid password mixed in, but out of the six slowest responses, my five valid usernames were right there. Knowing this, I could do some open source searches for potential usernames and test them against a login screen. I did also test usernames of varying length and it didn’t change the results. Just in case of having a list with mostly valid usernames, I could also pad it with likely garbage usernames, things like “aaaaaaaaa” or “nekdhspfacshabdfks”. This one will be fun to try again in future assessments.

136 total views, no views today

Web App Test

In my first test, I worked with my manager. It was a web test and one that was pretty solid. However one fun thing was something I saw in a presentation at BSides Baltimore last week. A bad password policy may be a low finding. A lack of bad auth attempt lockout feature may be a low finding. A username enumeration may be a low finding. However, if a site has all three? That is a critical finding. If you can enumerate a list of valid usernames (just check LinkedIn for names and figure out the username format) and then throw the top 1000 passwords against a list of usernames, you’ll get in.

Some other stuff too, but also wrote the report and sent it in. Looking forward to the next one!

108 total views, no views today

Privilege Escalation in Windows

Welp, I get to start in an area that I probably know least about, Windows. I’m sure someday I’ll look back and think this was silly easy, because of the fact that I have access through one set of credentials. However, the goal is to get administrator, or even better, system access. So I’m learning about how Windows keeps track of that sort of thing.

Starting with Security Accounts Manager (SAM), the database of where password hashes are stored. At this point, I’m guessing it’s akin to the /etc/shadow file. Now to figure out where it is and how to access it, because it appears that only the system level user actually has access.

Continue reading

159 total views, no views today