
Enumeration & Brute Force

Introduction

  • Purpose: Authentication enumeration is a crucial part of security testing, focusing on identifying and exploiting vulnerabilities in authentication mechanisms.
  • Importance: Helps organizations understand and improve the security of their authentication systems.
  • Scope: Includes testing various authentication components, such as username validation, password policies, and session management.

Authentication Enumeration

  • Definition: A systematic process of inspecting authentication components to identify weaknesses.
  • Importance:
    • Helps identify valid usernames, password policies, and other authentication vulnerabilities.
    • Provides valuable information for planning and executing brute-force attacks.

Identifying Valid Usernames

  • Techniques:
    • Observing application responses during login attempts.
    • Analyzing password reset mechanisms.
    • Exploiting verbose error messages.
  • Importance: Reduces the search space for brute-force attacks.

Password Policies

  • Purpose: Define guidelines for creating strong passwords.
  • Analysis: Understanding password policies helps attackers estimate password complexity and tailor their attacks.
  • Information Leakage: Error messages or application responses can sometimes reveal password policy details (e.g., minimum length, required character types).

Common Enumeration Points

  • Registration Pages: Error messages during registration can confirm the existence of usernames or email addresses.
  • Password Reset Features: Variations in application responses can reveal valid usernames.
  • Verbose Errors: Detailed error messages can expose sensitive information, including usernames, internal paths, and database details.
  • Data Breach Information: Reusing credentials from previous breaches can be tested to identify valid usernames and potential password reuse.

Understanding Verbose Errors

  • Definition: Error messages that provide excessive details about the system or application.
  • Risks: Can expose sensitive information unintentionally.
  • Information Leakage:
    • Internal paths and filenames
    • Database details (table names, column names)
    • User information
  • Inducing Verbose Errors:
    • Invalid login attempts
    • SQL injection
    • File inclusion/path traversal
    • Form manipulation
    • Application fuzzing

Enumeration in Authentication Forms

  • Verbose Errors: Error messages that distinguish between invalid usernames and invalid passwords can aid in user enumeration.
  • Example: An application responding with "Email does not exist" vs. "Invalid password."
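The following is an added example (not code from the original notes or the lab it describes) showing the two handlers side by side: the verbose pattern described in the sections on verbose errors and authentication forms above, and a hardened version that returns the same message and does the same amount of hashing work whether or not the e-mail exists, so neither the body nor the response time tells the two failure cases apart. The user store, password and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; a deliberately slow hash, which is why equal work on both paths matters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed user store for the example (email -> (salt, hash)); stands in for the user table.
USERS = {"alice@example.com": make_user("correct horse battery staple")}

# Dummy record used when the e-mail is unknown, so that path costs the same as a real lookup.
_DUMMY_SALT, _DUMMY_HASH = make_user("placeholder-never-matches")

def login_verbose(email: str, password: str) -> dict:
    """The leaky pattern from the notes: a different message for each failure cause."""
    record = USERS.get(email)
    if record is None:
        return {"status": "error", "message": "Email does not exist"}
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return {"status": "error", "message": "Invalid password"}
    return {"status": "ok", "message": "Login successful"}

def login_uniform(email: str, password: str) -> dict:
    """Hardened: one message and the same amount of work whether or not the e-mail exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if match and email in USERS:
        return {"status": "ok", "message": "Login successful"}
    return {"status": "error", "message": "Invalid email or password"}

def is_enumeration_oracle(login) -> bool:
    """True if the response body differs between an unknown e-mail and a known e-mail
    with a wrong password, which is exactly the signal an enumeration script keys on."""
    unknown = login("nobody@example.com", "wrong-password")
    known_bad_pw = login("alice@example.com", "wrong-password")
    return unknown != known_bad_pw

if __name__ == "__main__":
    print("verbose handler leaks:", is_enumeration_oracle(login_verbose))   # True
    print("uniform handler leaks:", is_enumeration_oracle(login_uniform))   # False
```

The same check applies to registration and password-reset responses: the body, the HTTP status, the response length and the response time must all be identical for "unknown user" and "known user, wrong secret".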

Automation

  • Purpose: Automating the enumeration process to improve efficiency.
  • Example: A Python script that checks for valid emails based on error messages.
    import requests
    import sys
    
    def check_email(email):
        url = 'http://enum.thm/labs/verbose_login/functions.php'  # Location of the login function
        headers = {
            'Host': 'enum.thm',
            'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0',
            'Accept': 'application/json, text/javascript, */*; q=0.01',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'X-Requested-With': 'XMLHttpRequest',
            'Origin': 'http://enum.thm',
            'Connection': 'close',
            'Referer': 'http://enum.thm/labs/verbose_login/',
        }
        data = {
            'username': email,
            'password': 'password',  # Use a random password as we are only checking the email
            'function': 'login'
        }
    
        response = requests.post(url, headers=headers, data=data, timeout=10)  # Time out so a hanging server does not stall the run
        return response.json()
    
    def enumerate_emails(email_file):
        valid_emails = []
        invalid_error = "Email does not exist"  # Error message for invalid emails
    
        with open(email_file, 'r') as file:
            emails = file.readlines()
    
        for email in emails:
            email = email.strip()  # Remove any leading/trailing whitespace
            if email:
                response_json = check_email(email)
                if response_json['status'] == 'error' and invalid_error in response_json['message']:
                    print(f"[INVALID] {email}")
                else:
                    print(f"[VALID] {email}")
                    valid_emails.append(email)
    
        return valid_emails
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print("Usage: python3 script.py <email_list_file>")
            sys.exit(1)
    
        email_file = sys.argv[1]
    
        valid_emails = enumerate_emails(email_file)
    
        print("\nValid emails found:")
        for valid_email in valid_emails:
            print(valid_email)
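Detection side, as an added example that is not part of the original notes: a script like the one above produces one failed login per candidate e-mail from a single source, which is a pattern that stands out in authentication logs. The log format below is constructed for this example (ISO timestamp, client IP, event, result, user field), not a real product's format; adapt parse_line to your own auth log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application auth log for this example (not a real product format):
# <ISO timestamp> <client ip> login <success|failure> user=<identifier>
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 login failure user=alice@example.com
2024-05-01T10:00:02 203.0.113.7 login failure user=bob@example.com
2024-05-01T10:00:02 203.0.113.7 login failure user=carol@example.com
2024-05-01T10:00:03 203.0.113.7 login failure user=dave@example.com
2024-05-01T10:00:03 203.0.113.7 login failure user=erin@example.com
2024-05-01T10:00:04 203.0.113.7 login failure user=frank@example.com
2024-05-01T10:00:15 198.51.100.4 login failure user=alice@example.com
2024-05-01T10:00:20 198.51.100.4 login failure user=alice@example.com
2024-05-01T10:00:25 198.51.100.4 login success user=alice@example.com
"""

def parse_line(line: str):
    ts, ip, _event, result, user_field = line.split()
    return datetime.fromisoformat(ts), ip, result, user_field.split("=", 1)[1]

def find_enumerators(log_text: str, window: timedelta = timedelta(seconds=60),
                     min_distinct_users: int = 5) -> dict:
    """Map source IP -> largest number of distinct identifiers it failed to log in as
    within any single `window`; only sources reaching `min_distinct_users` are returned.
    Many users from one source is the enumeration signature; many failures for one user
    from one source is usually a legitimate user retrying (handled by per-account limits)."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, result, user = parse_line(line)
        if result == "failure":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"[ALERT] {ip}: failed logins for {n} distinct accounts inside 60 s")
```

A per-source threshold is only the first layer: an attacker spreading attempts across many addresses stays under it, so the same count should also be kept per distinct-user-per-session and globally (sudden spikes in "unknown user" failures site-wide).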
    

Password Reset Flow Vulnerabilities

  • Predictable Tokens: Tokens used in password reset links or SMS messages can be guessed or brute-forced.
  • Token Expiration Issues: Tokens that remain valid for too long can be exploited.
  • Insufficient Validation: Weak verification mechanisms (e.g., security questions) can be bypassed.
  • Information Disclosure: Error messages can reveal valid usernames or email addresses.
  • Insecure Transport: Transmitting reset tokens over unencrypted connections can lead to interception.

Exploiting Predictable Tokens

  • Example: Brute-forcing a 3-digit numeric token using Burp Suite Intruder. A candidate list can be generated with crunch: crunch 3 3 -o otp.txt -t %%% -s 100 -e 200 (generates the values 100 to 200; in crunch's -t pattern, % stands for a digit).
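The reset-flow weaknesses listed above (predictable tokens, tokens that stay valid too long, weak validation) and the 3-digit token in this example share one remedy, shown here as an added example that is not from the original notes: generate the token from the OS CSPRNG, store only its hash, give it a short lifetime, make it single-use, and cap the number of guesses per issued token. The in-memory store, the 15-minute lifetime and the 5-guess limit are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32             # 256 bits from the OS CSPRNG (secrets module)
TOKEN_TTL_SECONDS = 15 * 60  # short lifetime (assumed value)
MAX_ATTEMPTS = 5             # guesses allowed per issued token (assumed value)

# Constructed in-memory store for the example: user -> record.
# Only the SHA-256 digest of the token is kept, never the token itself.
_RESET_STORE = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user: str, now: float = None) -> str:
    """Create a fresh, unguessable token for `user` and return it for delivery (e-mail/SMS)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _RESET_STORE[user] = {"digest": _digest(token),
                          "expires": now + TOKEN_TTL_SECONDS,
                          "attempts": 0}
    return token

def redeem_reset_token(user: str, token: str, now: float = None) -> bool:
    """True exactly once, for the correct token, within its lifetime and within MAX_ATTEMPTS guesses."""
    now = time.time() if now is None else now
    rec = _RESET_STORE.get(user)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _RESET_STORE[user]          # expired tokens are discarded, not kept around
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _RESET_STORE[user]          # too many guesses: invalidate; a new token must be requested
        return False
    if hmac.compare_digest(rec["digest"], _digest(token)):
        del _RESET_STORE[user]          # single use
        return True
    return False

def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every token value at a given guess rate when no attempt limit exists."""
    return keyspace / guesses_per_second

if __name__ == "__main__":
    t = issue_reset_token("alice@example.com", now=0)
    print(redeem_reset_token("alice@example.com", t, now=60))   # True
    print(redeem_reset_token("alice@example.com", t, now=61))   # False: already used
    print(f"3-digit token at 10 guesses/s: {seconds_to_exhaust(10**3, 10):.0f} s")
    print(f"{TOKEN_BYTES * 8}-bit token at 10 guesses/s: {seconds_to_exhaust(2 ** (TOKEN_BYTES * 8), 10):.3g} s")
```

The attempt cap is what saves short codes: a 3-digit token has only 1000 values, so without a limit it falls in under two minutes at 10 guesses per second, whereas with MAX_ATTEMPTS of 5 an attacker gets 5 guesses out of 1000 per issued token before it is invalidated.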

Basic Authentication

  • Mechanism: A simple scheme in which the client sends the credentials base64-encoded in the Authorization header: Authorization: Basic <credentials>, where <credentials> is the base64 encoding of username:password. Base64 is an encoding, not encryption, so anyone who can read the header recovers the credentials.
  • Vulnerability: Susceptible to brute-force attacks if credentials are weak.
  • Exploitation: Brute-forcing base64-encoded credentials using Burp Suite Intruder. Add the two payload processing rules shown in the notes' screenshots (not reproduced here), and in the payload encoding settings remove the character "=" (equal sign) from the set of URL-encoded characters, because base64 uses "=" for padding and URL-encoding it would corrupt the submitted credential.
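Server side of the same header, as an added example that is not from the original notes: a strict parser for the Basic value (it rejects the URL-encoded padding the note warns about, and splits on the first colon only, since RFC 7617 forbids a colon in the user-id) plus a per-source failure counter that stops answering after a few bad attempts, which is the control that makes weak credentials survive a brute-force run. The credential store, password and 5-failure limit are constructed for the example; a real deployment would keep the counter in shared storage and add a cooldown rather than a permanent lock.

```python
import base64
import binascii
import hashlib
import hmac
import os
from collections import defaultdict

def parse_basic_auth(header_value: str):
    """Split an 'Authorization: Basic <b64>' value into (username, password), or None if malformed."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet, e.g. the
        # '%3D' left behind when the '=' padding is URL-encoded.
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the first one only.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store for the example: username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
CREDENTIALS = {"admin": (_SALT, _hash("correct horse battery staple", _SALT))}

MAX_FAILURES = 5                 # assumed limit for the example
_failures = defaultdict(int)     # client ip -> consecutive failed attempts

def authenticate(client_ip: str, header_value: str) -> int:
    """Return an HTTP status: 200 ok, 401 missing/bad credentials, 429 source locked out."""
    if _failures[client_ip] >= MAX_FAILURES:
        return 429                      # locked out: stop answering guesses from this source
    ok = False
    creds = parse_basic_auth(header_value or "")
    if creds is not None:
        username, password = creds
        rec = CREDENTIALS.get(username)
        if rec is not None:
            salt, stored = rec
            ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok:
        _failures[client_ip] = 0
        return 200
    _failures[client_ip] += 1
    return 401                          # same status whether the user or the password was wrong

def basic_header(username: str, password: str) -> str:
    """Build the header value the way a client does (used by the demo below)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

if __name__ == "__main__":
    print(parse_basic_auth("Basic dXNlcjpwYXNzd29yZA=="))      # ('user', 'password')
    print(parse_basic_auth("Basic dXNlcjpwYXNzd29yZA%3D%3D"))  # None: padding was URL-encoded
    for _ in range(MAX_FAILURES + 1):
        print(authenticate("203.0.113.5", basic_header("admin", "guess")))  # 401 x5, then 429
```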

Wayback URLs and Google Dorks

  • Wayback Machine: An archive of past versions of websites, which can reveal old files or directories that might still be accessible.
  • Waybackurls: A tool for extracting URLs from the Wayback Machine. https://github.com/tomnomnom/waybackurls
  • Google Dorks: Specialized search queries that can uncover sensitive information (e.g., administrative panels, log files, backup directories).
    • To find administrative panels: site:example.com inurl:admin
    • To unearth log files with passwords: filetype:log "password" site:example.com
    • To discover backup directories: intitle:"index of" "backup" site:example.com

Conclusion

  • Importance of Enumeration: Essential for identifying vulnerabilities and planning attacks.
  • Brute Force Optimization: Creating targeted wordlists and managing attack parameters can improve brute-force efficiency.
  • Ethical Considerations: Always obtain proper authorization before conducting security assessments.