49
Authentication Lock-piking by Nazar Tymoshyk, SoftServe & Bohdan Serednyskyj,, SoftServe @Symphony-Solutions

Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Embed Size (px)

Citation preview

Page 1: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Authentication Lock-piking

by Nazar Tymoshyk, SoftServe

& Bohdan Serednyskyj,,

SoftServe

@Symphony-Solutions

Page 2: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

This is more educational topic, not motivational

Page 3: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

About me

Page 4: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Feel free to ask me anything :)

Page 5: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Best SoftServe Team – R&D

Page 6: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Security Team

Nazar TymoshykCEH, HP FSTS, CIW WSS, Cisco SS, ZSS, CLE, DCTS, DCATS,NAI,CLP,NLTS,CNA,NCLA,MCTS

Bohdan SerednytskyiCEH, MSTC Security, ZSS

Page 7: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Certifications

Ph.D in Security

Identity & Security

SoftServe experts are certified in HP Fortify Security Testing solution

Page 8: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

QA Engineer Security Analyst

In functional and performance testing,

the expected results are documented

before the test begins, and the quality

assurance team looks at how well the

expected results match the actual results

In security testing, security

analysts team is concerned

only with unexpected results

and testing for the unknown

and looking for weaknesses.

VS.

Page 9: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Time for fun. Just relax

Page 10: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Target – Authentication

Page 11: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Key authentication problems• Authentication Technologies

• Design Flaws in Authentication

Mechanisms

• Bad Passwords

• Brute-Forcible Login

• Verbose Failure Messages

• Vulnerable Transmission of Credentials

• Password Change Functionality

• Forgotten Password Functionality

• “Remember Me” Functionality

• User Impersonation Functionality

• Incomplete Validation of Credentials

• Non-unique Usernames

• Predictable Usernames

• Predictable Initial Passwords

• Insecure Distribution of Credentials

• Implementation Flaws in

Authentication

• Fail-Open Login Mechanisms

• Defects in Multistage Login

Mechanisms

• Insecure Storage of Credentials

Page 12: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Authentication Technologies

• HTML forms-based authentication

• Multifactor mechanisms, such as those combining passwords and physical

• tokens

• Client SSL certificates and/or smartcards

• HTTP basic and digest authentication

• Windows-integrated authentication using NTLM or Kerberos

• Authentication services

Page 13: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Findings

Page 14: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Brute-Forcible Login

• Login functionality presents an open invitation for an attacker to try to guess usernames and passwords and therefore gain unauthorized access to the application.

• If the application allows an attacker to make repeated login attempts with different passwords until he guesses the correct one, it is highly vulnerable even to an amateur attacker who manually enters some common usernames and passwords into his browser.

Many authentication mechanisms disclose usernames either implicitly

or explicitly. In a web mail account, the username is often the e-mail

address, which is common knowledge by design.

Page 15: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Password problem

Administrative passwords may in fact be weaker than the password policy allows. They may have been set before the policy was in force, or they may have been set up through a different application or interface

Page 16: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

User enumerationSeverity: Critical (C )/P1

Issue detail:

In current login mechanisms, where an application requiresthe user to submit several pieces of information, or proceedthrough several stages, verbose failure messages or otherdiscriminators can enable an attacker to target each stage ofthe login process in turn, increasing the likelihood that hewill gain unauthorized access.

Even if the error messages returned in response to a valid and invalid username are superficially similar, there may be small differences between them that can be used to enumerate valid usernames.

Even if an application’s responses to login attemptscontaining valid and invalid usernames are identical in everyintrinsic respect, it may still be possible to enumerateusernames based on the time taken for the application torespond to the login request. Applications often performvery different back-end processing on a login request,depending on whether it contains a valid username

Recommendation: Report Authentication failure – not Invalid Username. Add additional field to enter some SMS/CVV code.

Verbose error log

Page 17: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Recommended error messages by OWASP

Incorrect Response Examples

"Login for User foo: invalid password"

"Login failed, invalid user ID"

"Login failed; account disabled"

"Login failed; this user is not active"

Correct Response Example

"Login failed; Invalid userID or password"

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Page 18: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Verbose Failure Messages

Identifying subtle differences in application responses using Burp Comparer

Page 19: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Username enumeration demo

Page 20: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Same JSESSIONID and Cookie for different sessions

mobiledemo demomob

Page 21: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Password brute force Demo

Page 22: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Password guessing attack

Password limit: 10 alpha-numeric symbols

Window limit: 13 alpha-numeric symbols

Required: 4 alpha-numeric symbols

1, 727 604 combination

Bruteforce - up to 5 minutes

No brute force prevention. Positions for 4 elements of

simple alpha-numeric password if password was wrong

remain the same!

Recommendation: Change password input approach. Or

server should send new position to device if wrong part of

password was submitted. Use more symbols than 4. Use 2

factor authentication as Google use (SMS to account owner

with temporary access code).

Page 23: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

WEAK PASSWORDS

Severity: Critical (C )/P1

Business impact: Critical (C )/P1

Page 24: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Developer team face palm

v

v v

Login:***devpass: ***123

Page 25: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Cookie testing

Page 26: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Why so simple?

Page 27: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Weak password reset

Password reset implemented here is weak as it has questions withinformation that can be easily obtained by 3rd party side

Page 28: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

WEAK CHANGE USER PASSWORD MECHANISM

Severity: Critical (C )/P1

Business impact: Critical

Page 29: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Password change functionality

If the password change form is accessible only by authenticated users and does not contain a username field, it may still be possible to supply an arbitrary username.

The form may store the username in a hidden field, which can easily be modified.

If not, try supplying an additional parameter containing the username, using the same parameter name as is used in the main login form.

This trick sometimes succeeds in overriding the username of the current user, enabling you to brute-force the credentials of other users even when this is not possible at the main login.

Tricks

Page 30: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Weak password reset – clear text

Page 31: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Insecure Storage of CredentialsIt is common to encounter web applications in which user credentials are stored insecurely within the database. This may involve passwords being stored in clear text. But if passwords are being hashed using a standard algorithm such as MD5 or SHA-1, this still allows an attacker to simply look up observed hashes against a pre-computed database of hash values.

Some online databases of common hashing functions are available here:

http://passcracking.com/index.php

http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/script-hash-

md5.php

Page 32: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Securing Authentication

• Use Strong Credentials

• Handle Credentials Secretively

• Validate Credentials Properly

• Prevent Information Leakage

• Prevent Brute-Force Attacks

• Prevent Misuse of the Password

Change Function

• Prevent Misuse of the Account

Recovery Function

Page 33: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Recommended Book

Page 34: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

OWASP WebGoat, DVWA -Train yourself in Security

Page 35: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Hope you like it!

Page 36: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Page 37: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Now ask!

Thank You!

Email: [email protected]

Skype: root_nt

Page 38: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Now attention

Page 39: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

More complex authentication

In more complex login mechanisms, where an application requires the user to submit several pieces of information, or proceed through several stages, verbose failure messages or other discriminators can enable an attacker to target each stage of the login process in turn, increasing the likelihood that he will gain unauthorized access.

Page 40: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Step 1

Page 41: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Step 2

Page 42: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

DEMO

Page 43: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Shodan – camera scanner

Try this too:

http://178.165.59.13/

Page 44: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

THIS IS More COOL

http://77.52.149.88:8080/

Page 45: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Big Boss is Watching you http://82.144.209.95/

Page 46: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Consequences

• Stolen Developer Cloud access Certificates

• Malware and Spyware on PC and mobile

• Key loggers

• Money Lost – Paypal, webmoney, etc.

• Email – recovery and steal accounts

• SHAME!

Page 47: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Recommendations

• Up to date JAVA and all other software

• Antivirus – Kasper rocks!

• Encrypted keys to infrastructure

• 2 factor authentication everywhere (email first)

• Verify yourself and your browser on …

•Attention

Page 48: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

adasdasd

Page 49: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"

Attempt to discover any rules regarding password quality:

1. Review the website for any description of the rules.

2. If self-registration is possible, attempt to register several accounts with different kinds of weak passwords to discover what rules are in place.

3. If you control a single account and password change is possible, attempt to change your password to various weak values.