
COMM036 : Web Hacking Countermeasures

Lab Exercise 8 – Password Attacks

Introduction

In this lab session you will be given a simple web application and you will see how various
common techniques to attack passwords are performed. You will also see some ways in
which these attacks can be prevented and will implement some changes to the web
application.

Going back – SQL Injection

1) In the first lab exercise you used SQL Injection to bypass authentication. Try SQL
Injection against the login page of the web application (don't damage anything – you will need
the database intact later!).

2) Now, using your knowledge, prevent SQL Injection from being possible by updating the
application.
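One way to carry out task 2, as an added example that is not the lab's own application code: the login check rewritten with a parameterised query, beside the string-building form it replaces. It assumes an in-memory SQLite table standing in for the lab's MySQL users table; passwords are compared in plaintext here only to keep the query shape visible.

```python
# Added example (not the lab's code): parameterised login query vs. string building.
# Assumption: an in-memory SQLite table stands in for the lab's MySQL users table.
import sqlite3


def setup_demo_db() -> sqlite3.Connection:
    """Constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The 'before' shape: user input is pasted into the SQL text, so any quote
    # character in the input changes the structure of the query itself.
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # The fix: placeholders. The driver passes the values separately from the
    # SQL text, so a quote in the username is only a character in a string.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_demo_db()
    print(login_safe(db, "admin", "correct horse battery"))   # True
    print(login_safe(db, "o'brien", "anything"))              # False, no error
```

A username such as `o'brien` is a legitimate value that breaks the vulnerable query with a syntax error; the parameterised version simply reports no match.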

Simple Password Guessing

Password guessing is a simple technique and relies on a user using generic login credentials
or not changing the default values. Common usernames include 'admin', 'administrator',
'root', 'demo' and so on. Common passwords include 'root', 'pass', null and so on. Gary
McKinnon was able to gain access to the systems of the Pentagon, NASA and US Army and
Navy by simply attacking programs with blank passwords [1]. The context of an application
can also provide clues as to the value of login credentials.

3) How would you prevent a simple password attack?


Password Restrictions – The Good and the Bad

When you create user accounts online there are often restrictions placed on passwords. For
example, “Please make sure that the length is between 8 and 12 characters and includes at
least 2 numbers”. This is a good measure for preventing weak passwords but also creates
problems.

4) Calculate the number of different passwords that could be generated when the above
restrictions are placed. Can you see a possible vulnerability?

5) Identify two other problems with password restrictions.

Brute Force Attacks and Finding Life in the Other World

Password restrictions result in fewer password combinations. This means that a brute
force attack, which tries every combination, is likely to be faster. This attack sends a
request to the target website using every possible combination that is defined in its
rules. There are a number of scripts and programs available on the Internet (there
isn't time to run one successfully in the lab but in your own time try adapting a script
to attack the web application).

6) Extract and run the executable in wwwhack.zip. Can you see how this would
penetrate the web application? (By the way, your antivirus software might block extracting
the executables, as they are classified as hacker tools).

7) One common method to prevent brute force attacks is to allow only human users
to log in to the system. Implement a simple captcha [2] in the login page. For
example, a randomly generated simple calculation such as 1 + 1. (Make sure that the
resulting HTML source code does not give away any answers!).
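A server-side arithmetic captcha of the kind task 7 asks for, as an added example rather than code from the lab's application: the answer is kept only in the server session, the HTML carries the question alone, and a correct answer is consumed so it cannot be replayed. It is framework-agnostic; `session` is assumed to be any dict-like server-side store.

```python
# Added example (not the lab's code): arithmetic captcha whose answer never
# reaches the browser. Assumption: `session` is a dict-like server-side store.
import html
import secrets


def new_challenge(session, low: int = 1, high: int = 20) -> str:
    """Generate a question such as '7 + 5', store the answer server-side and
    return the HTML fragment to embed in the login form."""
    a = secrets.randbelow(high - low + 1) + low
    b = secrets.randbelow(high - low + 1) + low
    op = secrets.choice(["+", "-", "*"])
    answer = {"+": a + b, "-": a - b, "*": a * b}[op]
    session["captcha_answer"] = answer
    question = html.escape(f"{a} {op} {b}")
    # Only the question is rendered. A hidden field holding the answer
    # (the mistake the lab warns about) would be readable in the page source.
    return (f'<label>What is {question}?</label> '
            f'<input name="captcha" autocomplete="off">')


def check_challenge(session, submitted) -> bool:
    """True only if `submitted` matches the stored answer. The stored answer is
    removed whether or not the check passes, so each challenge is single-use."""
    expected = session.pop("captcha_answer", None)
    if expected is None:
        return False
    try:
        return int(str(submitted).strip()) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    sess = {}
    print(new_challenge(sess))          # the form fragment, answer not included
    print(check_challenge(sess, "0"))   # almost certainly False
```

Call `new_challenge` when rendering the login form and `check_challenge` before the username and password are even looked at, so a failed captcha costs the attacker a request without touching the database.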

8) From the number of possible results that the captcha is able to generate can you
calculate how much longer a brute force attack would take? (e.g. if there are 100
different possible values accepted by the captcha then the success rate of a hacker for
each request would be 1/100). How does this affect the number of combinations you
calculated for task 4?
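The arithmetic behind tasks 4 and 8, as an added worked example (not part of the lab sheet): it counts the passwords allowed by the rule "length 8 to 12, at least 2 digits" and then scales the expected brute-force cost by the number of answers a captcha accepts. The lab does not state an alphabet, so the assumption here is 52 letters plus 10 digits; both are parameters.

```python
# Added example (not the lab's code): key-space size under the stated rule and
# the effect of a captcha on brute-force cost (tasks 4 and 8).
# Assumption: alphabet = 26 lower + 26 upper letters + 10 digits; not given on the sheet.
from math import comb

LETTERS = 52   # assumed a-z plus A-Z
DIGITS = 10


def count_with_at_least_k_digits(length, k, letters=LETTERS, digits=DIGITS):
    """Strings of `length` symbols over letters+digits containing at least k digits.
    For each possible digit count d, choose the d positions, fill them with
    digits and the rest with letters, then sum over d."""
    return sum(comb(length, d) * digits ** d * letters ** (length - d)
               for d in range(k, length + 1))


def keyspace(min_len=8, max_len=12, min_digits=2):
    """Task 4: total passwords satisfying the sheet's restriction."""
    return sum(count_with_at_least_k_digits(n, min_digits)
               for n in range(min_len, max_len + 1))


def unrestricted_keyspace(min_len=8, max_len=12):
    """Same lengths with no digit rule, for comparison."""
    return sum((LETTERS + DIGITS) ** n for n in range(min_len, max_len + 1))


def expected_requests(space, captcha_answers=1):
    """Task 8: a request succeeds only if both the password (1/space) and the
    captcha (1/captcha_answers) are right, so on average the attacker needs
    captcha_answers times as many requests as without the captcha, and on
    average finds the password halfway through the space."""
    return space * captcha_answers // 2


if __name__ == "__main__":
    restricted, free = keyspace(), unrestricted_keyspace()
    print(f"restricted: {restricted:e}  unrestricted: {free:e}  "
          f"fraction excluded: {1 - restricted / free:.3%}")
    print(f"with a 100-answer captcha: {expected_requests(restricted, 100):e}")
```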

9) Identify two other methods to prevent brute force attacks.


Dictionary Attacks

A brute force attack produces many passwords that are very unlikely to be used by actual users.
Often attackers use a dictionary to make their guesses more intelligent and thus reduce the
time needed.

10) Examine the file, dictattack.php. This is designed to attack a MySQL password. If this is
combined with dict.txt, a simple dictionary, it could be quite powerful. Try changing it to

i) read the text file

ii) send a GET request to hack the web application.

11) How would you prevent dictionary attacks?

Ageing Encryption

Examine the file, exposeddatabase.csv, which is a database of users that was accidentally
exposed to us by a Government website. The passwords are encrypted. However, can these
be decrypted by us?

12) There are encryption methods that have been broken. Did the Government use a broken
encryption technique? The answer is yes. It appears that they used the MD5 cryptographic
hash [3] to create the value. If you copy some of the hashes into
http://www.md5decrypter.co.uk/ or a similar tool you could reveal the passwords. Using
up-to-date encryption is vital.

13) Identify two encryption techniques that are currently known to be secure.

One Way is the Bad Way – Add a Pinch of Salt

14) Examine the file, anotherexposeddatabase.csv, another user database but this time leaked
by a large search engine company called Ping. If you analyse the hashes you may notice that
some of them are the same. What could this mean?

15) Suppose we know the password of 'Bill'. What are the consequences?

16) What countermeasures can be used? (Hint: see the subtitle)
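The point of tasks 14 to 16 in working code, as an added example that is not part of the lab materials: over a constructed user list, unsalted MD5 gives two users with the same password the same hash (so cracking one reveals the other), while a per-user random salt with PBKDF2-HMAC-SHA256 gives different hashes for the same password. The sample records and usernames are constructed, not taken from the CSV files.

```python
# Added example (not the lab's code): why identical hashes appear in an
# unsalted database, and the salted alternative. Sample data is constructed.
import hashlib
import hmac
import secrets


def md5_unsalted(password: str) -> str:
    """How the leaked database in task 14 appears to store passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def users_sharing_hash(records):
    """Map each hash that occurs more than once to the users who have it.
    Identical unsalted hashes mean identical passwords (task 15)."""
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Task 16: a fresh 16-byte random salt per user plus an iterated hash,
    so equal passwords no longer produce equal stored values."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample: two users happen to share the same weak password.
SAMPLE_UNSALTED = [
    ("bill", md5_unsalted("password1")),
    ("alice", md5_unsalted("letmein")),
    ("carol", md5_unsalted("password1")),
]

if __name__ == "__main__":
    print(users_sharing_hash(SAMPLE_UNSALTED))   # bill and carol grouped together
    r1, r2 = make_salted_record("password1"), make_salted_record("password1")
    print(r1["hash"] != r2["hash"], verify_salted("password1", r1))  # True True
```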


Discussion

This lab exercise highlighted some issues with passwords and various attacks and solutions.
There are many more issues that are related.

With the increasing popularity of internet-wide login credentials, such as OpenID, do you
think there are some major security issues that could arise?

What do you think is the ideal restriction that should be placed on users setting their
password?

With the number of security issues related to login credentials do you think that usability is
affected? Do you think that username and password combinations should be replaced with
another technique?

Discuss your answers on the forum in ULearn.

References

[1] http://news.bbc.co.uk/1/hi/programmes/click_online/4977134.stm

[2] http://en.wikipedia.org/wiki/CAPTCHA

[3] http://en.wikipedia.org/wiki/MD5

Related Reading Material

http://en.wikipedia.org/wiki/Salt_(cryptography)

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

http://www.456bereastreet.com/archive/200512/captcha_is_bad_for_accessibility/

http://www.webhostgear.com/240.html
