Chapter 5. Attacking Authentication

Authentication is the act of confirming that a claimed identity is genuine. This might involve confirming the identity of a person, program, or piece of hardware, such as verifying that Joseph Muniz is a government employee and that his laptop was issued by the government agency. As a Penetration Tester, it is valuable to be able to gain the trust of a system and bypass security as an authorized entity.

The Certified Information Systems Security Professional (CISSP) curriculum classifies authentication based on three factor types, as follows:

  • Something you know, such as a PIN or password
  • Something you have, such as a smart card
  • Something you are, such as a fingerprint

The most common method by which people confirm their identity is using something they know, such as a password. We covered various ways to crack passwords in Chapter 4, Client Side Attacks, while attacking host systems. Cracking a password will get you access to some systems; however, many targets leverage multifactor authentication, meaning a combination of authentication steps to prove one's identity.

It is common for user authentication to involve a username and password combination. It becomes cumbersome for a user to enter this information every time authentication is required. To overcome this, single sign-on was created as a means to authenticate once to a central authority that is trusted by other websites. The central authority verifies trust on behalf of the user or device, so the user can access multiple secured systems without being prompted at each security gateway. A common trusted authority is a Windows domain controller, providing authentication for internal users to intranet resources. In such cases, compromising the trusted authority or an account with high privileges could mean access to many other internal resources in this type of system.

Many government agencies leverage a Personal Identity Verification (PIV) or Common Access Card (CAC) along with a password, to satisfy both something the user has and something the user knows. It is common for remote workers to use a digital token that produces a fresh number every few seconds along with a PIN, again combining something they have and something they know. High security physical locations may require fingerprint scanning along with a PIN for access. Network access control technology may verify how a user authenticated to a laptop, as well as look for a hidden certificate to verify the identity of the system and user prior to providing network resources. It is critical to identify the method of authentication used by your target during the reconnaissance phase of a Penetration Test, so you can plan out a strategy to bypass that trust.

The focus of this chapter is around how users and devices authenticate to web applications with the goal of compromising that trust. We will start by attacking the process of managing authentication sessions, which is how trust is established between the client and the server. Next, we will focus on clients by attacking how data is stored on host systems through cookie management. From there, we will look at hiding in between the client and server using man-in-the-middle attack techniques. The last topics will be identifying and exploiting weakness in how web applications accept authentication data through SQL and cross-site scripting (XSS) attacks.

Attacking session management

Authentication and session management cover all aspects of handling user authentication and managing active sessions. With regards to web applications, a session is the length of time a user spends on a website. Best practice is to manage authorized sessions (that is, what you are permitted to access) based on how people and devices authenticate, as well as to control which resources are available during the active session and for how long. This makes authentication a key aspect of managing authorized sessions.

The goal for a Penetration Tester is to identify accounts that are permitted access to sessions with high-level privileges and unlimited time to access the web application. This is why session management security features, such as session timeout intervals and SSL certificates, were created. Nevertheless, tools available in Kali can identify flaws in how sessions are managed, such as capturing an active session on a web application after the user has logged out and using that session as another person (also known as a session fixation attack).

Session management attacks can exploit vulnerabilities in applications or in how users access and authenticate to those applications. Common ways attackers do this are through cross-site scripting or SQL injection attacks against a web server, which will be covered later in this chapter. Attackers can also take advantage of session cookies in web browsers or vulnerabilities in web pages to achieve similar results. Let's start off by looking at a technique used to trick users into divulging sensitive information, or exposing themselves to attacks, through modified hyperlinks and iFrames.

Clickjacking

Clickjacking is a technique where an attacker tricks a user into clicking something other than what they believe they are clicking. Clickjacking can be used to reveal confidential information, such as login credentials, as well as to let an attacker take control of the victim's computer. Clickjacking usually exploits a web browser security issue or vulnerability using embedded code or script that executes without the victim's knowledge. One example of clickjacking is making the visible hyperlink text name a trusted site while the actual link target is a different site. The average user doesn't verify hyperlinks prior to clicking, or notice the changes associated with common clickjacking attempts, making this a very effective form of attack.

In the following example, the user will see Visit Us on Facebook.com; however, when they click on the text, they will actually be redirected to www.badfacebook.com.

<a href="http://www.badfacebook.com">Visit Us on Facebook.com</a>
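
This kind of mismatch between the visible link text and the real target is something a scanner or a browser extension can flag. The following is an added example written for this chapter, not code from the book: it extracts anchors from a page, pulls any host name mentioned in the visible text, and reports those whose href points somewhere else. The regular expressions, the function names and the sample HTML (which reuses the book's own anchor) are assumptions made for the demonstration.

```javascript
// Added example (not from the book): flag anchors whose visible text names a
// different host than the one the href actually points to. Uses Node's
// built-in URL class; the sample HTML below is constructed for the demo.

const ANCHOR_RE = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
// A domain-looking token in the link text, e.g. "Facebook.com"
const HOST_IN_TEXT_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/gi;

// Normalise a hostname for comparison: lowercase, strip a leading "www."
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

// Return the anchors in `html` whose link text mentions a host that does not
// match the href's host. Relative links are skipped: they stay on the same
// site and cannot impersonate another one.
function findMisleadingLinks(html) {
  const findings = [];
  for (const match of html.matchAll(ANCHOR_RE)) {
    const [, href, rawText] = match;
    const text = rawText.replace(/<[^>]+>/g, '');   // drop nested tags
    let realHost;
    try {
      realHost = normaliseHost(new URL(href).hostname);
    } catch {
      continue;                                     // relative or unparsable href
    }
    for (const [claimed] of text.matchAll(HOST_IN_TEXT_RE)) {
      const claimedHost = normaliseHost(claimed);
      // Treat a subdomain of the claimed host as a match (help.example.com for example.com)
      if (claimedHost !== realHost && !realHost.endsWith('.' + claimedHost)) {
        findings.push({ href, text: text.trim(), claimedHost, realHost });
      }
    }
  }
  return findings;
}

// Constructed sample page: the book's deceptive anchor, a genuine one, and a
// link whose text names no host at all.
const SAMPLE_HTML = `
  <p><a href="http://www.badfacebook.com">Visit Us on Facebook.com</a></p>
  <p><a href="https://www.facebook.com/">Visit Us on Facebook.com</a></p>
  <p><a href="https://example.com/help">Help</a></p>
`;

console.log(JSON.stringify(findMisleadingLinks(SAMPLE_HTML), null, 2));
```

Run against the sample page, only the first anchor is reported: its text claims facebook.com while the href resolves to badfacebook.com. The check is a heuristic; text such as "our partner example.org" would also be flagged, so in practice the output is a list for a human to review rather than a verdict.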

Clickjacking can be more malicious and complicated than changing hyperlinks. Attackers who use clickjacking normally embed iFrames into a webpage. The content of the iFrames contains data from the target website and is usually placed over a legitimate link, making it difficult to detect.
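
Whether a target page can be loaded into an attacker's iFrame at all depends on two response headers, X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The following is an added example written for this chapter, not code from the book or from the clickjacking tool it mentions: a small classifier that reads a response's headers and reports how well the page is protected against framing, plus the header set a site would send to refuse third-party framing. The function names, the result labels and the sample header sets are assumptions made for the demonstration.

```javascript
// Added example (not from the book): classify how well an HTTP response
// defends against being framed, from the two headers browsers honour for
// this purpose. The sample header sets below are constructed for the demo.

// Returns one of: 'denied', 'same-origin', 'allowlist', 'unprotected'.
// When both headers are present, CSP frame-ancestors wins, which is also how
// current browsers resolve the two.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      if (sources.includes("'none'")) return 'denied';
      if (sources.length === 1 && sources[0] === "'self'") return 'same-origin';
      return 'allowlist';
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Anything else, including the obsolete ALLOW-FROM that current browsers
  // ignore, leaves the page frameable.
  return 'unprotected';
}

// Headers a site would send so that only its own pages may frame it. CSP is
// what modern browsers use; X-Frame-Options is kept for older ones.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Constructed sample responses, as a scanner would see their headers.
const SAMPLES = {
  hardened:   { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'X-Frame-Options': 'sameorigin' },
  partner:    { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  legacyOnly: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  none:       { 'Content-Type': 'text/html' },
};

function classifyAll(samples) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) out[name] = framingPolicy(headers);
  return out;
}

console.log(classifyAll(SAMPLES));
```

A page classified as 'unprotected' is the one an iFrame overlay can be built on; 'allowlist' means only the listed origins may frame it, so the finding is whether any of those origins is under an attacker's control. Header names are compared case-insensitively because proxies and frameworks do not agree on their capitalisation.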

To craft your own clickjacking attack, you can use the clickjacking tool by Paul Stone, which can be downloaded at: http://www.contextis.com/research/tools/clickjacking-tool/.

Once you have downloaded the tool, you can use it to take code from another website, such as a voting button or a like button. The clickjacking tool works with Firefox 3.6; it will not work with newer versions of Firefox. However, you can run multiple versions of Firefox on Kali, including Firefox 3.6 or older.

Note

Website code often changes, so make sure to adjust your attacks to accommodate updates that mirror the trusted website.
