Introduction
*hacker voice* “I’m in” is a Hollywood-esque phrase you’ve probably heard before. But how does someone actually do that? Do you wear a hoodie and change your terminal text to bright green? You could, but that won’t be of much help. Bypassing authentication is when an attacker gains access to an application, service, or device with the privileges of an authorized user by evading the checks of an authentication mechanism [1]. There are many different ways to bypass authentication mechanisms in modern environments. It could be anything from unsanitized input to exploiting the underlying authentication protocol. Authentication methods rely on the premise that each user is unique: Thus, no login can be duplicated. We will be taking a look at the some of the different types of authentication bypasses that you are likely to see in a modern environment.
Injection
When you input a username and a password to an application all that occurs is a query to a server that will check if those parameters are equal to what has been registered and stored in a backend database. By adding certain characters like a close quote and a database command to the username or password being used for the check, you can control the statements used to query the database. This is known as injection. The Open Web Application Security Project (OWASP) is an organization whose focus is on improving application security. They are also known for their Top 10 report, in which they detail common application security vulnerabilities. According to the most recent OWASP Top 10 report, injection is at the top of the list[2]. This can take forms like SQL, NoSQL, or LDAP injection. The query entered by the malicious actor is able to execute due to improper input sanitization. These malicious statements can be used to bypass authentication by tricking the application into thinking that the correct username and password pair has been entered. With the complexity of applications today, it’s possible that there was a mistake made that would allow for such execution.
Golden Ticket Attack
Unlike it’s old use case of taking a tour of the famous chocolate factory, golden tickets allow you to impersonate any user on a domain. If the malicious actor gets domain or local administrator access on an Active Directory domain server, it can generate legitimate tickets than can be used to gain access across the domain. This attack eliminates all trust of the domain entirely, as you won’t know the difference between a legitimate kerberos ticket and the ticket that the malicious actor generated. What makes golden ticket attacks especially dangerous is that the malicious actor can generate a kerberos ticket for an account that doesn’t even exist on the domain, but will still be valid and acceptable when logging in [3].
Pass The Hash
Pass the Hash is a common way to pivot around a network. This occurs during the Lateral Movement phase of the MITRE ATT&CK Matrix [4]. In its simplest form, Pass the Hash is when you authenticate to a system without knowing the plaintext password of the user. When the malicious actor gains its initial access to a Windows host, it can dump the hashes of that host. The malicious actor could then use these hashes to move laterally to another host on the network, all without having to crack the hashes you obtain. This is extremely useful in gaining further access to other systems as it doesn’t require advanced exploitation techniques and appears as if it was just a normal login.
Session ID Prediction
Depending on how they are generated, session IDs (or Cookies) can be predicted. Using a tool like Burp Suite [5], you can gather a lot of data on the different session IDs that are given to you each time you login. Burp can then run entropy analysis to determine the randomness of each session ID. Each session ID should be completely unique, with no possibility of repeating a session ID. Getting a result of low entropy could mean that your sessions IDs are likely to be predicted or even duplicated at some point. An attacker could then pass a compromised session ID and impersonate the user for whom this session ID belongs to. A cryptographically secure pseudorandom number generator should be used for creating a unique session ID. This will prevent the session ID from being too predictable.
Physical
In recent years there has been a rise in the use of biometrics for authentication of everyday devices. Facial recognition and fingerprint scanners are being implemented into newer smartphones and laptops today. Naturally, researchers began looking into how to bypass these forms of authentication. Some have proven that a gelatin fingerprint can be used to unlock devices with a fingerprint scanner [6]. In this case, a pin or password may be more effective. These authentication methods need to be perfected, ensuring that it’s extremely difficult to nearly impossible to spoof a fingerprint.
Conclusion
There are many ways to bypass authentication in up-to-date environments. The majority of authentication bypasses aren’t that complex either, meaning access can be gained as a result of a small logic error, an error in processing login data, or just the design of the authentication system. These are just a few of the many different types of authentication bypasses that exist. With more complex systems, more issues like these can arise.
References
[1] “CAPEC-115: Authentication Bypass,” Common Attack Pattern Enumeration and Classification. The MITRE Corporation, 31 July 2018. [Online]. Available: https://capec.mitre.org/data/definitions/115.html. [Accessed 29 March 2019].
[2] “OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks.” OWASP. OWASP Foundation, 2017. [Online]. Available: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_en).pdf.pdf. [Accessed 29 March 2019].
[3] Hart, Matan. “Kerberos Attacks: What You Need to Know.” CyberArk. CyberArk, 9 October 2015. [Online]. Available: https://www.cyberark.com/blog/kerberos-attacks-what-you-need-to-know/. [Accessed 29 March 2019].
[4] MITRE ATT&CK™, The MITRE Corporation, 2018. [Online]. Available: https://attack.mitre.org/. [Accessed 29 March 2019].
[5] Burp Suite Scanner, PortSwigger Ltd., 2019. [Online]. Available: https://portswigger.net/burp. [Accessed 29 March 2019].
[6] Ekaterina Maro and Maksim Kovalchuk. 2018. Bypass Biometric Lock Systems With Gelatin Artificial Fingerprint. In Proceedings of the 11th International Conference on Security of Information and Networks (SIN ‘18). ACM, New York, NY, USA, Article 23, 2 pages. DOI: https://doi.org/10.1145 / 3264437.3264439