Credential Access - secuguru/security-terms GitHub Wiki

In the credential access phase of an attack, attackers attempt to steal or obtain credentials (such as usernames, passwords, tokens, and other authentication secrets) that provide access to systems, services, and sensitive information. Access to credentials enables attackers to move laterally within a network, escalate privileges, and maintain persistence. Here’s a breakdown of common methods for credential access, including brute force attacks, keylogging, and accessing password managers, as well as specific techniques like accessing password files on Linux, DCSync attacks, and Kerberos ticket attacks on Windows systems.

1. Brute Force, Accessing Password Managers, Keylogging

  • Brute Force: Attackers use automated tools to systematically try multiple password combinations for a given username, eventually cracking weak or commonly used passwords.
  • Accessing Password Managers: If attackers compromise a device or an account, they may access password managers stored locally or in the cloud to retrieve stored credentials.
  • Keylogging: Attackers install keyloggers to capture keystrokes, including passwords and sensitive data, as users type them. Keyloggers can be hardware devices or software programs.
  • Security Implications: These methods provide direct access to credentials without needing complex exploitation, especially if passwords are weak or password manager vaults are insufficiently protected.

2. /etc/passwd and /etc/shadow (Linux)

  • /etc/passwd: This file on Unix and Linux systems contains basic user account information, including usernames and user IDs. Historically, it also held password hashes, but for security, most modern systems have moved password hashes to a separate file.
  • /etc/shadow: This file contains password hashes and is typically accessible only to users with root or privileged access. Attackers who gain access to /etc/shadow can extract these hashes and attempt to crack them offline.
  • Forensic and Security Implications: Access to /etc/shadow significantly compromises system security, as password hashes can be brute-forced or cracked using tools like John the Ripper or Hashcat.

3. Windows DCSync, Kerberos Golden & Silver Tickets

  • DCSync Attack:
    • Definition: DCSync is a method where attackers use the replicate privilege to request password hashes from a domain controller by impersonating the behavior of a domain controller.
    • Purpose: It allows attackers to retrieve password hashes for any user in the Active Directory (AD), including sensitive accounts like krbtgt (Kerberos Ticket Granting Ticket) and domain administrators.
  • Kerberos Golden & Silver Tickets:
    • Golden Ticket: A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the hash of the krbtgt account, which is responsible for Kerberos authentication. With a Golden Ticket, attackers can authenticate as any user in the AD environment, effectively gaining unrestricted access.
    • Silver Ticket: A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket, which allows attackers to authenticate to specific services within the AD domain rather than the entire domain.
  • Security Implications: DCSync, Golden Ticket, and Silver Ticket attacks give attackers the ability to control or impersonate high-privilege accounts in AD environments. This level of access enables them to bypass most security controls and maintain persistent, high-level access.

4. Clear-Text Credentials in Files, Pastebin, etc.

  • Clear-Text Credentials in Files:
    • Definition: Attackers may find credentials stored in plaintext within configuration files, scripts, or documentation, either on local machines or accessible shared drives.
    • Common Locations: Configuration files for web servers, database connections, or other services are often found in plaintext if proper security practices weren’t followed.
  • Credentials in Pastebin and Public Repositories:
    • Attackers may search for credentials accidentally exposed on public platforms like Pastebin or GitHub, where developers may unknowingly upload sensitive information.
  • Security Implications: Clear-text credentials are a major security risk, as they provide immediate access without requiring decryption or cracking. If attackers find these credentials in publicly accessible locations, they can gain access to systems with minimal effort.

Summary

  • Brute Force, Keylogging, and Accessing Password Managers allow attackers to capture passwords and other authentication information by directly interacting with user inputs or stored credentials.
  • /etc/passwd and /etc/shadow Files on Linux contain user account information and password hashes, which attackers can extract and crack for access to user accounts.
  • Windows DCSync and Kerberos Golden/Silver Tickets are advanced techniques that allow attackers to impersonate users in an Active Directory environment, gaining extensive privileges and persistence.
  • Clear-Text Credentials in Files and Online Platforms provide attackers with easy access to sensitive information if credentials are improperly stored or shared publicly.

By understanding these methods, organizations can take countermeasures, such as enforcing strong password policies, securing access to sensitive files, and training employees on credential management best practices. Monitoring for unusual access patterns and securing credential storage are key to mitigating the risks associated with credential access.