Possible credential attack vectors

and ways to prevent credential based attacks

Posted by d3k0y on 2017-03-26 06:37:33

Password combined with username form credentials, nearly everything we do online require credentials in our modern world.

To be secure, you’re relied upon to give each of these accounts a solid, unique password that you change consistently and store such that attacker couldn’t make use of it if stolen. Furthermore, you should make a unique username too.

But in practical it is hard to remember username and password.Strong unique passwords are harder to create and to remember, researchers from Paloalto released a White paper on Credential based attacks, which summarize the possible password attacks and defense mechanism we are to see here.

Stealing credential doesn’t require any technical skills, zero-day attack or to be an advanced persistent threat (APT) to empty a bank account, compromise a network, or cripple a company.

Just the right credentials, attackers even rent keyloggers, Trojans from darkweb to complete their job. Ppublically announced, high-profile breaches support the idea that stolen credentials are much more typical a reason for an effective attack than zero days or APTs.

Possible credential attack vectors and ways to prevent credential based attacks Source PaloAlto Networks How attackers steal Credentials

It’s is no big surprise, that these are the five essential systems that attackers use for stealing credentials.

Social engineering. Phishing and spam. Reusing stolen passwords or shared credentials. Brute force. Security question reuse Social Engineering

Social engineering refers to the strategy for influencing and convenience people to uncover sensitive data to play out some malicious activity.

With the assistance of social designing traps, attackers can acquire confidential data, and get confidential information, authorization details and access details of people by deceiving and manipulating them.

Oxford English Dictionary refers Social Engineering as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing and spam

Phishing is one of the most common methods of stealing the credentials, malicious links lead to websites that look the same as the legitimate site, and often use a similar URL with one or more typos.

The Victims who open malicious attachments, the malware itself will often employ a keylogger, which records every keystroke made and sends them to the attacker as shown.

Beyond simple keyloggers, attackers will also use a credential harvesting program, such as Mimikatz or gsecdump, to steal any additional credentials stored in memory on the device.

It doesn’t make a difference if yours is a 35-character arbitrary password with letters, numbers and developed characters or just “password”; once it’s stolen in this way.

Reusing stolen passwords or shared credentials

The attacker doesn’t simply take credentials to use for themselves any longer; they take them to sell that access to others.

In an expansion, it’s turning out to be increasingly basic for hackers to basically, present stolen passwords on the web for anybody to utilize.

The chief reason credentials have any monetary value is that most people rarely change them and often reuse passwords across multiple accounts. That means these credentials can remain valid for months or years.

Once attackers acquire credentials, they begin “credential stuffing”: putting as many credentials as possible into as many sites as possible, to gain access to as many accounts as possible, as quickly as possible.

Brute force

Bruteforce is simply a program tries every possible combination characters until the password is broken.

In some cases, the lack of strong passwords is the fault of the organization, when it doesn’t enforce the use of strong passwords and instead allows accounts to have weak passwords.

There are software programs to both help create and store strong, unique passwords, which have gone far in securing accounts for those who use them.

In any case, they aren’t perfect and can be prime focuses for hackers; one of these projects, LastPass, was itself hacked in 2015, with client account data stolen.

Security question reuse

Security questions have settled in, turning into a layer of validation in addition to, or rather than, passwords.Security questions are an almost feature of account recovery capabilities.

If you’ve ever lost or overlooked a username or, particularly, a password, chances are you’ve needed to answer a security question to reset or recover your username and password.

Unfortunately, security questions are a weak lack of Authentication.

To begin with, it’s a similar class of authentication factor as passwords: something you need to know. Second, security questions tend to ask questions whose answers attackers can gather from online research, especially in an era of social media. Typical security questions are predictable and their answers, easy to research. Since security inquiries are intended to be simple things for individuals to recall, it additionally tends to make them static, similar to school mascots or attendance dates, and essential occasions or individuals in a man’s life, making them much more prone to be archived on the web.

What attackers can do with Passwords

With stolen credentials grant attackers the power to do everything and access everything the legitimate user can.

Some ransomware attackers, such as those behind Samsa, also rely on stolen credentials to gain access, move laterally and then encrypt only the most valuable data.

There are also some other ways attacker use stolen credentials.

Remote Access – Attackers can use stolen credentials to gain remote entry into networks using Virtual Private Networks (VPN) and Remote Access Protocols, like RDP and VNC.

Lateral Movement – Stolen credentials (especially domain admin credentials) are a massive benefit to attackers who need deeper penetration into a network.

Cloud Access – Cloud services are often defended only by user credentials, and the data inside them is invaluable, especially as organizations move more and more information off-premises and into the cloud.


Prevention theft can be avoided by focusing the following areas.

Password need to be changed frequently and used should be blocked with a number of attempts. It should be important to keep password lengthy, complex and don’t share your passwords. An effective training to be conducted for employees, whereas effective background check and proper termination policy are important. Instead of fixed password use TFA or 2FA for highly secured networks. Phishing Emails need to be detected, hover the mouse cursor over the link to see the link type before clicking. Secure all documents containing sensitive information. Don’t reveal your sensitive details over the telephone. Conclusion

It is important to understand that technology alone cannot solve the problem of credential theft, and that people and processes are critical elements in the defense plan.

Organizations need to adopt and enforce processes as well as people-readiness programs to ensure a complete approach to defending against these attacks.

It is essential to perceive that a comprehensive defense approach is required and that organizations should be set up to shield against these risk.