Authentication Hacking Attacks

Authentication Hacking Attacks
1. What is an Authentication Hacking attack?
Authentication plays a critical role in the security of web applications. When a user provides his login name and password to authenticate and prove his identity, the application assigns the user specific privileges to the system, based on the identity established by the supplied credentials.
HTTP can embed several different types of authentication protocols. These include:
• Basic - Cleartext username/password, Base-64 encode (trivially decoded)
• Digest - Like Basic, but passwords are scrambled
• Form-based - A custom form is used to input username/password (or other credentials) and is processed using custom logic on the backend.
• NTLM - Microsoft's proprietary authentication protocol, implemented within HTTP request/response headers.
• Negotiate - A new protocol from Microsoft that allows any type of authentication specified above to be dynamically agreed upon by the client and server. Also adds Kerberos for clients using Microsoft's IE v5+.
• Client-side Certificates - Although rarely used, SSL/TLS provides an option that checks the authenticity of a digital certificate present by the Web client, essentially making it an authentication token.
• Microsoft Passport - A single-sign-in (SSI) service run by Microsoft Corporation that allows web sites (called "Passport Partners") to authenticate users based on their membership in the Passport service. The mechanism uses a key shared between Microsoft and the Partner site to create a cookie that uniquely identifies the user.
These authentication protocols operate right over HTTP (or SSL/TSL), with credentials embedded right in the request/response traffic.
This kind of attack is not a technological security hole in the Operating System or server software. It depends rather on how securely stored and complex the passwords are and on how easy it is for the attacker to reach the server (network security).
Preventing Authentication hacking attacks:-
To verify whether an attack phase has succeeded or not, automated tools assess the returned error codes and page information from the host web server. A secure practice is to force any error or unexpected request to generate a HTTP 200 OK response, instead of the numerous 400 type errors. This will make it more difficult for the attacker to distinguish between valid and invalid login attempts.
An important measure in stopping automated brute-force authentication attacks is by adding random content on the page presented to the authenticating client browser. The client must be capable of successfully submitting this random content as part of the authentication process to proceed further in the web site or application. The best way to do this is to present the random phrase in a graphic GIF, JPG or PNG format using random fonts or colours each time. This can make it almost impossible for an automated process to succeed. See screenshot below for an illustration.



How to test any pages
Here are some common Username/Passwords used by attackers in authentication guessing attacks:
Username Guesses Password Guesses
[NULL] [NULL]
root, administrator, admin [NULL], root, administrator, admin, password, [company_name]
operator, webmaster, backup [NULL], operator, webmaster, backup
guest, demo, test, trial [NULL], guest, demo, test, trial
member, private member, private
[company_name] NULL], [company_name], password
[known_username] [NULL], [known_username]