Network traffic analysis for IR: Credential capture

Introduction to leaked credentials

The concept of leaked or breached credentials is nothing new, with data breaches occurring on a daily basis. Most of these breaches involve theft of data from unsecured repositories. 

However, credentials can also be leaked in network traffic. Many protocols are not configured to be secure by default and can leak authentication credentials in plaintext in their traffic. The ability to identify these protocols and any credentials leaked is important for determining if authentication information could have been lost to an eavesdropper and to identify misconfigured or unauthorized services running on the network.

Capturing leaked credentials

Many of the internet protocols still in use today were designed as plaintext protocols, where all commands and data are sent in human-readable ASCII text. The protocols don’t have encryption by default, meaning that authentication information is not protected. 

TLS can wrap these protocols in encryption. However, if any of these protocols are used on the network without this secure wrapper, sensitive user authentication information can be leaked to an eavesdropper.

FTP

FTP is a file transfer protocol. As a result, it is often configured to require authentication, since a computer owner doesn’t want unauthorized people reading from or writing to their machine. However, FTP authentication is insecure by default.

The image above is a screen capture from an FTP session in Wireshark. As shown, the USER command (which provides the username) and the PASS command (for the password) are sent in plaintext over the network.

This can be an asset to both a hacker and an incident responder. A hacker with the ability to eavesdrop on FTP authentication traffic can steal user credentials and use them to upload malware to FTP servers. An incident responder can use the plaintext nature of the FTP (Read more...)
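The following Python script is an added example, not code from the Infosec Resources post or from Chris Sienko. It shows how an incident responder would mechanise what the Wireshark screenshot shows by hand: it reads a reassembled FTP control channel (the kind of client/server byte stream Wireshark's "Follow TCP Stream" produces), pairs each USER/PASS with the server's reply code so you know whether the leaked credential actually worked, and records a finding with the password masked so the IR report is not a second copy of the leak. It also stops parsing at a successful `AUTH TLS` upgrade, because from that point on the credentials are inside the TLS wrapper the text describes. The sample session, the direction tags `"C"`/`"S"`, and the `Finding`/`Report` structures are all constructed assumptions for this example.

```python
"""Detect plaintext FTP credentials in a captured control-channel stream.

Added example, not part of the original article. Input is a list of
(direction, payload) chunks, "C" for client->server and "S" for server->client,
in arrival order, as you would get by exporting a Follow TCP Stream from Wireshark.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample session (not real capture data): one successful login,
# then a failed one on the same control connection.
SAMPLE_STREAM: List[Tuple[str, bytes]] = [
    ("S", b"220 Service ready for new user.\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 User name okay, need password.\r\n"),
    ("C", b"PASS s3cret-pw\r\n"),
    ("S", b"230 User logged in, proceed.\r\n"),
    ("C", b"PWD\r\n"),
    ("S", b'257 "/" is the current directory\r\n'),
    ("C", b"USER bob\r\n"),
    ("S", b"331 User name okay, need password.\r\n"),
    ("C", b"PASS wrong\r\n"),
    ("S", b"530 Not logged in.\r\n"),
]


@dataclass
class Finding:
    username: str
    password_masked: str            # first character only; the rest is masked
    password_length: int
    reply_code: Optional[int]       # server reply to PASS, None if not captured
    login_succeeded: Optional[bool]  # True on 230, False on any other reply, None if unknown


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    tls_upgraded: bool = False      # True once AUTH TLS was accepted (234)


def mask(secret: str) -> str:
    """Keep the first character so an analyst can recognise a known weak password
    without the report itself disclosing it."""
    return secret[:1] + "*" * max(len(secret) - 1, 0)


_CMD = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")   # FTP verb plus optional argument
_REPLY = re.compile(r"^(\d{3})[ -]")                  # three-digit reply code


def _lines(stream) -> Iterator[Tuple[str, str]]:
    """Reassemble CRLF-terminated lines per direction; a line split across
    two chunks is joined before it is yielded."""
    buffers: Dict[str, bytes] = {"C": b"", "S": b""}
    for direction, chunk in stream:
        buffers[direction] += chunk
        while b"\r\n" in buffers[direction]:
            line, _, buffers[direction] = buffers[direction].partition(b"\r\n")
            yield direction, line.decode("ascii", errors="replace")


def parse_ftp_auth(stream) -> Report:
    """Walk the control channel and record every plaintext USER/PASS pair."""
    report = Report()
    pending_user: Optional[str] = None      # USER seen, PASS not yet seen
    awaiting_reply: Optional[Finding] = None  # PASS seen, server reply not yet seen
    tls_requested = False
    for direction, line in _lines(stream):
        if direction == "C":
            m = _CMD.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
            if cmd == "USER":
                pending_user = arg
            elif cmd == "PASS" and pending_user is not None:
                awaiting_reply = Finding(pending_user, mask(arg), len(arg), None, None)
                report.findings.append(awaiting_reply)
                pending_user = None
            elif cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
        else:
            m = _REPLY.match(line)
            if not m:
                continue
            code = int(m.group(1))
            if tls_requested and code == 234:
                report.tls_upgraded = True
                break  # everything after this is ciphertext on the wire
            tls_requested = False  # e.g. 502: server refused TLS, session stays plaintext
            if awaiting_reply is not None:
                awaiting_reply.reply_code = code
                awaiting_reply.login_succeeded = (code == 230)
                awaiting_reply = None
    return report


if __name__ == "__main__":
    rep = parse_ftp_auth(SAMPLE_STREAM)
    for f in rep.findings:
        status = {True: "ACCEPTED", False: "REJECTED", None: "UNKNOWN"}[f.login_succeeded]
        print(f"plaintext FTP credential: user={f.username} pass={f.password_masked} "
              f"len={f.password_length} reply={f.reply_code} {status}")
    if rep.tls_upgraded:
        print("control channel upgraded to TLS; later credentials not visible")
```

Run it on a real capture by exporting the control connection's client and server bytes from Wireshark and feeding them as the chunk list; an `ACCEPTED` finding means the eavesdropped credential is live and should be rotated, while a stream that ends with `tls_upgraded` but no findings is the configuration the text recommends.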

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/bZyLmlNRnRE/