Published on February 24, 2023
Some of the most common techniques adversaries use to capture credentials include finding or guessing credentials, and passing or relaying password hashes.
On a compromised Windows host, the places an adversary looks for stored passwords include operating system memory; user files such as Excel spreadsheets; email inboxes and sent folders; system files such as the PowerShell command history; the registry; and sticky notes.
Attackers may also harvest credentials stored in web server configuration files and application files, in operating system memory, in a web browser's autocomplete history or password manager, hard-coded in applications, and in cloud applications.
The two most common ways for an adversary to intercept passwords are an on-path attack, also known as a Man in the Middle (MitM) attack, and abuse of promiscuous name-resolution protocols such as LLMNR, NetBIOS name service, IPv6 and mDNS.
An example of the first is poisoning the Address Resolution Protocol (ARP) tables of a network switch so that it forwards traffic through an unauthorised port before it reaches its intended destination; the attacker waits for a password hash to pass by, then takes the hash offline to crack it. Promiscuous protocols that can be tricked into sending a password hash to an unvetted recipient can lead to a breach if the password is short or easy to guess.
Insecure web applications in general can be abused to bypass application access control lists (ACLs) or forge valid tokens.
Adversaries confronted with a secure web application, one that does not leak platform, patch or configuration information, whose code protects against injection and scripting attacks, and which enforces strong account access and lockout controls, may still try password guessing. Password lockout policies can sometimes be bypassed with password spraying, which tries a few common passwords against many accounts so that no single account reaches the lockout threshold.
Social engineering remains one of the most effective techniques available to adversaries.
Phishing seems to be the most popular choice. These attacks use persuasion techniques such as impersonating technical support personnel, name-dropping a person of authority, communicating a sense of urgency, and using plenty of technical jargon and alphabet soup to confuse users and elicit compliance: "For verification purposes, please give us the code we just sent to you."
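As an added illustration, not code from the original post, of why a per-account lockout policy misses spraying: a small Python detector run over constructed failed-logon records. The lockout rule counts failures per account and sees nothing, while counting distinct accounts per source within a window exposes the spray. The record format, field names, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (the shape of a normalised Windows
# Event ID 4625); not real telemetry. 10.0.0.5 hits six accounts once each
# (spray); 10.0.0.9 hits one account repeatedly (brute force).
SAMPLE_LOG = """\
2023-02-24T09:00:01 LOGON_FAILURE user=alice src=10.0.0.5
2023-02-24T09:00:03 LOGON_FAILURE user=bob src=10.0.0.5
2023-02-24T09:00:04 LOGON_FAILURE user=carol src=10.0.0.5
2023-02-24T09:00:06 LOGON_FAILURE user=dave src=10.0.0.5
2023-02-24T09:00:07 LOGON_FAILURE user=erin src=10.0.0.5
2023-02-24T09:00:09 LOGON_FAILURE user=frank src=10.0.0.5
2023-02-24T09:01:10 LOGON_FAILURE user=alice src=10.0.0.9
2023-02-24T09:01:12 LOGON_FAILURE user=alice src=10.0.0.9
2023-02-24T09:01:15 LOGON_FAILURE user=alice src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) LOGON_FAILURE user=(\S+) src=(\S+)$")

def parse(log):
    """Return sorted (timestamp, account, source) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def lockout_candidates(events, threshold=5):
    """Accounts a classic per-account lockout policy would lock."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return {u for u, c in counts.items() if c >= threshold}

def spray_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Sources failing against >= min_accounts distinct accounts in one window.
    The signal is breadth of accounts per source, not depth per account."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        for start, _ in items:  # slide a window anchored at each failure
            users = {u for t, u in items if start <= t < start + window}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged
```

With the sample, `lockout_candidates` returns an empty set while `spray_sources` flags 10.0.0.5 with six accounts; thresholds should be tuned to the environment's normal failure rate.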
Adding a fingerprint on top? FaceID? What if you are sleeping and someone uses your biometrics to unlock the device? What if someone knocks you out?
People, companies and nations of all sizes have to defend against multiple threat events: ransomware; attacks going after personally identifiable information (PII), with the associated identity theft and possible further compromise; and scenarios in nation-state-sponsored global cyberwarfare, including boots-on-the-ground contexts that involve digital communications. It is high time to really think things through.