Enumeration techniques and their value
A version of this post originally appeared at https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/
One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are enumerated, targeted password-based attacks can be launched against them.
A number of useful techniques for enumerating valid usernames currently exist; they can be categorised into two broad categories: web application and infrastructure-based username enumeration. The following examples are by no means exhaustive; they serve as examples of the type of issues that provide consultants and threat actors alike the ability to enumerate usernames. While these techniques are not new, there is still some value in discussing them, as they are such an important part of the process of gaining access to systems.
Web Application
Standard Authentication
In standard authentication, a user is required to enter a username and password into a form to gain access to the web application. When entering an invalid username along with a password, a generic message such as “incorrect password” is often returned, suggesting that the username does not exist. However, when entering a valid username and an incorrect password, we will often see a message such as "password incorrect for this user", suggesting that the username is valid. A malicious user can use automated tools to gather a list of valid usernames using this method. Once valid usernames have been successfully enumerated, a brute-force attempt to retrieve passwords can be made against those usernames.
Forgotten Password
When using a recovery facility such as a forgotten password function, a vulnerable application might return a message that reveals if a username exists or not. Entering a valid username or email address may return something along the lines of:
Your password has been successfully sent to the email address you registered with
An invalid username or email address, however, might return something along the lines of:
email address is not valid or the specified user was not found
Predictable Username Formats
In some cases user IDs are created with specific predictable sequences or formats. For example, users might have IDs created in sequential order:
CN000100
CN000101
Armed with this information, an attacker can increment the value and use a technique such as the forgotten password functionality discussed above to determine if a username is valid.
It is worth noting that that these methods can be expanded to include more than simply the message that is returned; other factors should also be analysed, including the error code received on login pages, URLs and URL redirections, and web page titles, all of which may differ for valid and non-valid credentials.
WordPress
WordPress is an open source content management system, with features including a plugin architecture and a template system. WordPress is the most popular blogging system in use on the Web, and is used by more than 60 million websites, including 23.3% of the top ten million websites as of January 2015
It is possible to enumerate usernames on a default Wordpress install, using tools such as wpscan. Below is an example of the type of output received from wpscan’s “enumerate users” module:
+----+---------------+------+ | Id | Login | Name | +----+---------------+------+ | 1 | administrator | | | 2 | edward | | | 3 | gareth | | | 5 | dylan | | | 6 | dafydd | | | 7 | sarah | | +----+---------------+------+
There are, however, instances when standard tools like wpscan do not work when looking to enumerate usernames. When this occurs it is worth taking the time to look at the structure of the website, as it is often possible to enumerate usernames using bespoke scripts.
Infrastructure-Based Enumeration
Default/Common Usernames
A number of common, well-known, usernames exist on default installations of operating systems and software. For example, it is reasonable to assume, unless there is evidence to the contrary, that a Windows host will have an account called administrator. Common usernames include:
administrator
root
guest
backup
test
Service accounts, such as:
o SophosManagement
o SophosUpdateMgr
Username Enumeration through Port Identification
It is sometimes possible to profile hosts through a port scan, as open ports can often indicate a user associated with popular software. For example, identifying TCP port 1521 on a host will, in more cases than not, indicate that the host has an oracle user. Similarly, an open TCP port of 5432 will often have a user named postgres.
Guessable Usernames
It is often the case that usernames are guessable, because they are all created using a common well-known format. After discovering the format it would be possible to generate a list of possible usernames.
Common examples of username formats include:
Username Format Example
firstname edward
firstname.surname edward.williams
Firstname.surname edwardwilliams
first letter of first name and surname ewilliams
surname and first letter of firstname williamse
incremental number 00001
RID Cycling
It is possible to enumerate all domain users from a Windows 2003 domain controller by RID cycling. On Windows 2003 domain controllers the SID of the “domain users” group can be enumerated; the same technique will not work on Windows 2008 domain controllers. With this information it is possible to iterate through the RIDs to enumerate users. Below is an example of this, using GetAcct from a Windows 2003 domain controller:
Kerberos Username Validation
It is possible to elicit valid usernames from the Kerberos service of a domain controller. When an invalid username is requested, the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; valid usernames will elicit either the TGT or an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signalling that the user is required to perform pre-authentication and that the user is valid.
OpenSSH Username Enumeration
Certain versions of OpenSSH suffer from a timing vulnerability: if a valid username with a long password is given, the time taken to return is noticeably longer than for an invalid username with a long password.
The following is an example of this, for which a custom script was written; as can be seen both the “root” and “ed” users have been enumerated. The figure on the right-hand side is the time it took to respond, and for the enumerated usernames the time is significantly greater than for non-enumerated users:
Figure 4: OpenSSH Username Enumeration
SMTP Username Enumeration
Several methods exist that can be used to abuse SMTP to enumerate valid usernames and addresses:
VRFY
This command will request that the receiving SMTP server verify that a given email username is valid. The SMTP server will reply with the login name of the user. This feature can be turned off in Sendmail.
EXPN
EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the "VRFY" command, since sites often have an alias such as "all".
RCPT TO
This identifies the recipient of the email message. This command can be repeated multiple times for a given message, in order to deliver a single message to multiple recipients. The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers.
ACF2
ACF2 (Access Control Facility) is a commercial, discretionary, access control software security system for IBM mainframe OSes. Through the responses received when connecting to the mainframe, it is possible to enumerate valid usernames.
Generic Mitigations
For web applications, create a generic message, preventing users from eliciting usernames.
When creating Active Directory usernames, consider an element of randomness; for example;
dylan.williams could be dylan.williams3280 and
dafydd.williams could be dafydd.williams6782
For WordPress, there exist a number of plugins that can be used to stop the enumeration of usernames:
Restrict access to /wp-admin by means of IP restriction.
Implement two-factor authentication (Authy, Google)
Change easily-guessable and default usernames to more complex, less guessable values.
Ensure all software is running at the latest, stable release.
Harden services such that null binds cannot be established and remote root authentication is not allowed.
The importance of being able to enumerate usernames from a security consultant’s or threat actor’s perspective cannot be underestimated; while mitigating username enumeration is by no means a silver bullet, it should be included within an organisation’s risk assessment along with strong passwords, robust patching, and appropriate segregation.
About NCC Group
NCC Group is a global information assurance specialist providing organisations worldwide with expert escrow, verification, security consulting, website performance, software testing and domain services.
Through an unrivalled range of services, we give organisations across the world freedom from doubt that their most important assets are protected and operating as they should be at all times.
With our knowledge, experience and global footprint we are committed to ensuring that organisations have access to a total information assurance solution that works for them.
We are passionate about changing the shape of the Internet and making it safer.
About Security Consulting
NCC Group’s security consulting services strengthen your position in the cyber arms race by helping you to identify risk and formulate a robust security strategy.
With our unique set of skills, expertise and services we are on hand to help you to quickly understand, contain and mitigate any breach.
With the world’s largest security assurance team and top level accreditations, we are the trusted advisor to over 1,750 organisations worldwide.
Contact
For more information from NCC Group Contact:
response@nccgroup.trust
www.nccgroup.trust
0161 209 5111
