Network traffic analysis for IR: Credential capture
Introduction to leaked credentials
The concept of leaked or breached credentials is nothing new, with data breaches occurring on a daily basis. Most of these breaches involve theft of data from unsecured repositories.
However, credentials can also be leaked in network traffic. Many protocols are not configured to be secure by default and can leak authentication credentials in plaintext in their traffic. The ability to identify these protocols and any credentials leaked is important for determining if authentication information could have been lost to an eavesdropper and to identify misconfigured or unauthorized services running on the network.
Capturing leaked credentials
Many of the internet protocols still in use today were designed as plaintext protocols, where all commands and data are sent in human-readable ASCII text. The protocols don’t have encryption by default, meaning that authentication information is not protected.
TLS can wrap these protocols in encryption. However, if any of these protocols are used on the network without this secure wrapper, sensitive user authentication information can be leaked to an eavesdropper.
FTP (File Transfer Protocol) moves files between hosts. As a result, it is usually configured to require authentication, since a computer owner doesn't want unauthorized people reading from or writing to their machine. However, FTP's authentication exchange is insecure by default.
The image above is a screen capture from an FTP session in Wireshark. As shown, the USER command (which provides the username) and the PASS command (for the password) are sent in plaintext over the network.
This can be an asset to both a hacker and an incident responder. A hacker with the ability to eavesdrop on FTP authentication traffic can steal user credentials and use them to upload malware to FTP servers. An incident responder can use the plaintext nature of the FTP protocol to identify the accounts that are compromised by a hacker and determine the actions taken on the FTP server.
Internet Relay Chat (IRC) isn’t a protocol that is used for legitimate purposes in most organizations. IRC is designed to allow easy many-to-many chats and is a precursor to modern communications platforms like Slack.
However, one modern use for IRC is command-and-control for botnets. Some malware authors will use IRC for C2 communications, since it is easy for a botnet herder to issue commands to the malware (by posting in an IRC channel) and receive responses back from its bots. Since IRC uses the concept of usernames, it is easy to differentiate bots operating on different systems.
The image above shows an authentication session for IRC in Wireshark. Like the FTP protocol, the PASS command is sent in plaintext, making it easy to identify and intercept login credentials for IRC. While you can’t see IRC messages sent while you’re not authenticated to a session, an incident responder who intercepted a bot’s IRC credentials could log in and see future messages, which can give insight into the botnet’s operations.
Simple Mail Transfer Protocol (SMTP) is one of the email protocols. (POP2 and IMAP are the other two.) Like the other protocols discussed here, SMTP is a plaintext protocol where all commands and data are sent in human-readable ASCII text.
In the Wireshark screenshot above, the authentication credentials used for the SMTP service are not as easily readable as for FTP or IRC. However, the credentials are leaked and can be easily extracted from the traffic sample.
SMTP uses Base64 encoding to provide some level of obfuscation of login credentials sent over the network. Decoding the Base64 arguments of the two lines carrying the 334 code produces the strings “Username” and “Password.” The client’s responses to these prompts reveal a username of firstname.lastname@example.org and a password of punjab@123.
While Base64 encoding login credentials prevents simple string matching for login credentials, it provides no security. NetworkMiner, a network traffic analysis tool, will extract and decode SMTP credentials that it finds in a packet capture.
Telnet is a notoriously insecure predecessor to SSH. The protocol is widely considered deprecated. However, it is commonly available on IoT devices. Open Telnet ports and poor default passwords powered the Mirai botnet and have recently left over a million IoT radios open to attack.
The Wireshark image above demonstrates why Telnet is considered an insecure protocol. Like the other protocols described here, Telnet sends its credentials in the clear over the network. As a result, an attacker sniffing network traffic can easily intercept them and gain remote terminal access to the device.
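As an added example (not code from the article or from NetworkMiner), the following Python scanner pulls cleartext logins out of reassembled TCP streams for the four protocols discussed above, decoding the SMTP AUTH LOGIN exchange the way the Base64 walk-through does. The sample streams, the "C: "/"S: " prefix convention and the joined Telnet keystrokes are constructed assumptions.

```python
import base64
# Constructed sample streams (not captures from the article): one reassembled TCP
# stream per protocol, with "C: "/"S: " marking client and server lines as exported
# from Wireshark's Follow TCP Stream; for Telnet we assume echoed keystrokes were joined.
SAMPLE_STREAMS = {
    "ftp": ["S: 220 FTP server ready", "C: USER alice",
            "S: 331 Password required for alice", "C: PASS s3cret"],
    "irc": ["C: PASS botpass42", "C: NICK bot-1234", "C: USER bot 0 * :bot"],
    "smtp": ["C: AUTH LOGIN",
             "S: 334 VXNlcm5hbWU6",          # Base64("Username:")
             "C: YWxpY2VAZXhhbXBsZS50ZXN0",  # Base64("alice@example.test")
             "S: 334 UGFzc3dvcmQ6",          # Base64("Password:")
             "C: cHVuamFiQDEyMw=="],         # Base64("punjab@123")
    "telnet": ["S: router login: ", "C: admin", "S: Password: ", "C: admin1234"],
}
# Server prompts (cleartext, or Base64-decoded for SMTP) that announce the next field.
PROMPTS = {"username:": "username", "login:": "username", "password:": "password"}

def b64_text(token):
    """Decode a Base64 token to text, or return '' if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""

def find_leaked_credentials(protocol, stream):
    """Return (protocol, field, value) for each credential this stream sends in the clear."""
    findings, pending = [], None  # pending: the field the next client line answers
    for line in stream:
        side, _, text = line.partition(": ")
        if side == "S":
            # SMTP AUTH LOGIN hides its prompts behind Base64 after a 334 reply code;
            # Telnet sends "login:"/"Password:" raw. Either way the prompt is readable.
            prompt = b64_text(text[4:]) if protocol == "smtp" and text[:4] == "334 " else text
            words = prompt.lower().split()
            pending = PROMPTS.get(words[-1]) if words else None
        elif pending:  # answer to a prompt: Base64 for SMTP, raw for Telnet
            findings.append((protocol, pending, b64_text(text) if protocol == "smtp" else text))
            pending = None
        else:  # FTP and IRC carry the credential as the argument of a cleartext verb
            verb, _, args = text.partition(" ")
            if protocol == "ftp" and verb == "USER":
                findings.append((protocol, "username", args))
            elif protocol in ("ftp", "irc") and verb == "PASS":
                findings.append((protocol, "password", args))
    return findings

def scan_all(streams=SAMPLE_STREAMS):  # any finding means a service accepts logins without TLS
    return [f for proto, s in streams.items() for f in find_leaked_credentials(proto, s)]
```

Feeding real exported streams to `scan_all` is the check an incident responder would run: a non-empty result is the "serious problem" the conclusion below describes, and every returned value should be treated as a breached credential.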
Conclusion: Credential capture for incident response
The potential to capture leaked credentials over the network is primarily seen as a benefit for hackers. If an eavesdropper has the ability to intercept a legitimate user’s login credentials, then they have the same level of authenticated access to the machine as the legitimate user. If any of these protocols is being used in a network in a way that allows sniffing (i.e., not wrapped in TLS), then there are probably other issues that the hacker can exploit as well.
However, monitoring for leaked credentials can be valuable to an incident responder for many of the same reasons. If the incident responder can extract credentials from network traffic, then it should be assumed that a hacker can do so as well (assuming that the incident responder doesn’t have access to decrypted TLS traffic). Under these circumstances, the credentials should be considered breached and changed. If the credentials are observed being used for malicious purposes, then it provides the responder with clues regarding the particular accounts and services that the attacker has access to.
Monitoring for credentials leaked by these services is also valuable for incident response, since they should not be visible in a well-designed and secured network. If the services were using TLS, the credentials would not be visible. Therefore, a scan for leaked credentials in network traffic that returns any results indicates a serious problem that needs immediate attention.