Network traffic analysis for IR: Credential capture
Introduction to leaked credentials
The concept of leaked or breached credentials is nothing new, with data breaches occurring on a daily basis. Most of these breaches involve theft of data from unsecured repositories.
However, credentials can also be leaked in network traffic. Many protocols are not configured to be secure by default and can leak authentication credentials in plaintext in their traffic. The ability to identify these protocols and any credentials leaked is important for determining if authentication information could have been lost to an eavesdropper and to identify misconfigured or unauthorized services running on the network.
Learn Incident Response
Capturing leaked credentials
Many of the internet protocols still in use today were designed as plaintext protocols, where all commands and data are sent in human-readable ASCII text. The protocols don’t have encryption by default, meaning that authentication information is not protected.
TLS can wrap these protocols in encryption. However, if any of these protocols are used on the network without this secure wrapper, sensitive user authentication information can be leaked to an eavesdropper.
FTP
FTP is a file transfer protocol. As a result, it often is configured to require authentication, as a computer owner doesn’t want unauthorized people to read from or write to their machines. However, the authentication protocol on FTP is insecure by default.
The image above is a screen capture from an FTP session in Wireshark. As shown, the USER command (which provides the username) and the PASS command (for the password) are sent in plaintext over the network.
This can be an asset to both a hacker and an incident responder. A hacker with the ability to eavesdrop on FTP authentication traffic can steal user credentials and use them to upload malware to FTP servers. An incident responder can use the plaintext nature of the FTP protocol to identify the accounts that are compromised by a hacker and determine the actions taken on the FTP server.
IRC
Internet Relay Chat (IRC) isn’t a protocol that isn’t used for legitimate purposes in most organizations. IRC is designed to allow easy many-to-many chats and is a precursor to modern communications platforms like Slack.
However, one modern use for IRC is command-and-control for botnets. Some malware authors will use IRC for C2 communications, since it is easy for a botnet herder to issue commands to the malware (by posting in an IRC channel) and receive responses back from its bots. Since IRC uses the concept of usernames, it is easy to differentiate bots operating on different systems.
The image above shows an authentication session for IRC in Wireshark. Like the FTP protocol, the PASS command is sent in plaintext, making it easy to identify and intercept login credentials for IRC. While you can’t see IRC messages sent while you’re not authenticated to a session, an incident responder who intercepted a bot’s IRC credentials could log in and see future messages, which can give insight into the botnet’s operations.
SMTP
Simple Mail Transfer Protocol (SMTP) is one of the email protocols. (POP2 and IMAP are the other two.) Like the other protocols discussed here, SMTP is a plaintext protocol where all commands and data are sent in human-readable ASCII text.
In the Wireshark screenshot above, the authentication credentials used for the SMTP service are not as easily readable as for FTP or IRC. However, the credentials are leaked and can be easily extracted from the traffic sample.
SMTP uses Base64 encoding to provide some level of obfuscation of login credentials sent over the network. Decoding the two commands with arguments 334 produce the strings “Username” and “Password.” The responses to these commands reveal a username of gurpartap@patriots.in and a password punjab@123.
While Base64 encoding login credentials prevents simple string matching for login credentials, it provides no security. NetworkMiner, a network traffic analysis tool, will extract and decode SMTP credentials that it finds in a packet capture.
Telnet
Telnet is a notoriously insecure predecessor to SSH. The protocol is widely considered deprecated. However, it is commonly available on IoT devices. Open Telnet ports and poor default passwords powered the Mirai botnet and have recently left over a million IoT radios open to attack.
The Wireshark image above demonstrates why Telnet is considered an insecure protocol. Like the other protocols described here, Telnet sends its credentials in the clear over the network. As a result, an attacker sniffing network traffic can easily intercept them and gain remote terminal access to the device.
Conclusion: Credential capture for incident response
The potential to capture leaked credentials over the network is primarily seen as a benefit for hackers. If an eavesdropper has the ability to intercept a legitimate user’s login credentials, then they have the same level of authenticated access to the machine as the legitimate user. If any of these protocols is being used in a network in a way that allows sniffing (i.e., not wrapped in TLS), then there are probably other issues that the hacker can exploit as well.
However, monitoring for leaked credentials can be valuable to an incident responder for many of the same reasons. If the incident responder can extract credentials from network traffic, then it should be assumed that a hacker can do so as well (assuming that the incident responder doesn’t have access to decrypted TLS traffic). Under these circumstances, the credentials should be considered breached and changed. If the credentials are observed being used for malicious purposes, then it provides the responder with clues regarding the particular accounts and services that the attacker has access to.
Monitoring for credentials breached by these services is also valuable for incident response since they should not be visible in a well-designed and secured network. If the services were using TLS, credentials would not be visible. Therefore, a scan for leaked credentials in network traffic that provides any results indicates a serious problem that needs immediate attention.
Learn Network Traffic Analysis for Incident Response
Sources
Learn Network Traffic Analysis for Incident Response
Get hands-on experience with nine courses covering how to collect, identify, extract and analyze network traffic. What you'll learn:- Traffic analysis case studies
- Common network threats
- Data analysis methods
- Tools like Wireshark
- And more
In this Series
- Network traffic analysis for IR: Credential capture
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
- How to Use AlientVault SIEM for Threat Detection & Incident Response
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool