Attacks Types & Hashing & Encryption
important points:
Rate limit --> how many requests are handled in one minute.
Account block --> blocks brute force login attacks (account or IP block).
1. Brute force-
When an attacker tries every possible password combination repeatedly until one works.
Normal bruteforce --> Many password for one user.
Reverse bruteforce --> One weak password for many users.
2. Dictionary attack-
Using a common password wordlist.
SOC detection:
Attempts follow common password pattern
Login attempts across many systems
Moderate speed attempts
3. Spraying attack-
Uses one password on many users.
SOC detection:
One password attempt per account
Spread over many usernames
Attempt spaced over time
No lockout detected
4. Hybrid attack-
Combination of dictionary words + variations, tailored to the target.
e.g. Company@123, Company@1234, Company@12345
SOC Detection:
slight password variation
Targeted to company name
5. Rainbow table attack-
Uses precomputed rainbow tables to reverse hashes into plaintext passwords.
Precomputed rainbow table --> table of stored password hashes mapped back to passwords.
SOC detection: SOC may not directly see this but DFIR might.
6. Credential Stuffing-
Attacker uses previously leaked username/password combinations from a breach.
SOC detection:
Login attempts from multiple IPs.
Valid username + valid password but unusual location
Impossible travel alert
Successful login after many failures
7. MFA fatigue attack-
So many multi-factor authentication notifications that the user gets frustrated and approves one.
SOC detection:
Multiple MFA requests
Followed by a successful login
Very common in Azure Active Directory environments.
About password attacks
Targets:
RDP - port 3389
SSH - port 22
VPN - portal
Webapps
Database login panel
Router login panel
Attack chain example
Phishing email
Credential stolen
Attacker tries VPN
Attacker attempt password spray
MFA enabled - attempt fails
Find weak service account
Gain internal access
SOC L1 investigation workflow
Alert: multiple failed login attempts
You must check :
Source IP
Geolocation
Username targeted
Success or many failures
Time frequency
Account lockout triggered
Any successful login after failures
Important logs to master
Windows:
4625 - failed login attempt
4624 - successful login
4776 - NTLM authentication
4740 - Account lockout
Linux:
$: /var/log/auth.log ---> ssh login attempts
Firewall:
Repeated connection attempts
Blocked connection spikes
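The investigation checks and event IDs above can be turned into simple detection logic. The following is an added example written for these notes, not code from the original: Python that runs over a few constructed log lines (timestamp, event ID, username, source IP, using the Windows meanings 4625 failed, 4624 success, 4740 lockout) and flags the patterns the notes describe: normal brute force (many failures for one user from one IP in a short window), password spraying (one IP, one or two attempts each against many users, no lockout), a successful login after many failures, and one account logging in from several IPs within minutes (a credential-stuffing / impossible-travel candidate). The log format, thresholds and windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Fields: timestamp event_id username source_ip
SAMPLE_LOG = """
2024-01-10T09:00:01 4625 jsmith 203.0.113.7
2024-01-10T09:00:02 4625 jsmith 203.0.113.7
2024-01-10T09:00:03 4625 jsmith 203.0.113.7
2024-01-10T09:00:04 4625 jsmith 203.0.113.7
2024-01-10T09:00:05 4625 jsmith 203.0.113.7
2024-01-10T09:00:06 4625 jsmith 203.0.113.7
2024-01-10T09:00:07 4740 jsmith 203.0.113.7
2024-01-10T09:00:20 4624 jsmith 203.0.113.7
2024-01-10T10:00:00 4625 user1 198.51.100.9
2024-01-10T10:01:00 4625 user2 198.51.100.9
2024-01-10T10:02:00 4625 user3 198.51.100.9
2024-01-10T10:03:00 4625 user4 198.51.100.9
2024-01-10T10:04:00 4625 user5 198.51.100.9
2024-01-10T10:05:00 4625 user6 198.51.100.9
2024-01-10T11:00:00 4624 ewong 192.0.2.10
2024-01-10T11:02:00 4624 ewong 192.0.2.55
2024-01-10T11:03:00 4624 ewong 192.0.2.200
"""


def parse_log(text):
    """Turn the text lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "user": user, "ip": ip})
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Normal brute force: >= threshold 4625s for one user from one IP inside window_s."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["ip"], e["user"])].append(e["ts"])
    hits = set()
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.add(key)
                break
    return hits


def detect_spray(events, min_users=5, max_per_user=2):
    """Spraying: one IP, few attempts per account, many accounts, no lockout from that IP."""
    per_ip = defaultdict(lambda: defaultdict(int))
    locked_ips = {e["ip"] for e in events if e["id"] == 4740}
    for e in events:
        if e["id"] == 4625:
            per_ip[e["ip"]][e["user"]] += 1
    return {ip for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user and ip not in locked_ips}


def detect_success_after_failures(events, min_failures=5):
    """A 4624 for an account that already had >= min_failures 4625s (possible successful guess)."""
    failures = defaultdict(int)
    hits = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] == 4625:
            failures[e["user"]] += 1
        elif e["id"] == 4624 and failures[e["user"]] >= min_failures:
            hits.add(e["user"])
    return hits


def detect_multi_ip_success(events, min_ips=3, window_s=900):
    """Valid logins for one account from >= min_ips source IPs inside window_s (stuffing / impossible travel)."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            per_user[e["user"]].append((e["ts"], e["ip"]))
    hits = set()
    for user, entries in per_user.items():
        entries.sort()
        for start, _ in entries:
            ips = {ip for ts, ip in entries if 0 <= (ts - start).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                hits.add(user)
                break
    return hits


def lockouts(events):
    """Accounts with a 4740 lockout event."""
    return {e["user"] for e in events if e["id"] == 4740}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(evs))
    print("spray:", detect_spray(evs))
    print("success after failures:", detect_success_after_failures(evs))
    print("multi-IP success:", detect_multi_ip_success(evs))
    print("lockouts:", lockouts(evs))
```

On the sample, jsmith shows up as brute force, lockout and success-after-failures from one IP; 198.51.100.9 is the spraying source (six accounts, one attempt each, spaced a minute apart, no lockout); ewong is the multi-IP success. Real SIEM rules work the same way but also join geolocation and the expected-location baseline for the user.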
Hashing
A hash is a one-way mathematical transformation of data into a fixed-length string. It protects the integrity of data.
password ---> hash function (bcrypt) ---> hashed password
Properties:
One way (cannot reverse easily)
Deterministic (same input --> same output)
Fixed length output
Small input change --> completely different output
MD5 - Not secure
SHA1 - Not secure
SHA256 - Strong
SHA512 - Strong
Bcrypt - Very strong (designed for passwords)
Argon2 - Very strong (modern standard)
Salting (without salting there is a big problem)-
Hashing is not enough
If two or more users have the same password, then the hashes are also the same.
Salting ---> any random string added to password before hashing.
We use salting to protect password from "Rainbow table attack"
password + salt
e.g. password + 3x424 (random string)
Another user with the same password gets a different salt and therefore a different hash.
How salt is stored
Database stores: username, salt, hash
When user logs in:
System retrieves salt
Add salt to entered password
Hash it
Compares with stored hash
If match --> login successful. (The website generates the hash.)
SOC perspective:
If a database leaks, you must ask:
Was hashing used?
Was salting used?
Which algorithm used?
Was it bcrypt or MD5?
If weak hashing ----> high risk of credential stuffing later.
If weak hashing was used, then after a breach:
Attacker cracks hashes in minutes
Users reuse the same password on email, VPN, banking
Massive credential stuffing campaign begins
SOC sees:
Login attempts from multiple IPs
Account takeover
Impossible travel alerts
Root cause? Weak hashing practice.
Advanced concept: Pepper
Secret value stored outside the database (e.g. server configuration)
instead of: password + salt
it becomes: password + salt + pepper
If database leaks --> attacker does not know the pepper (extra layer of protection).
Working-
Salting
Hashing
Pepper
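The hashing properties, the salting problem and the pepper idea above can all be seen in one place. The following is an added example written for these notes, not code from the original: Python standard library only. It shows fixed-length and deterministic output and the avalanche effect, shows that two unsalted copies of the same password give the same hash and are found by a precomputed lookup table (a stand-in for a rainbow table), then stores username, salt and hash the way the notes describe, applies a pepper held outside the "database", and verifies a login. PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 because it is in the standard library; the wordlist, pepper value and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password wordlist.
COMMON_PASSWORDS = ["123456", "password", "Company@123", "qwerty", "letmein"]

# Hypothetical server-side secret (pepper). Lives in server config or a secrets
# manager, never in the database table that could leak.
PEPPER = b"demo-pepper-not-a-real-secret"

PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hex_digest(algorithm, data):
    """Plain (unsalted) hash, used only to show the hash properties and the weakness."""
    return hashlib.new(algorithm, data.encode()).hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions where two equal-length digests differ (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_lookup_table(algorithm="sha256"):
    """Precomputed table: unsalted hash -> password (what a rainbow table achieves)."""
    return {hex_digest(algorithm, p): p for p in COMMON_PASSWORDS}


def hash_password(password, salt):
    """password + salt + pepper -> slow hash. The pepper is applied as an HMAC key,
    so a leaked row is useless without the server-side secret."""
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def create_user(db, username, password):
    """Database row stores username, salt, hash (never the password itself)."""
    salt = os.urandom(16)  # fresh random salt per user
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(db, username, password):
    """Retrieve salt, add it to the entered password, hash, compare in constant time."""
    row = db.get(username)
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(hash_password(password, row["salt"]), row["hash"])


def demo():
    """Run the whole walk-through and return the observations as a dict."""
    r = {}
    # Properties: fixed length, deterministic, small change -> very different output.
    r["sha256_hex_len"] = len(hex_digest("sha256", "password"))
    r["sha512_hex_len"] = len(hex_digest("sha512", "password"))
    r["deterministic"] = hex_digest("sha256", "password") == hex_digest("sha256", "password")
    r["avalanche_bits"] = differing_bits(hex_digest("sha256", "password"),
                                         hex_digest("sha256", "Password"))
    # Unsalted: same password -> same hash, and the precomputed table recovers it.
    table = build_lookup_table()
    r["table_hit"] = table.get(hex_digest("sha256", "Company@123"))
    # Salted + peppered: two users, same password, different stored hashes, table useless.
    db = {}
    create_user(db, "alice", "Company@123")
    create_user(db, "bob", "Company@123")
    r["salted_hashes_equal"] = db["alice"]["hash"] == db["bob"]["hash"]
    r["table_hit_salted"] = table.get(db["alice"]["hash"].hex())
    r["login_ok"] = verify_login(db, "alice", "Company@123")
    r["login_wrong_pw"] = verify_login(db, "alice", "Company@124")
    r["login_unknown_user"] = verify_login(db, "mallory", "Company@123")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of operations in `hash_password` is what the notes' "Working" list means: the pepper and the salt are mixed in before the slow hash, and only salt and hash reach the database. An investigator answering "was salting used? which algorithm?" after a leak is asking whether a leaked table looks like `table_hit` (instantly reversible) or like the salted rows (each one must be cracked separately, and not at all without the pepper).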
Encryption
Encryption is the process of converting readable data into unreadable data using a cryptographic key, so that only authorized parties can read it. It protects the confidentiality of data.
Basic flow -
plaintext --> encryption algorithm + key --> ciphertext
ciphertext --> decryption algorithm + key --> plaintext
Common uses:
HTTPS website traffic
VPN communication
Disk encryption
Secure messaging
File encryption
Database encryption
Email encryption
Symmetric Encryption-
Uses a single key for both encryption and decryption.
e.g. plaintext + secret key ---> ciphertext
ciphertext + secret key ---> plaintext
Common uses:
Disk encryption
VPN tunneling
File encryption
Problem---> Key sharing must be secure.
Popular algorithms:
AES - most common modern algorithm
DES - old and insecure
3DES - legacy
ChaCha20 - modern secure algorithm
Asymmetric Encryption-
Also called public key cryptography.
Uses two keys:
Public key(shared with everyone)
Private key(kept private)
Process:
Public key encryption
Private key decryption
Common uses:
HTTPS website
SSL/TLS handshake
Email encryption (PGP / Pretty Good Privacy)
Popular algorithms:
RSA - SSL/TLS
ECC - Modern Secure Communication
Diffie Hellman
HTTPS example: Encryption
When you visit a website
Browser--->Server
steps:
Browser gets public key from server
Browser encrypts a session key with it
Server decrypts using private key
Secure Communication begins
That's how HTTPS works.
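The HTTPS steps above are a hybrid scheme: public-key material establishes a session key, then symmetric encryption carries the traffic. The following is an added example written for these notes, not code from the original and not how any real TLS library is implemented. Because the Python standard library has no RSA, the key step uses Diffie-Hellman from the notes' algorithm list (modern TLS uses ephemeral (EC)DH the same way); the symmetric part is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a toy stand-in for AES-GCM or ChaCha20 so the block runs with no third-party package. The group size (p = 2^127 - 1, a Mersenne prime), generator and nonce size are demonstration assumptions; real deployments use 2048-bit+ groups or elliptic curves.

```python
import hashlib
import hmac
import secrets

# Toy-size demonstration group. 2**127 - 1 is prime, which is enough to show the
# exchange; it is far too small for real use.
P = (1 << 127) - 1
G = 5
KEY_BYTES = 16  # every value below P fits in 16 bytes


def keypair():
    """Private exponent x and public value g^x mod p (the value the other side receives)."""
    private = secrets.randbelow(P - 3) + 2  # 2 <= x <= p-2
    return private, pow(G, private, P)


def shared_secret(private, peer_public):
    """Both sides land on the same number: (g^y)^x == (g^x)^y mod p."""
    return pow(peer_public, private, P)


def session_key(secret, transcript):
    """HKDF-style extract: fixed-size key bound to the public values that were exchanged."""
    return hmac.new(transcript, secret.to_bytes(KEY_BYTES, "big"), hashlib.sha256).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: toy stand-in for an AES-CTR / ChaCha20 keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag; encrypt-then-MAC so tampering is caught before decrypting."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag in constant time, then strip the keystream off again."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def tamper_detected(key, blob):
    """Flip one ciphertext byte and report whether decrypt() rejects it."""
    damaged = bytearray(blob)
    damaged[12] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
    except ValueError:
        return True
    return False


def https_style_exchange(message):
    """Walk the steps from the notes: public value from the server, browser contributes
    its share, both derive the same session key, symmetric traffic begins."""
    server_priv, server_pub = keypair()    # server side: stands in for the server's public key
    browser_priv, browser_pub = keypair()  # step 1: browser receives server_pub, makes its own share
    transcript = server_pub.to_bytes(KEY_BYTES, "big") + browser_pub.to_bytes(KEY_BYTES, "big")
    browser_key = session_key(shared_secret(browser_priv, server_pub), transcript)  # step 2
    server_key = session_key(shared_secret(server_priv, browser_pub), transcript)   # step 3 (server side)
    blob = encrypt(browser_key, message)   # step 4: secure (symmetric) communication begins
    return {"keys_match": browser_key == server_key,
            "recovered": decrypt(server_key, blob),
            "ciphertext": blob,
            "server_key": server_key}


if __name__ == "__main__":
    result = https_style_exchange(b"GET / HTTP/1.1")
    print("session keys match:", result["keys_match"])
    print("server decrypted:", result["recovered"])
    print("tamper detected:", tamper_detected(result["server_key"], result["ciphertext"]))
```

Note that only the public values travel on the wire; the private exponents and the session key never leave their side, which is why a captured HTTPS stream cannot be read without the server's private material. Binding the key to the transcript is what stops someone swapping in their own public value unnoticed, and the authenticity of the server's public value is what the certificate in the SSL/TLS handshake provides.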
SOC perspective: understanding this helps in
Investigating data breaches
Analyzing password dumps
Understanding credential theft
Investigating encrypted traffic
Malware analysis
