User enumeration is an essential part of the penetration testing process, where the hacker develops a list of all valid usernames on a server or web application. By doing so, the hacker can get an idea of how many accounts exist and use this information to compromise accounts on the target. This is possible for several reasons. For example, some servers are configured to provide this information if the hacker runs a specific command in the command line. In another example, some web applications may be configured to tell the user if the username provided is correct, even if the password doesn’t match. This information unwittingly tells hackers if they have guessed a valid username. In this article we’ll be discussing how user enumeration works, why it’s valuable to a hacker and how it can be prevented.
As mentioned above, there are several ways that applications allow for user enumeration. The most common is for the hacker to use the feedback given by the application itself. For example, if a hacker enters a username, they may receive a message like the one in the screenshot below:
In the screenshot above, the application tells us that the username doesn’t exist. This is valuable information to a hacker because it confirms that usernames can be brute forced: the application will report when a valid username has been guessed.
In the second example, we submitted a valid username with an incorrect password and got a response saying only the password was incorrect. By trying commonly used usernames, a hacker can use this feedback to compile a list of valid usernames.
The feedback doesn’t need to be a text reply. It can be more subtle. One example is using the time it takes to receive a failed login response as an indicator. An article by Rapid7 showed how, with an invalid username, an application took over 30 seconds to respond (because it had to check every account), whereas with a valid username and an incorrect password the failed response took less than half a second. This is another method hackers can use to identify valid usernames.
Source: Rapid7
The last method we’ll discuss here is using password reset forms. If the form is not correctly configured, hackers can go to an application, select the password reset option and enter email addresses into that form one after another until it reports that a reset link has been sent. This lets hackers identify legitimate email addresses linked to accounts and serves as another method of user enumeration.
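The reset-form behaviour described above, as an added example that is not code from the original article: the first handler answers differently for known and unknown addresses and so acts as an oracle; the second gives every caller the same response while still only mailing a link when an account exists. The account list, the in-memory outbox standing in for a mail system, and the response strings are all constructed for this example.

```python
import secrets

# Added example (not the article's code): a password reset request handled two
# ways. Accounts, outbox and messages are constructed for this example.
ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Stand-ins for the mail system and the token table.
OUTBOX = []          # list of (email, token) messages that would have been sent
RESET_TOKENS = {}    # token -> email


def normalise(email: str) -> str:
    """Canonicalise the address so case or whitespace variants map to one account."""
    return email.strip().lower()


def issue_reset_token(email: str) -> None:
    """Create an unguessable single-use token and queue the mail carrying it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    OUTBOX.append((email, token))


def request_reset_vulnerable(email: str) -> str:
    """Answers differently for known and unknown addresses, so the form acts as
    an oracle for which e-mail addresses have accounts."""
    email = normalise(email)
    if email not in ACCOUNTS:
        return "No account exists for that e-mail address"
    issue_reset_token(email)
    return "A password reset link has been sent to your e-mail address"


GENERIC_RESET = "If an account exists for that address, a reset link has been sent"


def request_reset_hardened(email: str) -> str:
    """Identical response for every address; the e-mail is still only sent
    when an account exists, so legitimate users are unaffected."""
    email = normalise(email)
    if email in ACCOUNTS:
        issue_reset_token(email)
    return GENERIC_RESET


def mails_sent_to(email: str) -> int:
    """How many reset mails the outbox holds for an address (for checking behaviour)."""
    return sum(1 for to, _ in OUTBOX if to == normalise(email))
```

The hardened handler keeps the user-visible outcome identical for both branches; the only difference is on the server side (a token is minted and a mail queued). Because minting a token is cheap, the two branches also take roughly the same time, which matters given the timing channel discussed in the next section.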
The ultimate goal of user enumeration is to gather a list of legitimate and active user accounts. Once the hacker has this list, they can use it to perform several different types of attacks against an organization or an individual. These are commonly known as password-based attacks, in which the hacker attempts to acquire the legitimate password to a user account. The most common one is the brute force attack, where a hacker continuously tries random password combinations until the correct password is found. A more efficient method is a dictionary attack, where a hacker compiles a list of commonly used passwords and tries those against a user account. Through user enumeration, hackers obtain usernames they can use to perform these password-based attacks and ultimately gain control of user accounts.
Using methods like the password reset technique discussed earlier, hackers can harvest lists of valid email addresses belonging to users and build contact lists from them. Such a list can be sold to marketing firms, used for phishing campaigns or put to any other purpose the hacker wants. Many companies will pay for contact lists in order to poach clients from other businesses or simply to have a larger contact list for their marketing campaigns, which makes this a lucrative business.
Credential stuffing is the automated injection of stolen username and password pairs into website login forms to gain access to user accounts. With user enumeration, the hacker already has a list of valid usernames; they only need to compile a list of commonly used passwords and combine them with the valid usernames to perform this attack. This is why many applications limit the number of password guesses allowed before an account is locked and the user must reset their password to log in again.
Social engineering is the psychological manipulation of people into performing malicious actions or divulging information to an attacker. Where hackers can gather email addresses for legitimate accounts, phishing emails can be sent to those addresses to target the individuals using that service. Since the hacker knows which service the users are using, they can tailor phishing emails to the users, making them more convincing and resulting in a higher success rate for the hacker.
Multi-factor authentication helps to ensure that the person on the other side of the screen is the legitimate account holder rather than a hacker trying to gain information. For example, rather than allowing anyone to attempt a password reset with a given email, you can add a feature where the person must authenticate using MFA before attempting a password reset. This extra step reduces the ability of a hacker to exploit this feature. Some common examples of MFA options include:
- Google Authenticator
- Text Message
- Push Notifications
- Automated Phone Calls
- Face Scans
Captcha is a challenge-response test used to tell if a user is a human or a computer. Captcha on websites is great for identifying computer bots that may be probing the website and attempting to perform enumeration attacks. Computer bots can perform brute forcing and other malicious tasks much faster than a human can, and by inserting a captcha on your website, you can filter out bots from your legitimate users and block them.
One way to limit user enumeration attacks is to use generic messaging on login pages, password reset forms and other input pages. Hackers often use the messaging from login attempts or password resets to identify active usernames or emails. Using generic messaging such as “username or password is incorrect” rather than the more specific “password is incorrect” prevents hackers from identifying usernames via these pages.
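The two login behaviours discussed in this article, the per-cause error messages from the screenshots and the response-time difference from the Rapid7 write-up, shown side by side with the generic-message fix, as an added example that is not code from the original article. The user store, the credentials, the PBKDF2 work factor and the message strings are constructed; a production system would use a dedicated password hash such as argon2 or bcrypt, which the standard-library PBKDF2 stands in for here.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not code from the original article): a login check written
# two ways. The user store, credentials and messages below are constructed.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library; a dedicated password
    hash (argon2, bcrypt, scrypt) is the normal production choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str):
    """Return (salt, hash) for a freshly salted password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, stored hash).
USERS = {"alice": make_record("correct horse battery staple")}

# A random dummy credential, hashed whenever the username is unknown, so the
# failure path costs the same PBKDF2 work whether or not the user exists.
DUMMY_SALT, DUMMY_HASH = make_record(secrets.token_hex(16))

GENERIC_FAILURE = "Username or password is incorrect"


def login_vulnerable(username: str, password: str) -> str:
    """The leaky pattern from the article: a distinct message per failure cause,
    and an early return for unknown users that skips the slow hash (a timing
    difference of the kind shown in the Rapid7 write-up)."""
    record = USERS.get(username)
    if record is None:
        return "Username does not exist"      # tells the caller the username is invalid
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Password is incorrect"        # tells the caller the username is valid
    return "Login successful"


def login_hardened(username: str, password: str) -> str:
    """Same decision, one message for every failure, equal work on every path."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)   # always computed, even for unknown users
    # compare_digest takes time independent of where the first mismatching byte is.
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return "Login successful"
    return GENERIC_FAILURE


def messages_distinguish_users(login) -> bool:
    """True if a wrong password for a real user and any password for a missing
    user produce different responses, i.e. the responses form an oracle."""
    return login("alice", "not-her-password") != login("no-such-user", "not-her-password")
```

The hardened version fixes both channels at once: the text no longer says which half of the credential was wrong, and the hash is computed on every request, so an unknown username no longer returns noticeably faster than a known one. Swapping the stored hash for a dummy record is the standard way to equalise the work without looking up the user twice.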
Rate limiting controls the rate at which requests can be sent to an application. Reducing the number of requests a hacker can make to an application or server makes it increasingly difficult to use those requests to learn which usernames are valid. For example, failed login attempts can be limited to 3-5 tries before an account is locked out. This mitigates the risk of hackers using automated tools to guess thousands of passwords in a short period of time and protects accounts from compromise.
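The two controls named in this section, a request rate limit and a failed-attempt lockout, as an added example that is not code from the original article. The limit of 3 to 5 tries comes from the text; the class names, the sliding-window design, the fixed lockout period and the `guarded_login` wrapper (which takes the credential result as a boolean so the example stays focused on the guards) are this example's own choices. Time is passed in explicitly so the behaviour can be checked without waiting.

```python
from collections import defaultdict, deque

# Added example (not the article's code): a per-source request limiter and a
# per-account failed-login counter, with time injected so behaviour is testable.


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `key` (e.g. client IP) in any
    `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class FailedLoginTracker:
    """Lock a username after `max_failures` consecutive failures for
    `lockout` seconds. Failures are counted for every submitted username,
    existing or not, so the lockout itself cannot be used as an oracle."""

    def __init__(self, max_failures: int = 5, lockout: float = 900.0):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username: str, now: float) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:               # lockout expired: clear the counter too
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str, now: float) -> None:
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout

    def record_success(self, username: str) -> None:
        self._failures[username] = 0
        self._locked_until.pop(username, None)


GENERIC_FAILURE = "Username or password is incorrect"
TOO_MANY = "Too many requests, try again later"


def guarded_login(ip: str, username: str, credentials_ok: bool, now: float,
                  limiter: SlidingWindowLimiter, tracker: FailedLoginTracker) -> str:
    """Wraps a credential check (its result passed in as `credentials_ok`) with
    both controls. A locked account gets the same generic failure as a wrong
    password, so the lockout state does not reveal whether the account exists."""
    if not limiter.allow(ip, now):
        return TOO_MANY
    if tracker.is_locked(username, now):
        return GENERIC_FAILURE
    if credentials_ok:
        tracker.record_success(username)
        return "Login successful"
    tracker.record_failure(username, now)
    return GENERIC_FAILURE
```

Two design points worth noting. The per-IP limit alone is weak against a distributed guesser, and the per-account lockout alone lets an attacker lock legitimate users out on purpose, which is why the two are combined. The tracker also counts failures against usernames that do not exist; if it only locked real accounts, an "account locked" response appearing after five tries would itself confirm that the username is valid.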
User enumeration is a technique used to identify valid usernames on a server or application. Hackers like using user enumeration to find a list of usernames they can use to compromise user accounts. The compromise of accounts can be done through many different methods, but some common ones include password-based attacks or phishing emails aimed at the account holder. To defend against user enumeration, you can use a few different techniques, including implementing MFA, captcha, generic messaging, and rate limiting. All of these techniques are effective in preventing user enumeration on your applications/servers.