Alex Kharouk

Advent of Cyber's Prequel: Day 3.

## Three's a crowd, a suite crowd!

A new day, a new security threat. This time, it's all around the driver of delivery itself, Santa's sleigh. It seems someone was able to get past the authentication.

Authentication is the process of verifying the identity of a user, whether that's via credentials, more modern tools like one-time passwords, or even a social media account.

There is also authorisation, which is the process of verifying that the user has the right to perform a certain action, rather than authenticating who they are. The sad reality in cybersecurity is that authentication hacks are common due to human error. Easily guessable credentials, and default credentials that were never changed, are common ways to gain access to a system.

Sometimes, you buy a printer. You connect to the printer with the username and password the vendor gives you, such as printer and pass. If a hacker knew which printer model you had, they could simply search for the default credentials and log themselves right into your printer! We wouldn't want that to happen; who knows what they'd print out.

You can use word lists like SecLists to obtain lists of default credentials. A famous password list known as rockyou.txt can be used to brute force the default credentials. This is commonly known as a dictionary attack, and it's quite simple to perform one using tools like BurpSuite.

## Dictionary Attacks

Combining tools like Hydra, a fast network "login cracker", and BurpSuite, which lets you monitor and intercept traffic or launch dictionary attacks against a web application, you can essentially reach the 15% of IoT devices that still use default passwords (as of 2017). In this case, I'm guessing Santa's smart sleigh is a device with default creds.

We can launch BurpSuite, change our browser settings to proxy traffic to BurpSuite¹, and visit the day's challenge website. We are greeted with the amazing "Santa Sleigh Tracker" and a login form. With BurpSuite enabled, I can submit a dummy username and password, pick up the response in BurpSuite, and send it to Intruder mode. There I can set positions around the username and password fields to let BurpSuite know that I want to inject new credentials into those fields before sending the request to the server.

I provide a few potential usernames, like admin or santa, and passwords like password or christmasIstheBEST. I set the attack as a cluster bomb attack, which iteratively sets each payload, using every potential combination. The attack results in lots of 302 redirects, all with the same length of 309. All except one: username admin & password 12345. Its length is 255. So I try logging in myself to see what that gives us.

Despite the 302 redirect, I was curious as to why the length was different. It turns out that's a key way of looking at these things. Just because the status looks the same doesn't mean it wasn't a successful attack! I was greeted with the Tracker App page and the flag, and a sad date of when Santa was last airborne... Oh no, it's been quite some time!
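The same observation works from the defender's side: a burst of POSTs to the login page that all return a 302 of identical size, followed by one 302 of a different size, is a strong sign a dictionary attack ran and one guess succeeded. The script below is an added example, not code from the original post or from TryHackMe; it parses a few constructed Apache-style access log lines (the IPs, timestamps and `/login` path are assumed) and flags the client whose login responses contain a length outlier.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (Apache combined format); not real traffic.
# One client hammers /login: four 302s of 309 bytes, then a 302 of 255 bytes.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Dec/2020:10:00:01 +0000] "POST /login HTTP/1.1" 302 309 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2020:10:00:01 +0000] "POST /login HTTP/1.1" 302 309 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 302 309 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 302 309 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2020:10:00:03 +0000] "POST /login HTTP/1.1" 302 255 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2020:10:00:03 +0000] "GET /tracker HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.168.1.20 - - [03/Dec/2020:10:05:00 +0000] "POST /login HTTP/1.1" 302 309 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["size"] = 0 if d["size"] == "-" else int(d["size"])
            rows.append(d)
    return rows

def find_login_bursts(rows, login_path="/login", threshold=4):
    """Group POSTs to the login path by client IP and report IPs with at least
    `threshold` attempts. For each, the most common response size is the
    'failed login' baseline; any attempt with a different size is an outlier,
    which is exactly the 309-vs-255 signal the post describes."""
    per_ip = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["path"] == login_path:
            per_ip[r["ip"]].append(r)
    findings = {}
    for ip, attempts in per_ip.items():
        if len(attempts) < threshold:
            continue
        baseline, _ = Counter(a["size"] for a in attempts).most_common(1)[0]
        outliers = [a["size"] for a in attempts if a["size"] != baseline]
        findings[ip] = {"attempts": len(attempts), "baseline_size": baseline,
                        "outlier_sizes": outliers}
    return findings
```

Feeding `parse_log(SAMPLE_LOG)` into `find_login_bursts` flags only 10.0.0.5, with a 309-byte baseline and a single 255-byte outlier; the lone attempt from 192.168.1.20 stays below the threshold.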


  1. FoxyProxy is a tool that can help you proxy traffic to BurpSuite.