## Three's a crowd, a suite crowd!
A new day, a new security threat. This time, it's all around the driver of delivery itself, Santa's sleigh. It seems someone was able to get through the authentication.
Authentication is the process of verifying the identity of a user, whether that's via credentials, more modern tools like one-time passwords, or even a social media account.
There is also authorisation, which is the process of verifying that the user has the right to perform a certain action, rather than authenticating who they are. The sad reality in cybersecurity is that authentication hacks are common due to human error. Easily guessable credentials, as well as default credentials, are a common way for an attacker to gain access to a system.
Sometimes, you buy a printer. You connect to the printer with the username and password they give you, such as `pass`. If a hacker knew which printer model you had, they could just search for the default credentials and log themselves right into your printer! We wouldn't want that to happen; who knows what they'd print out.
You can use word lists like SecLists to generate a list of default credentials. A famous password list known as `rockyou.txt` can be used to brute-force the default credentials. This is commonly known as a dictionary attack, and it's quite simple to perform one using tools like Burp Suite.
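The defensive counterpart of the lists above is to refuse such credentials before they are ever set. The following is an added example (not code from the original post): a setup-time check that rejects a username/password pair if it appears in a default-credential list, if the password is a wordlist entry (including the usual "trailing digits" and character-substitution variants), or if it is simply too short. The two lists here are small constructed stand-ins for SecLists' default-credential files and `rockyou.txt`; the 12-character minimum is an assumed policy value.

```python
"""Reject default and dictionary passwords at account-setup time.

Added example, not from the original post. DEFAULT_CREDENTIALS and
WORDLIST are tiny constructed stand-ins for SecLists / rockyou.txt.
"""
import re
from typing import Optional, Set

# Constructed stand-in for a default-credential list: (username, password) pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "12345"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed stand-in for a password wordlist such as rockyou.txt (lowercase).
WORDLIST = {
    "password", "123456", "12345", "qwerty", "letmein",
    "christmas", "santa", "iloveyou", "welcome",
}

# Character substitutions that wordlist rules apply first; we undo them for matching.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

MIN_LENGTH = 12  # assumed policy value, not from the post


def normalise(password: str) -> Set[str]:
    """Return the forms of `password` that should be looked up in the wordlist.

    Covers the raw lowercase password, the password with trailing digits and
    symbols removed (e.g. "santa2023!" -> "santa"), and both of those with
    common leet substitutions reversed ("s4nta" -> "santa").
    """
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return {f for f in forms if f}  # drop the empty string if stripping ate everything


def check_credentials(username: str, password: str) -> Optional[str]:
    """Return a human-readable rejection reason, or None if the pair is acceptable."""
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        return "default credential pair"
    if password.lower() == username.lower():
        return "password equals username"
    for form in normalise(password):
        if form in WORDLIST:
            return f"dictionary word ({form!r})"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for user, pw in [("admin", "12345"), ("santa", "S4nta2023!"), ("elf", "correct horse battery staple")]:
        print(f"{user}/{pw!r}: {check_credentials(user, pw) or 'ok'}")
```

The leet and suffix normalisation matters because an attacker's wordlist rules generate exactly those variants; checking only the literal password would pass `S4nta2023!` even though it falls to the same dictionary attack as `santa`.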
## Dictionary Attacks
Combining tools like Hydra, which is a fast network "login cracker", and Burp Suite, which helps monitor, intervene in, or launch dictionary attacks on a network, you can essentially affect the 15% of IoT devices that still use default passwords (as of 2017). In this case, I'm guessing Santa's smart sleigh is a device with default creds.
We can launch Burp Suite, change our browser settings to proxy traffic to Burp Suite, and visit the day's challenge website. We are greeted with the amazing "Santa Sleigh Tracker" and a login form. With Burp Suite enabled, I can submit a dummy username and password, pick up the response in Burp Suite, and send it into Intruder mode. There I can set positions around the username and password fields to let Burp Suite know that I want to inject new credentials in those fields before sending the request to the server.
I provide a few potential usernames, like `santa`, and passwords like `christmasIstheBEST`. I set the attack as a cluster bomb attack, which iteratively sets each payload, using every potential combination. The attack results in lots of 302 redirects, all with the same length of 309. All except one: username `admin` and password `12345`. Its length is 255. So I try logging in myself to see what that gives us.
Despite the 302 redirect, I was curious as to why the length was different. It turns out that's a key way of looking at these things. Just because the status looks the same doesn't mean it wasn't a successful attack! I was greeted with the Tracker App page and the flag, and a sad date of when Santa was last airborne. Oh no, it's been quite some time!
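Seen from the server side, the same two signals give the defender the attack: a burst of login POSTs from one address, and one response whose size breaks the pattern of identical failures (the 302/309 bytes above versus the single 255-byte reply). The following is an added example, not code from the original post: it parses access-log lines in the common Apache/nginx layout, raises an alert for any source IP that sends more than a threshold of login POSTs inside a sliding window, and marks the response-size outliers within that burst as the attempts most likely to have succeeded. The log lines are constructed, and the 60-second window, 10-attempt threshold and `/login` path are assumptions to tune per site.

```python
"""Detect a dictionary attack against a login form in web-server access logs.

Added example, not part of the original post. SAMPLE_LOG is constructed
to mirror the write-up: identical 302/309-byte failures and one 255-byte
outlier from the same client.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Common access-log layout: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)  # assumed tuning values, not from the post
THRESHOLD = 10                  # login POSTs from one IP inside WINDOW

# Constructed sample: 11 identical failures, then one different-sized reply,
# from 203.0.113.5; plus an ordinary visitor from 198.51.100.7.
SAMPLE_LOG: List[str] = [
    f'203.0.113.5 - - [03/Dec/2020:10:00:{s:02d} +0000] "POST /login HTTP/1.1" 302 309'
    for s in range(1, 12)
] + [
    '203.0.113.5 - - [03/Dec/2020:10:00:12 +0000] "POST /login HTTP/1.1" 302 255',
    '198.51.100.7 - - [03/Dec/2020:10:05:00 +0000] "GET /login HTTP/1.1" 200 1843',
    '198.51.100.7 - - [03/Dec/2020:10:05:09 +0000] "POST /login HTTP/1.1" 302 255',
]


def parse(line: str) -> Optional[Dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": int(m["size"]),
    }


def peak_in_window(timestamps: List[datetime]) -> int:
    """Largest number of events falling inside any WINDOW-long span (sorted input)."""
    start, peak = 0, 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect(lines: List[str], login_path: str = "/login") -> List[Dict]:
    """Return one alert per source IP that bursts login POSTs past THRESHOLD."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak = peak_in_window([r["ts"] for r in recs])
        if peak < THRESHOLD:
            continue
        # Failed logins from one client tend to produce byte-identical
        # responses; the odd size out is the attempt most likely to have worked.
        common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
        outliers = [r["ts"].isoformat() for r in recs if r["size"] != common_size]
        alerts.append({
            "ip": ip,
            "attempts": len(recs),
            "peak_in_window": peak,
            "common_size": common_size,
            "possible_success_at": outliers,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The size-outlier heuristic is the same observation the write-up makes from the attacker's chair; on the defending side it tells you not just that a dictionary attack happened but which attempt to treat as a compromised account and reset first.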