Objective
Learn how to exploit Broken Cryptography caused by insecure password storage practices, such as storing passwords in plaintext or using weak hashing algorithms (MD5, SHA1). Understand how to secure password storage using strong hashing algorithms like bcrypt, scrypt, or Argon2 with salting and proper password policies.
Scenario
You are testing a web application that stores user passwords insecurely using weak cryptographic methods. An attacker who gains access to the database can easily retrieve or crack these passwords using password-cracking tools.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and databases.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- Tools like John the Ripper or Hashcat for password cracking.
Step 1: Create the Vulnerable Web Application
- Database Setup
  - Create a database and users table:

```sql
CREATE DATABASE insecure_password_lab;
USE insecure_password_lab;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(255) NOT NULL
);

-- Deliberate weaknesses for the lab: alice gets an unsalted MD5 digest, bob a plaintext password.
INSERT INTO users (username, password) VALUES ('alice', MD5('password123'));
INSERT INTO users (username, password) VALUES ('bob', 'password456');
```
- PHP Script for Login (Vulnerable)
  - Create a file login.php:

```php
<?php
$conn = mysqli_connect("localhost", "root", "", "insecure_password_lab");

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Weak hashing: a single unsalted MD5 round is fast to brute-force and has precomputed tables.
    $hashed_password = md5($password);
    // The username is concatenated straight into the query (the "Testing After Fix"
    // section later probes this with SQL injection).
    $query = "SELECT * FROM users WHERE username='$username' AND password='$hashed_password'";
    $result = mysqli_query($conn, $query);
    if (mysqli_num_rows($result) > 0) {
        echo "<h2>Login Successful!</h2>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<h2>Login</h2>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```
- Running the Application
  - Start the Apache server.
  - Place login.php in the web server’s root directory (htdocs for XAMPP).
  - Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Dumping the User Table
- Assume the attacker has gained access to the database:

```sql
SELECT * FROM users;
```

Expected Result:
- The attacker sees:

```
id | username | password
--------------------------
1  | alice    | 482c811da5d5b4bc6d497ffa98491e38   (MD5 of 'password123')
2  | bob      | password456
```
Step 2: Cracking Passwords
- Save the hash into a file hashes.txt:

```
482c811da5d5b4bc6d497ffa98491e38
```

- Use John the Ripper or Hashcat to crack the hash:

```sh
john --format=raw-md5 hashes.txt
```

Expected Result:
- The tool cracks the password as password123.
Step 3: Exploiting Plaintext Passwords
- The second user (bob) has their password stored in plaintext.
- Expected Result:
  - The attacker directly retrieves Bob’s password as password456.
Solution and Prevention
Problem Analysis
- Passwords are stored insecurely using plaintext and weak hashing (MD5).
Fixing the Vulnerability
- Use Strong Hashing Algorithms (bcrypt)
  - Securely store passwords with bcrypt:

```php
$hashed_password = password_hash($password, PASSWORD_BCRYPT);
```

- Verify Passwords Securely
  - Replace the login check with:

```php
// Look the user up with a bound parameter instead of string concatenation.
$stmt = mysqli_prepare($conn, "SELECT password FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
$user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
// password_verify() reads salt and cost from the stored hash and compares in constant time;
// an unknown username (no row) falls through to the same failure message.
if ($user !== null && password_verify($password, $user['password'])) {
    echo "<h2>Login Successful!</h2>";
} else {
    echo "<h2>Invalid Credentials!</h2>";
}
```
- Implement Salting and Peppering
  - Add a random salt and a server-side secret (pepper) to the password.
- Enforce Strong Password Policies
  - Require complex passwords and regular updates.
- Regular Security Audits
  - Periodically audit password storage methods.
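The fixes above combined into one working script (an added example, not the lab's own code): bcrypt storage via password_hash(), a parameterised lookup, and an on-login upgrade of legacy MD5 rows like the lab's alice entry. It assumes the pdo_sqlite extension so it runs offline; the same PDO calls work against the lab's MySQL database with a mysql: DSN. The function names, the cost of 12 and the sample users carol and mallory are this example's own.

```php
<?php
// Added example, not the lab's own code: hardened storage and login check for the
// lab's users table. Assumes pdo_sqlite so the demo runs offline; the same PDO
// calls work against the lab's MySQL database with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
           username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
const BCRYPT_OPTS = ['cost' => 12];

// password_hash() draws a fresh random salt per user and embeds salt, cost and
// algorithm id in the 60-character string, so no separate salt column is needed.
function store_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)]);
}

// Parameterised lookup, constant-time comparison, and opportunistic upgrade of rows
// that still hold an unsalted MD5 hex digest (like the lab's 'alice' row): the first
// successful login re-stores the password with bcrypt. Plaintext rows such as 'bob'
// are not detected here and need a forced password reset.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a well-formed dummy hash so the response takes
        // about as long as for a real user and does not reveal which names exist.
        password_verify($password, '$2y$12$' . str_repeat('a', 53));
        return false;
    }
    $stored = $row['password'];
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS))) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS), $row['id']]);
    }
    return $ok;
}

// Demo with constructed rows: a legacy MD5 user (as in the lab) and a freshly registered one.
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')->execute(['alice', md5('password123')]);
store_user($db, 'carol', 'correct horse battery staple');
var_dump(check_login($db, 'alice', 'password123'));   // after this call alice's row holds a bcrypt hash
var_dump(check_login($db, 'alice', 'wrong-password'));
var_dump(check_login($db, 'carol', 'correct horse battery staple'));
var_dump(check_login($db, 'mallory', 'anything'));
```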
Testing After Fix
- Attempt to dump and crack the password hashes.
  - Expected Result: Hashes generated with bcrypt are resistant to cracking.
- Attempt SQL injection or brute-force attacks.
  - Expected Result: The system rejects unauthorized access.
Conclusion
In this lab, you exploited Broken Cryptography by retrieving insecurely stored passwords. You also learned how to prevent this vulnerability by using strong hashing algorithms (bcrypt), implementing salting, and enforcing strong password policies.