Exercise 47: Broken Cryptography (Insecure Password Storage)

May 31, 2025

Objective

Learn how to exploit Broken Cryptography caused by insecure password storage: passwords kept in plaintext or protected only by a fast, unsalted general-purpose hash such as MD5 or SHA-1, which an attacker with a copy of the database can recover with off-the-shelf cracking tools. Understand how to store passwords properly with a dedicated password-hashing algorithm (bcrypt, scrypt or Argon2) that salts every password and makes each guess expensive, and how sensible password policies limit the damage when a hash is still cracked.


Scenario

You are testing a web application that stores user passwords insecurely using weak cryptographic methods. An attacker who gains access to the database can easily retrieve or crack these passwords using password-cracking tools.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and databases.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
  • Tools like John the Ripper or Hashcat for password cracking.

Step 1: Create the Vulnerable Web Application

  1. Database Setup
    • Create a database and users table:

        CREATE DATABASE insecure_password_lab;
        USE insecure_password_lab;

        CREATE TABLE users (
            id INT AUTO_INCREMENT PRIMARY KEY,
            username VARCHAR(50) NOT NULL,
            password VARCHAR(255) NOT NULL
        );

        -- alice: unsalted MD5; bob: plaintext (deliberately insecure, used in the dump step)
        INSERT INTO users (username, password) VALUES ('alice', MD5('password123'));
        INSERT INTO users (username, password) VALUES ('bob', 'password456');
  2. PHP Script for Login (Vulnerable)
    • Create a file login.php (deliberately vulnerable: unsalted MD5 and a string-built SQL query):

        <?php
        $conn = mysqli_connect("localhost", "root", "", "insecure_password_lab");

        if (isset($_POST['login'])) {
            $username = $_POST['username'];
            $password = $_POST['password'];
            // Weak: unsalted MD5 is fast to brute-force and identical for identical passwords.
            $hashed_password = md5($password);
            // Weak: user input is interpolated straight into the query (SQL injection).
            $query = "SELECT * FROM users WHERE username='$username' AND password='$hashed_password'";
            $result = mysqli_query($conn, $query);
            if (mysqli_num_rows($result) > 0) {
                echo "<h2>Login Successful!</h2>";
            } else {
                echo "<h2>Invalid Credentials!</h2>";
            }
        }
        ?>
        <h2>Login</h2>
        <form method="POST" action="">
            Username: <input type="text" name="username" required><br>
            Password: <input type="password" name="password" required><br>
            <button type="submit" name="login">Login</button>
        </form>
  3. Running the Application
    • Start the Apache server.
    • Place login.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/login.php in your browser.

Exploitation Steps

Step 1: Dumping the User Table

  1. Assume the attacker has gained access to the database: SELECT * FROM users;

Expected Result:

  • The attacker sees:

        id | username | password
        ---+----------+---------------------------------
         1 | alice    | 482c811da5d5b4bc6d497ffa98491e38   (MD5 of 'password123')
         2 | bob      | password456                        (plaintext)

Step 2: Cracking Passwords

  1. Save the hash into a file hashes.txt:

        482c811da5d5b4bc6d497ffa98491e38

  2. Crack it with John the Ripper (the value is unsalted MD5, so the raw-md5 format applies) or Hashcat (mode 0 is MD5). Adjust the wordlist path to your system; rockyou.txt contains password123:

        john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
        john --show --format=raw-md5 hashes.txt

        hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

Expected Result:

  • The tool cracks the password as password123 almost instantly. Because the hash is unsalted, the same lookup also exposes every other user who chose password123, and a precomputed table of common passwords works across every database that uses plain MD5.

Step 3: Exploiting Plaintext Passwords

  1. The second user (bob) has their password stored in plaintext, so no cracking is needed.

Expected Result:

  • The attacker directly reads Bob’s password as password456.
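To see why the dump in Steps 1 to 3 is fatal, the following added example (not part of the original lab) replays the attack in Python against a constructed copy of the dumped table, with a six-word stand-in for rockyou.txt. Plaintext rows are read directly, and because the MD5 values are unsalted, one MD5 computation per candidate word tests every user at once; the third row (carol) is constructed to share alice's hash to make that point.

```python
import hashlib

# Constructed copy of the dumped users table: alice and bob as in the lab's
# INSERTs, plus carol, constructed here with the same password as alice.
DUMPED_USERS = [
    {"id": 1, "username": "alice", "password": "482c811da5d5b4bc6d497ffa98491e38"},
    {"id": 2, "username": "bob",   "password": "password456"},
    {"id": 3, "username": "carol", "password": "482c811da5d5b4bc6d497ffa98491e38"},
]

# Constructed six-word stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty", "password456"]

HEX_DIGITS = set("0123456789abcdef")


def looks_like_md5(value: str) -> bool:
    """32 hex characters: the shape of an unsalted MD5 digest."""
    return len(value) == 32 and set(value.lower()) <= HEX_DIGITS


def crack_dump(rows, wordlist):
    """Recover passwords from a dumped table.

    Returns (recovered, md5_calls): a {username: password} map and the number
    of MD5 computations it took. Plaintext rows cost nothing; every MD5 row
    sharing a digest is cracked by the same single computation because the
    hash is unsalted.
    """
    recovered = {}
    pending = {}                       # digest -> [usernames]
    for row in rows:
        stored = row["password"]
        if looks_like_md5(stored):
            pending.setdefault(stored.lower(), []).append(row["username"])
        else:                          # no hashing at all: read it off the page
            recovered[row["username"]] = stored

    md5_calls = 0
    for candidate in wordlist:
        if not pending:
            break
        md5_calls += 1
        digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
        for username in pending.pop(digest, []):
            recovered[username] = candidate
    return recovered, md5_calls


if __name__ == "__main__":
    found, calls = crack_dump(DUMPED_USERS, WORDLIST)
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"{calls} MD5 computations for {len(found)} accounts")
```

With a real wordlist the loop body is exactly what john and hashcat do, only on a GPU at billions of MD5 operations per second; a per-user salt would force the attacker to repeat the whole wordlist for every row instead of once for the table.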

Solution and Prevention

Problem Analysis

  • Passwords are stored insecurely using plaintext and weak hashing (MD5).

Fixing the Vulnerability

  1. Use a Password Hashing Algorithm (bcrypt)
    • Store passwords with PHP's built-in password_hash(). It generates a random per-password salt and embeds the salt, algorithm and cost factor in its 60-character output, so the existing VARCHAR(255) column is wide enough:

        // At registration or password change; store $hashed_password in users.password
        $hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

    • Caveats: bcrypt uses only the first 72 bytes of the password; raise the cost as hardware improves and re-hash when password_needs_rehash() reports an outdated cost. Existing MD5 and plaintext rows cannot be converted in place without the original passwords, so either force a reset or re-hash each account at its next successful login.
  2. Verify Passwords Securely
    • Fetch the stored hash with a prepared statement (a string-built query here would reintroduce SQL injection) and compare with password_verify(), which performs a constant-time comparison:

        $stmt = mysqli_prepare($conn, "SELECT password FROM users WHERE username = ?");
        mysqli_stmt_bind_param($stmt, "s", $username);
        mysqli_stmt_execute($stmt);
        $user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

        // Verify against a throwaway hash when the username is unknown so the
        // response time does not reveal which usernames exist.
        $stored = $user ? $user['password'] : password_hash('dummy', PASSWORD_BCRYPT);
        if ($user && password_verify($password, $stored)) {
            echo "<h2>Login Successful!</h2>";
        } else {
            echo "<h2>Invalid Credentials!</h2>";
        }

  3. Salting and Peppering
    • Do not add your own salt: password_hash() already generates one per password, and a separate salt column adds nothing. A pepper is different: a server-side secret kept outside the database (environment variable, secrets manager or HSM) that is mixed into the password before hashing, for example by passing hash_hmac('sha256', $password, $pepper) to password_hash(). The 64-character HMAC output also stays inside bcrypt's 72-byte limit. With a pepper, a dump of the users table alone is not enough to mount an offline attack; rotating the pepper requires re-hashing each account at its next login.
  4. Enforce Sensible Password Policies
    • Require a minimum length (NIST SP 800-63B: at least 8 characters, with long passphrases allowed), screen new passwords against breached-password lists, and rate-limit login attempts. Mandatory periodic rotation and composition rules are no longer recommended by NIST; require a change when there is evidence of compromise.
  5. Regular Security Audits
    • Periodically inspect how passwords are actually stored: a column of 32-hex-character values is MD5, 40 is SHA-1, readable strings are plaintext. Only values beginning with $2y$ (bcrypt) or another modern password-hash prefix should remain, and the cost parameter should match current policy.
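The fix above is written for PHP's password_hash(). As an added example (not from the original page) using only Python's standard library, the block below shows the same design with scrypt, one of the algorithms named in the Objective: a fresh random salt per password, a server-side pepper applied as an HMAC before hashing, constant-time comparison, a needs_rehash check so the cost can be raised later, and a login routine that verifies unknown usernames against a throwaway hash so response time does not reveal which accounts exist. PEPPER, the USERS table and the cost parameters are constructed for the lab; in production the pepper comes from a secrets store and the scrypt N parameter is raised.

```python
import hashlib
import hmac
import secrets

# Constructed lab pepper. Production: load from an environment variable or
# secrets manager, never from the same database that holds the hashes.
PEPPER = bytes.fromhex("3f8a1c9e2d7b4a6f0e5c2b9d8a7f6e5d4c3b2a19081726354a5b6c7d8e9f0a1b")

# Lab-sized scrypt cost (16 MiB, a few milliseconds). Raise N (and maxmem) in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def _pepper(password: str) -> bytes:
    """Bind the password to a secret the database never sees."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$key_hex."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt per password
    key = hashlib.scrypt(_pepper(password), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), key.hex()])


def _parse(stored: str):
    """Split a record into (n, r, p, salt, key); None if it is not one of ours."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        return n, r, p, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    parsed = _parse(stored)
    if parsed is None:                  # plaintext, MD5 or corrupt record: never accept
        return False
    n, r, p, salt, key = parsed
    candidate = hashlib.scrypt(_pepper(password), salt=salt, n=n, r=r, p=p, dklen=len(key))
    return hmac.compare_digest(candidate, key)     # constant-time comparison


def needs_rehash(stored: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True for legacy records (MD5/plaintext) or parameters weaker than current policy."""
    parsed = _parse(stored)
    return parsed is None or parsed[:3] != (n, r, p)


# Constructed users table holding the lab's two accounts, stored the secure way.
USERS = {
    "alice": hash_password("password123"),
    "bob": hash_password("password456"),
}

# Verified for unknown usernames so a missing account costs the same time as a wrong password.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(users: dict, username: str, password: str) -> bool:
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored)
    if ok and username in users and needs_rehash(stored):
        users[username] = hash_password(password)   # transparent upgrade on successful login
    return ok and username in users


if __name__ == "__main__":
    print(USERS["alice"])
    print("alice/password123:", login(USERS, "alice", "password123"))
    print("alice/wrong:", login(USERS, "alice", "wrong"))
    print("mallory/password123:", login(USERS, "mallory", "password123"))
```

Two properties are worth checking by hand: hashing the same password twice yields different records (the salt differs), and a legacy value such as the MD5 digest from the dump is rejected outright by verify_password rather than compared, so a migrated table can never fall back to the weak check.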

Testing After Fix

  1. Dump the users table again and run john or hashcat against the new values (hashcat mode 3200 for bcrypt).
  2. Expected Result:
    • Each record carries its own salt, so every account must be attacked separately, and each guess costs a full bcrypt computation, orders of magnitude slower than MD5. Weak passwords can still fall to a dictionary attack, which is why the password policy and breached-password screening matter.
  3. Attempt SQL injection (a classic ' OR '1'='1 payload in the username field) and brute-force logins.
  4. Expected Result:
    • The prepared statement treats the payload as data and the login is rejected; brute force is slowed by bcrypt and should additionally be rate-limited.

Conclusion

In this lab, you exploited Broken Cryptography by retrieving insecurely stored passwords. You also learned how to prevent this vulnerability by using strong hashing algorithms (bcrypt), implementing salting, and enforcing strong password policies.
