What is Bypassing Authentication?

What is Bypassing Authentication? – In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication. A common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.

What if we could bypass all authentication mechanisms entirely? We can! This technique is called browser pivoting—essentially, we use our access to the target workstation to inherit permissions from the doctor’s browser and transparently exploit his or her permissions to do exactly what we want.

To accomplish this attack, we need to be able to do three things:

  • Inject code into the IE process accessing the medical database.
  • Create a web proxy Dynamic Link Library (DLL) based on the Microsoft WinInet API.
  • Pass web traffic through our SSH tunnel and the newly created proxy.

Let’s look at all three stages. None of them is as complex as they might initially appear.

What is Bypassing Authentication

Stage 1: DLL Injection

DLL injection is the process of inserting code into an existing (running) process (program). The easiest way to do this is to use the LoadLibraryA() function in kernel32.dll . This call will pretty much take care of the entire workflow in that it will insert and execute our DLL for us. The problem is that this function will register our DLL with the target process, which is a big antivirus no-no (particularly in a well monitored process such as Internet Explorer).

There are other, better ways we can do this. Essentially it breaks down into four steps:

  1. Attach to the target process (in this case Internet Explorer).
  2. Allocate memory within the target process.
  3. Copy the DLL into the target process memory and calculate an appropriate memory addresses.
  4. Instruct the target process to execute your DLL.

Each of these steps is well documented within the Windows API.

Attaching to a Process

hHandle = OpenProcess( PROCESS_CREATE_THREAD |
PROCESS_QUERY_INFORMATION |

Allocating Memory

PROCESS_VM_OPERATION |
PROCESS_VM_WRITE |
PROCESS_VM_READ,
FALSE,
procID );

Allocating Memory

GetFullPathName(TEXT(“proxy.dll”),
BUFSIZE,
dllPath,
NULL);
hFile = CreateFileA( dllPath,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL );
dllFileLength = GetFileSize( hFile,
NULL );
remoteDllAddr = VirtualAllocEx( hProcess,
NULL,
dllFileLength,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE );

Insert the DLL and Determine the Memory Address

lpBuffer = HeapAlloc( GetProcessHeap(),
0,
dllFileLength);
ReadFile( hFile,
lpBuffer,
dllFileLength,
&dwBytesRead,
NULL );
WriteProcessMemory( hProcess,
lpRemoteLibraryBuffer,
lpBuffer,
dllFileLength,
NULL );
dwReflectiveLoaderOffset = GetReflectiveLoaderOffset(lpWriteBuff);

Execute the Proxy DLL Code

rThread = CreateRemoteThread(hTargetProcHandle, NULL, 0,
lpStartExecAddr, lpExecParam, 0, NULL);
WaitForSingleObject(rThread, INFINITE);

I suggest you become familiar with these API calls, as understanding how to migrate code between processes is a core skill in APT modeling and there are many reasons why we might we want to do this, including to bypass process whitelisting, for example, or to migrate an attack into a different architecture or even to elevate our privileges in some way. For instance, should we want to steal Windows login credentials, we would inject our key logger into the WinLogon process. We’ll look at similar approaches on UNIX-based systems later.

In any event, there are a number of existing working attacks to perform process injection if you don’t want to create your own. This functionality is seamlessly integrated into the Metasploit framework, the pros and cons of which we will examine in future chapters.

What is Bypassing Authentication

Stage 2: Creating a Proxy DLL Based on the WinInet API

Now that we know what we have to do to get code inside the IE process, what are we going to put there and why?

Internet Explorer uses the WinInet API exclusively to handle all of its communications tasks. This is not surprising given that both are core Microsoft technologies. Any program may use the WinInet API and it’s capable of performing tasks such as cookie and session management, authentication, and so on.

Essentially, it has all the functionality you would need to implement a web browser or related technology such as an HTTP proxy. Because WinInet transparently manages authentication on a per process basis, if we can inject our own proxy server into our target’s IE process and route our web traffic through it, then we can inherit their application session states. This includes those authenticated with two-factor authentication.

IMPLEMENTING PROXY SERVER FUNCTIONALITY

Building a proxy server is beyond the scope of this work; however, there are third parties that sell commercial proxy libraries for developers. They are implemented solely using the WinInet API that can be integrated according to your needs.

What is Bypassing Authentication

Stage 3: Using the Injected Proxy Server

Assuming that the proceeding steps went according to plan, we now have an HTTP proxy server running on our target machine (we’ll say TCP port 1234) and restricted to the local Ethernet interface. Given that our Command and Control infrastructure is not sufficiently advanced to open remote tunnels on the fly, we will need to hardcode an additional tunnel into our payload.

At present, the only tunnel back into the target workstation is for accessing the SSH server. We need to add a remote tunnel that points to 1234 on the target and creates an endpoint (we’ll say TCP port 4321) on our C2 server.

At this point, we can add new patients and prescribe them whatever they want. No ID is required when picking meds up from the pharmacy, as ID is supposed to be shown when creating an account. Of course, this is just a tick box as far as the database is concerned. All we’ll be asked when we go to pick up our methadone is our date of birth.

“There is no cloud, it’s just someone else’s computer.

Bypass Authentication Vulnerability Owasp click here

If You Like This Blog Please It Down

For More Bug Bounty Blog Click Here

Related posts

Leave a Comment