User credentials can be invaluable to an attacker. With a set of credentials, an attacker can expand and deepen their access to target systems, achieve persistence, and make their activities more difficult for a defender to detect.
The MITRE ATT&CK framework includes 15 techniques for Credential Access, as shown in Figure 7.1.
In this chapter, we'll look at two very different means of capturing user credentials. The first part of the chapter will explore how to dump login credentials for online accounts from web browsers, which is one of the sub-techniques under the Credentials from Password Stores technique. The rest of the chapter discusses the use of Python's scapy library to sniff credentials from unencrypted network traffic (called Network Sniffing in MITRE ATT&CK).
User credentials are cached in a variety of locations and a few different formats. Many applications will store password hashes for authentication purposes, and these hashes can potentially be cracked to learn the associated passwords.
However, applications may ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month, and much more.
