What Are Enumeration Attacks and How Can You Prevent Them?
Reading Time: 4 minutesAttackers often need access to your network before they can do damage. Enumeration attacks offer both blunt and sneaky ways to get in.
Many cyberattacks begin with attackers gaining access to your network. They may not be welcome, but cybercriminals don’t need your permission to break in.
With techniques such as enumeration attacks, they can slip by your defenses. The onus is on you to make it difficult for them, if not impossible. What really are enumeration attacks? How do they work? And how can you prevent them?
What Are Enumeration Attacks?
Enumerations attacks are hacking techniques attackers use to gain unauthorized access into a system by guessing users’ login credentials. A form of brute force attack, the hacker tries out various usernames and passwords until they get the correct combinations.
How Do Enumeration Attacks Work?
An average system has an inbuilt authentication or authorization that users have to undergo to gain access. This is often in the form of a login window for existing users, a registration window for new users to sign up, and a ‘Forgot Password’ tab for existing users who may have forgotten their passwords.
The hacker takes advantage of the aforementioned features to launch enumerations attacks in the following ways.
1. Guessing Existing Usernames With Brute Force
The first stage of an enumeration attack has the hacker enter any login credentials to get feedback from the system. For instance, let’s say Username A exists in your web application’s database. If the attacker enters it along with a password, they’ll get a notification that the password they entered is correct but the password isn’t. And if Username A isn’t in your database, they’ll get a notification that neither the username nor the password exists.
The attacker aims to get as many valid usernames as possible. For every invalid username they get, they try various variations of the username with brute force.
Since web users normally create usernames that people are familiar with or can relate to, out of the many username variations the attacker enters into the system, some will be valid.
2. Pairing Existing Usernames With Possible Passwords
Guessing the username correctly is just half of the job. To access your system, the attackers must provide the username’s correct password too. They use brute force to generate several password variations, hoping to find a match for each username.
3. Using Credential Stuffing to Find Valid Usernames and Passwords
Attackers leverage credential stuffing to execute enumerations attacks by making use of the username and password pairs they stole from other networks to access your network.
Using the same username and password on more than one web application is unhealthy and can expose you to multiple hacks. If your login credentials get into the wrong hands, all they have to do is try them out on other web applications you use.
While all the login credentials an attacker retrieves from other websites may not be valid, some turn out to be valid, especially as some people repeat the same username and password.
4. Using Social Engineering to Collect Complete Login Credentials
A determined hacker can leverage social engineering to execute an enumeration attack. How? After using brute force to gain valid usernames on a web application, if other efforts to get the correct passwords for those usernames fail, they may resort to social engineering to get the passwords directly from the users.
With valid usernames at hand, the hacker could send malicious messages to the users via email or text messages, impersonating the operators of the platform. They could trick the users to provide their passwords by themselves. Such messages could seem legitimate to unsuspecting victims because the cybercriminal already has their correct usernames.
How Can You Prevent Enumeration Attacks?
Enumeration attacks thrive on the response they receive from web applications when users try to log in. If you take that information out of the equation, they are more difficult to execute as cybercriminals will have little or no information to work with. So, how can you prevent these attacks or reduce their occurrence to the barest minimum?
1. Prevent Login Feedback With Multi-Factor Authentication
All an attacker needs to do to know the validity of a username on a web application is to enter just about any username, and the server will give them the information they need. You can prevent them from having that information easily by implementing multi-factor authentication.
When a user, or an attacker in this case, enters their login credentials to access your application, have them verify their identity in multiples ways such as providing One-Time Passwords (OTPs), email codes, or using authentication apps.
2. Reduce Login Attempts With CAPTCHAs
Cybercriminals have the liberty to launch enumeration attacks when they have unlimited login attempts. It’s rare for them to guess the correct username and password pairs with just a few login attempts.
Implement CAPTCHA to slow them down and thwart their efforts. Since they can’t bypass CAPTCHA automatically, they’ll most likely get frustrated verifying that they are human after a few attempts.
3. Adopt Rate-Limiting to Block Multiple Logins
Enumeration actors thrive on the multiple login attempts available on web applications. They could guess the usernames and passwords all day until they find a match.
If you have a rate limit on your network, they can only try to log in a specific number of times. If they aren’t successful in those attempts, your network will block their IP addresses or usernames.
The downside of rate-limiting is that it affects legitimate users who may genuinely not remember their login credentials. You can mitigate this by providing alternatives for such users to regain access.
4. Install a Web Application Firewall
A web application firewall is a tool that blocks multiple login attempts from malicious or suspicious IP addresses. It works with a set of security standards to examine traffic to your network servers, meeting outlined HTTPS and SSL security requirements.
With a web application firewall in place, enumeration actors don’t have the luxury of time to hack your system.
Secure Your Login Credentials to Prevent Enumeration Attacks
Enumeration attacks raise concerns about network access and usability. You would want your network users to be able to gain access without any hassle. But in doing so, you must take measures that won’t expose your network to cyber threats and attacks.
Don’t shoot yourself in the foot by aiding cyber actors with your network login credentials. Make it a point of duty to hide such information as much as you can. If they don’t know it, they’ll be in the dark where they deserve to be.
Reference: https://www.makeuseof.com/what-are-enumeration-attacks-and-how-can-you-prevent-them/
Ref: makeuseof
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG