Multi-featured Approach to Crack HTTP Authentication

Authors

Name                      Email
Duy (Dave) Nguyen         nguyend2@carleton.edu
Kaung Thant (John) Win    winj@carleton.edu

Poster - Final

Overview

Although two-factor (2FA) and multi-factor authentication (MFA) have become more widespread in the past few years, single-factor authentication (SFA) remains the default for many websites. Password spraying, in which a small set of common passwords is tried against many accounts rather than many passwords against one account, is a commonly used technique for breaking into such weak authentication systems, because it stays below per-account lockout thresholds. Our goal with this project is to demonstrate how effective such a tool is against weak authentication systems, and how an attacker can combine password spraying (with proxy rotation to spread attempts across source addresses) with an Optical Character Recognition (OCR) model that reads text-based CAPTCHAs, producing a password-cracking tool that bypasses the CAPTCHA check. We hope to educate readers about the need for defense in depth as well as for stronger passwords.
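The following is an added example, not the project's spraying tool: an offline simulation of the attack the overview describes, against a login endpoint that blocks a source IP after a few failures, run once from a single IP and once through a rotating proxy pool. The accounts, passwords and proxy addresses are constructed for the example, and the Target class is a stand-in for the real target machine (its blocked_ips set plays the role of the blocked_ips table set up later in this page).

```python
"""Added example, not the project's spraying tool: an offline simulation of
password spraying against a login endpoint that blocks a source IP after a
few failures, run once from a single IP and once through a rotating proxy
pool.  Accounts, passwords and proxy addresses below are constructed."""
import itertools
from collections import defaultdict

# Constructed (hypothetical) credential store on the target.
ACCOUNTS = {
    "alice": "Summer2024!",
    "bob": "Welcome1",
    "carol": "hunter2",
    "dave": "Password123",
}
# Spray list: a few common passwords, each tried against every user before
# moving on, so no single account sees more than one failure per pass.
SPRAY_LIST = ["Welcome1", "Summer2024!", "Password123"]
# Constructed proxy pool standing in for the rotating proxy service.
PROXY_POOL = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
ATTACKER_IP = "203.0.113.7"


class Target:
    """Login endpoint that blocks a source IP after MAX_FAILS failed logins,
    the role the blocked_ips table plays for the project's target machine."""
    MAX_FAILS = 3

    def __init__(self, accounts):
        self.accounts = accounts
        self.fails_by_ip = defaultdict(int)
        self.blocked_ips = set()
        self.auth_log = []  # (src_ip, username, result), like a server log

    def login(self, src_ip, username, password):
        if src_ip in self.blocked_ips:
            result = "blocked"
        elif self.accounts.get(username) == password:
            result = "ok"
        else:
            result = "fail"
            self.fails_by_ip[src_ip] += 1
            if self.fails_by_ip[src_ip] >= self.MAX_FAILS:
                self.blocked_ips.add(src_ip)
        self.auth_log.append((src_ip, username, result))
        return result


def spray(target, usernames, passwords, proxies=None):
    """Password spraying: outer loop over passwords, inner loop over users.
    With a proxy pool each attempt leaves through the next proxy (round
    robin), so no single source IP accumulates MAX_FAILS failures."""
    sources = itertools.cycle(proxies) if proxies else itertools.repeat(ATTACKER_IP)
    found, attempts, blocked = {}, 0, 0
    for password in passwords:
        for user in usernames:
            if user in found:
                continue
            attempts += 1
            result = target.login(next(sources), user, password)
            if result == "ok":
                found[user] = password
            elif result == "blocked":
                blocked += 1
    return found, attempts, blocked


def spray_indicator(auth_log, min_distinct_users=3):
    """Detection that survives proxy rotation: many *different* usernames
    failing, each only a few times, regardless of source IP.  Per-IP
    blocking alone never looks at this pattern."""
    failed_users = {user for _ip, user, result in auth_log if result == "fail"}
    return len(failed_users) >= min_distinct_users


def run(proxies=None):
    """Run one spray and summarise what the attacker got and what the
    defender could have seen."""
    target = Target(ACCOUNTS)
    found, attempts, blocked = spray(target, list(ACCOUNTS), SPRAY_LIST, proxies)
    return {
        "found": found,
        "attempts": attempts,
        "blocked_responses": blocked,
        "blocked_ips": sorted(target.blocked_ips),
        "spray_detected": spray_indicator(target.auth_log),
    }


if __name__ == "__main__":
    print("single IP:       ", run())
    print("rotating proxies:", run(PROXY_POOL))
```

From a single IP the attacker is blocked after the first pass and recovers only one account; through four rotating proxies no IP ever reaches the threshold and three accounts fall. The auth log still shows several distinct usernames failing in both runs, which is why a per-account or distinct-username indicator, not just per-IP blocking, is the defense-in-depth control the overview argues for.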

Set-up Instructions

There are two ways to run the project: 1) without the OCR model for CAPTCHA solving, 2) with it. The only differences in set-up are the git clone command (the OCR variant lives on the read-respond-captcha branch) and the optional OCR model set-up steps in Step 3.

Step 1: Target Machine

There are two options for setting up the target machine: locally, or on AWS (Amazon Web Services).

Local hosting option

  1. Clone the git repository into a folder:
  • Without OCR
git clone https://github.com/CarletonSecurityComps2024/SecurityComps2024.git
  • With OCR
git clone -b read-respond-captcha https://github.com/CarletonSecurityComps2024/SecurityComps2024.git
  2. Install dependencies on the backend:
cd SecurityComps2024/project/TargetMachine/backend
npm install
  3. (Optional) Install dependencies on the frontend to see what the log-in page looks like:
cd SecurityComps2024/project/TargetMachine/frontend
npm install
  The backend reads its database settings from a ".env" file in the backend folder, so the PostgreSQL database, blocked_ips table and ".env" file described in steps 5.5 to 5.7 of the AWS option are needed for a local run as well.

AWS Hosting Option

  1. Create or sign in to your AWS account.
  2. Create an EC2 instance.
    2.1. Select "EC2" on the AWS dashboard. (AWS Instructions 1)
    2.2. Select "Launch an instance". (AWS Instructions 2)
    2.3. Name your instance and select "Ubuntu" for the OS image. (AWS Instructions 3)
    2.4. For "Key pair", select "Proceed without a key pair" (the later steps connect with EC2 Instance Connect rather than SSH). For network settings, tick the boxes for HTTP and HTTPS traffic. (AWS Instructions 4)
    2.5. Launch the instance. (AWS Instructions 5)
  3. Edit the security group.
    3.1. Select "Security Groups" on the AWS dashboard. (AWS Instructions 6)
    3.2. Choose the new security group that was created (its name may differ from the picture). (AWS Instructions 7)
    3.3. Add inbound rules accepting the TCP ports shown in the picture. (AWS Instructions 8) Because the target is deliberately weak, keep these rules as narrow as the demo allows (the spraying tool's requests arrive from the rotating proxy addresses, so a single-source restriction may not be possible) and delete them when the demo is over.
  4. Attach an Elastic IP so that the server's IP stays static.
    4.1. Select "Elastic IPs" on the AWS dashboard. (AWS Instructions 9)
    4.2. Select "Allocate Elastic IP address". (AWS Instructions 10)
    4.3. Choose "Allocate" to finish the allocation. (AWS Instructions 11)
    4.4. Select the newly allocated IP address. Under "Actions", choose "Associate Elastic IP address". (AWS Instructions 12)
    4.5. Choose the recently created EC2 instance. For the private IP address, select whichever address is offered. Click "Associate"; the instance now has a static IP address. (AWS Instructions 13)
  5. Set up dependencies on the EC2 instance.
    5.1. Select "EC2" on the AWS dashboard.
    5.2. Select the recently created EC2 instance and click "Connect". (AWS Instructions 14)
    5.3. Choose the "EC2 Instance Connect" option and click "Connect". (AWS Instructions 15)
    5.4. Install nginx, npm, and PostgreSQL (psql):
    sudo apt-get update
    sudo apt install nginx -y
    sudo apt install npm -y
    sudo apt install postgresql -y
    5.5. Set up the PostgreSQL database.
    sudo -u postgres psql
    CREATE USER comps_user WITH PASSWORD 'comps_password';
    CREATE DATABASE comps;
    GRANT ALL PRIVILEGES ON DATABASE comps TO comps_user;
    5.6. Once the "comps" database is set up, set up the "blocked_ips" table.
    \c comps
    CREATE TABLE blocked_ips (
    id SERIAL PRIMARY KEY,
    ip_address INET NOT NULL,
    log_date TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
    );
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE blocked_ips TO comps_user;
    GRANT USAGE, SELECT ON SEQUENCE blocked_ips_id_seq TO comps_user;
    The last grant is needed because the SERIAL column's sequence is owned by the postgres superuser that created the table; without USAGE on it, comps_user's INSERTs fail with "permission denied for sequence blocked_ips_id_seq".
    5.7. Clone the repository onto the instance (the same git clone commands as in the local option; use the read-respond-captcha branch for the OCR variant) and relocate to the target machine's backend folder.
    git clone https://github.com/CarletonSecurityComps2024/SecurityComps2024.git
    cd SecurityComps2024/project/TargetMachine/backend/
    Create a ".env" file with the following (the credentials from step 5.5; the file holds a secret, so keep it out of version control):
    DB_USER=comps_user
    DB_HOST=localhost
    DB_DATABASE=comps
    DB_PASSWORD=comps_password
    DB_PORT=5432
  6. Install dependencies.
    6.1. Install dependencies on the backend:
    cd SecurityComps2024/project/TargetMachine/backend
    npm install
    6.2. (Optional) Install dependencies on the frontend to see what the log-in page looks like:
    cd SecurityComps2024/project/TargetMachine/frontend
    npm install

Step 2: Attacker Machine

  1. Clone the git repository into a folder:
  • Without OCR
git clone https://github.com/CarletonSecurityComps2024/SecurityComps2024.git
  • With OCR
git clone -b read-respond-captcha https://github.com/CarletonSecurityComps2024/SecurityComps2024.git
  2. Open the folder using VSCode.
  3. Navigate to the spraying tool folder using the terminal:
cd SecurityComps2024/project/PasswordSprayingtool/
  4. Install dependencies:
pip install -r requirements.txt
  5. Add API credentials for proxy rotation.
    5.1. Sign up for a free account on Webshare. (Proxy API Instructions 1)
    5.2. After logging in, navigate to the Proxy List section in your dashboard. (Proxy API Instructions 2)
    5.3. Click the "Create API Key" button to generate a new key. You can assign a label to this key for easy identification. (Proxy API Instructions 3)
    5.4. Go to Settings and retrieve the API username and password. (Proxy API Instructions 4)
    5.5. Relocate to the tool's folder.
    cd SecurityComps2024/project/PasswordSprayingtool/
    Create a ".env" file in this folder with the credentials in this format (the file holds secrets, so keep it out of version control):
    APIFY_PROXY_HOSTNAME=proxy.apify.com
    APIFY_PROXY_PORT=8000
    APIFY_PROXY_PASSWORD=***add_apify_account_password_here***
    PROXY_API_KEY=***add_api_key_here***
    PROXY_API_USERNAME=***add_api_username_here***
    PROXY_API_PASSWORD=***add_api_password_here***

Step 3: Training/ Setting up the OCR Model

  • For ease of development, use a Linux-based system such as WSL.
  1. Create a virtual environment and activate it.
  2. Install TensorFlow.
  3. Download the training CAPTCHA dataset from Kaggle (see Datasets below) and place the folder containing the images inside this directory:
cd SecurityComps2024/project/OCRModel/
  4. (If necessary) Rename the CAPTCHA image folder.
  5. Run train_ocr_model.ipynb.
  6. (If necessary) Install Keras and make sure the Keras and TensorFlow versions are compatible.
  7. (If necessary) Reopen the VSCode terminal in WSL.
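Training produces a model that emits, for every time step along the image width, a probability over the character set plus a CTC "blank" class; turning that into the text typed into the CAPTCHA field is a decoding step the notebook does not spell out. The block below is an added example, not code from the project's notebook: a greedy CTC decoder in plain Python, assuming the model is trained with CTC loss as in the Keras captcha OCR example the references list. The frame matrices are constructed by hand so it runs without TensorFlow; the character set and the 5-character CAPTCHA are assumptions for illustration.

```python
"""Added example, not the project's notebook: greedy CTC decoding, the step
that turns per-timestep class probabilities from a CAPTCHA OCR model into the
text submitted to the CAPTCHA field.  Frames below are constructed by hand."""

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # assumed label alphabet
BLANK = len(CHARSET)                                # CTC blank is the last class


def argmax(row):
    """Index of the largest probability in one time step (pure Python)."""
    best = 0
    for i, value in enumerate(row):
        if value > row[best]:
            best = i
    return best


def ctc_greedy_decode(frames, charset=CHARSET, blank=BLANK):
    """Best-path CTC decoding: take the argmax of every time step, collapse
    consecutive repeats of the same label, then drop blanks.  A doubled
    character in the answer therefore needs a blank between its two runs;
    without it the two runs collapse into one character."""
    out = []
    prev = None
    for row in frames:
        label = argmax(row)
        if label != prev and label != blank:
            out.append(charset[label])
        prev = label
    return "".join(out)


def frames_from_labels(labels, n_classes=len(CHARSET) + 1, confidence=0.9):
    """Constructed stand-in for model output: each time step is a probability
    row dominated by the given class index."""
    rest = (1.0 - confidence) / (n_classes - 1)
    return [[confidence if c == label else rest for c in range(n_classes)]
            for label in labels]


def idx(ch):
    return CHARSET.index(ch)


# Constructed frame sequence for the 5-character CAPTCHA "he77o": the model
# tends to emit runs of the same label, and the blank separates the two 7s.
FRAMES_HE77O = frames_from_labels(
    [idx("h"), idx("h"), BLANK, idx("e"), idx("7"), idx("7"), BLANK,
     idx("7"), idx("o"), idx("o"), BLANK])

# Same labels with no blank between the 7s: the repeat collapses to one 7,
# which is the classic CTC failure mode for doubled characters.
FRAMES_NO_BLANK = frames_from_labels(
    [idx("h"), idx("e"), idx("7"), idx("7"), idx("o")])


def decode_samples():
    """Decode both constructed sequences; returns (with_blank, without_blank)."""
    return ctc_greedy_decode(FRAMES_HE77O), ctc_greedy_decode(FRAMES_NO_BLANK)


def plausible_captcha(text, length=5, charset=CHARSET):
    """Cheap sanity check before submitting a decoded answer: right length
    and only characters the CAPTCHA generator uses."""
    return len(text) == length and all(ch in charset for ch in text)


if __name__ == "__main__":
    for decoded in decode_samples():
        print(decoded, "plausible" if plausible_captcha(decoded) else "reject")
```

The length check is worth keeping in a spraying loop: a decode that is one character short is almost always the collapsed-repeat case, and submitting it only burns an attempt against the target's failure counter.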

Running Instructions

  1. On the target machine (the local machine or the EC2 instance), start the server:
cd SecurityComps2024/project/TargetMachine/backend
npm start
  2. On the attacker machine, run the tool:
cd SecurityComps2024/project/PasswordSprayingtool/
python3 password_spraying.py

Acknowledgements

We'd like to thank Professor Jeff Ondich for his support and guidance throughout the project. This project would not have been possible without him.

References

  1. AWS, "Amazon EC2", https://aws.amazon.com/ec2/
  2. AWS, "Amazon EC2 Auto Scaling", https://aws.amazon.com/ec2/autoscaling/
  3. Badhri Adhikari, "[DL] Some pitfalls to avoid when designing your own convolutional neural network", YouTube, https://www.youtube.com/watch?v=eTUobNH5fj4
  4. Baoguang Shi et al., "An End-to-End Trainable Neural Network for Image-based Sequence Recognition and Its Application to Scene Text Recognition", https://ar5iv.labs.arxiv.org/html/1507.05717
  5. CrowdStrike, Bart Lenaerts-Bergmans, "Password Spraying", 2022, https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/password-spraying/
  6. Distill, "Sequence Modeling with CTC", https://distill.pub/2017/ctc/
  7. Infura, "Python: How to perform batch requests with Infura", https://support.infura.io/building-with-infura/python/how-to-perform-batch-requests
  8. Keras, A_K_Nain, "OCR model for reading Captchas", https://keras.io/examples/vision/captcha_ocr/
  9. MDN Web Docs, "HTTP Authentication", https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
  10. NetApp (Spot), "EC2 Autoscaling: The Basics, Getting Started, and 4 Best Practices", https://spot.io/resources/aws-autoscaling/ec2-autoscaling-the-basics-and-4-best-practices/
  11. Oxylabs, Roberta Aukstikalnyte, "What is proxy rotation and why is it important?", https://oxylabs.io/blog/rotate-proxies-python
  12. Ping Wang et al., "An Experimental Investigation of Text-based CAPTCHA Attacks and Their Robustness", https://dl.acm.org/doi/10.1145/3559754
  13. Semperis, Daniel Petri, 2024, "How to Defend Against a Password Spraying Attack", https://www.semperis.com/blog/how-to-defend-against-password-spraying-attacks/
  14. Splunk, Shanika Wickramasinghe, 2023, "Password Spraying Attacks: What You Need To Know To Prevent Attacks", https://www.splunk.com/en_us/blog/learn/password-spraying.html

Datasets

  1. Server Dataset: https://www.kaggle.com/datasets/greysky/captcha-dataset
  2. Training Dataset: https://www.kaggle.com/datasets/parsasam/captcha-dataset