An enumeration attack occurs when cybercriminals use brute-force methods to check if certain data exists on a web server database.
For simple enumeration attacks, this data could include usernames and passwords. More sophisticated attacks could uncover hostnames, SNMP, and DNS details, and even confirm poor network setting configurations.
Every web application module that communicates with a user database could potentially become an enumeration attack vector if left unsecured.
The two most common web application targets for enumeration attacks are:
- The login page
- Password reset page
Because vulnerabilities that facilitate these attacks allow hackers to cross an information security border, enumeration is a critical component of penetration testing.
How Do User Enumeration Attacks Work?
During an enumeration attack, hackers are looking for unique server responses confirming the validity of a submitted credential.
The most obvious response is a field authentication message after a web form submission. To explain this process, we will use an example of a username enumeration attack - when attackers try to find usernames in a web server database.
Username Enumeration Attacks
This attack sequence usually begins by focusing on usernames only. The objective at this stage is to find as many valid usernames in a database as possible.
A webserver with poor application security will identify a non-existent username with an invalid username message similar to this:
Because this message reveals whether the username is valid, a threat actor learns that the username is not present in the web server's database.
A cybercriminal will then submit the same password with different username variations until a sufficient list of validated usernames is established.
Username variants are either found in purchased lists of leaked credentials or generated with brute force attack techniques.
Cyberattackers will then repeat the process with passwords, performing brute force techniques against all validated usernames until a winning combination is finally achieved.
This type of attack can be performed on any web app function that includes database verifications in its processes.
How to Prevent Server Response Message Enumeration Attacks
The best method of obfuscating server confirmation messages is to display a generic message after failed login attempts, one that does not specify which field was incorrect.
Here's an example:
Validating Entries with Server Response Times
The explicit feedback above is the ideal scenario for an attacker. Usually, server responses that validate form entries are a lot more subtle.
A more sophisticated approach is to measure server response times with penetration testing tools. Usually, servers take longer to respond to invalid username entries than they do to valid ones.
Here's an example of such response-time-based validation detected with the pentesting tool Metasploit.
In the above example, an incorrect username resulted in a failed login message after 30 seconds.
Conversely, when the valid username "administrator" was submitted, the server responded within 5 seconds, didn't redirect the session, and also included the confirmation message "username is valid."
Even without this explicit validation message, a hacker could easily differentiate incorrect submissions from the extended server response times they generate.
How to Prevent Server Time Response-Based Enumeration Attacks
To prevent hackers from identifying relationships between server response times and valid data entries, web application developers should avoid predictable time sequences.
Server responses should be padded with randomized time frames for both correct and incorrect entries.
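Both countermeasures from the two prevention sections above, as an added example that is not part of the original article: a leaky login handler beside a hardened one that returns a single generic failure message, always performs the same password-hashing work whether or not the username exists (a constant-work step added alongside the article's randomized padding), and pads every reply to a minimum duration plus jitter. The user store, password, and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample user store for this example: username -> (salt, PBKDF2-SHA256 hash).
ITERATIONS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_ADMIN_SALT = os.urandom(16)
USERS = {"administrator": (_ADMIN_SALT, hash_password("correct horse", _ADMIN_SALT))}
# Dummy record used for unknown usernames so they cost the same hashing work as real ones.
_DUMMY_SALT = os.urandom(16)
DUMMY_RECORD = (_DUMMY_SALT, hash_password(secrets.token_hex(16), _DUMMY_SALT))

GENERIC_FAILURE = "Invalid username or password."
MIN_RESPONSE_SECONDS = 0.05

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable handler: both the message and the work done reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "invalid username"          # no hashing, fast reply: username absent
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "invalid password"          # hashing done, slower reply: username exists
    return True, "login ok"

def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened handler: one generic message, constant hashing work, padded response time."""
    start = time.perf_counter()
    salt, stored = USERS.get(username, DUMMY_RECORD)
    # Always hash, even for unknown users, so timing does not depend on username validity.
    digest_ok = hmac.compare_digest(hash_password(password, salt), stored)
    ok = digest_ok and username in USERS
    # Pad every reply to a minimum duration plus random jitter (the article's recommendation).
    elapsed = time.perf_counter() - start
    time.sleep(max(0.0, MIN_RESPONSE_SECONDS - elapsed) + secrets.randbelow(20) / 1000)
    return ok, ("login ok" if ok else GENERIC_FAILURE)
```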
Examples of Complex Enumeration Attacks
Complex enumeration attacks are used in reconnaissance to identify exploitable software vulnerabilities. Some examples of such attacks are listed below.
Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services - hierarchical structures of user records.
A successful LDAP enumeration attack could reveal the following sensitive information:
- Contact information
- Business sector information
Network Basic Input Output System (NetBIOS) is used as an API that enables endpoints to access LAN resources.
Each NetBIOS name is a unique 16-character string that identifies a network device over TCP/IP.
To facilitate NetBIOS enumeration attacks, printer and file sharing services need to be enabled. These attacks occur via port 139 on Microsoft Windows.
A successful NetBIOS enumeration attack could make the following attacks possible on the compromised machine:
- The compromised endpoint could be recruited into a Botnet and used to launch DDoS attacks.
- The cybercriminals could further enumerate privileged accounts to gain access to sensitive resources.
Simple Network Management Protocol (SNMP) is a framework for requesting or modifying information on networked devices. SNMP is software agnostic, meaning networked devices can be accessed regardless of the software they are running.
Cyberattackers enumerate SNMP on remote devices to gather the following intelligence:
- Traffic behavior
- Remote device identifiers
- Identifying information about networked devices and resources
How to Prevent Enumeration Attacks
Some cybersecurity controls that could prevent all types of enumeration attacks are listed below.
- Multi-Factor Authentication (MFA) - By requiring MFA with each login attempt, cybercriminals will not have access to any server responses without submitting the correct authentication tokens first. Cyberattackers are very unlikely to also have compromised the separate endpoints receiving these tokens.
- Use CAPTCHA on all forms - CAPTCHAs are not as effective as MFA but they do effectively block automated enumeration attacks.
- Limit login attempts - CAPTCHAs and MFA inconvenience cyberattackers by adding latency to each login attempt. This frustration can be further amplified with rate limiting, where the login process is blocked beyond a set number of failed attempts from the same IP address.
- Use a Web Application Firewall (WAF) - WAFs can block suspicious login attempts coming from a single IP address.
- Implement cyber awareness training - Train staff to identify common tactics used to steal sensitive information outside of enumeration methods, such as social engineering and phishing.
- Obfuscate API responses - If a login form calls an API, make sure these messages do not reveal the validity of each individual field entry.
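An added example (not the article's code) of the "limit login attempts" control above: a per-IP failed-attempt limiter that blocks the login process after a set number of failures within a window and releases the block after a lockout period. Thresholds are constructed, and the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from collections import defaultdict, deque

class FailedLoginLimiter:
    """Blocks login processing from a source IP after max_failures failed attempts
    within window_seconds, for lockout_seconds. The clock is injectable for testing."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
        self._locked_until = {}              # ip -> time at which the lockout expires

    def _prune(self, ip: str, now: float) -> None:
        # Drop failures that fell outside the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_blocked(self, ip: str) -> bool:
        """Call before processing a login; a blocked IP gets no authentication work at all."""
        now = self.clock()
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return True
            del self._locked_until[ip]       # lockout expired; start counting afresh
            self._failures[ip].clear()
        return False

    def record_failure(self, ip: str) -> bool:
        """Records a failed attempt; returns True if this failure triggered a lockout."""
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures[ip].clear()
```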