<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: ℙ𝕣𝕚𝕞𝕚𝕕𝕒𝕔 ℂ𝕠𝕕𝕖𝕤</title>
    <description>The latest articles on Forem by ℙ𝕣𝕚𝕞𝕚𝕕𝕒𝕔 ℂ𝕠𝕕𝕖𝕤 (@primidac).</description>
    <link>https://forem.com/primidac</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F273826%2F5f51169a-00db-449b-adf2-8bea362af7bf.jpg</url>
      <title>Forem: ℙ𝕣𝕚𝕞𝕚𝕕𝕒𝕔 ℂ𝕠𝕕𝕖𝕤</title>
      <link>https://forem.com/primidac</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/primidac"/>
    <language>en</language>
    <item>
      <title>The Art Of User Enumeration</title>
      <dc:creator>ℙ𝕣𝕚𝕞𝕚𝕕𝕒𝕔 ℂ𝕠𝕕𝕖𝕤</dc:creator>
      <pubDate>Mon, 02 Nov 2020 10:07:44 +0000</pubDate>
      <link>https://forem.com/primidac/the-art-of-user-enumeration-4a46</link>
      <guid>https://forem.com/primidac/the-art-of-user-enumeration-4a46</guid>
      <description>&lt;p&gt;Ok! Yet another big term &lt;strong&gt;User Enumeration&lt;/strong&gt; and you might be asking yourself, what the heck is user enumeration anyways. Well you're in luck because I'm here to tell you all about &lt;strong&gt;User Enumeration&lt;/strong&gt; and how to prevent it.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;What is user Enumeration&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;First things first: you should know that User Enumeration is a cyber security term. Now that you know that, the big question is &lt;em&gt;what is user enumeration?&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;User enumeration is an attack in which an adversary uses an application's own behaviour (its error messages, status codes or response times) to guess or confirm which usernames are valid on a system.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The technique most often used for user enumeration is &lt;strong&gt;brute force&lt;/strong&gt;: the attacker submits a long list of candidate usernames and watches how the server answers each one, which tells them which names belong to real accounts.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;According to Wikipedia, in cryptography a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Note that the definition above talks about guessing passwords; in user enumeration the same systematic guessing is applied to usernames first, and the password attack comes afterwards. User enumeration is a weakness that is often found in web applications, and the places where it usually shows up are the login and forgotten-password functionality (or any other feature that reveals whether an account exists).&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How it works&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;The key to user enumeration is finding out whether a username is valid on a particular system. To do this, the attacker looks for any difference in the server's response that depends on the details they submitted: a different error message, a different HTTP status code or redirect, different page content, or a different response time.&lt;/p&gt;

&lt;p&gt;For example, suppose we try to log in to a website with a username and a password and the server replies with "user does not exist". That tells the attacker that the username is wrong, not the password. If the server instead replies with "invalid password", the attacker now knows that the username is valid and only the password needs guessing. Either way, the server has handed over information the attacker can use to plan the next phase of the attack.&lt;/p&gt;

&lt;p&gt;The same applies to the "forgotten password" functionality. When an attacker enters a username, e-mail address or phone number into the reset form and the server responds with "does not exist", that again confirms which identifiers are real. Once the attacker has a list of confirmed usernames, the next phase is usually a &lt;strong&gt;brute-force&lt;/strong&gt; attack on the passwords of those accounts.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Ways to Prevent User Enumeration Attack&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Send a generic message to the user - Instead of telling the user which field was wrong ("Invalid username" or "Invalid password"), send a single generic message such as "Invalid username or password". The message text is not the only thing to check: the HTTP status code, any redirect and the rest of the page must be identical for both cases too, or the attacker can still tell them apart. The same goes for the forgotten-password form, which should always reply with something like "If that account exists, we have sent a reset e-mail".&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Make your server's response time the same for all requests - You might be wondering how response time could tell the attacker whether a field is correct, so here is how. A typical login handler looks the user up, and only if the user exists does it go on to hash and compare the password. Password hashing is deliberately slow, so a request for a valid username takes noticeably longer than one for an unknown username, and that difference alone reveals which names are valid. The fix is to make both paths do the same amount of work: when the username is unknown, still run the password hash against a dummy stored hash, and compare hashes with a constant-time comparison. Padding every response to a fixed delay is another option, but it is fragile under load and easy to get wrong, so equalising the work is the better approach.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Use a Web Application Firewall (WAF) or rate limiting - Suppose the attacker wants to perform a &lt;strong&gt;brute-force&lt;/strong&gt; attack and starts trying a long list of usernames one after another. A normal user does not submit hundreds of different usernames in quick succession, so a WAF or rate limiter can detect that pattern and block or throttle the attacker's IP. Treat this as a speed bump rather than a fix, though: an attacker can slow down or spread the attempts across many IP addresses, so the responses themselves still need to be indistinguishable.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Use two-factor authentication (2FA) - 2FA does not stop enumeration itself, but it makes the attacker's end goal much harder: a confirmed username and a guessed password are no longer enough to get into the account. Be careful that the 2FA step does not become a new oracle, for example by showing a different page for accounts that have 2FA enabled before the password has even been checked.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
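
&lt;p&gt;The response oracle described under "How it works", together with the first two fixes above (a generic message, and equal work on both code paths), as an added Python example that is not part of the original post. The user table, salts, passwords and the probe names are constructed for the demo; the handler and function names are hypothetical, and the stand-in for a real web framework is a plain function returning a (status, body) pair.&lt;/p&gt;

```python
"""Leaky vs hardened login handler, and the enumeration oracle an attacker
runs against it.  Added example: the user table, salts and passwords below
are constructed for the demo and are not real credentials."""
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # PBKDF2 work factor; deliberately slow


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, stored hash).  Hypothetical data.
USERS = {
    "alice": (b"salt-alice-0001", hash_password("correct horse battery", b"salt-alice-0001")),
    "bob": (b"salt-bob-000002", hash_password("hunter2hunter2", b"salt-bob-000002")),
}

# Salted hash of a random password nobody knows.  The hardened handler verifies
# against this when the username is unknown, so the request costs the same
# whether or not the account exists.
DUMMY_SALT = b"salt-dummy-00000"
DUMMY_HASH = hash_password(secrets.token_hex(16), DUMMY_SALT)

HASH_CALLS = {"n": 0}  # instrumentation: how many slow verifications ran


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["n"] += 1
    # constant-time comparison so the compare step leaks nothing either
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_leaky(username: str, password: str):
    """Vulnerable: the reply says which field was wrong, and an unknown user
    returns before the slow hash, so the timing differs as well."""
    record = USERS.get(username)
    if record is None:
        return 404, "User does not exist"
    salt, expected = record
    if not verify_password(password, salt, expected):
        return 401, "Invalid password"
    return 200, "Welcome"


GENERIC = "Invalid username or password"


def login_hardened(username: str, password: str):
    """Hardened: one generic status and message for every failure, and the
    password is always verified (against the dummy hash for unknown users)
    so both paths do the same work."""
    salt, expected = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = verify_password(password, salt, expected)
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, GENERIC


def enumerate_users(login, candidates, probe_password="not-the-password"):
    """Attacker's side: probe each candidate with a wrong password and compare
    the (status, body) replies.  If every reply is identical there is no
    oracle; otherwise any name whose reply differs from the reply for an
    obviously bogus name is a valid account."""
    replies = {name: login(name, probe_password) for name in candidates}
    if len(set(replies.values())) == 1:
        return []
    baseline = login("zz-definitely-not-a-user-zz", probe_password)
    return sorted(name for name, reply in replies.items() if reply != baseline)


def hash_work(login, candidates, probe_password="not-the-password"):
    """Count slow verifications performed while probing the candidates.  The
    leaky handler only hashes for valid users, so its count (and hence its
    response time) depends on which names are real; the hardened one always
    hashes exactly once per request."""
    HASH_CALLS["n"] = 0
    for name in candidates:
        login(name, probe_password)
    return HASH_CALLS["n"]


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    for label, handler in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(label, "valid users found:", enumerate_users(handler, names),
              "hash operations:", hash_work(handler, names))
```

&lt;p&gt;Against the leaky handler the probe recovers alice and bob from the message difference alone, and the hash counter shows it did two slow verifications for four requests, which is the timing leak in the second fix. Against the hardened handler every failure is the same (401, generic) pair and every request costs exactly one verification, so neither the body nor the timing says anything about which names exist.&lt;/p&gt;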

&lt;p&gt;As a general rule, review every response your server sends for a failed login or password reset (the message, the status code and the timing) and make sure none of it reveals whether the account exists.&lt;/p&gt;

&lt;p&gt;Peace ✌🏼✌🏼✌🏼&lt;/p&gt;

&lt;p&gt;&lt;a href="https://primidac.tech"&gt;Primidac&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>backend</category>
      <category>hacking</category>
    </item>
    <item>
      <title>What is Cyber Security</title>
      <dc:creator>ℙ𝕣𝕚𝕞𝕚𝕕𝕒𝕔 ℂ𝕠𝕕𝕖𝕤</dc:creator>
      <pubDate>Mon, 05 Oct 2020 09:23:10 +0000</pubDate>
      <link>https://forem.com/primidac/what-is-cyber-security-g3f</link>
      <guid>https://forem.com/primidac/what-is-cyber-security-g3f</guid>
      <description>&lt;p&gt;Okay, Cyber Security!!!. A lot of us have heard the word Cyber Security and I'm pretty sure only few know what it really means and what it entails. Many people refer to Cyber Security as hacking but that is not the case. Let's get down to what is Cyber Security, what it entails and how to get started.&lt;/p&gt;

&lt;h1&gt;
  
  
  &lt;strong&gt;What is Cyber Security&lt;/strong&gt;
&lt;/h1&gt;

&lt;p&gt;Cyber Security refers to the practice of defending networks, devices, data and software from malicious attacks, damage or unauthorized access. Most people confuse Information Security and Cyber Security.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Information Security is the process of protecting information from unauthorized access or disclosure, regardless of whether it is digital or analogue, while Cyber Security is the protection of data, software and servers in cyberspace, "cyber" here referring to anything connected to the internet.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Please note that Cyber Security is an umbrella term: it is made up of several different components.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Types Of Cyber Security
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Application Security&lt;/li&gt;
&lt;li&gt;Network Security&lt;/li&gt;
&lt;li&gt;Critical Infrastructure Security&lt;/li&gt;
&lt;li&gt;Cloud Security&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Listed above are the main types of Cyber Security, each of which is a broad field of practice in its own right.&lt;/p&gt;

&lt;h2&gt;
  
  
  Fields in Cyber Security
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Security Analyst&lt;/li&gt;
&lt;li&gt;Security Architect&lt;/li&gt;
&lt;li&gt;Security Administrator &lt;/li&gt;
&lt;li&gt;Security Software Developer&lt;/li&gt;
&lt;li&gt;Cryptographer&lt;/li&gt;
&lt;li&gt;Cryptanalyst&lt;/li&gt;
&lt;li&gt;Security Consultant&lt;/li&gt;
&lt;li&gt;Pentester&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Getting Started with Cyber Security
&lt;/h2&gt;

&lt;p&gt;Cyber Security is a great field to go into, with huge demand in the market and very good pay. The more things become digital, the more the demand for Cyber Security grows. But with such a broad field, how would one get started? Well, I have laid down some steps [not professional advice, but sure to work for anyone who follows them 😅; they worked for me, anyway].&lt;/p&gt;

&lt;h2&gt;
  
  
  Steps in Getting Started with Cyber Security
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Note that these steps are from the ground up, and the good news is that they work provided you are dedicated, hardworking and have lots of study time 😅.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Step 1 - Get to know Cyber Security by reading more of my articles 😅.&lt;/li&gt;
&lt;li&gt;Step 2 - Pick a field of choice. [This will keep you focused on your journey.]&lt;/li&gt;
&lt;li&gt;Step 3 - Learn a programming language.
&lt;em&gt;I know programming is not a must in most areas of Cyber Security, but knowing one is a huge bonus in the field.&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;Step 4 - Participate in hackathons; this will help you network and solve real-world problems.&lt;/li&gt;
&lt;li&gt;Step 5 - Begin a project related to your chosen field.&lt;/li&gt;
&lt;li&gt;Step 6 - Enroll in a course - This works very well, but [yes, there is a but] you have to up your game and work really hard, otherwise you won't gain much from a course. If you need a Cyber Security course to enroll in, you can enroll in mine by clicking on this &lt;a href="https://code.primidac.tech"&gt;link&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Step 7 - &lt;strong&gt;Practice! Practice!! Practice!!!&lt;/strong&gt; - Yes, you have to practice to be good at anything, and Cyber Security is no different. Spend time studying, asking questions and reading articles like mine 😉 [every Monday].&lt;/li&gt;
&lt;li&gt;Step 8 - Look out for a mentor - This really helps: search for a mentor and follow his or her lead.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That's it, guys, until next time. I hope this was really helpful, and I would love to hear from you.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Peace✌🏼&lt;/em&gt;&lt;/p&gt;

&lt;h6&gt;
  
  
  Primidac Codes
&lt;/h6&gt;

</description>
      <category>security</category>
      <category>codenewbie</category>
      <category>career</category>
    </item>
  </channel>
</rss>
