Blog Post

Ya Basic

When reading through the results of Microsoft’s recent report, the first thing to come to grab my attention was plaintext credentials. You may be thinking to yourself, “who sends creds in plaintext?” Well, just about everyone. There is one authentication protocol that I witness and report constantly, typically to an underwhelming response: Basic Authentication (Basic Auth). I often joke internally that Basic Auth is the gift that keeps on giving, within a threat detection context. Reason being? It is easy to identify, often indicative of a misconfiguration (at the very least) and potentially a serious security concern. Basic Auth is also helpful in identifying interesting and unmanaged processes, such as those to and from IoT devices.

The level of concern a network administrator should have regarding plaintext Basic Auth traffic depends on the types of credentials being sent. If an individual is logging into a third-party service that cannot be controlled, perhaps there is not much to worry about. Unfortunately, the reality is many employees tend to use corporate passwords for personal accounts and, outside of blocking trafficking to the destination in question, there is not much that can be done.

To no surprise, there have been several instances where I’ve seen corporate credentials being sent in plaintext, , which led our team to create an adversarial model skill that only detects Basic Auth traffic using corporate credentials. This is often pre-proxy traffic in CONNECT requests before switching over to HTTPS (oops!). It could be an internal site or service that uses corporate credentials for authentication, but either the process on the host or the destination site are not configured to handle Basic Auth correctly. As you might expect, even if the site forces HTTPS or if the client sends the credentials in plaintext first, the damage has already been done. Isn’t this exactly the type of behavior an attacker would be interested in?

I stopped keeping count of how many times this type of activity has been reported only to be dismissed as uninteresting. The excuse given? That is what firewalls are for. The risk you deem acceptable is up to you, but if you’re wondering if plaintext Basic Auth traffic is a security concern, consider the recent MSFT report a cautionary tale of what could happen if you don’t take plaintext transmission of credentials seriously.

To drive this point home, let me take two minutes to demonstrate how simple it would be to leverage credentials being sent in the clear.

Assuming you have access to a device on a subnet and are able to sniff traffic in promiscuous mode (likely what they were able to do). Then you could use tcpdump (like they did) to specifically capture Basic Auth plaintext traffic if that is the goal.

Basic Auth TCPDUMP

Basic Auth TCPDUMP

If it is not clear (pun intended), that is base64 encoding – it is still plaintext.

Basic Auth Decode

Basic Auth Decode

I realize that I run the risk of becoming the Basic Auth guy (we come a far way since then!), but the fact remains a malicious actor was literally just seen employing tcpdump to sniff the network for data that may provide more access. Next time you hear someone share you have plaintext corporate creds in transit on your network, please think about this recent report. Avoid having to admit if you updated a server to use HTTPS or advised a client to only send creds after encryption has been established the attack could have been mitigated.

Keep in mind that the attack vectors in the MSFT report did not appear to be complex or difficult to employ, as is often the case — but if they work otherwise the nation state actor in question wouldn’t be using them.

 

Troy Kent
Troy Kent

Threat Researcher