User enumeration occurs when a malicious actor uses brute-force techniques, such as guessing and confirming valid usernames on a system, to rule out invalid login details and eventually gain access to the system. User enumeration is most often found in web applications, but it can exist in any system that requires authentication. It is especially common in a site’s login page and its ‘Forgot Password’ functionality.
A common web application vulnerability that results from user enumeration is a system exposed to brute-force or dictionary attacks. Brute-force or dictionary attacks are carried out by a program or script that generates candidate user account names (and passwords) for the target website. Many user enumeration techniques can be thwarted by the use of CAPTCHA. According to NIST (the National Institute of Standards and Technology), a CAPTCHA is not considered a foolproof mitigation and only mitigates a specific instance of user enumeration.
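As an added illustration of the login-page and ‘Forgot Password’ behaviour described above (example code, not from this article), the first handler below leaks whether a username exists through differing messages and skipped hashing work, beside a hardened handler that returns one message and does the same work for unknown names. The user store, passwords and salt are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed salt and user store for this example; PBKDF2 stands in for
# whatever password hashing the real application uses.
SALT = b"constructed-example-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}

def login_leaky(username: str, password: str) -> str:
    # Enumerable: the message (and the skipped hash work) tells the
    # caller whether the username exists before any password is right.
    if username not in USERS:
        return "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Wrong password"
    return "OK"

# A dummy hash so unknown users cost the same hashing time as known ones.
_DUMMY = _hash(secrets.token_hex(16))

def login_uniform(username: str, password: str) -> str:
    # Hardened: one failure message, and the hash is always computed.
    stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password))
    return "OK" if matched and username in USERS else "Invalid username or password"

def forgot_password_uniform(username: str) -> str:
    # Same reply whether or not the account exists; the reset e-mail,
    # if any, goes out of band and is not reflected in the response.
    return "If an account exists for that name, a reset link has been sent"

def leaks_usernames(handler) -> bool:
    # Self-check a defender can run against a login handler: probe a
    # known-valid and a known-invalid name with a wrong password and
    # report whether the responses differ.
    return handler("alice", "wrong") != handler("no-such-user", "wrong")

if __name__ == "__main__":
    print("leaky handler enumerable:", leaks_usernames(login_leaky))      # True
    print("uniform handler enumerable:", leaks_usernames(login_uniform))  # False
```

Response timing is the other channel; the dummy hash keeps the hashing cost equal, but a real deployment should also rate-limit per account and per source, as the article’s mitigation list suggests.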
Just as user enumeration takes place in an information system, it can also take place in an IT network. In network security, user enumeration can be defined as the process by which a malicious user identifies valid user accounts. This process can be either active or passive.
User enumeration in a network setting can be performed with a port scanner or an application-specific tool such as a brute-forcer. In the case of a port scanner, the scanner identifies active ports and the corresponding protocol running on each port. The malicious user running the port scanner then attempts to telnet or SSH to the port and protocol of their choosing. If the port and protocol are vulnerable to user enumeration, the malicious user will be able to identify valid accounts on the system, as they will be presented with a login screen. In some instances, the malicious user may also be able to identify which systems are active within the subnet.
In the context of wireless networks, user enumeration is the process of identifying valid users through either active or passive means. In a wireless network, a malicious user can identify valid user accounts by collecting and analyzing wireless network packets for information about the 802.11 standard, credential management (802.1X), WEP, WPA, WPA2, and SNMP.
Information gathered from the above sources can let malicious users identify valid user accounts on the network. Gathering information from wireless network packets in this way is known as wireless sniffing.
Credential management (802.1X) is the process by which a computer authenticates the user to the IT network. Credential management can be performed in two ways: with an identity or with a credential. Credentials are machine-specific, and identities are user-specific. Both of these approaches can leave the network vulnerable to user enumeration, in two ways. The first is through a brute-force or dictionary attack, performed by attempting to authenticate to the network with various combinations of user account names (identities) and passwords (credentials). The second is to analyze the EAPOL frames for data such as the source and destination MAC addresses, the BSSID, and the SSID. If a malicious user can enumerate valid user accounts from the information gathered from the EAPOL frames, they can attempt to authenticate to the network with those credentials.
Every network device has a unique Media Access Control (MAC) address. A malicious user may be able to identify valid user accounts by gathering the MAC addresses of network devices and using them in a brute-force or dictionary attack.
Preventing user enumeration should be a key focus of any login-based website build. Any digital agency you partner with should have a solid understanding of the kinds of user enumeration your website may be vulnerable to. Even better, they should be prepared to talk about CAPTCHAs, login attempt limits, login notifications, password reset protocols, and more.
Ready to learn more about user enumeration and how you can keep your website protected? Reach out to us at any time – we’re Right Here!