An enumeration attack is when cybercriminals use brute-force methods to check whether certain data exists in a web server's database.
In simple enumeration attacks, this data consists of usernames and passwords. More sophisticated attacks can reveal hostnames, SNMP and DNS information, and even confirm faulty network configuration settings.
Any web application module that communicates with a user database can become an enumeration attack vector if it is not secured.
The two most common targets of web application enumeration are:
- Login page
- Password reset page
Because the vulnerabilities that facilitate these attacks let attackers cross the information security boundary, enumeration is a critical component of penetration testing.
How do user enumeration attacks work?
During an enumeration attack, attackers look for distinctive server responses that confirm the validity of the credential they submitted.
The most obvious such response is a field validation message displayed after a web form is submitted. To explain the process, we will use the example of a username enumeration attack, in which attackers try to discover usernames in a web server's database.
Username Enumeration Attacks
This sequence of attacks usually starts by focusing on usernames only. The goal at this stage is to find as many valid usernames in the database as possible.
A web server with poor application security will respond to a non-existent username with an invalid-username message similar to:
![Username No error message](https://assets-global.website-files.com/5efc3ccdb72aaa7480ec8179/61a8405b18bc1c437f78da44_Enumeration%20Attacks%202.png)
Because this message only confirms the validity of the username, a threat actor can conclude that the username is not in the web server's database.
Next, the attacker submits the same password with different username variations until a sufficient list of verified usernames has been built.
Username variants come from purchased lists of leaked credentials or are generated with brute-force techniques.
Attackers then repeat the process with passwords, running brute-force techniques against all verified usernames until a working combination is finally found.
![There is no error message](https://assets-global.website-files.com/5efc3ccdb72aaa7480ec8179/61a8406b1b2e9c7d2befee61_Enumeration%20Attacks%203.png)
This type of attack can be carried out against any web application function whose processing includes database authentication.
How to Prevent Server Message Enumeration Attacks
The best way to obscure server confirmation messages is to display a generic message after failed login attempts, one that does not indicate which field was incorrect.
Here is an example:
![Error message Username and / or password do not exist](https://assets-global.website-files.com/5efc3ccdb72aaa7480ec8179/61a84092b54712303d193b4c_Enumeration%20Attacks%204.png)
Enumeration via server response times
The feedback mechanism above is the ideal scenario for an attacker. In practice, server responses that validate form fields are usually much more subtle.
A more sophisticated approach is to monitor server response times with penetration testing tools. Typically, servers take longer to respond to logins with invalid usernames than to logins with valid usernames.
Here is an example of such a server, identified through response-time validation with the testing tool Metasploit.
![Verify server response time that enables counting attack - Source: rapid7.com](https://assets-global.website-files.com/5efc3ccdb72aaa7480ec8179/61a46bcced6ded58155e2f77_Figure%205.jpeg)
In the example above, an incorrect username produced a failed-login message after 30 seconds.
By contrast, when the valid username “admin” was submitted, the server responded within 5 seconds, did not redirect the session, and even included the confirmation message “username valid”.
Even without such an explicit confirmation message, an attacker can easily pick out incorrect submissions by the longer server response times they produce.
How to prevent server response time enumeration attacks
To prevent attackers from correlating server response times with valid data entries, web application developers should avoid predictable timing patterns.
Server responses should be padded with random delays for both correct and incorrect values.
Examples of complex enumeration attacks
Complex enumeration attacks are used during reconnaissance to identify software vulnerabilities that can be exploited. Some examples of such attacks are listed below.
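As an added illustration (not code from the original post), here is a minimal Python login check in the two forms this post contrasts: a leaky handler that names the wrong field and returns instantly for unknown users, and a hardened one that returns the generic message, performs the same password-hashing work on every path, and can add the random padding recommended above. The user store, password, messages and PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 50_000  # PBKDF2 work factor; the same cost is paid on every path of the hardened handler

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store (username -> (salt, derived key)); not from the post.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record so that an unknown username costs exactly one PBKDF2 run, like a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """The behaviour the post warns about: field-specific messages and a fast path
    for unknown users, so both the text and the timing reveal which usernames exist."""
    if username not in USERS:
        return "Username does not exist"          # instant: no hashing is done
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"                   # confirms the username is valid

def login_hardened(username: str, password: str, jitter_ms: int = 0) -> str:
    """Generic message and identical work whether or not the username exists,
    plus optional random padding of the response, as the post recommends."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), stored)  # always runs
    if jitter_ms:
        time.sleep(secrets.randbelow(jitter_ms + 1) / 1000)
    return "OK" if (known and match) else "Username and/or password do not exist"

def response_time(handler, username: str, password: str) -> float:
    """Wall-clock seconds for one attempt; lets you compare the two handlers."""
    start = time.perf_counter()
    handler(username, password)
    return time.perf_counter() - start

if __name__ == "__main__":
    for h in (login_leaky, login_hardened):
        unknown = response_time(h, "nobody", "guess")
        known = response_time(h, "admin", "guess")
        print(f"{h.__name__}: unknown user {unknown * 1000:.1f} ms, known user {known * 1000:.1f} ms")
```

Running the block prints the gap an attacker would measure: the leaky handler answers unknown users far faster than known ones, while the hardened handler spends the same work on both.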
LDAP Enumeration
Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services, which are hierarchical structures of user records.
A successful LDAP enumeration attack may reveal the following sensitive information:
- Usernames
- Addresses
- Contact Information
- Business sector information
NetBIOS Enumeration
Network Basic Input Output System (NetBIOS) is an API that allows endpoints to access LAN resources.
Each NetBIOS name is a unique 16-character string that identifies a network device using TCP/IP.
NetBIOS enumeration attacks require printer and file sharing services to be enabled. They are carried out over port 139 on Microsoft operating systems.
A successful NetBIOS enumeration attack can enable further attacks on the compromised computer.
- The compromised endpoint can be recruited into a botnet and used to launch DDoS attacks.
- Attackers can perform further enumeration of privileged access accounts to gain access to sensitive resources.
SNMP Enumeration
Simple Network Management Protocol (SNMP) is a framework for querying or modifying information on network devices. SNMP is software-agnostic, meaning network devices can be accessed regardless of the software they run.
Attackers enumerate SNMP on remote devices to gather the following intelligence:
- Traffic behavior
- Remote device IDs
- Identifying information about devices and resources on the network
How to prevent enumeration attacks
Some cyber security controls that can prevent all types of enumeration attacks are listed below.
- Multi-factor authentication (MFA) – By requiring MFA with each login attempt, attackers cannot obtain any server responses without first supplying the correct authentication tokens. It is very unlikely that attackers have also compromised the separate endpoints that receive these tokens.
- Use CAPTCHA on all forms – CAPTCHAs are not as effective as MFA, but they do block automated enumeration attacks.
- Limit login attempts – CAPTCHAs and MFA hinder attackers by adding delay to each login attempt. This can be compounded with rate limiting, where the login process is blocked after a specified number of failed attempts from the same IP address.
- Use a Web Application Firewall (WAF) – WAFs can block suspicious connection attempts coming from a single IP address.
- Implement cyber awareness training – Train staff to recognize common tactics used to steal sensitive information by means other than enumeration, such as social engineering and phishing.
- Obscure API responses – If a login form calls an API, make sure its response messages do not reveal the validity of each individual field value.
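The rate-limiting control from the list above, as an added Python example (not code from the original post): failed attempts are counted per source IP inside a sliding window, and the IP is locked out once the configured threshold is reached. The thresholds, the IP address and the messages are constructed values.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

class FailedLoginLimiter:
    """Per-IP sliding-window counter of failed logins with a temporary lockout."""

    def __init__(self, max_failures: int = 5, window_s: float = 300.0, lockout_s: float = 900.0):
        self.max_failures = max_failures      # failures tolerated inside one window
        self.window_s = window_s              # length of the sliding window (seconds)
        self.lockout_s = lockout_s            # how long the IP stays blocked (seconds)
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> failure timestamps
        self._locked_until: Dict[str, float] = {}                    # ip -> lockout expiry

    def is_blocked(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._locked_until.pop(ip, None)      # lockout expired (or never existed)
        return False

    def record_failure(self, ip: str, now: Optional[float] = None) -> bool:
        """Count one failed attempt; returns True if it triggers a lockout."""
        now = time.monotonic() if now is None else now
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            recent.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)          # a successful login resets the counter

def attempt_login(limiter: FailedLoginLimiter, ip: str, credentials_ok: bool,
                  now: Optional[float] = None) -> str:
    """Wrap an authentication result with the limiter; returns the message shown to the client."""
    if limiter.is_blocked(ip, now):
        return "Too many failed attempts, try again later"   # same text regardless of username
    if credentials_ok:
        limiter.record_success(ip)
        return "OK"
    limiter.record_failure(ip, now)
    return "Username and/or password do not exist"            # generic message, as advised above
```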
Prevent enumeration attacks with UpGuard
UpGuard’s Data Leak Detection Service helps businesses close overlooked data leaks that could facilitate unauthorized access to web applications.