PAGE 02 - AUTHENTICATION

AUTHENTICATION &
LOGIN SECURITY

IAAA Framework - Auth Factors - Enumeration - Brute Force - Hydra

01 - IAAA FRAMEWORK

// WHAT IS IAAA?

Authentication is part of the IAAA framework, which governs how we manage who gets access to protected resources. IAAA stands for Identification, Authentication, Authorization, and Accountability. Think of it as the security guard and rulebook for your digital doorways. These four components work together, typically in order, to manage access securely.

1. IDENTIFICATION

Who are you? Your name, username, ID number, employee number, SSN, etc.

"I am Tinus" - Claiming an identity

2. AUTHENTICATION

Prove it! Should always be done with Multifactor Authentication.

"Prove you are Tinus" - Verifying the identity

3. AUTHORIZATION

What are you allowed to access? We use Access Control models.

"I can access the admin panel" - Permissions granted

4. ACCOUNTABILITY

Also referred to as Auditing. Trace an action to a subject's identity - non-repudiation.

Proving who performed a given action (logs, audit trails)

// IAAA APPLIED TO WEB APPS

Identification - Entering my username
Authentication - Providing my password + approving a 2FA prompt
Authorization - Once I log in, my profile page shows; that's authorization
Accountability - Server logs proving I visited my profile page

02 - AUTHENTICATION FACTORS

// 5 TYPES OF AUTHENTICATION

Modern authentication relies on multiple factors. The more factors used together (MFA), the stronger the authentication. No single factor is foolproof - combining them is key.

TYPE 1: SOMETHING YOU KNOW

Knowledge-based authentication - something only the user should know.

Examples: Passwords, Passphrases, PINs, Security Questions
Vulnerable to: brute force, phishing, social engineering

TYPE 2: SOMETHING YOU HAVE

Possession-based authentication - a physical item the user possesses.

Examples: Smart Cards, Tokens/Hardware Keys, Phone (OTP), ID/Passport
Vulnerable to: theft, loss, cloning

TYPE 3: SOMETHING YOU ARE

Biometric authentication - inherent physical or behavioral characteristics.

Examples: Fingerprint, Iris Scan, Facial Geometry, Voice
Caveat: cannot be changed if compromised; false positives possible

TYPE 4: SOMEWHERE YOU ARE

Location-based authentication - uses network or geographic context.

Examples: IP Address, MAC Address, GPS

TYPE 5: SOMETHING YOU DO

Behavioral authentication - how the user performs an action.

Examples: Signature, Typing Pattern, Gesture Unlock

MFA IS ESSENTIAL

Multifactor Authentication combines 2+ factors from different types. Even if one is compromised, the attacker still can't authenticate.

Best Practice: Combine Type 1 (password) + Type 2 (TOTP/hardware key) for strong auth

03 - ATTACKING LOGIN SYSTEMS

// USERNAME ENUMERATION

A vulnerability that allows an attacker to determine whether a specific username exists within an application. This occurs when a system responds differently depending on whether a provided username is valid or invalid.

Once valid usernames are identified, attackers can use them as a foundation for further attacks such as password guessing, credential stuffing, or social engineering. The real risk isn't guessing one username - it's automating the process to discover many.

Different Error Messages
"User does not exist" vs "Incorrect password" - attacker learns the username is valid.
Different Response Times
Systems may take longer when a username exists (additional password checks). Time-based enumeration.
Password Reset Leakage
"Account not found" vs "Password reset link sent" - reveals if an email has an account.
HTTP Response Differences
Different status codes, content length, or page structure for valid vs invalid usernames.
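The "different error messages" and "different response times" cases above, shown side by side as an added example (this is not code from the original page): a login check that answers "User does not exist" versus "Incorrect password", next to a hardened version that returns one generic message and always performs one password-hash computation, so neither the text nor the timing tells a caller whether the username exists. The user table, salt and password are constructed sample data.

```python
"""Username-enumeration oracle versus a hardened login (added example)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash; the same work is done on every path of the hardened login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Sample data only.
_SALT = os.urandom(16)
USERS = {"tinus": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record used for unknown usernames so the hardened path still hashes once.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"


def vulnerable_login(username: str, password: str) -> str:
    """Leaks username validity: distinct messages and no hashing for unknown users."""
    if username not in USERS:
        return "User does not exist"  # tells the caller the username is invalid
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"  # tells the caller the username is valid
    return "Login OK"


def hardened_login(username: str, password: str) -> str:
    """One generic failure message and one hash computation on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    # The explicit membership check guards against a (vanishingly unlikely)
    # match against the random dummy hash.
    if username in USERS and password_ok:
        return "Login OK"
    return GENERIC_FAILURE


def leaks_username(login_fn) -> bool:
    """True if a wrong password produces different messages for known vs unknown users."""
    return login_fn("tinus", "wrong-password") != login_fn("no-such-user", "wrong-password")


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_username(vulnerable_login))  # True
    print("hardened leaks:  ", leaks_username(hardened_login))    # False
```

The response-time side of the leak is closed the same way: because `hardened_login` hashes against a dummy record when the username is unknown, both branches cost roughly one PBKDF2 computation. Password-reset endpoints need the same treatment ("If an account exists, a reset link has been sent").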

// NO ACCOUNT LOCKOUT

When an application does not limit the number of failed login attempts, attackers can repeatedly try different passwords until they find the correct one.

Brute Force Attack

Many passwords against a single username. Tries every possible combination.

hydra -l admin -P rockyou.txt ssh://target

Password Spray Attack

A single password against many usernames. Avoids lockouts by trying each account only once per round.

Password123 → user1, user2, user3, ...
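Seen from the defender's side, the two patterns just described leave different footprints in the authentication log: brute force is many failures against one username, password spraying is one or two failures each across many usernames from the same source. The detector below, an added example that is not part of the original page, parses constructed SSH-style "Failed password" lines and labels each source address with the pattern it shows; the thresholds and the log lines themselves are made up for the illustration.

```python
"""Brute-force vs password-spray detection over auth log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for admin from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:03 host sshd[103]: Failed password for admin from 203.0.113.5 port 4003 ssh2
Jan 10 10:00:04 host sshd[104]: Failed password for admin from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:05 host sshd[105]: Failed password for admin from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:06 host sshd[106]: Failed password for admin from 203.0.113.5 port 4006 ssh2
Jan 10 10:01:00 host sshd[201]: Failed password for user1 from 198.51.100.7 port 5001 ssh2
Jan 10 10:01:01 host sshd[202]: Failed password for user2 from 198.51.100.7 port 5002 ssh2
Jan 10 10:01:02 host sshd[203]: Failed password for user3 from 198.51.100.7 port 5003 ssh2
Jan 10 10:01:03 host sshd[204]: Failed password for invalid user user4 from 198.51.100.7 port 5004 ssh2
Jan 10 10:01:04 host sshd[205]: Failed password for user5 from 198.51.100.7 port 5005 ssh2
Jan 10 10:01:05 host sshd[206]: Failed password for user6 from 198.51.100.7 port 5006 ssh2
Jan 10 10:02:00 host sshd[301]: Failed password for tinus from 192.0.2.9 port 6001 ssh2
Jan 10 10:02:05 host sshd[302]: Accepted password for tinus from 192.0.2.9 port 6001 ssh2
"""

# Matches the OpenSSH failure line, with or without the "invalid user" marker.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_failures(log_text: str) -> list[tuple[str, str]]:
    """Return (username, source_ip) for every failed-login line."""
    return [m.groups() for line in log_text.splitlines() if (m := FAILED_RE.search(line))]


def classify(failures, brute_threshold: int = 5, spray_threshold: int = 5) -> dict[str, str]:
    """Label each source IP as brute_force, password_spray or benign.

    brute_force:    one username hit at least brute_threshold times from this source.
    password_spray: at least spray_threshold distinct usernames, none hit more than twice.
    """
    per_ip: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for user, ip in failures:
        per_ip[ip][user] += 1

    findings = {}
    for ip, users in per_ip.items():
        hottest_account = max(users.values())
        if hottest_account >= brute_threshold:
            findings[ip] = "brute_force"
        elif len(users) >= spray_threshold and hottest_account <= 2:
            findings[ip] = "password_spray"
        else:
            findings[ip] = "benign"  # e.g. a user mistyping once before succeeding
    return findings


if __name__ == "__main__":
    for ip, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip:15} {verdict}")
```

The point of splitting the two labels is that they call for different controls: a per-account lockout (see the next section) stops the brute-force source, but a spray source stays under every account's lockout threshold, so it has to be caught by counting distinct usernames per source and rate-limiting or blocking that source instead.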

// WEAK PASSWORD POLICY

When an application allows passwords that don't meet sufficient security requirements. The most important factor: password length. Anything less than 12 characters is a bad idea.

Weak Policy Signs
  • Allows very short passwords (< 8 characters)
  • No complexity requirements
  • Allows common passwords (password123)
  • No account lockout after failures
  • Doesn't check against breached lists

Strong Policy Signs
  • Minimum 12+ character passwords
  • Passphrase support (longer = better)
  • Account lockout after N failures
  • Rate limiting on login endpoints
  • CAPTCHA after multiple failures
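As an added example (not code from the original page), here is what two of the "strong policy signs" look like when implemented: a password check enforcing the 12-character minimum and a breached/common-password list, and an account lockout that trips after N failures inside a time window and clears itself afterwards. The breached list is a constructed stand-in with a handful of entries; a real deployment would check against a full breach corpus.

```python
"""Password policy check and account lockout (added example)."""
from collections import defaultdict

MIN_LENGTH = 12

# Constructed stand-in for a breached/common password list (compared lower-cased).
BREACHED = {"password123", "password", "123456789012", "qwerty123456"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached/common password list")
    if len(set(password)) < 4:
        # Length alone is not enough: "aaaaaaaaaaaa" is 12 characters and trivial.
        problems.append("too few distinct characters")
    return problems


class LockoutTracker:
    """Lock an account after max_failures failed logins within window_seconds.

    Timestamps are passed in explicitly (seconds) so the behaviour is deterministic
    and testable; a server would pass time.monotonic().
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: dict[str, list[float]] = defaultdict(list)

    def _prune(self, username: str, now: float) -> None:
        # Forget failures that have aged out of the window.
        self._failures[username] = [t for t in self._failures[username] if now - t < self.window]

    def record_failure(self, username: str, now: float) -> None:
        self._prune(username, now)
        self._failures[username].append(now)

    def record_success(self, username: str) -> None:
        # A successful login resets the counter for that account.
        self._failures.pop(username, None)

    def is_locked(self, username: str, now: float) -> bool:
        self._prune(username, now)
        return len(self._failures[username]) >= self.max_failures


if __name__ == "__main__":
    print(check_password("Password123"))                  # short and breached
    print(check_password("correct horse battery staple"))  # []
    tracker = LockoutTracker()
    for t in range(5):
        tracker.record_failure("tinus", now=t)
    print(tracker.is_locked("tinus", now=5))     # True
    print(tracker.is_locked("tinus", now=1000))  # False, window expired
```

Note that a per-account lockout like this one is exactly the control a password spray is designed to stay under: each account sees a single failure per round. Lockout belongs alongside per-source rate limiting, not instead of it.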

04 - HYDRA - BRUTE FORCE TOOL

// WHAT IS HYDRA?

Hydra is an online brute-force password cracking program: a fast tool for guessing logins against live network services. It runs through a wordlist against many authentication services, including SSH, FTP, HTTP forms, SNMP, and 50+ more protocols.

HYDRA - SSH BRUTE FORCE

hydra -l <username> -P <wordlist_path> <target_ip> -t 4 ssh

Flag  Description
-l    Specifies the username for login
-L    File containing usernames to try
-p    Single password to try
-P    File containing passwords to try
-t    Number of parallel threads/tasks

Example: hydra -l root -P passwords.txt 10.10.10.10 -t 4 ssh

HYDRA - WEB FORM (POST)

hydra -l <username> -P <wordlist> <target_ip> http-post-form \
  "<path>:<login_credentials>:<invalid_response>"

Component  Description
<path>     Login page URL (e.g., /login.php)
^USER^     Placeholder replaced by the username
^PASS^     Placeholder replaced by the password from the list
F=...      String that appears in the response when login fails
-s <port>  Specify a non-default port

Example: hydra -l molly -P rockyou.txt 10.10.10.10 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect"

HYDRA - COMMON FLAGS

Flag       Description
-l <user>  Single username
-L <file>  Username list file
-p <pass>  Single password
-P <file>  Password list file
-t <num>   Parallel tasks/threads
-V         Verbose - show each attempt
-f         Stop after first valid login found
-s <port>  Target non-default port

SUPPORTED PROTOCOLS (PARTIAL)

SSH, FTP, HTTP-POST, HTTP-GET, HTTPS, SMTP, IMAP, POP3, MySQL, MSSQL, PostgreSQL, SMB, RDP, VNC, Telnet, SNMP, LDAP, Redis ... 50+ more

HYDRA COMMAND BUILDER

hydra -l molly -P rockyou.txt MACHINE_IP -t 4 ssh

05 - PRACTICE - AUTHENTICATION

// Q1 - IAAA
"I can access the admin panel" - match this to an IAAA component:
// Q2 - AUTH FACTORS
What do we call authentication that uses two or more factor categories?
// Q3 - ATTACKS
Which attack tries many passwords against a login service?
// Q4 - IAAA
"A picture of me accessing my profile page" - match this to an IAAA component:
// Q5 - IAAA
"I am Tinus" - match this to an IAAA component:
// Q6 - FACTORS
What authentication factor is answering a security question?
// Q7 - ATTACKS
What is the most well-known password list?
// Q8 - ATTACKS
What attack uses one password against many usernames?

06 - LINKS & TRAINING