This Wikipedia help page is outdated. Please update this Wikipedia help page to reflect recent events or newly available information. Please see the talk page for more information. The user can customize fonts, colors, positions of links in the… … Wikipedia
Digest access authentication - HTTP Persistence · Compression · HTTPS Request methods OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT Header fields Cookie · ETag · Location · Referer DNT · … Wikipedia
Code injection - is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or inject) code into a computer program to change the course of execution. The results of a code injection… … Wikipedia
Windows Live ID - An example of a Windows Live ID sign in page Type Single sign on … Wikipedia
Anti-spam techniques - To prevent e mail spam (aka unsolicited bulk email), both end users and administrators of e mail systems use various anti spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users… … Wikipedia
Anti-spam techniques (e-mail) - To prevent e mail spam, both end users and administrators of e mail systems use various anti spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one… … Wikipedia
SOCKS - is an Internet protocol that allows client server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for SOCKetS [ ]… … Wikipedia
E-mail address - An e mail address identifies a location to which e mail messages can be delivered. An e mail address on the modern Internet looks like, for example, [email protected] and is usually read as jsmith at example dot com . Many earlier e mail systems … Wikipedia
Privilege (computing) - In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a … Wikipedia
Password - For other uses, see Password (disambiguation). A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password… … Wikipedia
about URI scheme - about:blank redirects here. For the spyware variant aboutblank , see CoolWebSearch#Variants. About: redirects here. For other uses, see about; for the Wikipedia about page, see Wikipedia:about. about is an internal URI scheme (also known as a URL … Wikipedia
Эта же заметка посвящена вопросу как установить BeEF на Linux Mint или Ubuntu. В таких дестрибутивах как Kali Linux и BlackArch BeEF уже присутствует. Для других ОС Linux в официальной документации имеется сразу два руководства по установке BeEF:
- https://github.com/beefproject/beef/blob/master/INSTALL.txt
- https://github.com/beefproject/beef/wiki/Installation
Также имеется установочный скрипт BeEF:
В этой же заметке я покажу мой способ по установке BeEF на Linux Mint или на Ubuntu.
Всю установку можно выполнить следующим набором команд, которые нужно вводить в консоли:
Sudo apt install build-essential openssl libreadline6 libreadline6-dev zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev autoconf libc6-dev libncurses5-dev automake libtool bison subversion ruby git nodejs ruby-dev sudo gem update --system sudo gem install bundler rake rubocop git clone git://github.com/beefproject/beef.git cd beef sudo bundle install # up cd .. sudo mv beef/ /opt/ echo -e "#!/bin/bash\ncd /opt/beef/\n/opt/beef/beef "$@"" > ./beef && sudo mv ./beef /bin/beef && sudo chmod +x /bin/beef
Возможно, при вводе команды
Sudo bundle install
появится следующая ошибка:
/usr/local/bin/bundle:23:in `load": cannot load such file -- /usr/lib/ruby/gems/2.3.0/gems/bundler-1.16.1/exe/bundle (LoadError)
from /usr/local/bin/bundle:23:in `
Это ошибка Rubygems 2.7.5. Разработчики про неё знают и, конечно же, исправят. В качестве временного решения предлагается понижение до предыдущей версии:
Sudo gem update --system 2.7.4
Для запуска BeEF в Linux Mint или на Ubuntu выполните в терминале:
Sudo beef
После этого (не закрывая окно консоли) откройте в веб-браузере адрес http://localhost:3000/ui/panel , вы увидите панель входа BeEF:
По умолчанию логином и паролем являются beef /beef .
Вначале вы увидите, что доступно всего несколько действий, поскольку ещё ни один браузер не был подцеплен. Чтобы потренироваться в работе с BeEF, вы можете открыть в вашем браузере демо страницу (адрес должен быть http://localhost:3000/demos/basic.html и http://localhost:3000/demos/butcher/index.html)
Использование:
Beef [опции]
Доступные опции:
X, --reset Сбросить базу данных -v, --verbose Показать отладочную информацию -a, --ascii_art Напечатать арт BeEF ascii -c, --config ФАЙЛ Загрузить иной конфигурационный файл: если он назван custom-config.yaml, git автоматически игнорирует его. -p, --port ПОРТ Изменить порт по умолчанию, который BeEF прослушивает -w, --wsport WS_ПОРТ Изменить порт по умолчанию, который прослушивает BeEF WebSocket
Решение проблемы с ошибкой «ERROR: invalid username or password»: не подходят учётные данные, неверное имя пользователя или пароль
Как сказано выше, учётными данными по умолчанию являются beef/beef.
Тем не менее, эти учётные данные могут не работать, т.е. при попытке входа в панель управления BeEF будет показываться сообщение:
ERROR: invalid username or password
При запуске BeEF обратите внимание на следующие предупреждения:
[!] Warning: Default username and weak password in use! |_ New password for this instance:
В них сказано, что используется стандартное имя пользователя и слабый пароль. По этой причине без нашего ведома пароль был заменён на (у вас будет своё значение). Логином (именем пользователя) по-прежнему является beef.
Для изменения пароля (и имени пользователя) отредактируйте конфигурационный файл /opt/beef/config.yaml .
Login attempts fail because computer users can"t remember their email or didn"t input the right password. Most websites on the Internet won"t tell you which one is actually incorrect.
Hacker News:
If you tell an attacker the email address is wrong, they"ll try a different one. If you tell them the password is wrong, then an attacker knows that the username is correct, and can go on to try a bunch of passwords for that username until they hit the right one. So sites won"t tell you which one is wrong, to try and avoid the information disclosure.
Unfortunately this assumes that there"s no other way for an attacker to discover whether a username/email address is registered for a service . This assumption is incorrect.
99.9% of websites on the Internet will only let you create one account for each email address. So if you want to see if an email address has an account, try signing up for a new account with the same email address.
Here are all of the websites above, confirming that an account exists with my email address/username:
Hacker News:
So what we"ve done by promoting "Invalid username or password" is made our login form UX much, much worse, without increasing the security of our product.
If people don"t log in to your site every day (every site on the web except Facebook or Google), not remembering credentials is a huge barrier to accessing your site. Don"t make it harder by adding a vague error message that doesn"t increase your site"s security at all.
But there"s a tradeoff there between security and UX , I hear you say. I am trying to show you there is no tradeoff, as presented above; you are choosing between a better user experience and a worse user experience.
What should I do instead?
Here is an actual UX/security tradeoff: you can make the signup process email based. When someone attempts to sign up with an email address, you send them an email to complete the registration process. If they don"t control the email inbox, they can"t see whether the email address has an account already. This is much more arduous and requires two context switches (go into your email, avoid distraction, wait for email to arrive, click link in email, remember what you were doing on site). I don"t recommend this, because of the context switches, though you can implement it.
Otherwise, accept that your login page and your signup pages are targets for malicious behavior, and design appropriately.
Rate limiting can go a fair way to preventing brute force attacks. To find email addresses, an attacker is going to need to try a lot of email addresses and/or a lot of passwords, and get a lot of them wrong. Consider throttling invalid login attempts by IP address or subnet. Check submitted passwords against a dictionary of common passwords (123456, monkey, etc) and ban that traffic extra hard. Exponential backoff (forcing attackers to try again after 1, 2, 4, 8, 16.. seconds) is useful.
Give guidance to users about creating strong passwords. Allow easy integration with LastPass or 1Password.
Add a 2-factor auth option to your website. Encourage users to use it.
Warn users about malicious behavior ("someone is trying to snoop your password") and contact them about suspicious logins.
Yep, doubly so if you have a non-form submission way of checking user existence, e.g. /user/:user/ as a route.
Thanks for correcting that misinformation in my mind.
Heh, after an independent security review we are being forced to take this even further;
We lock people out for five minutes after three invalid login attempts. We are no longer allowed to tell users they have been locked out. So, even if they do remember their password (or even does a reset) we just have to tell them their uid/pwd is wrong when they try to log in. And for “forgot password”? Just tell the user “we have sent you an email – IF we recognised the email you put in”.
As for rate limiting; Doing it well can be a fair bit of work. I simply put an artifical one second delay into any response where the uid or password was wrong. Short enough to not annoy real users, long enough to effectively prevent brute force attacks. And even if someone did try brute force, monitoring would pick that up long before they tried a meaningful number of combinations.
I was just having this discussion with a co-worker recently and neither of us thought of the fact that the sign up process bleeds this information anyway!
I disagree with adding two factor authentication as a general recommendation outside of very sensitive data. (On the flip side, its appalling that none of the banks or financial institutions I’ve worked with won’t even permit two factor authentication.)
I’ve implemented this as you suggest by sending the email either way and not disclosing the existence of the account. For me it was a privacy issue as this was for a job board, and we wanted to be sensitive to job seeker’s privacy.
On top of the concerns about exposing sensitive email addresses for signups to services that might have larger repercussions (hey, just signed up for a subversive website!), the other thing is that you shouldn’t allow people to sign up for an account without confirming that account – I shouldn’t be able to sign you up for fascists weekly without confirmation that I actually own your email address.
Emails are public individually, but correlation between emails and accounts on certain websites can be sensitive information. For example, some people would be very interested in the email addresses associated with underground marketplaces.
So don’t leak email addresses unless you’re comfortable with making a choice for your users on the security tradeoffs of known users of your service in a larger scale, and expect that your users that have shared passwords between sites are going to be ok with their accounts being trivially compromisable on a short basis. (AKA, anytime someone decrypts/discovers a password, expect a pass of trying that password anywhere that username is confirmed is going to take place). If you’re storing any sort of sensitive information, or information that could be used to compromise other accounts, best not to affiliate those usernames with your service. See Mat Honen’s stream of service compromises to lead to ownage of his twitter account.
The goal isn’t to be un-ownable, it’s to increase the cost of attack, and making sure that attackers cannot identify who your users are increases that cost.
Honeypots are also very useful in detecting malicious behavior and have very few repercussions on real users.
Note that if you do go the rate-limiting path, be careful not to implement it in such a way that a malicious individual can easily lock the rightful owner of the account out by spamming login attempts.
It is not useless if you have different rate-limiting and security monitoring for login and new user registration.
The bank I work at is an excellent example. Creating an account is a heavyweight process with several controls, and we do NOT want to leak information about what accounts exist to everyone capable of attempting logins.
Dude, thanks for posting this and “correcting that misinformation in minds”.
I chuckle at how widely held this reasoning is among developers who think they know what they’re doing (like me, having made this argument to clients and UX people) and yet they never thought twice about the signup page!
Conventional wisdom shattered… Nice article!
Great post – agree in full. Question: any tips on how to “allow easy integration with LastPass or 1Password”?
A security method that identifies a specific, authorized user of a computer system, a network, or a resource by a unique string of characters. In general, passwords should be a mixture of upper and lowercase letters and numbers and should… … Dictionary of networking
Password - For other uses, see Password (disambiguation). A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password… … Wikipedia
Infobox company company name = U3 LLC. company company type = Private company slogan = Your digital universe in your pocket. foundation = 2004 location = Redwood City, CA industry = Computer homepage = U3 is a… … Wikipedia
EncFS - Infobox Software name = EncFS caption = developer = Valient Gough latest release version = 1.4.2 latest release date = April 13 2008 latest preview version = latest preview date = operating system = Linux, FreeBSD platform = genre = filesystem,… … Wikipedia
POP3 - У этого термина существуют и другие значения, см. Pop. POP3 Название: Post Office Protocol 3 Уровень (по модели OSI): Прикладной Семейство: TCP/IP Порт/ID: 110/TCP Назначение протокола: Получение электронной почты Спецификация … Википедия
Secure error messages in software systems - In computer security and usability of software systems, an important issue is the design of error messages in a way that prevents security vulnerabilities. This aspect of software security has only recently begun to receive increased attention.… … Wikipedia
List of Mega Man characters - This is a list of characters from the Mega Man series. In Japan, the Mega Man series is known as Rockman. Contents 1 Main characters 1.1 Mega Man 1.2 Dr. Light … Wikipedia
Anti-spam techniques (e-mail) - To prevent e mail spam, both end users and administrators of e mail systems use various anti spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one… … Wikipedia
Anti-spam techniques - To prevent e mail spam (aka unsolicited bulk email), both end users and administrators of e mail systems use various anti spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users… … Wikipedia
HTML element - This article is about the HTML elements in general. For information on how to format Wikipedia entries, see Help:Wiki markup and Help:HTML in wikitext HTML HTML and HTML5 Dynamic HTML XHTML XHTML Mobile Profile and C HTML Canvas element Character … Wikipedia
Digest access authentication - HTTP Persistence · Compression · HTTPS Request methods OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT Header fields Cookie · ETag · Location · Referer DNT · … Wikipedia
