The main reason why passwords should not be reused is the attack we are now learning about.

Trying leaked username-password pairs from data breaches onto various services is called "credential stuffing", I can't even attempt to come up with a Finnish equivalent for it. "Stuffing credentials"?

Service A has a data leak and all email addresses and passwords of its users end up on the internet.

Service B does not have a data leak, but many users of service A also use service B.

The attacker tries all the service A credentials on service B.

All accounts that used the same password in service A will be hijacked.

Your task at the exercise location is to hack into at least ten different accounts on DefaceBook. You can download a file from the exercise's front page that contains leaked usernames from another service. Start by copying the link address so that you can then use the wget command to download the file in the attacker's terminal.

We are using THC Hydra again for performing the attack. If you haven't done the previous module yet, please do it first as we go through the basics of Hydra there.

Let's first inspect with the head command what format the data leak "dump" is.

The format is "username:password". Good, hydra supports this format directly. This time we are not using -l/-L (username/username list) or -p/-P (password/password list), but we are using -C (credentials) which means that we use a file where username-password pairs are one per line, separated by a colon.

The steps are otherwise the same as in the previous module.

It is easy to protect oneself from such attacks, you just need to use a password manager. In addition, it is advisable to subscribe to the notifications of the Have I Been Pwned service when your credentials leak in a data breach. You can subscribe to them here: 

Protecting the service is actually a more challenging issue. In practice, the situation we are trying to prepare for is that the attacker has the user's login information for the service.

One important thing is to encourage users to enable multi-factor authentication, and warn about the risks of password reuse.

It is also advisable to request additional information from the user, such as two-factor authentication, whenever a login attempt occurs from an unusual location, a new device, or under otherwise suspicious circumstances.

) include functions for automatically detecting compromised passwords in a data breach. You can also implement such a feature yourself using the 

Tällaisilta hyökkäyksiltä on helppo suojata itsensä, ei tarvitse kuin käyttää salasananhallintaohjelmaa. Lisäksi kannattaa tilata Have I Been Pwned -palvelun ilmoitukset kun sinun tunnuksesi vuotaa jossain tietovuodossa. Voit tilata ne täältä: 

Palvelun suojaaminen onkin sitten haastavampi juttu. Käytännössä tilanne johon koitetaan varautua on se, että hyökkääjällä on palvelun käyttäjäjän tunnus ja salasana tiedossa.

Yksi tärkeä asia on kehottaa käyttäjiä ottamaan monivaiheinen tunnistautuminen käyttöön, ja varoittaa salasanan uudelleenkäytön riskeistä.

Käyttäjältä kannattaa myös pyytää lisätietoja, esimerkiksi sitä kaksivaiheista tunnistautumista, aina kun kirjautumisyritys tapahtuu epätavalliselta alueelta, uudelta laitteelta, tai muuten epäilyttävissä olosuhteissa.

) sisältävät toimintoja joilla voidaan automaattisesti havaita tietovuodossa vaarantuneita salasanoja. Voit myös toteuttaa tällaisen toiminnon itse 

Protection against Credential Stuffing Attacks

Suojautuminen Credential Stuffing -Hyökkäyksiltä

On the homepage is a list of leaked username-password pairs that you can try.

In this lab, you get to try how criminals exploit user credential pairs compiled from data breaches and test them on different services.

Exploiting Leaked Passwords (Credential Stuffing)

## Do not reuse passwords!

The main reason why passwords should not be reused is the attack we are now learning about.

Trying leaked username-password pairs from data breaches onto various services is called "credential stuffing", I can't even attempt to come up with a Finnish equivalent for it. "Stuffing credentials"?

---

## Attack process

- Service A has a data leak and all email addresses and passwords of its users end up on the internet.
- Service B does not have a data leak, but many users of service A also use service B.
- The attacker tries all the service A credentials on service B.
- All accounts that used the same password in service A will be hijacked.

---

## Exercise

Your task at the exercise location is to hack into at least ten different accounts on DefaceBook. You can download a file from the exercise's front page that contains leaked usernames from another service. Start by copying the link address so that you can then use the wget command to download the file in the attacker's terminal.

![](sanity:image-50765aa6f80b7f248090b05628420f673e4719a2-880x753-png)

![](sanity:image-529aa643825002653fa3a4798c06417fd9ab3387-962x275-png)

---

## Configuring Hydram

We are using THC Hydra again for performing the attack. If you haven't done the previous module yet, please do it first as we go through the basics of Hydra there.

Let's first inspect with the head command what format the data leak "dump" is.

![](sanity:image-f2582c9ed01fe208741e7b2e0afbf8eaee8855d9-493x197-png)

The format is "username:password". Good, hydra supports this format directly. This time we are not using -l/-L (username/username list) or -p/-P (password/password list), but we are using -C (credentials) which means that we use a file where username-password pairs are one per line, separated by a colon.

The steps are otherwise the same as in the previous module.

---

## Attack

```sh
Hydra -t4 -C breach.txt www-6uxmwrlrqe.ha-target.com https-post-form "/login:email=^USER^&password=^PASS^:F=Invalid"
```

![](sanity:image-9454c4944ded1449d465ee3d29381a6f178fc9fb-1229x322-png)

@embed 9fe81ccbc536

@exercise 6860e8dfbe72


Tällaisilta hyökkäyksiltä on helppo suojata itsensä, ei tarvitse kuin käyttää salasananhallintaohjelmaa. Lisäksi kannattaa tilata Have I Been Pwned -palvelun ilmoitukset kun sinun tunnuksesi vuotaa jossain tietovuodossa. Voit tilata ne täältä: [https://haveibeenpwned.com/NotifyMe](https://haveibeenpwned.com/NotifyMe)

Palvelun suojaaminen onkin sitten haastavampi juttu. Käytännössä tilanne johon koitetaan varautua on se, että hyökkääjällä on palvelun käyttäjäjän tunnus ja salasana tiedossa.

Yksi tärkeä asia on kehottaa käyttäjiä ottamaan monivaiheinen tunnistautuminen käyttöön, ja varoittaa salasanan uudelleenkäytön riskeistä.

Käyttäjältä kannattaa myös pyytää lisätietoja, esimerkiksi sitä kaksivaiheista tunnistautumista, aina kun kirjautumisyritys tapahtuu epätavalliselta alueelta, uudelta laitteelta, tai muuten epäilyttävissä olosuhteissa.

Jotkut tunnistuspalvelut (esim. [Auth0](https://auth0.com/)) sisältävät toimintoja joilla voidaan automaattisesti havaita tietovuodossa vaarantuneita salasanoja. Voit myös toteuttaa tällaisen toiminnon itse [HaveI Been Pwned](https://haveibeenpwned.com/) -rajapinnalla.

Credential Stuffing attacks in data breaches

Passwords are terribly insecure for an awful lot of reasons, but still necessary. A dangerous combination!

Passwords are unbelievably insecure for a number of horrifying reasons, but still necessary. A dangerous combination!

Credential Stuffing attacks in data breaches

Do not reuse passwords!

Learn to hack — start here