Credential Harvesting

Dictionary Term


Alternative Forms

  • Harvesting

Definitions

Definition 1

Credential harvesting is a class of cyberattacks characterized by collecting information on available authentication mechanisms (e.g., identities, identity attributes, certificates, credentials, and sessions) with the objective of leveraging this information to compromise information security domains and/or abuse identities.

Credential harvesting targets indiscriminate identities and certificates within a certain scope in the hope of finding vulnerable ones and eventually exploiting them. In this respect, credential harvesting opportunistically seeks to find exploitable authentication solutions. It is distinct from attacks that target specific identities or certificates.

Credential harvesting may be used during various attack stages, including reconnaissance, initial exploitation, privilege escalation, and lateral movement.

Information collected by credential harvesting pertains to authentication-related information types that may be leveraged for exploitation, such as identity attributes, credentials, or session information. This comprises:

  • Email address

  • Login ID

  • Password

  • Password hash

  • Private key

  • Session ID, key, or token

  • SSH key


Data sources from which credential information may be harvested vary. Typical ones are:

  • Address books

  • Browser history

  • Computer memory (e.g., cached credentials, login ids, plaintext passwords, session tokens)

  • Configuration files

  • Databases

  • Documents (e.g., email addresses, login ids, passwords)

  • Email or application services that allow guessing attributes/dictionary attacks

  • Identity repositories (e.g., LDAP, Windows Active Directory)

  • People (through social engineering)

  • Phishing or trojan websites (e.g., login ids, passwords, second authentication factor)

  • Reusable identity attributes or credentials obtained from previous data breaches

  • Web cookies

  • Web query parameters

  • Web sites, social networks, and forums (e.g., email addresses via web scraping)

  • Windows registry

Among these, some information types may be publicly or easily available (e.g., email addresses that may be collected by web scraping on public websites or forums), while others may be protected and harder to reach (e.g., cached credentials stored in computer memory).

The collected information may be insufficient for exploitation and may need to be complemented with other techniques (e.g., executing a dictionary attack on harvested password hashes).
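Added example (not part of the original dictionary entry): a small secrets scanner written from the defender's side, which looks through configuration files and documents for the information types listed above (passwords, private keys, session tokens, email addresses) so they can be removed before an attacker harvests them. The file contents, paths and the patterns are constructed for this illustration; a production scanner would use a larger pattern set and walk the real filesystem or repository.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for configuration files and documents
# on a host; none of these values are real secrets.
SAMPLE_FILES: Dict[str, str] = {
    "app/settings.ini": (
        "[database]\n"
        "host = db.internal.example\n"
        "user = appsvc\n"
        "password = Sup3rS3cret!\n"
        "\n"
        "[mail]\n"
        "admin_email = ops@example.com\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "web/session.env": (
        "SESSION_TOKEN=eyJhbGciOiJIUzI1NiJ9.constructed.payload\n"
        "DEBUG=false\n"
    ),
    "docs/README.txt": "Nothing sensitive here.\n",
}

# Each pattern is tagged with the information type from the list above.
# Keyword patterns are anchored to the line start so they do not fire on
# prose that merely mentions the word "password".
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("password", re.compile(r"(?im)^[ \t]*(?:password|passwd|pwd)[ \t]*[=:][ \t]*\S+")),
    ("private key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
    ("session token", re.compile(r"(?im)^[ \t]*\w*(?:session|token)\w*[ \t]*[=:][ \t]*\S+")),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]


def scan_text(text: str) -> List[Tuple[str, int]]:
    """Return (information type, line number) for every match in one file."""
    findings = []
    for label, pattern in PATTERNS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((label, line_no))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan every file and keep only those with at least one finding."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def summarize(report: Dict[str, List[Tuple[str, int]]]) -> Dict[str, int]:
    """Count findings per information type, for a quick exposure overview."""
    counts: Dict[str, int] = {}
    for hits in report.values():
        for label, _ in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES)
    for path, hits in result.items():
        for label, line_no in hits:
            print(f"{path}:{line_no}: exposed {label}")
    print(summarize(result))
```

The scanner reports locations rather than the matched values themselves, so its own output does not become another document from which credentials can be harvested.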

Credential harvesting may be designated by the identity attribute or credential that is being harvested, e.g., email address harvesting or password harvesting. Password harvesting specifically focuses on passwords. Email harvesting is a specialized and limited form of credential harvesting frequently used for phishing purposes.

Information may be collected or guessed (e.g., guessing login ids from naming conventions). Information collection may be executed:

  • by accessing the information directly, when it is publicly or easily available (e.g., email addresses collected by web scraping or by scanning configuration files),

  • by hacking it (e.g., accessing live memory to read plaintext passwords in cached credentials), or

  • by guessing it (e.g., email addresses or login ids derived from naming conventions).

Threat actors engaging in credential harvesting may vary. They include:

  • Bots, crawlers, scanners

  • Humans

  • Worms (e.g., Nimda)
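Added example (not part of the original dictionary entry): detection logic that exploits the indiscriminate character described in Definition 1. Bots, scanners and worms that harvest credentials typically try many distinct identities from one source, and a decoy identity (the "canary identity" listed under countermeasures) is never used legitimately, so any attempt against it is a signal. The log format, the addresses (RFC 5737 documentation ranges), the account names and the threshold are constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log lines; one source tries six different accounts,
# one source is a user mistyping their own password, one source touches a decoy.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-02T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-02T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-02T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-02T10:00:06Z src=203.0.113.7 user=frank result=OK
2024-05-02T10:05:10Z src=198.51.100.4 user=bob result=FAIL
2024-05-02T10:05:15Z src=198.51.100.4 user=bob result=OK
2024-05-02T10:07:00Z src=198.51.100.9 user=svc-backup-legacy result=FAIL
"""

# Canary identity: created only as a decoy, so no legitimate login ever uses it.
CANARY_ACCOUNTS: Set[str] = {"svc-backup-legacy"}
# Distinct accounts attempted from one source before it is treated as indiscriminate.
SPRAY_THRESHOLD = 5


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events: List[Dict[str, str]], threshold: int = SPRAY_THRESHOLD) -> Dict[str, int]:
    """Sources that attempted at least `threshold` distinct accounts (the indiscriminate pattern)."""
    users_by_src: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_by_src[e["src"]].add(e["user"])
    return {src: len(users) for src, users in users_by_src.items() if len(users) >= threshold}


def accounts_at_risk(events: List[Dict[str, str]], threshold: int = SPRAY_THRESHOLD) -> Set[str]:
    """Accounts that authenticated successfully from an indiscriminate source: reset these first."""
    spray_sources = detect_spray(events, threshold)
    return {e["user"] for e in events if e["src"] in spray_sources and e["result"] == "OK"}


def detect_canary(events: List[Dict[str, str]], canaries: Set[str] = CANARY_ACCOUNTS) -> List[str]:
    """Every event touching a canary identity, successful or not, is an alert."""
    return [f'{e["ts"]} {e["src"]} {e["user"]} {e["result"]}' for e in events if e["user"] in canaries]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("indiscriminate sources:", detect_spray(evs))
    print("accounts to reset:", accounts_at_risk(evs))
    print("canary alerts:", detect_canary(evs))
```

The single user who fails once and then succeeds from 198.51.100.4 stays below the threshold, which is the point of counting distinct identities per source rather than raw failures.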

Example countermeasures that may be effective against credential harvesting include:

  • Access controls / need-to-know

  • Deception (canary identities, honeypots)

  • Disabling credential caching

  • Digital Rights Management (DRM)

  • Encryption

  • Hardware Security Module (HSM)

  • Multi-Factor Authentication (MFA)

  • Not reusing passwords

  • Password Managers

  • Privileged Access Management (PAM)

  • Security awareness programs

  • System hardening
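Added example (not part of the original dictionary entry): a password-acceptance check supporting the "Not reusing passwords" countermeasure, since credentials from previous data breaches are listed above as a harvesting source. It follows the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API, where only the first five hex characters of the password's SHA-1 are sent and the service returns "SUFFIX:COUNT" lines for that prefix. The range table here is a constructed offline stand-in (the counts and the second entry are made up; only the SHA-1 of "password" is real), so the example runs without network access.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count table; blank lines are ignored."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus, or 0 if unseen.
    Only the 5-char prefix leaves this process; the full hash never does."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(range_lookup(prefix))
    return table.get(suffix, 0)


def is_acceptable(password: str, range_lookup: Callable[[str], str]) -> bool:
    """Policy: reject any password already present in a known breach."""
    return breach_count(password, range_lookup) == 0


# Constructed offline stand-in for the range endpoint. The first suffix is the
# real SHA-1 remainder of "password"; the counts and the second entry are made up.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\n" + "0" * 34 + "A:2\n",
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for an HTTPS GET of <range endpoint>/<prefix>; '' means no entries for that prefix."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "rejected" if not is_acceptable(candidate, offline_lookup) else "accepted")
```

Swapping offline_lookup for a real HTTPS fetch of the range endpoint keeps the same privacy property: the server only ever learns a prefix shared by roughly a million other hashes.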

Sample Sentences

Eve, the hacker, tricked Bob, the user, by cleverly forging a spearphishing email. When Bob clicked on the link in that email, he did not notice anything unusual, but his laptop got compromised. Once in, Eve started to harvest credentials with the intention of moving laterally within Bob's corporate network. Luckily for her, she quickly found the cached credentials of Alice, an engineer from the IT support team who had previously logged in on Bob's laptop to help him with a technical issue.

Conceptual Diagram


Related Terms

  • Password

  • Worm

Quotes

  • Albanese and Sonnenreich, 2004, p. 110

  • Albanese and Sonnenreich, 2004, p. 164-165

  • Anderson, 2020, p. 58

  • Benantar, 2006, p. 127

  • Bradley, 2019, p. 1

  • Brotherston and Berlin, 2017, p. 189

  • Cavalancia, 2021, p. 9

  • CERT/CC, CA-2001-26, 2001, p. 130

Bibliography

See Also
