
Credential Harvesting


Dictionary Term

Alternative Forms

  • Harvesting

Definitions

Definition 1

Credential harvesting is a class of cyberattacks characterized by the collection of information on authentication options (e.g.: identity attributes, certificates, credentials, and sessions) with the objective of leveraging this information to compromise an information security domain and/or abuse identities.

Credential harvesting targets indiscriminate authentication options within a target scope in the hope of finding vulnerable ones and eventually exploiting them. In this respect, credential harvesting is distinct from attacks targeting specific authentication options, especially targeted identities.

Credential harvesting may be used during various attack stages, including reconnaissance, initial exploitation, and lateral movement.

Information collected by the credential harvesting process may be of any information type related to authentication options that can be leveraged for exploitation, such as identity attributes, credentials, or session information. This comprises:

  • Email address

  • Login ID

  • Password

  • Password hash

  • Private key

  • Session ID

  • SSH key

The collected information may be insufficient for exploitation and may need to be complemented with other techniques (e.g. executing a dictionary attack on collected password hashes).

Example data sources used to harvest credentials include:

  • Computer memory (e.g. login ids, plaintext passwords, session tokens)

  • Configuration files

  • Databases

  • Documents (e.g. email addresses, login ids, passwords)

  • Email or application services that allow guessing attributes/dictionary attacks

  • Identity repositories (e.g. LDAP, Windows Active Directory)

  • People (through social engineering)

  • Phishing websites (e.g. login ids, passwords, second authentication factor)

  • Reusable identity attributes or credentials obtained from previous data breaches

  • Web cookies

  • Web query parameters

  • Web sites, social networks, and forums (e.g. email addresses via web scraping)

  • Windows registry

Among these, some information may be publicly or easily available (e.g. email addresses that may be collected by web scraping on public websites or forums), while other information may be confidential and difficult to obtain (e.g. plaintext passwords in cached credentials stored in computer memory).

Credential harvesting may be designated by the identity attribute or credential that is being harvested, e.g.: email address harvesting or password harvesting. Email harvesting is a specialized and limited form of credential harvesting frequently used for phishing purposes.

Information may be collected by accessing it directly, when it is publicly or easily available (e.g. email addresses collected by web scraping, or configuration files); by hacking (e.g. accessing live memory to read plaintext passwords in cached credentials); or by guessing it (e.g. guessing login IDs from naming conventions). Examples of guessing approaches are the

Example classes of threat actors who may engage in credential harvesting include:

  • Bots

  • Humans

  • Worms (e.g. Nimda)

Example countermeasures that may be effective against credential harvesting include:

  • Access controls / need-to-know

  • Deception (canary identities, honeypots)

  • Disabling credential caching

  • Digital Rights Management (DRM)

  • Encryption

  • Hardware Security Module (HSM)

  • Multi-Factor Authentication (MFA)

  • Password Managers

  • Privileged Access Management (PAM)

  • Security awareness programs

  • System hardening
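Two of the traits described on this page lend themselves to detection: the definition's point that harvesting is indiscriminate (one source trying many authentication options within a scope), and the "Deception (canary identities, honeypots)" countermeasure, where an identity that exists only as a tripwire should never see a login attempt. The following added example, which is not part of the original dictionary entry, runs both checks over constructed authentication log lines. The log format, the canary account names, and the thresholds are assumptions made for this example.

```python
"""
Added example (not part of the original dictionary entry): a small detector
for two signatures of credential harvesting over authentication logs.

Signature 1 -- indiscriminate guessing: one source attempts many distinct
login IDs in a short window (the "indiscriminate" trait in the definition).
Signature 2 -- deception tripwire: any attempt against a canary identity,
an account that exists only to be found by a harvester.

The log format, canary names and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth src=10.0.0.5 user=alice result=success
2024-03-01T09:00:05Z auth src=203.0.113.9 user=jsmith result=failure
2024-03-01T09:00:06Z auth src=203.0.113.9 user=jdoe result=failure
2024-03-01T09:00:07Z auth src=203.0.113.9 user=mbrown result=failure
2024-03-01T09:00:08Z auth src=203.0.113.9 user=svc-backup-canary result=failure
2024-03-01T09:00:09Z auth src=203.0.113.9 user=asmith result=failure
2024-03-01T09:00:10Z auth src=203.0.113.9 user=bjones result=failure
2024-03-01T09:05:00Z auth src=10.0.0.7 user=bob result=success
2024-03-01T09:30:00Z auth src=10.0.0.7 user=bob result=failure
"""

# Canary identities: assumed names, provisioned purely as tripwires and
# never used by a real person or service.
CANARY_IDENTITIES = {"svc-backup-canary", "it-admin-old"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def canary_hits(events):
    """Signature 2: every attempt, successful or not, against a canary identity."""
    return [(ev["src"], ev["user"]) for ev in events if ev["user"] in CANARY_IDENTITIES]


def indiscriminate_sources(events, min_users=5, window=timedelta(minutes=1)):
    """Signature 1: sources that try at least min_users distinct login IDs
    inside any sliding window of the given length. Returns {src: max_distinct}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the left edge until the window fits the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("indiscriminate sources:", indiscriminate_sources(events))
    print("canary hits:", canary_hits(events))
```

The canary check deliberately ignores the result field: a failed attempt against a tripwire identity is just as telling as a successful one, since the only way to learn that the account exists is to have harvested it from somewhere. The sliding-window count is what separates a harvester from a legitimate user who mistypes a password a few times, which is why the second source in the sample (two attempts for one user, half an hour apart) is not flagged.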

Sample Sentences

Eve, the hacker, tricked Bob, the user, by cleverly forging a spearphishing email. When Bob clicked on the link, he didn't notice anything unusual as his laptop was compromised. Once in, Eve started to harvest credentials. Luckily for her, she quickly found the cached credential of Alice, an engineer from the IT support team who had previously logged in on Bob's laptop to help with a technical issue.

Conceptual Diagram

Related Terms

  • Password

  • Worm

Quotes


Bibliography

See Also
