Enumeration

During enumeration an adversary actively collects information about the hosts and applications on a network and about the user accounts in use on it. Protocols such as ICMP and SNMP can give a detailed picture of a network, which is as useful for attacking it as for defending it.

Mitigation

  • Protect network resources and services
    • Remove network services that are running but are not being used.
    • Remove default user accounts that have no passwords.
    • Remove guest accounts.
  • Protect user accounts on web sites
    • Return a generic “No such username or password” message when a login failure occurs.
    • Make sure the response time is the same whether the username does not exist or the password is wrong; returning early for unknown usernames (and skipping the password hash check) is a measurable difference.
    • A “forgotten password” page must not reveal usernames.
    • If the password reset process involves sending an email with a password reset link, have the user enter their email address and not a username for requesting the reset.
    • Do not have the site tell people that a supplied username is already taken.
    • If usernames are email addresses, send a password reset email if a user tries to register an existing address.
    • If usernames are not email addresses, protect the login and registration pages with, for example, a CAPTCHA. CAPTCHAs can be bypassed with Optical Character Recognition (OCR) software and other complementary mechanisms, but if the username is only checked after the form is submitted and a fresh CAPTCHA is issued whenever the name turns out to be taken, every probe costs the attacker another solve. This at least slows down any automated process.
    • If users have profile pages, make sure they are visible only to other users who are already logged in.
    • Ensure a hidden profile is indistinguishable from a non-existent profile.
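A minimal implementation of the web-site items above, added here as an example; it is not code from the original page. It assumes usernames are email addresses, keeps users in an in-memory dictionary with constructed sample data, stands in a list for the mail system, and hashes passwords with PBKDF2-HMAC-SHA256 from the Python standard library. The message strings, the iteration count and the deliberately leaky login_leaky function used for contrast are likewise the example's own choices.

```python
"""Enumeration-resistant login, registration, reset and profile handlers.

Added example, not part of the original page. Usernames are email addresses;
the user store, outbox and message texts are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 rounds; illustrative value, tune for your hardware
GENERIC_LOGIN = "No such username or password"
GENERIC_REGISTER = "Check your email to finish setting up your account"
GENERIC_RESET = "If that address is registered, a reset link has been sent"

# In-memory store: email -> (salt, pbkdf2 hash). Constructed sample data only.
USERS: Dict[str, Tuple[bytes, bytes]] = {}
# Stands in for the mail system: (recipient, message). Never shown to the requester.
OUTBOX: List[Tuple[str, str]] = []
# Users who chose to hide their profile page.
HIDDEN_PROFILES: Set[str] = set()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Dummy credential used when the username does not exist, so that the server
# performs the same PBKDF2 work on every login attempt (hypothetical values).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> Tuple[bool, str]:
    """Vulnerable version: distinct messages, and no hashing for unknown users."""
    if email not in USERS:
        return False, "No such user"  # fast path, no PBKDF2: timing and message leak
    salt, stored = USERS[email]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, "Incorrect password"


def login(email: str, password: str) -> Tuple[bool, str]:
    """Hardened version: one message, and PBKDF2 runs whether or not the user exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest is constant-time; the membership test is a cheap dict lookup
    # that guards against the (negligible) chance of a dummy-hash collision.
    ok = hmac.compare_digest(candidate, stored) and email in USERS
    return (True, "Welcome") if ok else (False, GENERIC_LOGIN)


def register(email: str, password: str) -> str:
    """Never says whether the address is taken: existing users get a reset email instead.

    The existing account's password is left untouched; otherwise re-registration
    would be an account takeover rather than an enumeration defence.
    """
    if email in USERS:
        OUTBOX.append((email, "reset-link:" + secrets.token_urlsafe(16)))
    else:
        salt = os.urandom(16)
        USERS[email] = (salt, hash_password(password, salt))
        OUTBOX.append((email, "welcome"))  # assumed: new users get a confirmation mail
    return GENERIC_REGISTER


def request_reset(email: str) -> str:
    """Takes an email address, not a username, and answers identically either way."""
    if email in USERS:
        OUTBOX.append((email, "reset-link:" + secrets.token_urlsafe(16)))
    return GENERIC_RESET


def view_profile(viewer: Optional[str], target: str) -> Tuple[int, str]:
    """Profiles require a logged-in viewer; hidden and non-existent ones look identical."""
    if viewer is None:
        return 401, "login required"
    if target not in USERS or target in HIDDEN_PROFILES:
        return 404, "not found"
    return 200, "profile of " + target
```

The dummy-credential lookup in login is what makes the "no such user" and "wrong password" paths cost the same: both run one PBKDF2 derivation and one constant-time comparison before the generic message is returned. In a real deployment the remaining differences (database round trips, logging, rate-limit bookkeeping) should still be measured under load, since the page's requirement is equal observable response time, not merely equal hashing work.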

en/threats/fruit/enumeration.txt · Last modified: 2019/10/21 17:31 by Digital Dot