Join us at the Rocky Mountain Hackfest, Live Online!! Virtual summit and courses take place June 4-13.

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right.Once you register, you can download the presentaion slides below.

Time is on your side: username harvesting via timing attacks

  • Wednesday, August 10, 2016 at 1:00 PM EDT (2016-08-10 17:00:00 UTC)
  • Eric Conrad

You can now attend the webcast using your mobile device!

  

Overview

You are faced with a seemingly well-designed authentication form: it returns the same error for good username/bad password and bad username/bad password, and it also uses a slow hash algorithm such as bcrypt. Username guessing should be impossible, and password cracking impractical. Many penetration testers will move on: what do you do?

This webcast will describe a practical approach for using timing attacks to harvest valid usernames, including a live demo using Burp Suite.

Speaker Bio

Eric Conrad

Certified SANS instructor Eric Conrad's career began in 1991 as a Unix sysadmin for a small oceanographic communications company. He gained experience in a variety of industries, including research, education, power, Internet, and healthcare, and has worked with companies such as Mitsubishi Electric Research Labs, Boston University, The Open Group, Navipath, and Caritas Christi Health Care. He is now an independent information security consultant focusing on intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a Master of Science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. He is a contributing author to SANS HIPAA Security Implementation. Eric also blogs about information security at http://www.ericconrad.com.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.