Tuesday, June 5, 2012

Guessable Passwords the Unpatchable Exploit

During penetration assessments the pen tester attempts to compromise systems in an effort to penetrate into client networks. The pen tester tries various methods from exploiting web application vulnerabilities, network layer vulnerabilities, common misconfiguration and users.  But this is about what is more effective guessing passwords or exploits.

Currently the Exploit Database has 15,873 exploits. Is this all the exploits in the world? No, these are just many of them in one place that’s all. Even if we add another 14,478 to make an even 30,000 public exploits is that truly a large surface area when compared to the millions of systems on the Internet today.  If we pretend there are only 1 million systems on the Internet that is only 3 percent of systems that can be exploited.

In contrast, as of December 31, 2011 there are 2,267,233,742 users on the Internet according to internetworldstats.com. We can even subtract a billion users for good measure and that is still over a billion users remaining. We use passwords in everything from corporate/personal email, Facebook, banking, taxes and anything else you can imagine.  How many of these users have weak or guessable passwords like password, 123456, Password1 or the real hard one to guess P@ssw0rd ;) .

The big problem lies in these same users make passwords for their corporate systems too and they put your corporation at risk. In data collected 2% of users select a base word of password and 12% use a base word of a season such as summer, winter, spring and fall. This was from a total user count of 38,148 and across multiple corporate industries not just random website breaches. In essence 5,340 users could be compromised with an attacker guessing passwords like Password1, Summer11, Winter12, and Fall2011. While these passwords conform to the term complex as defined by Microsoft, they are still weak. Many users take short cuts, this is because they feel they are not a target, not important, their access doesn’t matter, or even out of spite to the organization. Penetration testers know this and so do the attackers.

Passwordmeter.com in the screenshot above says some of these passwords are strong but this is rated strong because the amount of time it would take a computer to crack your password.  A standard desktop computer would take 10 days to crack “Fall2011” according to howsecureismypassword.net, and we wont even talk about how fast GPU cracking could crack this password.

How do attackers use this information? This type of attack is normally executed by using a username brute force. A username brute force tries one password such as Password1 across multiple usernames. This technique avoids lockouts and if run slowly enough it can go unnoticed by system administrators. Especially if executed against a web mail server, everyone has access to email. However, against a small user base this wouldn’t be very effective but attacking over a hundred users can prove to be very lucrative.  Once the attacker can access email which is generally controlled by Active Directory and depending on the systems available the possibilities are endless… VPN, Citrix, maybe remote desktop.

In closing use spaces, use symbols, use phrases changing your password from “Fall2011” to “I love fall!!”  makes it harder to guess and now takes 1 billion years to crack on a desktop PC.  Eventually pass phrases will have easily guessed phrases too but the clock is ticking.

No comments:

Post a Comment