During a penetration assessment the tester attempts to compromise systems in order to get a foothold inside the client's network, using anything from web application vulnerabilities and network-layer vulnerabilities to common misconfigurations and the users themselves. This post is about which of two approaches is more effective: guessing passwords or running exploits.
At the time of writing the Exploit Database has 15,873 exploits. Is that every exploit in the world? No, it is simply a large number of them collected in one place. Even if we add another 14,478 to make an even 30,000 public exploits, is that really a large attack surface compared with the millions of systems on the Internet today? If we pretend there are only 1 million systems on the Internet, that is only 3 percent of systems that could be exploited.
In contrast, as of December 31, 2011 there were 2,267,233,742 Internet users according to internetworldstats.com. Subtract a billion for good measure and there are still over a billion users remaining. We use passwords for everything: corporate and personal email, Facebook, banking, taxes and anything else you can imagine. How many of those users have weak or guessable passwords like password, 123456, Password1, or the "really hard" one, P@ssw0rd?
The bigger problem is that these same users create passwords for their corporate systems too, and in doing so they put your corporation at risk. In data collected from 38,148 users across multiple corporate industries (not random website breaches), 2% of users chose a base word of "password" and 12% chose a season (summer, winter, spring, fall) as the base word. In other words, 5,340 of those users could be compromised by an attacker guessing passwords like Password1, Summer11, Winter12 and Fall2011. These passwords satisfy Microsoft's definition of "complex" (at least three of the character classes upper case, lower case, digits and symbols), yet they are still weak. Many users take shortcuts because they feel they are not a target, not important, that their access does not matter, or even out of spite toward the organization. Penetration testers know this, and so do the attackers.
Passwordmeter.com, in the screenshot above, rates some of these passwords as strong, but that rating is based on the time it would take a computer to brute-force the password. A standard desktop computer would take 10 days to crack "Fall2011" according to howsecureismypassword.net, and we won't even talk about how much faster GPU cracking would be. Neither estimate accounts for an attacker who simply guesses the pattern first.
How do attackers use this information? This type of attack is normally carried out as a username brute force (today more often called password spraying): one password such as Password1 is tried across many usernames before moving on to the next password. Because each account sees only a single failure per round, the technique avoids account lockouts, and if it is run slowly enough it can go unnoticed by system administrators, especially when executed against a web mail server, since everyone has access to email. Against a small user base this would not be very effective, but attacking over a hundred users can prove to be very lucrative. Once the attacker has access to email, which is generally controlled by Active Directory, the possibilities depend on the systems available and are endless… VPN, Citrix, maybe remote
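The username brute force described above, as an added example that is not part of the original post: a lockout-aware spray against a constructed in-memory stand-in for the mail login. The account names, passwords, lockout threshold and observation window are assumptions for the demo; the candidate list is built from the Password1 and Season+year patterns the post reports, and a per-account brute force is run for contrast to show why it trips the lockout while the spray does not.

```python
"""Password spray (username brute force) against a constructed mock directory.

Added example, not code from the original post. MockDirectory is a
hypothetical in-memory stand-in for the web mail / Active Directory login the
post describes; accounts, passwords and the lockout policy are constructed
for the demo.
"""
from datetime import datetime, timedelta
from hashlib import sha256

# Constructed sample accounts (assumption). Four follow the "Password1" and
# Season+year patterns the post reports; two are stronger.
MOCK_ACCOUNTS = {
    "alice": "Summer11",
    "bob": "Winter12",
    "carol": "I love fall!!",
    "dave": "Password1",
    "erin": "correct horse battery staple",
    "frank": "Fall2011",
}

# Assumed lockout policy in the style of an AD account lockout policy:
# LOCKOUT_THRESHOLD failures inside OBSERVATION_WINDOW locks the account.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)


class MockDirectory:
    """Verifies passwords, counts failures per account and enforces lockout.
    `now` is a mock clock the caller advances between spray rounds."""

    def __init__(self, accounts, now=datetime(2012, 1, 3, 9, 0)):
        self._hashes = {u: sha256(p.encode()).hexdigest() for u, p in accounts.items()}
        self._failures = {u: [] for u in accounts}
        self.locked = set()
        self.now = now

    def authenticate(self, user, password):
        if user not in self._hashes or user in self.locked:
            return False
        if sha256(password.encode()).hexdigest() == self._hashes[user]:
            self._failures[user] = []  # success resets the bad-password count
            return True
        window_start = self.now - OBSERVATION_WINDOW
        recent = [t for t in self._failures[user] if t > window_start]
        recent.append(self.now)
        self._failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def season_candidates(years=(11, 12, 2011, 2012), base_words=("Password1",)):
    """The short candidate list the post describes: a 'password' base word plus
    Season+year variants such as Summer11, Winter12 and Fall2011."""
    candidates = list(base_words)
    for season in ("Spring", "Summer", "Fall", "Winter"):
        for year in years:
            candidates.append(f"{season}{year}")
    return candidates


def safe_pause(threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Delay between rounds so that no account ever accumulates more than
    threshold-2 failures in one window, even if the policy counts the window
    boundary inclusively. 30 minutes / 3 = 10 minutes for the defaults."""
    return window / (threshold - 2)


def spray(directory, users, candidates, pause):
    """Horizontal attack: try ONE password across EVERY user, then wait `pause`
    before the next password. Each account sees a single failure per round."""
    found = {}
    for password in candidates:
        for user in users:
            if user not in found and directory.authenticate(user, password):
                found[user] = password
        directory.now += pause
    return found


def brute_force_one_user(directory, user, candidates):
    """Vertical attack for contrast: every candidate against one account with
    no delay. Trips the lockout after LOCKOUT_THRESHOLD failures, after which
    even the correct password is refused."""
    for password in candidates:
        if directory.authenticate(user, password):
            return password
    return None


if __name__ == "__main__":
    d = MockDirectory(MOCK_ACCOUNTS)
    print("spray found:", spray(d, sorted(MOCK_ACCOUNTS), season_candidates(), safe_pause()))
    print("locked by spray:", d.locked)
    d = MockDirectory(MOCK_ACCOUNTS)
    print("vertical on alice:", brute_force_one_user(d, "alice", season_candidates()))
    print("locked by vertical:", d.locked)
```

With the defaults the spray recovers four of the six constructed accounts (those with Password1 or a Season+year password) without locking anything, because no account ever sees more than three failures in a 30-minute window. The vertical run against a single account locks it on the fifth guess, before its real password (the sixth candidate) is ever tried, which is the whole reason the attack is run horizontally.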
In closing: use spaces, use symbols, use phrases. Changing your password from "Fall2011" to "I love fall!!" makes it harder to guess, and the same estimator now puts it at 1 billion years to crack on a desktop PC. Eventually passphrases will have their own easily guessed phrases too, but for now the clock is ticking.
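The post observes that a slow username brute force can go unnoticed by administrators because per-account lockout counters never fire. As an added example that is not part of the original post, here is the detection logic a defender would run over authentication logs instead: it flags one source failing against many distinct accounts while staying under the per-account failure count. The `key=value` log format, the events and the account names are constructed for the demo, with source addresses from the documentation ranges; the last part of the block shows the caveat that a spray paced slower than the detection window slips through.

```python
"""Detecting a password spray (username brute force) in authentication logs.

Added example, not code from the original post. The log format is an
assumption for the demo and the events are constructed; source addresses
come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 tries one password across six accounts
# (a spray with one hit), 203.0.113.9 hammers a single account (classic
# brute force that a lockout counter would catch), 198.51.100.7 is legitimate.
SAMPLE_LOG = """\
2012-01-03T09:00:00 src=203.0.113.5 user=alice result=FAIL
2012-01-03T09:00:02 src=203.0.113.5 user=bob result=FAIL
2012-01-03T09:00:04 src=203.0.113.5 user=carol result=FAIL
2012-01-03T09:00:06 src=203.0.113.5 user=dave result=OK
2012-01-03T09:00:08 src=203.0.113.5 user=erin result=FAIL
2012-01-03T09:00:10 src=203.0.113.5 user=frank result=FAIL
2012-01-03T09:05:00 src=203.0.113.9 user=carol result=FAIL
2012-01-03T09:05:01 src=203.0.113.9 user=carol result=FAIL
2012-01-03T09:05:02 src=203.0.113.9 user=carol result=FAIL
2012-01-03T09:05:03 src=203.0.113.9 user=carol result=FAIL
2012-01-03T09:05:04 src=203.0.113.9 user=carol result=FAIL
2012-01-03T09:30:00 src=198.51.100.7 user=alice result=OK
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into (time, src, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]))
    return events


def detect_spray(events, window_minutes=15, min_users=5, max_per_user=2):
    """Flag each source whose failures inside any window of `window_minutes`
    touch at least `min_users` distinct accounts with no account failing more
    than `max_per_user` times. That shape never trips a per-account lockout
    counter, which is exactly why lockout alerts miss it."""
    window = timedelta(minutes=window_minutes)
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append((src, start, sorted(per_user)))
                break  # one alert per source is enough
    return alerts


def demo_slow_spray(pause_minutes=10, src="203.0.113.5"):
    """Constructed events for the same five-account spray paced `pause_minutes`
    apart per attempt, the way a patient attacker would run it."""
    start = datetime(2012, 1, 3, 10, 0)
    users = ["alice", "bob", "carol", "erin", "frank"]
    return [(start + timedelta(minutes=i * pause_minutes), src, u, "FAIL")
            for i, u in enumerate(users)]


if __name__ == "__main__":
    for src, start, users in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {src} starting {start}: {len(users)} accounts {users}")
    slow = demo_slow_spray()
    print("15 min window:", detect_spray(slow))
    print("60 min window:", detect_spray(slow, window_minutes=60))
```

On the sample log only 203.0.113.5 is flagged; 203.0.113.9 fails five times against one account, which is the vertical pattern the lockout policy itself handles. The slow variant spreads the same five attempts over 40 minutes, so a 15-minute detection window sees at most two accounts at a time and raises nothing, while a 60-minute window catches it. The practical consequence is that the detection window has to be at least as long as the lockout observation window the attacker is pacing against, and ideally much longer.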