My Pentest Secret: Password Guessing

Dave G. | January 8th, 2009 | Filed Under: Industry Punditry

Since we have seen a couple of cases where low-tech mechanisms were used for real break-ins (see Sarah Palin and, most recently, Twitter), now is a good time to reveal a practice I commonly employ that frustrates co-workers to no end: password guessing on administrative interfaces. It isn't glamorous, it isn't exciting, but it is unbelievably effective.

A high percentage of pentesters see a login prompt, look for input validation flaws like XSS or SQLi, try some auth bypass like forced browsing, and then move on. I will almost always try some basic account and password guessing as well, along with researching the product to see whether it ships with default accounts.

In 2008 alone, I used this at least five times to game-over systems OVER THE INTERNET. Without fail, management interfaces indirectly allow code execution or arbitrary file read/write (90% of the time with admin privileges). Application admins on websites invariably have access to all of the users on the system, and let's face it, if there is one area where your devs didn't think about SQL injection, it's the code only admins get to see.

If you are responsible for these systems, I have some advice:

  1. SEGMENTED INTERFACES. For the love of all things holy, do not, DO NOT, DO NOT, DO NOT expose management interfaces over the internet. If you can't do that, at least use:

  2. CLIENT-SIDE CERTS. Sure, it's not as smooth as just removing the interface, but at least it is no longer everyone on the internet knocking on your door.

  3. REMOVE DEFAULTS. A lot of third-party software comes with multiple accounts, of which you probably use only one. Disable the rest. Can't disable? Change the password to something ridiculously long and complicated.

  4. PASSWORD SECURITY. Choose better passwords. I think everyone generally falls down here. I hate to say it, but maybe multifactor/keyfob is the way to go.

  5. FAILED LOGIN DELAYS. What do you do when someone is grinding passwords on the same account? Account lockout is pretty unpopular because it can be turned into a denial of service against legitimate users. Doing nothing is pretty unpopular because attackers can grind forever. Enter the exponentially increasing login delay. Every failed login on an account increases the delay the system imposes on the next attempt for that account; the counter resets after a reasonable quiet period or a valid login. Note that this throttles one account at a time, so it does little against an attacker trying a single common password across many accounts, which is one more reason to keep the interface off the internet in the first place (item 1).

  6. LAST LOGIN NOTIFICATION. It is a long shot, but if you show the user, after they log in, when the account was last logged in and from where, they may notice suspicious activity.
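Items 5 and 6 are easy to get subtly wrong (counters that never reset, the correct password sneaking through during a delay, notifications that only show the current login). The following is an added example, not code from the original post: a small per-account throttle that doubles the delay after each failed attempt up to a cap, resets the counter after a quiet period or a successful login, and returns the previous login time and source so the application can display it. The user store, the IP addresses and the delay parameters are constructed for the demonstration; the hash routine is ordinary PBKDF2 and stands in for whatever the real application uses.

```python
"""Per-account exponential login delay plus last-login notification (example code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); salt is 16 random bytes."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Hashed so that unknown account names cost the same time as real ones.
_DUMMY_HASH = hash_password("not-a-real-password")


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed attempts since last reset
    last_failure: float = 0.0    # timestamp of the most recent failure
    last_login_at: Optional[float] = None
    last_login_from: Optional[str] = None


class LoginThrottle:
    def __init__(self, users: Dict[str, bytes], base_delay: float = 1.0,
                 max_delay: float = 300.0, reset_after: float = 900.0):
        self.users = users              # constructed store: account -> password hash
        self.base_delay = base_delay    # delay after the first failure (seconds)
        self.max_delay = max_delay      # cap so a long grind cannot park a user forever
        self.reset_after = reset_after  # quiet period after which the counter clears
        self.state: Dict[str, AccountState] = {}

    def _current_delay(self, st: AccountState, now: float) -> float:
        """Seconds the account must wait after its last failure; clears stale counters."""
        if st.failures == 0:
            return 0.0
        if now - st.last_failure >= self.reset_after:
            st.failures = 0
            return 0.0
        return min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)

    def attempt(self, account: str, password: str, source: str,
                now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        st = self.state.setdefault(account, AccountState())
        not_before = st.last_failure + self._current_delay(st, now)
        if now < not_before:
            # Rejected before the credential is checked, so a correct guess
            # inside the delay window learns nothing. Throttled attempts do
            # not raise the counter, which keeps a third party from escalating
            # the delay faster than the real password space is being searched.
            return {"ok": False, "reason": "throttled", "retry_after": not_before - now}
        stored = self.users.get(account)
        ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is None or not ok:
            st.failures += 1
            st.last_failure = now
            return {"ok": False, "reason": "bad_credentials",
                    "retry_after": self._current_delay(st, now)}
        previous_at, previous_from = st.last_login_at, st.last_login_from
        st.failures = 0                 # valid login resets the counter (item 5)
        st.last_login_at, st.last_login_from = now, source
        # Hand back the *previous* login so the UI can show it (item 6).
        return {"ok": True, "previous_login_at": previous_at, "previous_login_from": previous_from}


if __name__ == "__main__":
    users = {"admin": hash_password("correct horse battery staple")}   # constructed
    throttle = LoginThrottle(users, base_delay=1.0, max_delay=8.0, reset_after=100.0)
    t = 1000.0
    for guess in ["admin", "password", "admin123", "letmein"]:
        print(guess, throttle.attempt("admin", guess, "203.0.113.7", now=t))
        t += 0.25                       # a fast grinder; most attempts get throttled
    print(throttle.attempt("admin", "correct horse battery staple", "198.51.100.9", now=t + 200))
    print(throttle.attempt("admin", "correct horse battery staple", "192.0.2.1", now=t + 300))
```

The `now` parameter exists so the behaviour can be exercised without sleeping; in a real deployment leave it at the default and persist `state` somewhere shared by all application servers, otherwise an attacker who round-robins across instances gets a fresh counter on each one.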

I think everyone does a bad job at this, but for more advice, see Adam’s ZDNet article.
