Monday, October 23, 2017

Gaining Access the Easy Way

Alibaba had a problem. Over the span of two weeks in late 2015, over 20 million accounts were compromised in an ongoing brute force attack. While a portion of the compromised accounts were due to password reuse, many accounts likely just used weak passwords. In attacks like this, attackers often need only small variations on a few common passwords to gain access to a large number of accounts. While many services demand pseudo-complex passwords (e.g. a minimum of eight characters including at least one capital letter, one number and one special character), users often make predictable substitutions to their go-to password to meet these requirements.
As security professionals, we must identify systems that can easily be compromised due to weak credentials. While there are several stand-alone tools commonly used to brute force access for various protocols, I want to focus on Nmap's brute library. The advantage here is that any password mutation updates we make to this library automatically take effect in all of the NSE scripts within the brute category (currently 125 scripts). Brute force tools are only as effective as the username / password lists you provide them. Simply put, having the string password but not common iterations of the same string, such as p@ssword, p@ssw0rd and Password1, can be the difference between success and failure when brute forcing credentials.
Paulino Calderon created an incredibly useful patch for Nmap's brute.lua library that adds basic password mangling to all Nmap brute scripts. I added more sophisticated password mangling cases (based on mutator) to the patch and modified it to work with the latest version of Nmap. The updated version is available here.
To avoid bloat, Nmap only ships with a handful of default usernames and around 5000 passwords. For maximum effectiveness, it is important to choose an appropriate word list. For example, the default MS SQL user sa is not included in Nmap's username list. On the password front, the rockyou.txt password dump is often effective when brute forcing accounts belonging to native English speakers; in other cases you might need a language / region specific word list. The userdb and passdb script arguments can be used to specify alternative word lists. An example of Nmap using password mutation via our updated patch is shown below:
[Screenshot: Nmap brute scan results]
To summarize, although our default password list only contained the string password, we were able to detect a common variation of this password using our updated brute library. To successfully brute force credentials, we may need to mangle our word list to modify case or to substitute, prepend or append characters. Passwords (or slightly modified versions of them) are often reused across multiple services. By collecting a diverse set of password dumps and running a robust set of password mangling rules on them, we can alert clients who use weak passwords before an attack occurs.
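As an added illustration of the mangling rules described above (example code written for this post, not the brute.lua patch itself), the following Python mutator generates case, leet-substitution and suffix variants of a base word and uses them to flag a chosen password that is only a trivial variation of a dictionary entry. The substitution table and suffix list are constructed assumptions, not the patch's actual rule set.

```python
import itertools

# Constructed sample of substitution rules (assumption, not the patch's table).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Constructed sample of common append rules (empty string keeps the bare word).
SUFFIXES = ["", "1", "123", "!", "2017"]


def case_variants(word):
    """Lower, capitalized and upper-case forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every subset of LEET substitutions applied to the word, case preserved elsewhere."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            out.add("".join(chars))
    return out


def mangle(word):
    """All case x leet x suffix combinations for one base word."""
    out = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leet + suffix)
    return out


def weak_variant_of(candidate, wordlist):
    """Return the base word the candidate is a trivial mutation of, or None."""
    for base in wordlist:
        if candidate in mangle(base):
            return base
    return None


if __name__ == "__main__":
    # Constructed word list: the post's own scenario of a list holding only "password".
    print(sorted(mangle("password"))[:10])
    print(weak_variant_of("P@ssw0rd!", ["password"]))
```

The same `mangle` output can be written out as an expanded passdb for a brute scan, or used at password-set time to reject variants that a mangling rule set would recover.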
