A frequent issue I identify during a security assessment or audit is the use of default or weak passwords. In SplashData’s sixth annual “Worst Passwords” report, compiled from more than five million passwords leaked during the year, three variations of “password” appear, including “passw0rd” and “password1.” … “Simple numerical passwords remain common, with five of the top 10 passwords on this year’s list comprised of numbers only.” … “Just over 10% of people use at least one of the 25 worst passwords on this year’s list, with nearly 4% of people using the worst password, 123456.” (See https://www.teamsid.com/worst-passwords-2016/.) Kali Linux is loaded with tools that can help audit for default or weak passwords (“Kali Linux Tools,” n.d.).
So when performing a security assessment or audit, I first check for the use of default accounts and passwords and for weak login credentials. Websites such as Default Password list the default credentials for a wide variety of devices. Below I demonstrate three utilities you can use to audit for default accounts and passwords and for weak login credentials, using two virtual machines: one running Kali Linux and the other running Metasploitable 2.
In an earlier post I demonstrated how to do basic port scanning with Nmap to identify open ports and services running on a host (e.g., Metasploitable 2). Here are the results (this scan took 18 hours):
I am going to use Hydra, Medusa, and NCrack to audit for the use of default accounts and passwords and the use of weak login credentials.
Hydra is a parallelized login audit utility which supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP (See https://tools.kali.org/password-attacks/hydra).
Hydra’s basic usage:
$ hydra -s <port> -l <username> -p <password> -t <number> <target> <protocol>
Note: the -t option defines the number of parallelized tasks to run.
Hydra also has a GUI interface that is accessed by typing “xhydra” at the command prompt:
I audit Secure Shell (SSH) for user “root” and password “root.” SSH is a software package that enables secure system administration and file transfers over insecure networks. It is used in nearly every data center and in every large enterprise (“SSH,” n.d.). Hydra returns “0 valid passwords found.”
Hydra also allows you to specify a username list and password list. Kali Linux includes many. There are also many username and password lists on the Internet you can download and use (See my post Wordlists).
I select “unix_users.txt” and “unix_passwords” and launch Hydra again against SSH. The lists contain 112 usernames and 1008 passwords, so this audit will take some time:
If you know the password policy, Hydra ships with a utility, “pw-inspector,” that reads passwords in and prints only those which meet the requirements:
For instance, in the above example where I used the unix_passwords list, if I had known the policy required eight characters, I could have used pw-inspector to trim the file. Using pw-inspector, I cut the list to 155 passwords:
Hydra will stop during the audit if it finds a username and password combination that works. BINGO. As shown below, Hydra found the login “sys” with the weak password “batman”:
I press Start to continue with the audit. But Hydra “burps” and stops the audit short because it encountered an error:
But that is OK. Hydra automatically creates a file called “hydra.restore” in the directory where Hydra is executed. I go to the command line and use the -R option to resume the audit. Hydra completes its tasks:
I try to SSH in with the username and password combination Hydra found, and I am able to log in to Metasploitable 2:
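On the defending side, a Hydra run against SSH like the one above leaves a distinctive trail in the target’s sshd log: a burst of failures from one source, then a success for the account it guessed. As an added example (not part of the original post), here is a small Python detector run over constructed syslog lines that imitate that trail; the log format, the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not taken from the original post). They
# imitate the trail a Hydra run against SSH leaves, followed by a real login with
# the credential it found.
SAMPLE_AUTH_LOG = """\
Nov  1 10:00:01 target sshd[2201]: Failed password for root from 10.0.2.5 port 40001 ssh2
Nov  1 10:00:02 target sshd[2202]: Failed password for invalid user admin from 10.0.2.5 port 40002 ssh2
Nov  1 10:00:02 target sshd[2203]: Failed password for sys from 10.0.2.5 port 40003 ssh2
Nov  1 10:00:03 target sshd[2204]: Failed password for sys from 10.0.2.5 port 40004 ssh2
Nov  1 10:00:03 target sshd[2205]: Failed password for sys from 10.0.2.5 port 40005 ssh2
Nov  1 10:00:04 target sshd[2206]: Accepted password for sys from 10.0.2.5 port 40006 ssh2
Nov  1 10:05:00 target sshd[2301]: Accepted publickey for dave from 10.0.2.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_line(line, year=2017):
    """Return a dict for sshd login-outcome lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each source with >= threshold failures inside one window to a summary,
    including any successful login from that source at or after the burst."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_auth_line, log_text.splitlines())):
        by_src[event["src"]].append(event)
    findings = {}
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if (f["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len(burst) < threshold:
                continue
            after = [e["user"] for e in events if e["result"] == "Accepted" and e["ts"] >= burst[-1]["ts"]]
            findings[src] = {"failures": len(burst), "users": sorted({f["user"] for f in burst}),
                             "success_after_burst": after}
            break
    return findings
```

A success_after_burst entry is the line worth paging on: it is the same pattern this post produces when the guessed “sys” credential is used to log in.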
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack is included in Kali Linux (“Ncrack,” n.d.).
Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM and OWA (“Ncrack,” n.d.).
I use Ncrack to audit Telnet (see below). Telnet is used to connect to remote computers and issue commands on those computers (“Telnet,” n.d.). But first I try to log in to Telnet using “root” and password “root.” No luck:
Next, I use Ncrack. Ncrack’s basic usage:
$ ncrack -u <username> -P <password.txt> 10.0.2.6:23
As above, I select username “root” and the “unix_passwords” list and launch Ncrack against Telnet.
Ncrack returns no valid passwords found.
Medusa is like THC Hydra and Ncrack, but because of its stability and fast login ability it is often preferred over THC Hydra and Ncrack (“Medusa,” n.d.). I will use Medusa to audit the rlogin service open on Metasploitable 2 (see above).
TCP ports 512, 513, and 514 are known as the “r” services and can be misconfigured to allow remote access from any host (a standard “.rhosts + +” situation). rlogin is a software utility for Unix/Linux that allows users to log in on another host via a network, using TCP port 513. rlogin was first distributed as part of the 4.2BSD release in 1977 but, because of security issues, has since been replaced by slogin and ssh. However, you may still find it on a system, which is the case with Metasploitable 2 (see above). If you find it running, you should audit it.
The rsh package contains a set of programs which allow users to run commands on remote machines, log in to other machines and copy files between machines (rlogin, rsh, and rcp). All three of these commands use rhosts-style authentication (“RPM,” n.d.).
Remote login works like Telnet: you run the utility with the host name of the server, and you can connect and run commands interactively. Unlike Telnet, rlogin can be configured to log on automatically without a user name and password.
rsh (Remote Shell) allows you to send single commands to the remote server. Whereas rlogin is designed to be used interactively, rsh can be easily integrated into a script. rsh runs over TCP port 514 by default.
rcp (Remote Copy) provides the ability to copy files to and from the remote server without the need to resort to FTP or NFS (Network File System, the UNIX form of folder sharing). rcp can also be used in scripts and shares TCP port 514 with rsh.
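Because rlogin’s passwordless login comes from rhosts-style trust files, a defender can audit those files directly rather than waiting for Medusa to prove the point. This is an added example, not code from the post or from the rsh project; the sample file contents and the severity labels are constructed.

```python
from dataclasses import dataclass

# Constructed contents (not from the original post) of an rhosts-style file such
# as ~/.rhosts or /etc/hosts.equiv. Each line is: <host|+|-host> [<user>|+|-user].
SAMPLE_RHOSTS = """\
# hosts trusted for the backup account
backup.example.internal  backup
+ +
+ root
mgmt.example.internal
-untrusted.example.internal
"""

@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str
    reason: str

def audit_rhosts(text):
    """Flag trust entries that let rlogin/rsh skip password authentication.

    '+' in the host field trusts every host; '+' in the user field trusts every
    user on the named host; '+ +' (the Metasploitable 2 case) trusts any user
    from any host. Even a specific hostname is only host-based trust resting on
    an unauthenticated source address, so it is still reported, at low severity.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user or "").startswith("-"):
            continue  # explicit deny entry, not a trust grant
        if host == "+" and user == "+":
            sev, why = "critical", "any user from any host may log in without a password"
        elif host == "+":
            sev, why = "high", f"any host trusted for user {user}"
        elif user == "+":
            sev, why = "high", f"any user on {host} trusted"
        else:
            sev, why = "low", f"host-based trust for {host} relies on an unauthenticated source address"
        findings.append(Finding(no, entry, sev, why))
    return findings

def worst_severity(findings):
    order = {"critical": 3, "high": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default=None)
```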
First, I check to see if the “rsh” package is installed:
Second, I check to see if the rsh client is installed:
If it is not, you will get this error if you try to rlogin, because rlogin defaults to SSH:
This error means that the rsh client is not installed and rlogin is defaulting to SSH. I install the rsh client:
I try again. ROOT. Game over.
I move on to other services. Medusa has many modules:
I try Samba. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Samba is a critical component to seamlessly integrate Linux/Unix servers and desktops into Active Directory environments. It can function either as a domain controller or as a regular domain member (“About Samba,” n.d.).
Medusa’s basic usage:
$ medusa -h <target> -u <username> -P <wordlist> -M <module>
Note: the “-e ns” option instructs Medusa to additionally check whether the administrator account has either a blank password or a password set to match its username (administrator).
Medusa is fast but has no luck. I could try more username and password combinations, but I move on to another service. I work the Postgres service. PostgreSQL is a robust, open source object-relational database system. It has more than 15 years of active development and a proven architecture that has earned it a strong reputation for reliability, data integrity, and correctness. It runs on all major operating systems, including Linux, UNIX (AIX, BSD, HP-UX, SGI IRIX, macOS, Solaris, Tru64), and Windows (“About,” n.d.).
I use Kali’s supplied “postgre_default_user” list for usernames, and I use the same list for passwords. As a first step, it is a best practice to check whether users are using their usernames as passwords (or no password at all). This time I include the -F option, which instructs Medusa to stop the audit after the first valid username/password is found. We get a hit: user postgres, password postgres:
I decide to circle back and unleash the full power of Medusa on the SMB again. This time I use a list of 44 usernames that I harvested through a variety of means from Metasploitable 2 (See https://pdrcybersecurity.com/tag/user-enumeration/) and the Top 500 Worst Passwords of All Time list (“Whats,” n.d.).
This time I run Medusa with the -t and -L options. The -t option instructs Medusa to check ten users concurrently. The -L option tells Medusa to parallelize by user, meaning each of the ten threads targeting a host checks a unique user. I also include the -F option again, which instructs Medusa to stop if it finds a valid username and password combination. Medusa finds no valid username and password combinations:
Next, I use the same list of 44 usernames harvested from Metasploitable 2 but use Kali’s “password.lst,” which contains 88,396 passwords. Again Medusa finds no valid username and password combinations. But the point and process are clear.
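The checks these audits perform after the fact (a blank password, a password equal to the username as with Medusa’s “-e ns,” a password on a known-weak list, or one too short for the policy pw-inspector filters by) can be run at the moment a credential is set. As an added Python example not from the original post, with a constructed deny list drawn from the weak passwords named in this post and a minimum length taken as an assumption:

```python
import re

# Constructed deny list (not the lists the post uses): the weak passwords the post
# names plus a few of the same kind. A deployment would load a full "worst
# passwords" list here instead.
WEAK_PASSWORDS = {"123456", "password", "passw0rd", "password1", "batman",
                  "postgres", "root", "admin", "qwerty", "letmein"}

# Common letter-for-digit/symbol swaps, undone before the deny-list lookup.
_LEET = str.maketrans("013457@$", "oleastas")

def normalize(pw):
    """Strip trailing digits/punctuation and undo leet swaps, so that
    'Passw0rd2017!' and 'password1' both collapse to 'password'."""
    core = re.sub(r"[\d!@#$%^&*.,_-]+$", "", pw)
    return core.lower().translate(_LEET)

def check_credential(username, password, min_length=8, deny=WEAK_PASSWORDS):
    """Return the reasons a username/password pair should be rejected; an empty
    list means it passes. min_length=8 is an assumed policy value."""
    if not password:
        return ["blank password"]
    reasons = []
    u, p = username.lower(), password.lower()
    if p == u or p == u[::-1]:
        reasons.append("password matches username (or username reversed)")
    elif len(u) >= 3 and u in p:
        reasons.append("password contains username")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    weak = normalize(password)
    if p in deny or weak in deny:
        reasons.append(f"on weak-password list (normalizes to '{weak}')")
    return reasons
```

The same function, fed a user directory and the site’s wordlists, gives the defender the list of accounts an auditor with Hydra or Medusa would find first.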
Cybersecurity Framework Control Mapping
As per the Framework for Improving Critical Infrastructure Cybersecurity, Version 1, Protect (PR) function, Access Control (PR.AC): “Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions,” including PR.AC-1: “Identities and credentials are managed for authorized devices and users” (“Cybersecurity,” 2014).
Informative references include:
- CCS CSC 16
- COBIT 5 DSS05.04, DSS06.03
- ISA 62443-2-1:2009 4.3.3.5.1
- ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
- ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
- NIST SP 800-53 Rev. 4 AC-2, IA Family
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA.
About. (n.d.). Retrieved November 1, 2017 from https://www.postgresql.org/about/
About Samba. (n.d.). Retrieved November 1, 2017 from https://www.samba.org/
Announcing our worst passwords of 2016. (n.d.). Retrieved October 24, 2017 from https://www.teamsid.com/worst-passwords-2016/
Cybersecurity Framework. (2014, February 12). Retrieved October 24, 2017 from https://www.nist.gov/cyberframework
HowTo – rsh, rlogin, rexec – for Red Hat Linux distributions. (n.d.). Retrieved October 24, 2017 from http://people.redhat.com/kzak/docs/rsh-rlogin-howto.html
Hydra. (n.d.). Retrieved October 20, 2017 from https://www.thc.org/thc-hydra/
Kali Linux Tools Listing. (n.d.). Retrieved October 24, 2017 from https://tools.kali.org/tools-listing
Medusa parallel network login auditor feature comparison. (n.d.). Retrieved October 24, 2017 from http://foofus.net/goons/jmk/medusa/medusa-compare.html
Ncrack. (n.d.). Retrieved October 24, 2017 from https://nmap.org/ncrack/
Passwordless SSH (and RSH) Logins. (n.d.). Retrieved October 24, 2017 from http://tweaks.clustermonkey.net/index.php/Passwordless_SSH_(and_RSH)_Logins
RPM resource rsh. (n.d.). Retrieved October 24, 2017 from https://rpmfind.net/linux/rpm2html/search.php?query=rsh
SSH (SECURE SHELL). (n.d.). Retrieved October 30, 2017 from https://www.ssh.com/ssh/
Solaris advanced user’s guide logging in remotely (rlogin). (n.d.). Retrieved October 24, 2017 from https://docs.oracle.com/cd/E19683-01/806-7612/network-2/index.html
Telnet FAQ. (n.d.). Retrieved October 30, 2017 from http://www.telnet.org/htm/faq.htm
Whats my pass? Top 500 worst passwords of all time list. (n.d.). Retrieved October 30, 2017 from http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time