Tag: Administrative Interface

  • LDAP Passback and Why We Harp on Passwords

    Hackers are like anyone else in that they would rather work smarter, not harder – picking the low-hanging fruit first. Oftentimes, we find companies who put it in front of them without even knowing it.

    In today’s video, I demonstrate how to conduct a Lightweight Directory Access Protocol (LDAP) passback attack, essentially using third-party hardware or software as an access point to a company network. I’ll show you three different ways to conduct the attack and offer some helpful tips on how to defend against it. 

    What I believe is important to add here is the common thread that links all of them: access to a password. If you want to know why our discussions seem to always circle back to that concept, it’s because an improperly protected password is a master key for hackers, whether their hats are white or black. 

    One is usually all we need to get inside your network. From there, the possibilities are limited only by our imaginations (and our scope of work). As I discuss at the outset of the video, too many of our customers make it easy by leaving devices like printers set to their default passwords or even null passwords, meaning they never created a password to begin with.

    Once we control the device, capturing legitimate passwords is easy. The Raxis team has conducted several internal network tests where discovering an admin interface with default or null credentials got us full domain admin access to the network. In one case, a vendor told the company that the default password was okay to use for a few weeks until things were all set up. On another, we found a password file on a sensitive file share that was set up without a password while the IT staff moved it to a new server. And still another company had no clue a system had a default password. They said it had always been that way. 

    LDAP passback attacks can be prevented, but it takes companies implementing robust security protocols for everything with an IP address on your network – including printers and other devices. 

    Remember, if it’s connected, it must be protected. 

    Make sure all your devices are locked down with a strong password — no matter how innocuous the device may seem. It’s a hacker’s job to find their way in. It’s Raxis’ job to identify these vulnerabilities so that you can correct them before that happens. 

    Our team of experts are ready to help you and your organization find its weaknesses and help you strengthen your security. Talk with our team today.

  • The Weakest Link in the Password Hash

    Your password is strong – but is everyone else’s?

    We spend considerable time trying to make sure our passwords are strong. But we also need to spend time educating our user base on why password strength is important.

    It is not uncommon for a hacker to establish his foothold in an environment by first compromising a weak or insecurely stored password. Once a base level of authenticated access is established, it becomes a matter of time before privilege escalation is achieved.

    So, while your password might be a strong 16 character, alphanumeric with symbols stronghold, your administrative assistant might still be using s0ftc@t1 (which, by the way, would crumble under a modest brute-force attack in less than 48 hours) as hers. If we can get that weak password we can extrapolate from there and gain access to other accounts.

    Important lessons to teach:
    • Use of symbols to recreate letters (i.e.: @ for a, ! for i, etc) is not that useful. Rule based brute-force attacks use dictionaries and account for common character substitution techniques.
    • Longer is better – an 8 character password is trivial for a skilled hacker regardless of it’s complexity. Currently, adding a single character and increasing the length to 9 characters, extends the time it takes to crack the password to a couple of months.
    • Use random letters and numbers.
    • Capital letters should be used along with non-capitals, but refrain from making the first character the capitalized letter (we expect that and hack for it).
    Consider multiple roots

    One trick is to use a 10 character base such as:yyT73p@55c

    Now remember that (see next section for tips).

    Now make it unique. By adding a “-” or a “+” or “_” and then a system identifier such as:

    yyT73p@55c-dr0p (say, for Dropbox)
    yyT73p@55c+f@cE (for Facebook)
    yyT73p@55c_BoA (for Bank of America)

    Now you have a super strong random root, followed by a symbol with a dictionary word including caps and symbols if you wish.

    Using this formulaic approach it’s possible to take a 10 character root and create a different password by creating an easy to remember tag. Now your passwords are 14+ characters long and easy to remember.

    Consider rhyme and pattern

    One trick I use for remembering that root is putting it in a rhythm and rhyme pattern that makes sense to me. This was a trick taught to me by a security engineer years ago and it’s worked. In the case of : yyT73p@55c every third letter (and 4th at  the end) rhymes, and I have a pace to it.

    Different root for types of systems

    Now. If you want to supercharge the geek (and help save your butt from mass hack password releases) consider having a small handful of root passwords. Perhaps one you use for social, one for finance, and one for work.

    Using that approach still only requires you to remember 3 base passwords, but, in doing so, you’ve strengthened your password repertoire considerably.

    Change the root

    Regardless of the strength of our passwords it’s still best practice to change them frequently. Using the root system all you need to do is periodically change the root and you’ve reset any exposure to compromise you may have had.

    BONUS ROUND.

    If you really care about security for a specific site (say, your bank), use a unique username. It doesn’t have to be crazy. If you tend to use “sally15” as your main username try using your last name “sanders15” for the bank. Use the same password root as above – but now you’ve got a unique username and a unique password that is associated with that one service.

    The Struggle is Real

    Getting your employees to use strong passwords is an uphill battle, but it’s a critical one. Remember – we are looking for the weakest link. Once we get a toe in the door it’s usually all we need before we spread like cancer in your system.

    By utilizing a simple system, such as the one suggested here, you can increase the chances of your employees maintaining difficult passwords and strengthening their online security.

  • HP iLO Password Cracking

    One of my favorite parts of information security is cracking password hashes. I have a dual nVidia GPU rig that I use to run hashcat on and sometimes my research leads me to crack hashes. 

    For those who don’t know, HP has a system for Integrated Lights Out, and it allows for remote management of systems. Usually these interfaces are located on a management network that is inaccessible unless you’re a systems admin.

    Well, I got my hands on some hashes using the Metasploit module called IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval. There’s a few blogs that talk about how to do that, so I’ll let you refer to them on the how. What I thought was interesting though is that a lot of the systems I was working with were left to the default password – which is a random 8 digit number.  

    With a dual GPU hashcat instance, that is fairly trivial.  I set a bruteforce attack using -a 3 ?d?d?d?d?d?d?d?d and the result below is what happened.

    1416515636048

    It took a mere 4 seconds to spin across 8 digits. If you’re a server admin, I hope you’re setting the administrator passwords on your iLO sessions to something other than digits. Also, and this goes without saying, keep your management network completely firewall off of the production network! There is no need to have the general user with any sort of access at all to these ports.  

    Still, a very strong password is your last line of defense in the event a breach occurs.