Alibaba had a problem. Over the span of two weeks in late 2015, over 20 million
accounts were compromised by an ongoing brute force attack. While a portion
of the compromised accounts were due to password reuse, there were likely many
accounts that simply used weak passwords. In attacks like this, attackers often
need only small variations on a few common passwords in order to gain access to
a large number of accounts. While many services demand pseudo-complex passwords
(e.g. a minimum of eight characters including at least one capital letter, one
number and one special character), users often make predictable substitutions to
their default password to meet these requirements.

As security professionals, it is critical that we identify systems that can
easily be compromised due to weak credentials. While there are several
stand-alone tools that are commonly used to brute force access for various
protocols, I want to focus on Nmap's brute library. The advantage here is that
any password mutation updates we make to this library will automatically take
effect in all of the NSE scripts within the brute category (currently 125
scripts). Brute force tools are only as effective as the username / password
lists that you provide them. Simply put, having the string password in your
list but not common iterations of the same string, such as [email protected],
[email protected] and Password1, can be the difference between success and
failure when brute forcing credentials.

Paulino Calderon created an incredibly useful patch for Nmap's brute.lua library
that adds basic password mangling to all Nmap brute scripts. I added more
sophisticated password mangling cases (based on mutator) to the patch and
modified it to work with the latest version of Nmap. The updated version is
available here.

To avoid bloat, Nmap only comes with a handful of default usernames and around
5000 passwords. For maximum effectiveness, it is important that we choose an
appropriate list. For example, the default MS SQL user sa is not included in
Nmap's username list. On the password front, the rockyou.txt password dump is
often effective when brute forcing accounts belonging to native English
speakers. However, you might need to use a language / region specific word list
in other cases. The userdb and passdb script arguments can be used to specify
alternative word lists. An example of Nmap using password mutation via our
updated patch is shown below:

(Image: Nmap brute scan results)

To summarize, although our default password list only contained the string
password, we were able to detect a common variation of it using our updated
brute library. In order to successfully brute force credentials, we may need to
mangle our word list to modify case or to substitute, prepend or append
characters. Passwords (or slightly modified versions of passwords) are often
reused across multiple services. By collecting a diverse set of password dumps
and running a robust set of password mangling rules on them, we can alert
clients who use weak passwords before an attack occurs.
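To make the mangling classes above concrete (case changes, character substitutions, and prepended or appended characters), here is a small stand-alone mutator written for this post; it is added example code and is not the brute.lua patch or any part of Nmap. The substitution table, suffix and prefix lists are my own assumptions, chosen to mirror the kind of predictable edits users make to satisfy complexity rules, and the second function shows the defensive use: checking whether a candidate password is just a predictable variant of a known weak base word.

```python
import itertools

# Assumed single-character swaps users make to satisfy "digit / special
# character" rules. This table is a constructed example, not Nmap's.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1", "l": "1"}
# Assumed predictable suffixes and prefixes (digits, short runs, years, symbols).
SUFFIXES = ["1", "12", "123", "!", "1!", "2015", "2016"]
PREFIXES = ["1", "!"]


def case_variants(word):
    """Case changes: as typed, Capitalized, UPPER and lower."""
    return {word, word.capitalize(), word.upper(), word.lower()}


def substitution_variants(word):
    """Every combination of the table swaps, from none up to all of them.

    This is exponential in the number of substitutable characters, which is
    fine for short base words from a dictionary but should be capped for
    very long input.
    """
    positions = [i for i, ch in enumerate(word) if ch.lower() in SUBSTITUTIONS]
    results = set()
    for n in range(len(positions) + 1):
        for subset in itertools.combinations(positions, n):
            chars = list(word)
            for i in subset:
                chars[i] = SUBSTITUTIONS[chars[i].lower()]
            results.add("".join(chars))
    return results


def mangle(word):
    """Ordered, de-duplicated mutations of `word`; the unmodified word is first."""
    base = set()
    for cv in case_variants(word):
        base |= substitution_variants(cv)
    seen, out = set(), []
    for b in sorted(base, key=lambda s: (s != word, s)):
        candidates = [b] + [b + s for s in SUFFIXES] + [p + b for p in PREFIXES]
        for c in candidates:
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


def is_predictable_variant(candidate, base_words):
    """True if `candidate` is a mangling of any word in `base_words` (audit use)."""
    return any(candidate in mangle(w) for w in base_words)
```

With a base list containing only the word password, `mangle` produces Password1, P@ssword and p@$$w0rd among its variants, which is the same class of hit shown in the scan above.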

As an aside, if you're interested in becoming an Nmap ninja, go register
here. It will be super fun!
