ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Hardware

Processors Toolkit

Get back to security basics

John Verry Tech Republic

Published: 17 Nov 2002 21:41 GMT

The password is "password"
The philanthropic organisation had all its volunteers log on via two user accounts that were aptly named volunteer1 and volunteer2. We assumed, based on the organisation's lax security posture, that these accounts were probably protected by simple, easily remembered passwords.

We attempted to connect to a network share remotely using the Windows run command: \\xxx.xx.xx.xxx\sharedfoldername and were prompted for a username and password. Our first three attempts, using "password," "organisation acronym1," and "organisation acronym2" failed. On our fourth try, using "organisation acronym3," we gained access. At this point, we were browsing shared network folders. To make matters worse, the organisation wasn't using an appropriate level of access control, and the volunteer accounts could browse the complete contents of the domain controller (the C: drive was inappropriately shared.)

Using our newfound access to the domain controller, we copied the registry to our machine and used LC3, better known as L0phtCrack, a password-cracking tool, to attempt to determine user passwords. Using a dictionary attack -- in which we tested each encoded password against the list of often used passwords -- we returned 23 out of the 61 user account passwords.

Ironically, one of the first passwords cracked was an IT vendor's name used by the network administrator. This granted us complete administrative control of the domain controller.

Due to a series of poorly executed security measures (inviting untrusted traffic into the trusted network and onto the domain controller, null sessions enabled, poor password policy, poor access control), it took us less than an hour to take control of the client's network.

"Bubba" is in the house
The governmental division's assessment was strikingly similar. From previous conversations with the client, we knew their password policy specified passwords with a mix of at least six alpha and numeric characters. During a brief penetration testing session, we loaded LC3 with a list of common passwords and instructed it to append and preface all passwords with up to four random numbers.

We were quickly able to crack four of their 21 accounts; the most damaging was a test user account labeled "Bubba" that had been used to troubleshoot a problem several months before. (We have noticed that administrators for SMB networks often create temporary test accounts that share the same password as their own account.)

While the password didn't directly provide us with administrative-level access, its construction (football team name + calendar year) did allow us to rather quickly guess the actual password for the administrator's account (baseball team + year). The same series of poorly executed security measures used by the nonprofit organisation had left their network vulnerable.

Preach fundamentals
Here is some general advice for clients who may be cutting corners the same way:

Encourage the client to ensure that null sessions are disabled. If the configuration must stay in place for an extended period of time, enable Restrict Anonymous Browsing (Null Session). With Windows NT, the HKLM\SYSTEM\Current ControlSet\Control\LSA\ RestrictAnonymous Registry key should be set to 1. In Windows 2000, you can set the same key to 2 or, if you prefer, you can set it via the Microsoft Management Console.
Stress the importance of separating internal and external functionality.
Stress the importance of establishing a good password policy that ensures passwords are difficult to guess. At a minimum, ensure that the policy disallows blank passwords, "password", and a password derived from the username.
Stress the importance of good user account maintenance. At one of the organisations discussed above, there were three "garbage" accounts (including Bubba and Test) in the Administrator's group. User accounts should be reviewed on a regular basis, and inactive accounts should be removed. Temporary user accounts established for external consultants that remain after the engagement has ended are especially concerning.
Stress the importance of learning the basics of network security.
Ensure that the client has considered all options. The wide range of inexpensive Web and e-mail hosting plans often make pushing these functions to an external provider a solid choice for smaller organisations.

Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.