There are several recent, dangerous security vulnerabilities -- MDAC, IIShack, rpc.cmsd, and rpc.ttdbserver to name the leaders -- but nothing matches the threat and ubiquity of poorly chosen passwords. In fact, you could probably combine all the current buffer overflows, input-validation attacks, and data-driven attacks and still not match the menace of easily guessed passwords.
In almost every engagement we take on, gaining user or administrative access on a Unix, Windows NT or NetWare system comes from simple password guessing, gaining administrator (or at least user) rights in less time than it takes to describe the steps. In our travels we find four sets of passwords most often: no password, password as username (either same or different user), company name, and dictionary word (such as password and summer). Of course, finding passwords by brute force using a sequential character generator can also be effective, but it is often time-consuming and usually unnecessary (if the goal is to break in).
The process of guessing the correct password can approach an art form. Studying the user's name, background information, and role in the company can often turn up an obvious password. For example, if the target is a CFO, a good password guess might be money, bill, invest, finance, or stocks.
Users and Passwords
Of course, all this talk of guessing a poorly chosen password is completely useless without a real username on the system. Guessing a default username on a system (such as Oracle) can be fruitful, but most attackers will target the user by name. You can look for usernames in a variety of locations. For Unix systems, usernames can be obtained by enumerating the users defined in mail via the SMTP VRFY or EXPN commands, by downloading the /etc /passwd files from poorly configured TFTP servers or NFS exported file systems, and also by downloading them from Lightweight Directory Access Protocol (LDAP) servers.
For NT systems, you can often get usernames through the null session or user2sid /sid2user vulnerabilities, LDAP queries, SMTP VRFY or EXPN commands, and enumerating Lanman SNMP.
Once a username is obtained, the hard part is over for the attacker. In fact, 90 percent of the time we can simply roll right into a network by trying the word password (or none at all). These poorly chosen passwords are far and away the biggest vulnerability on the security landscape. We don't care how many firewalls, intrusion-detection solutions, or secure operating systems you have in place, if users can set their passwords to something trivial to remember (and break), they will.
Develop and enforce password policies
In general, the following guidelines should be a part of any password policy.
-- Each Unix password must have a minimum of eight characters.
-- Each NT password must be seven or 14 characters long. Having any other length jeopardizes the strength of the password.
-- Passwords should never contain proper nouns or dictionary words.
-- Passwords should never be popular words, phrases, movies, names, and so on.
-- Each password must differ from the user's login name and any reverse or circular shift of that login name.
-- Each password must contain at least two alphanumeric characters and at least two special characters (*&^%$).
-- The new password must differ from the old one by at least three characters.
There is no easy way to enforce these guidelines. You'll need to manually attack your systems' password files and try to crack them. Once successful, company policy should dictate that users change their passwords immediately to something more difficult to guess. Here are some great tools to audit your NT and Unix passwords:
-- L0phtcrack: best password-cracking features, at http://www.l0pht.com/l0phtcrack-- John the Ripper: originally for Unix but now the fastest NT password cracker around, at http://www.false.com/security/john-- Password Appraiser: new NT cracker, at http://www.quakenbush.com/default.htmFor NT, you can always use passfilt.dll, but the password content restrictions are limited. Also check out TP Information Systems' Password Policy Enforcer, at http://www.tpis.com.au/products/ppe/features.asp, and let us know what you think.
Now some of you may feel nervous about imposing strict password policies and guidelines. But the alternative is easily hackable systems. And for those executives who can't understand why IT has to make such demands, imagine your salary, stock options, and personal and corporate e-mail in the hands of the wrong person; then reconsider this "inconvenience." Are your systems vulnerable? Let us know at email@example.com.
(Stuart McClure is an independent security consultant with Rampart Security Group. Joel Scambray is a consultant with Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne/ McGraw-Hill).)