Top five vulnerabilities and how to avoid them: Passwords
This blog explores how exploiting weak, reused, and default passwords is a common and effective method for gaining access during internal penetration tests. Techniques like 'Password Spraying' often lead to compromising standard domain user accounts, which can then be used to escalate privileges and identify further vulnerabilities. Common issues include insecure password reset processes and the use of default or shared local "Administrator" passwords, enabling attackers to easily move laterally across networks and escalate to Domain or Enterprise administrator privileges.
Exploiting common, weak, reused, and default passwords is a very simple and effective way to gain access to a myriad of systems and services on an internal penetration test. 'Password Spraying' attacks, which involve trying a small list of very common weak passwords across all accounts within the domain, almost always result in the compromise of at least one standard domain user account.
This low-level access can often be leveraged to identify further vulnerabilities, which can then be used to access hosts and escalate privileges on individual hosts or within the domain. These attacks highlight passwords that are common and reused across a high number of accounts. This can indicate an insecure password reset process, or users choosing passwords based on something relating to the company, such as the company name or location.
Another common password faux pas is to use default or shared local "Administrator" passwords across all, or most of, the Windows hosts. Once an attacker has established a foothold on a single host it is then trivial to traverse laterally across the Windows estate. At this point, by extracting credentials, tokens or tickets from memory, pivoting into other networks and attacking other related services it is often only a matter of time before privileges can be escalated to that of Domain or Enterprise administrator.
What to do
Domain Policy
Configure a secure default domain password and lockout policy to mitigate simple password guessing and spraying attacks. Designing your password policy is a fine balance between security, user friction, and the potential impact on the IT support function. The following prescriptions need to be evaluated within the context of your business and applied accordingly.
Microsoft Security Compliance Toolkit (MSCT) Recommended Password Policy:
- Enforce password history: 24 passwords remembered
- Maximum password age: not set
- Minimum password age: not set
- Minimum password length: 14 characters
- Password must meet complexity requirements: Enabled
- Store passwords using reversible encryption: Disabled
Microsoft Security Compliance Toolkit (MSCT) Recommended Lockout Policy:
- Account lockout duration: 15 minutes
- Account lockout threshold: 10 invalid logon attempts
- Reset account lockout counter after: 15 minutes
This is an "acceptable starting point" for your organisation but would still allow an internal attacker to try around nine passwords every 15 minutes against all accounts. If you would like to implement a more secure policy, I recommend the following:
- Account lockout duration: 30 minutes
- Account lockout threshold: 3 invalid logon attempts
- Reset account lockout counter after: 30 minutes
Note: This may result in an increase in the number of accidental lockouts, and therefore in calls to IT support.
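An added example (not from the original post) of applying the settings above with the ActiveDirectory PowerShell module: the MSCT password settings plus the stricter lockout values recommended above. The domain name is a placeholder, and the commands assume RSAT and rights to edit the Default Domain Policy.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module and rights to edit the Default Domain Policy; the domain is a placeholder.
Import-Module ActiveDirectory

$domain = 'corp.example'   # placeholder: replace with your domain's DNS name

# Record the current settings first so the change can be reviewed and reverted.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
    ReversibleEncryptionEnabled, LockoutThreshold, LockoutDuration,
    LockoutObservationWindow | Format-List

# MSCT password settings plus the stricter lockout values from above.
# Maximum and minimum password age are deliberately left untouched ("not set").
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Confirm the result; LockoutObservationWindow must not exceed LockoutDuration.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Add -WhatIf to the Set- command to preview the change before committing it.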
Password Selection
Educate users on the importance of strong passwords and consider banning passwords that meet complexity requirements but are common, such as those based on common words like "password", seasons, months, days, the name of the area, and organisation.
Azure AD password protection is a powerful service from Microsoft that enables you to block common weak passwords and create custom blacklists of weak passwords relevant to your organisation. Other tools and password audit techniques exist for non-Azure based directories. Encourage users to use password managers, which run on and sync across their workstations and mobile devices, so that they can use long, complex passwords without having to remember them.
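An added example (not from the original post, and not Azure AD Password Protection itself) of the kind of custom banned-password check described above: candidates are normalised (lower-cased, trailing digits and symbols stripped, common letter-for-symbol substitutions reversed) and then compared against organisation-specific banned words. The banned list, company name and candidate passwords are constructed.

```powershell
# Added example, not from the original post. A simplified banned-password check:
# the banned words, fictional company name and candidates are all constructed.
function Test-BannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedWords
    )
    # Lower-case, then strip the trailing digits/symbols users append to satisfy
    # complexity rules ("Summer2024!" -> "summer").
    $normalised = $Password.ToLowerInvariant() -replace '[^a-z]+$', ''

    # Reverse common substitutions ("p@ssw0rd" -> "password"). No replacement
    # character is itself a key, so the order of application does not matter.
    $substitutions = @{ '@'='a'; '4'='a'; '3'='e'; '1'='i'; '!'='i';
                        '0'='o'; '$'='s'; '5'='s'; '7'='t' }
    foreach ($key in $substitutions.Keys) {
        $normalised = $normalised.Replace($key, $substitutions[$key])
    }

    foreach ($word in $BannedWords) {
        if ($normalised.Contains($word.ToLowerInvariant())) {
            return [pscustomobject]@{ Password = $Password; Banned = $true; MatchedWord = $word }
        }
    }
    return [pscustomobject]@{ Password = $Password; Banned = $false; MatchedWord = $null }
}

# Constructed banned list: dictionary words, seasons, months and days, plus the
# name and location of a fictional company.
$banned = @('password', 'welcome', 'summer', 'winter', 'spring', 'autumn',
            'january', 'monday', 'contoso', 'london')

# Constructed candidates; every one of them passes default Windows complexity.
'P@ssw0rd1!', 'Summer2024!', 'C0nt0so#99', 'L0nd0n-HQ2024', 'Tr0ub4dor&3-xkcd' |
    ForEach-Object { Test-BannedPassword -Password $_ -BannedWords $banned }
```

The first four candidates are flagged (password, summer, contoso, london); only the last one passes.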
Default Passwords
When commissioning and deploying new systems and services onto the network, ensure that all default user and administrator credentials have been reconfigured to something strong and unique. This includes switches, routers, printers and cameras, as well as server software like Tomcat and JBoss. This could be part of a formal security audit that is signed off and accepted during production acceptance / release readiness.
Administrator Passwords
All Administrative passwords should be a minimum of 14 characters and consist of mixed case letters, numbers, and symbols. Ideally, they should be completely random and unique across all the Windows hosts on which they are used. Microsoft's Local Administrator Password Solution (LAPS) can help you achieve this. It is also recommended to permanently lock out administrative accounts when the lockout threshold has been breached and to investigate further when this occurs, as this is often a sign of malicious activity.
Additionally, service accounts, which usually afford greater privileges, should be configured with very long, randomly generated passwords of at least 25 characters, as once they are set up they will not be used interactively on a day-to-day basis. Using Windows "Managed Service Accounts" is a good way of ensuring that these accounts' passwords are appropriate and changed regularly.
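An added example (not from the original post) of the service-account advice above: creating a group Managed Service Account (gMSA) whose long random password is generated and rotated by Active Directory, and auditing legacy service accounts whose passwords have not changed in a long time. The domain, host and account names are placeholders, and the commands assume the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# Domain Admin rights and placeholder names (corp.example, WEB01, gmsa-web).
Import-Module ActiveDirectory

# One-off per forest: gMSA passwords are derived from the KDS root key.
# -EffectiveImmediately is for a lab; in production omit it and allow
# 10 hours for the key to replicate before creating accounts.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group can retrieve the managed password.
New-ADGroup -Name 'gMSA-WebServers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-WebServers' -Members 'WEB01$'

# The password is long, random, rotated automatically every 30 days and never
# handled by a human, which meets the 25+ character recommendation above.
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'gmsa-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebServers' `
    -ManagedPasswordIntervalInDays 30

# On WEB01 (after a reboot so its new group membership takes effect):
#   Install-ADServiceAccount -Identity 'gmsa-web'
#   Test-ADServiceAccount -Identity 'gmsa-web'    # returns True when usable

# Audit the legacy side: user accounts carrying an SPN are service accounts, and
# one whose password has not changed in over a year is a migration candidate.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddYears(-1) } |
    Select-Object SamAccountName, PasswordLastSet
```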
