Disclaimer: This post is for educational and defensive security purposes only. Never use the information and techniques shown here for anything illegal or on systems where you don’t have explicit permission. Doing so could break the law and get you into serious trouble.
Summary
This SecCore Essential summarizes important password-related configurations. It is considered implemented if the following conditions are met:
- An on-premises password policy with at minimum the following settings:
  - Minimum password length: 12 characters
  - Password must meet complexity requirements: Enabled
  - Enforce password history: 24 passwords remembered
  - Store passwords using reversible encryption: Disabled
  - Account lockout threshold: 5 invalid logon attempts
- A cloud password policy with at least the following settings:
  - Minimum password length: 12 characters
  - Multi-Factor Authentication required for all users
- A procedure for assigning unique local administrator / root passwords for every device is in place
- No devices with default passwords are accessible in the network
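The following PowerShell is an added example, not part of the SecCore post: it reads the default domain password policy and compares each setting with the on-premises thresholds listed above, and it lists enabled computers that have no Windows LAPS-managed local administrator password (the unique-password procedure above and the LAPS mitigation at the end of this post). It assumes the ActiveDirectory RSAT module, a domain-joined session with read access, and that Windows LAPS (not legacy LAPS) is used; fine-grained password policies (PSOs) are not evaluated here.

```powershell
# Added example (not the SecCore post's code). Requires the ActiveDirectory module
# from RSAT and a domain-joined session. Note: fine-grained password policies can
# override the default domain policy for specific groups; check them separately
# with Get-ADFineGrainedPasswordPolicy -Filter *.
Import-Module ActiveDirectory

function Test-SecCorePasswordPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Expected values taken from the summary of this Essential.
    # LockoutThreshold 0 means "never lock out", so it must be between 1 and 5.
    $checks = @(
        @{ Name = 'MinPasswordLength';           Actual = $policy.MinPasswordLength;           Ok = ($policy.MinPasswordLength -ge 12) }
        @{ Name = 'ComplexityEnabled';           Actual = $policy.ComplexityEnabled;           Ok = ($policy.ComplexityEnabled -eq $true) }
        @{ Name = 'PasswordHistoryCount';        Actual = $policy.PasswordHistoryCount;        Ok = ($policy.PasswordHistoryCount -ge 24) }
        @{ Name = 'ReversibleEncryptionEnabled'; Actual = $policy.ReversibleEncryptionEnabled; Ok = ($policy.ReversibleEncryptionEnabled -eq $false) }
        @{ Name = 'LockoutThreshold';            Actual = $policy.LockoutThreshold;            Ok = (($policy.LockoutThreshold -ge 1) -and ($policy.LockoutThreshold -le 5)) }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = $c.Actual
            Status  = if ($c.Ok) { 'OK' } else { 'FAIL' }
        }
    }
}

function Get-ComputersWithoutLaps {
    # Windows LAPS stamps msLAPS-PasswordExpirationTime on every computer object it
    # manages; an enabled computer without this attribute has no managed local
    # administrator password and is a candidate for shared-password lateral movement.
    Get-ADComputer -Filter { Enabled -eq $true } -Properties 'msLAPS-PasswordExpirationTime' |
        Where-Object { -not $_.'msLAPS-PasswordExpirationTime' } |
        Select-Object Name, DNSHostName
}

Test-SecCorePasswordPolicy | Format-Table -AutoSize
Get-ComputersWithoutLaps   | Format-Table -AutoSize
```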
Introduction
Passwords are the key to secure systems. Especially in on-premises environments, where Multi-Factor Authentication (MFA) cannot be easily enforced, they need to be securely generated and stored. A compromised password usually leads to account or system takeover, which attackers can use to gain a stronger foothold in a network.
External services are under constant threat of brute-force (trying multiple passwords against an account) or password spraying (trying a single password against multiple accounts) attacks, which makes the enforcement of MFA a necessity.
Common Attack Vectors
This section describes common attack methods that exploit weak password hygiene.
Brute-Force Attacks
A brute-force attack is a simple attack method in which an attacker attempts to access a specific account by automatically trying multiple different passwords. This can be carried out online (testing passwords against a live system) or offline (trying to crack a password hash).
Online brute-force can be a threat to external systems if no rate limiting is in place. In a securely configured Active Directory domain, this should not be an issue due to the account lockout policy, which locks an account after a specific number of incorrect password attempts.
For an offline attack, the attacker already needs to be in possession of encrypted data or password hashes. These can be obtained via various other attacks, such as Kerberoasting.
In order to make brute-force attacks more efficient, attackers usually use custom wordlists that are tailored to a target account or system. For example, the tool CeWL [1] can be used to scrape common words from an organization's website and create a list of possible passwords.

Password Spraying
In contrast to a brute-force attack, password spraying works the other way around: an attacker tries a single password against multiple users. This circumvents account lockout policies and can be done quickly and efficiently. This attack is usually carried out online, since for offline cracking a brute-force attack is more efficient.
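Because spraying deliberately stays below the lockout threshold, it shows up in logs as one or two failed logons per account across many accounts from the same source, rather than many failures on one account. The PowerShell below is an added example, not part of the SecCore post: it applies that pattern to constructed sample records shaped like Windows Security event 4625 (status 0xC000006A = wrong password, 0xC0000064 = unknown user); in production the records would come from Get-WinEvent or a SIEM instead, and the thresholds are assumptions to tune per environment.

```powershell
# Added example (not the SecCore post's code). The records below are constructed
# sample data mimicking the fields of Windows Security event 4625.
$events = @(
    [pscustomobject]@{ Time = '09:00:01'; TargetUser = 'alice'; Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:02'; TargetUser = 'bob';   Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:03'; TargetUser = 'carol'; Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:04'; TargetUser = 'dave';  Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:05'; TargetUser = 'erin';  Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:06'; TargetUser = 'frank'; Source = '10.0.5.20'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = '09:00:07'; TargetUser = 'ghost'; Source = '10.0.5.20'; Status = '0xC0000064' }  # unknown user, ignored
    [pscustomobject]@{ Time = '09:01:00'; TargetUser = 'carol'; Source = '10.0.7.9';  Status = '0xC000006A' }  # same user repeated:
    [pscustomobject]@{ Time = '09:01:01'; TargetUser = 'carol'; Source = '10.0.7.9';  Status = '0xC000006A' }  # looks like brute force,
    [pscustomobject]@{ Time = '09:01:02'; TargetUser = 'carol'; Source = '10.0.7.9';  Status = '0xC000006A' }  # not spraying
    [pscustomobject]@{ Time = '09:01:03'; TargetUser = 'carol'; Source = '10.0.7.9';  Status = '0xC000006A' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] $Events,
        [int] $MinDistinctUsers = 5,   # many different accounts from one source ...
        [int] $MaxPerUser = 2          # ... each tried only a few times (below lockout)
    )
    $Events |
        Where-Object { $_.Status -eq '0xC000006A' } |      # wrong password only
        Group-Object Source |
        ForEach-Object {
            $perUser    = $_.Group | Group-Object TargetUser
            $distinct   = $perUser.Count
            $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum
            if ($distinct -ge $MinDistinctUsers -and $maxPerUser -le $MaxPerUser) {
                [pscustomobject]@{
                    Source             = $_.Name
                    DistinctUsers      = $distinct
                    MaxAttemptsPerUser = $maxPerUser
                    Verdict            = 'possible password spray'
                }
            }
        }
}

# With the sample data, only 10.0.5.20 is reported; 10.0.7.9 hits one account repeatedly.
Find-PasswordSpray -Events $events | Format-Table -AutoSize
```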

Password Reuse
One of the most common problems regarding passwords is password reuse. If a password is used for more than one service or account, an attacker can use this to their advantage by compromising all components that use the same password at once.
If several computers share the same local administrator password, an attacker that gains administrative privileges on one system can then easily log on to all other computers with the same password. The local administrator password does not even have to be cracked, because the NTLM password hash is always identical if the passwords are the same.
The same applies to user accounts: If a low-privileged user shares the password with a high-privileged one, the high-privileged one can be compromised. Even if there are no apparent connections between these accounts, Password Spraying can be used to gain access to all accounts sharing the same password.
The same applies to private accounts. If a user's password is stolen from one website and they use the same password for online banking or email services, these services can also be compromised by an attacker if no MFA is used.
Default Passwords
Many devices and services are configured with publicly available default passwords. This is sometimes needed for initial configuration, and the passwords should be changed as soon as the system has been set up.
If this is not done, however, an attacker can search for default passwords for management or configuration interfaces and use them to log in to these systems. They may then be able to read sensitive information, change configurations and upload malicious firmware files or software packages.
Attack Scenario
This section demonstrates how attackers exploit weak password configurations to move laterally between systems. The setup of this attack scenario is as follows:
- Network segmentation is not properly configured
- The attacker has a foothold in the internal network with user credentials
- The attacker gives no consideration to OPSEC; the most straightforward approach is used
Since the attacker has already compromised a client workstation, they can use this access to read out the password policy of the Active Directory domain with NetExec [2]:
As can be seen in the screenshot, the password policy is quite weak, allowing short passwords and no complexity requirements. Additionally, no lockout policy is in place, making it easier for attackers to guess passwords. With this information in mind, the attacker can use password spraying techniques, such as checking for usernames as passwords, to compromise additional accounts:
After a few tries, the attacker successfully compromises another user account, t2claire@lab.local. This account has administrative access to the system client1.lab.local, which is indicated by NetExec's (Pwn3d!) marker. With these privileges the SAM and SYSTEM hives of the registry can be dumped, which contain the password hashes of all local accounts:
Since a local administrator password solution like Windows LAPS [3] is not in place, the password hashes can be sprayed across the network to compromise additional systems like srv1.lab.local:

Mitigation
When this essential security measure is implemented, it is not possible to guess usernames as passwords anymore:
Additionally, even if a client workstation is compromised, the attacker cannot reuse its local administrator password hash to compromise additional systems when a password solution like Windows LAPS is in place:
