So another year has passed, and what an active year it was, chock-full of security events, breaches, and account dumps! Breached accounts continue to pop up on multiple sale sites, and we continue to see a trend that has plagued the industry for years and years… password reuse.
I know what you're thinking: "Oh boy, another blog about password reuse and why it's horrible!" But there's a good reason why we see so many of these write-ups. It's still a very serious issue that continues to impact organizations over and over again. That being said, I'll try not to stand on this soapbox beating this zombie horse for too long and get to something that can be interesting.
Why password reuse is bad:
Passwords continue to be one of the weakest security features applied to authentication mechanisms. According to multiple studies, approximately 60 percent of the internet's user base is guilty of reusing passwords across platforms (websites, games, work, etc.). Math is definitely not my strong point, but taking the figures as they are and applying that potential 60 percent to my organization's user base, I would be pretty nervous as a systems administrator (as if we're not nervous enough as it is…).
Oh, get to the good stuff already…:
While trying to come up with something worthwhile to write about, I was looking through KitPloit and stumbled upon one of the entries listed there: CredMap: The Credential Mapper (GitHub and initial blog post).
As we know, a large number of users reuse their credentials from one site or service to another. CredMap allows us to quickly check through these services by defining a new XML file for each site and either checking a one-off user account or importing a list of credentials to try (one per line, in Username:Password form). As an attacker, this tool can be pretty useful, as it allows us to cycle through multiple services and sites and quickly identify where authentication was successful.
As a defender, how can we put a tool like this to use? At first I thought about how awesome it would be to map this into an internal password audit and see where a user might be using their domain credentials externally. I quickly dumped that idea, as I am sure the legal implications of conducting a test like that would be astronomical. But what if we defined new XML files for our internal sites? I am sure most of you make use of separate credentials for administration tasks (you do use a separate set of creds, right? RIGHT?), so could we create new XML files for our management networks, dump and attempt to crack any hashes, and then use a tool like this to see where our admins are reusing passwords? How about members of an account management team: do we have internal sites where we manage client-related data? Could we then follow the same process as before, but instead of focusing on infrastructure management, shift fire to the areas where we manage critical data sets? I think the tool has a good amount of potential for defender and pen tester alike.
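To make the defender-side audit concrete, here is an added example (my own illustration, not CredMap's code or anything from its project) of the two pieces a practitioner ends up writing for an internal reuse audit: a parser for the Username:Password list format mentioned above, and an offline comparison that flags accounts sharing the same password hash. The comparison works on hashes alone, so it does not need any cracking to spot the worst case (an admin account and its everyday counterpart on the same password). The `-adm` naming convention, the sample accounts and the use of SHA-256 as a stand-in for a real directory hash are all assumptions made for this example; substitute your own hash export and naming scheme.

```python
"""Offline password-reuse audit over constructed sample data (added example)."""
import hashlib
from collections import defaultdict


def parse_credential_lines(lines):
    """Parse 'Username:Password' lines into (user, password) tuples.

    Splits on the FIRST colon only, so passwords containing ':' survive.
    Blank lines, '#' comments and lines without a separator are skipped.
    """
    creds = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, password = line.split(":", 1)
        creds.append((user, password))
    return creds


def stand_in_hash(password):
    """Stand-in for a directory password hash (assumption: real audits use the exported hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused_hashes(account_hashes):
    """Group accounts by hash; return only groups with more than one account."""
    by_hash = defaultdict(list)
    for account, digest in account_hashes.items():
        by_hash[digest].append(account)
    return {h: sorted(accts) for h, accts in by_hash.items() if len(accts) > 1}


def admin_pairs_sharing_password(account_hashes, admin_suffix="-adm"):
    """Flag users whose admin account shares a hash with their everyday account."""
    pairs = []
    for account, digest in account_hashes.items():
        if account.endswith(admin_suffix):
            continue
        admin = account + admin_suffix
        if admin in account_hashes and account_hashes[admin] == digest:
            pairs.append((account, admin))
    return sorted(pairs)


# Constructed sample export: everyday and admin accounts with their (stand-in) hashes.
SAMPLE_ACCOUNTS = {
    "alice": stand_in_hash("Winter2019!"),
    "alice-adm": stand_in_hash("Winter2019!"),   # same password on both tiers
    "bob": stand_in_hash("correct horse battery"),
    "bob-adm": stand_in_hash("a different one"),
    "carol": stand_in_hash("Winter2019!"),        # shares alice's password
}


if __name__ == "__main__":
    for digest, accounts in find_reused_hashes(SAMPLE_ACCOUNTS).items():
        print(f"hash {digest[:12]}... shared by: {', '.join(accounts)}")
    for user, admin in admin_pairs_sharing_password(SAMPLE_ACCOUNTS):
        print(f"tier reuse: {user} and {admin} use the same password")
```

Run against a real export, the `find_reused_hashes` output is the list to hand to the affected users (or to feed into the per-site checks the post describes), and the `admin_pairs_sharing_password` output is the list to act on first.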