Gaining access to a remote system always gives us pentesters a feeling of satisfaction. Specifically, gaining remote command execution on a system is the ultimate goal for a pentester, in order to gain an initial foothold into the target’s system. Besides direct exploitation, web application attacks, and other means of penetration, the most common and successful attack vectors during a pentest are password attacks. The re-use of passwords and insufficient password policy enforcement are the most common vulnerabilities that can be identified across all information networks, be it enterprises or small offices, as well as applications (e-mails, file sharing, etc). But how should a pentester handle the passwords encountered during an engagement? If they’re added to his/her password list, it’ll make things easier in future engagements and will also serve the client better. But is this the ethical thing to do?
During internal VA engagements we’re usually(!) given access to the administrative passwords, which we can then use to configure our scanners to log in to the systems and acquire their policy settings. At some engagements we’re provided with a custom administrative account, created only for us; or our clients change their administrators’ account passwords to temporary ones that they can share for the duration of the project. But sometimes, for example when we are assessing a production system, we’re provided with the actual administrative credentials.
Everyone in the InfoSec community knows that passwords are reused. It is common knowledge that developers (and administrators, for that matter) tend to think in a more practical, rather than secure, way when choosing passwords. I’ve been involved in numerous engagements in which administrative credentials shared a similar pattern with each other, with easy-to-type-and-remember passwords, often in disregard of company policy on the creation of new passwords. In addition, password policies are not always enforced for super-user accounts. We often see passwords which are essentially the company name in Leet, i.e. a combination of ASCII characters that replace letters – e.g. “M1cros0ft!”. The best way to completely eradicate vulnerabilities related to weak passwords and password re-use is to make everyone understand their effect, especially since this issue can’t be resolved by an automated, backend process.
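One defensive counterpart to the “company name in Leet” pattern described above is a password filter that undoes common character substitutions before comparing a candidate against a banned-term list. The following is an added example, not code from the original post; the substitution table and the `min_length` value are my own assumptions, and the banned terms are constructed sample input.

```python
import re
from typing import List, Optional

# Heuristic reverse-Leet table (an assumption, not an exhaustive standard):
# each digit/symbol is folded back to the letter it most often stands in for,
# so "M1cros0ft!" and "Microsoft" normalise to the same letter sequence.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
})


def normalize(password: str) -> str:
    """Lower-case, reverse Leet substitutions, then keep letters only."""
    folded = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def contains_banned_term(password: str, banned_terms: List[str]) -> Optional[str]:
    """Return the banned term embedded in the de-Leeted password, or None.

    Terms shorter than four letters are skipped to avoid false positives
    on short substrings that occur in many unrelated passwords.
    """
    norm = normalize(password)
    for term in banned_terms:
        folded_term = normalize(term)
        if len(folded_term) >= 4 and folded_term in norm:
            return term
    return None


def check_password(password: str, banned_terms: List[str], min_length: int = 12) -> List[str]:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    term = contains_banned_term(password, banned_terms)
    if term is not None:
        problems.append(f"derived from banned term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the company name and a product name as banned terms.
    banned = ["Microsoft", "Windows"]
    for candidate in ["M1cros0ft!", "W1nd0w$-Admin-2024", "correct-horse-battery"]:
        print(candidate, "->", check_password(candidate, banned) or "OK")
```

The same check can be applied to privileged accounts during provisioning, which is exactly where the post notes that policy enforcement tends to be skipped.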
Therein lies the ethical dilemma for some pentesters. Since our work is based on our experience, and since the goal of a penetration test is to emulate all possible attack vectors a dedicated attacker might try, should we add the passwords we’ve identified to our password list for re-use in future projects – especially when these follow an easy-to-use-and-remember pattern? Would that be in line with work/community ethics?
What’s your take? If you’re a system admin – how do you handle password policy? If you’re a fellow pentester – what do you do with client passwords?