
How to analyze weak passwords in web vulnerability exploitation

2025-02-25 Update, from SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article explains how weak passwords are analysed and exploited in web vulnerability exploitation. The editor considers it very practical and shares it here in the hope that readers will take something away from it. Let's go through it together.

I. Definition

"Weak password" has no strict or precise definition; it is generally taken to mean a password that is easily guessed by others (possibly people who know you well) or recovered by cracking tools. Typically a weak password consists only of simple digits or letters, such as "123" or "abc". Because such passwords are so easily cracked, they put the user's computer at risk, and users are advised not to use them.

In recent years there has been an endless stream of information-leak incidents, some of them caused by weak passwords. On the eve of the 2015 Spring Festival travel season, a user of the WooYun ("Dark Cloud") vulnerability-reporting platform posted that a large amount of 12306 user data was being circulated and sold online, and it was rumoured that the attackers had obtained the 12306 data through credential stuffing (reusing credentials leaked from other sites). The following statistics on the leaked 12306 passwords were compiled by security enthusiasts:

The root cause of weak passwords is insufficient personal security awareness: setting the password to a simple numeric sequence (123456) so that it is easy to remember, using one's own birthday, or simply keeping the system's default password. Since most information systems today authenticate with an account name and password, these simple weak passwords let an attacker obtain control of the system directly.

Weak system passwords are one of the most common entry points in penetration work, whether on a web application or on a VPN, bastion host, border router or firewall, and also in the form of passwords built from a specific company's or business's context. Once logged in, the user can upload a webshell, obtain sensitive information, register user accounts, or even obtain a system shell, which may lead to far greater risk.

II. Generating a weak-password dictionary

Many people embed personal identity information in their passwords to make them easy to remember. If you know a user to some extent, you can collect that user's information (birthday, * * number, mobile phone number, user name, licence plate number, website name, address, and so on; Chinese information can be used in Pinyin form) and then try to recover the password by brute force. Most people also reuse the same password across several accounts, so cracking someone's QQ password may also give you the password to their forum, email, Weibo and game accounts.

When generating a weak-password dictionary for a company or group, relevant information can be collected from a number of websites:

Inquiry by national social organizations

Http://www.chinanpo.gov.cn/search/orgindex.html

Tianyancha ("Heavenly Eye" search): commercial security tool, enterprise information query, company query, industry and commerce query, enterprise credit information system

Https://www.tianyancha.com/

ICP/IP address / Domain name Information filing Management system of the Ministry of Industry and Information Technology

Http://www.beian.miit.gov.cn/publish/query/indexFirst.action

There are many websites like this.

In addition, more and more back-end weak passwords use @, *, & and similar special characters to increase password complexity. Such characters raise the cost of brute forcing, but there are still rules to follow: for example, test@ followed by the company name, or the current year @ the company name. A dictionary generator can produce such dictionaries specifically (BaiLu social-engineering dictionary generator: https://github.com/HongLuDianXue/BaiLu-SED-Tool).

Take admin@huawei as an example. A password of this shape can be broken down into three items: an information item, a symbol item and a weak-string item.

The information items are details related to the target, such as Admin or Huawei; the symbol items are the symbols used in the combination, such as space, @, _, !, #, $ and so on; the weak-string items are the "weak password" strings commonly used in combinations, such as 123, 001, abc, 2012 and so on. In the tool, the "Item A" input box is empty initially and takes the "information item" of the social-engineering weak password described above; the tool also has a "result deduplication" check box, which removes duplicate lines from the generated dictionary file.

III. Weak-password brute forcing

1. The most common weak-password detection method: Burp's Intruder module

First capture the request in proxy mode, then right-click and choose Send to Intruder.

In Intruder, mark the password field as the variable (assuming the administrator account is known to be admin; you can also fix the password and brute-force the user name, or run a user name and password dictionary at the same time).

In the Payloads tab choose Load, select the path of the password dictionary and load it. Then click Start attack in the upper right corner to try to brute-force the admin account's password.

Judging by the length of the response, the weak password of the admin account is found to be admin.

There are also tools for brute-forcing SSH, FTP and other services with weak passwords; their use is much the same. An article on brute-forcing SSH was written some time ago, which interested readers can look up.

2. Super weak password checking tool (https://github.com/shack2/SNETCracker)

This is a weak-password audit tool for Windows. It supports batch, multi-threaded checking and can quickly find weak passwords and weak-password accounts; it supports checking combinations of user names and passwords, which greatly improves the success rate, and it supports custom service ports and dictionaries.

First select the services to be checked (several can be chosen), then enter the target IP address, domain name or IP range; the target can be a single IP or an IP segment, and the range format must be like 192.168.1.1-192.168.200.1 or 192.168.1.1-192.168.1.200. Addresses can also be imported, one IP per line. Then set up the account dictionary and password dictionary: either choose a dictionary file or enter a single account or password. The remaining options can be ticked as needed.

3. web_pwd_common_crack

A generic web weak-password cracking script developed by our team lead, intended for batch detection of management back ends that have no CAPTCHA.

Project address https://github.com/TideSec/web_pwd_common_crack

Installation

Pull it down from GitHub:

git clone https://github.com/TideSec/web_pwd_common_crack

Install the dependencies from requirements.txt:

pip install -r requirements.txt

Then simply run the script:

python web_pwd_crack.py url.txt 50

url.txt holds the URLs to be tested; you can write a script to collect them in batch from a search engine, or gather them with a directory enumeration tool. 50 is the number of threads, and is also the default.

4. The following are common weak passwords for different backend types:

Database (phpmyadmin): account: root, password: root, root123, 123456

Tomcat: account: admin, tomcat, manager, password: admin, tomcat, admin123, 123456, manager

Jboss: account: admin, jboss, manager, password: admin, jboss, manager, 123456

Weblogic: account: weblogic, admin, manager, password: weblogic, admin, manager, 123456

5. Weak passwords for security devices (shared by people online)

Tianrongxin firewall, no certificate required. Login address: https://192.168.1.254, user name: superman, password: talent. Technical support hotline: 8008105119

Tianrongxin firewall, no certificate required. Login address: https://192.168.1.254, talent 8080, user name: superman, password: 23. When replacing a device, back up the configuration of the old device first and then import it into the new one; console login uses the same user name and password as the web interface, the command system config reset clears the configuration and save saves it.

Lenovo firewall, certificate required (preferably with Internet Explorer). Login address: https://10.1.5.254:8889, user name: admin, password: leadsec@7766, administrator, bane@7766. Technical support hotline: 4008107766, 010-56632666

Sangfor firewall (note that the management address of a security device is not fixed): https://10.251.251.251 or https://10.254.254.254, user name: admin, password: admin. Technical support hotline: 4006306430

Venustech: https://10.1.5.254:8889, user name: admin, password: bane@7766; https://10.50.10.45:8889, user name: admin, password: admin@123; client-side IP: 10.50.10.44/255.255.255.0. Technical support hotline: 4006243900

Juniper. Login address: https://192.168.1.1, user name: netscreen, password: netscreen

Cisco. Login address: https://192.168.0.1, user name: admin, password: cisco

Huawei. Login address: http://192.168.0.1, user name: admin, password: Admin@123

H3C. Login address: http://192.168.0.1, user name: admin, password: admin. Technical support hotline: 4006306430

NSFOCUS IPS: https://192.168.1.101, user name: weboper, password: weboper; configuration takes effect after a restart

https://10.50.10.45, user name: admin, password: firewall. Technical support hotline: 4006108220

Sangfor VPN: port 51111, delanrecover

Huawei VPN: account: root, password: mduadmin

Huawei firewall: admin, Admin@123, eudemon

Eudemon / Juniper firewall: netscreen, netscreen

DPtech, 192.168.0.1, default user name and password: admin/admin_default

Hillstone, 192.168.1.1, default management account: hillstone, password: hillstone

Anheng Mingyu firewall: admin/adminadmin

A bastion host: shterm/shterm

Tianrongxin VPN: test/123456

How to find these devices on the network

(1) https://www.shodan.io/

Shodan is a search engine, but unlike Google, which indexes web sites, Shodan indexes devices connected to the Internet. You can use it to search for a specific device or for a particular type of device.

For example, to search for Hikvision webcams located in Nanjing: Hikvision-Webs country:"CN" city:"Nanjing"

After connecting to the returned IP addresses, one can try logging in with weak passwords.

(2) ZoomEye

Https://www.zoomeye.org/

For example, search the weblogic server: app: "Oracle WebLogic Server"

IV. Hardening suggestions

Some ways to prevent weak passwords:

Do not use empty passwords or the system's default passwords; an attacker can try these at essentially no cost, and they are the typical weak password.

Set long, high-complexity passwords.

Do not use runs of a single character (for example AAAAAAAA) or repeated groups of characters (123123).

Use a mix of uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters, with at least one character from each class.

Avoid including the names, dates of birth, anniversaries, login names, e-mail addresses or other details of yourself, your parents, children or spouse, as well as dictionary words.

Passwords should not be dictionary words with some letters replaced by digits or symbols.

Change passwords regularly.
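As an added illustration (this code is not from the original article nor from the BaiLu tool), the following Python validator applies the rules listed in this section and also rejects the information-item / symbol-item / weak-string shape described in section II. The word lists and the 12-character minimum are assumptions; an organisation would substitute its own names, brands and leaked-password lists.

```python
import re

# All word lists below are constructed samples for this example; a real deployment
# would load them from the organisation's own lists (names, brands, domain labels).
DEFAULT_PASSWORDS = {"", "admin", "root", "password", "123456", "tomcat",
                     "manager", "weblogic", "jboss", "netscreen", "cisco"}
INFO_ITEMS = {"huawei", "admin", "test", "manager", "root"}     # "information items"
WEAK_STRINGS = {"123", "1234", "123456", "001", "abc", "111", "2012", "2024", "2025"}
DICT_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
SYMBOLS = r"[ @_!#$%^&*.\-]*"                                    # "symbol items"
LEET = str.maketrans("@$!01345", "asioleas")  # undo common letter-to-symbol swaps

def normalise(pw):
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)

def check_password(pw, personal=()):
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds the user's own details (name, login, birthday, e-mail local part)."""
    problems = []
    low, norm = pw.lower(), normalise(pw)
    if low in DEFAULT_PASSWORDS:
        problems.append("empty or system default password")
    if len(pw) < 12:                                  # minimum length is an assumption
        problems.append("shorter than 12 characters")
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs upper, lower, digit and special character")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more identical consecutive characters")
    if re.search(r"(.{2,})\1", low):
        problems.append("repeated character group such as 123123")
    for item in sorted(INFO_ITEMS) + [str(p).lower() for p in personal if p]:
        if item in norm or item in low:
            problems.append("contains personal or organisation information: " + item)
    for word in sorted(DICT_WORDS):
        if word in norm or word in low:
            problems.append("dictionary word, possibly with substitutions: " + word)
    # The info@weak-string shape that social-engineering dictionary generators target.
    parts = "|".join(map(re.escape, INFO_ITEMS | WEAK_STRINGS))
    if re.fullmatch(rf"(?:{parts}){SYMBOLS}(?:{parts})", low):
        problems.append("matches the information@weak-string pattern")
    return problems

if __name__ == "__main__":
    for candidate in ("admin", "Huawei@2025", "P@ssw0rd2024!", "Correct-Horse7Battery!"):
        print(candidate, "->", check_password(candidate) or "OK")
```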

Some ways to prevent brute-force attacks:

Limit the number of login attempts, or require longer passwords with more character classes so that brute forcing takes far longer.

Make the password as complex as possible.

When too many failed logins are seen from the same IP address, require additional authentication or block that IP.

After more than five or ten failures, require a CAPTCHA or SMS verification on login, and limit the number of verification attempts.

Delays can also be added to slow down brute forcing; this slows single-threaded attacks, but is much less effective against multi-threaded ones.

That is how weak passwords are analysed in web vulnerability exploitation. The editor believes some of these points will come up in everyday work, and hopes you have learned something from this article. For more details, please follow the industry information channel.
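The throttling described in the list above, as an added Python example (not code from the original article): it counts failures per source IP and per account, steps up to CAPTCHA after the fifth failure, blocks after the tenth, and returns a growing delay. Counting per account and per IP together is what makes the limits hold against multi-threaded or spread-out attempts, which a plain delay alone does not. The thresholds and window are assumptions.

```python
import time
from collections import defaultdict

# Thresholds are assumptions chosen to match the article's "five or ten" failures.
CAPTCHA_AFTER = 5      # step up to CAPTCHA or SMS verification after this many failures
BLOCK_AFTER = 10       # refuse further attempts from the source after this many
WINDOW = 600           # failures older than this many seconds are forgotten
BASE_DELAY = 1.0       # added response delay doubles per failure, capped at MAX_DELAY
MAX_DELAY = 30.0

class LoginThrottle:
    """Counts failed logins per source IP and per account, so a dictionary run spread
    over many accounts (spraying) or many threads still trips the limits."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)       # key -> timestamps of recent failures

    def _recent(self, key):
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return len(self.failures[key])

    def decide(self, ip, account):
        """Return ('allow' | 'captcha' | 'block', delay_seconds) for the next attempt."""
        n = max(self._recent("ip:" + ip), self._recent("acct:" + account))
        if n >= BLOCK_AFTER:
            return "block", MAX_DELAY
        delay = min(BASE_DELAY * 2 ** n, MAX_DELAY) if n else 0.0
        return ("captcha" if n >= CAPTCHA_AFTER else "allow"), delay

    def record(self, ip, account, success):
        """Update the counters after the password (and CAPTCHA, if required) was checked."""
        if success:
            self.failures.pop("acct:" + account, None)   # a real login clears the account
        else:
            now = self.clock()
            self.failures["ip:" + ip].append(now)
            self.failures["acct:" + account].append(now)

def simulate(attempts, clock=time.monotonic):
    """attempts: iterable of (ip, account, password_correct). Returns the decisions."""
    throttle, decisions = LoginThrottle(clock), []
    for ip, account, ok in attempts:
        decision, _delay = throttle.decide(ip, account)     # a server would sleep _delay
        decisions.append(decision)
        if decision != "block":
            throttle.record(ip, account, ok)
    return decisions

if __name__ == "__main__":
    # Constructed sample: one source tries the admin account with 12 wrong passwords.
    print(simulate([("10.0.0.9", "admin", False)] * 12))
```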
