An attacker may try certain common (default) usernames and passwords to
gain access to the system and perform unauthorized actions. An attacker
may try an intelligent brute force using known vendor default credentials as
well as a dictionary of common usernames and passwords.
Many vendor products come preconfigured with default (and thus well known)
usernames and passwords that should be deleted prior to usage in a
production environment. It is a common mistake to forget to remove these
default login credentials. Another problem is that users may pick very
simple (common) passwords (e.g. "secret" or "password") that let an
attacker gain access to the system far faster than an exhaustive brute
force attack or even a dictionary attack using a full dictionary.
Attack Prerequisites
The system uses one factor password based authentication.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Brute Force
Examples-Instances
Description
User Bob sets his password to "123". If the system does not have
password strength enforcement against a sound password policy, this
password may be admitted. A simple numeric sequence like this is one of
the most common passwords and is easily guessable by an attacker.
Description
Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and
earlier) have a default administrator username "root" with a password
"password". This allows remote attackers to easily obtain administrative
privileges.
Related Vulnerabilities
CVE-2006-5288
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker just needs to gain access to common default
usernames/passwords specific to the technologies used by the system.
Additionally, a brute force attack leveraging common passwords can be
easily realized if the user name is known.
Resources Required
Technology or vendor specific list of default usernames and passwords.
Probing Techniques
Try to determine what products are used in the implementation of the
system. Determine if there are any default accounts associated with those
products.
Indicators-Warnings of Attack
Many incorrect login attempts are detected by the system.
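The following is an added example, not part of the CAPEC entry, of how a defender might turn this indicator into detection logic. It counts failed logins over a sliding window both per source IP and per username, so that attempts spread across many source addresses (the obfuscation discussed in this entry) still trip the per-username counter. The log line format, the thresholds and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). Assumed format:
# "<ISO timestamp> auth: FAILED|OK login user=<name> from=<ip>".
# 203.0.113.5 hammers one account; "root" is tried once from each of five IPs.
SAMPLE_LOG = """\
2009-05-01T10:00:01 auth: FAILED login user=admin from=203.0.113.5
2009-05-01T10:00:02 auth: FAILED login user=admin from=203.0.113.5
2009-05-01T10:00:03 auth: FAILED login user=admin from=203.0.113.5
2009-05-01T10:00:04 auth: FAILED login user=admin from=203.0.113.5
2009-05-01T10:00:05 auth: FAILED login user=admin from=203.0.113.5
2009-05-01T10:00:06 auth: FAILED login user=root from=198.51.100.1
2009-05-01T10:00:07 auth: FAILED login user=root from=198.51.100.2
2009-05-01T10:00:08 auth: FAILED login user=root from=198.51.100.3
2009-05-01T10:00:09 auth: FAILED login user=root from=198.51.100.4
2009-05-01T10:00:10 auth: FAILED login user=root from=198.51.100.5
2009-05-01T10:00:11 auth: OK login user=alice from=192.0.2.9
2009-05-01T10:00:12 auth: FAILED login user=alice from=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "FAILED":
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (flagged_ips, flagged_users): keys with >= threshold failures inside
    any window-length span. Per-IP and per-user counters are kept separately."""
    per_ip = defaultdict(deque)
    per_user = defaultdict(deque)
    flagged_ips, flagged_users = set(), set()
    for ts, user, ip in parse_failures(log_text):
        for key, buckets, flagged in ((ip, per_ip, flagged_ips), (user, per_user, flagged_users)):
            q = buckets[key]
            q.append(ts)
            # Drop timestamps that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(key)
    return sorted(flagged_ips), sorted(flagged_users)


if __name__ == "__main__":
    ips, users = find_brute_force(SAMPLE_LOG)
    print("suspicious source IPs:", ips)    # only 203.0.113.5
    print("targeted usernames:", users)     # admin and root; root is missed by the per-IP view
```

The per-IP counter alone would never flag the attempts against "root", since each address contributed a single failure; the per-username counter is what surfaces a distributed guessing campaign against one account.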
Obfuscation Techniques
Try to spoof IP addresses so that it does not look like the incorrect login
attempts are coming from the same computer.
Solutions and Mitigations
Delete all default account credentials that may be put in by the product
vendor.
Implement a password throttling mechanism. This mechanism should take into
account both the IP address and the login name of the user.
Put together a strong password policy and make sure that all user created
passwords comply with it. Alternatively automatically generate strong
passwords for users.
Passwords need to be rotated to prevent aging, that is, a new password must
be chosen periodically.
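As an added example (not code from the CAPEC entry or any vendor), the first three mitigations above are put together in one small login service: an audit that flags accounts still carrying a known vendor default credential, a password policy check that rejects common and trivially simple passwords such as "123", and a throttling mechanism that applies exponential back-off keyed on the source IP and on the username independently, so that rotating source addresses does not reset the per-account delay. The default credential list, the common-password list, the user records and the clock are all constructed for the example.

```python
import hashlib
import os
import time
from collections import defaultdict

# Constructed lists for the example. A real deployment would use the vendor's
# documented defaults and a far larger common-password list.
KNOWN_DEFAULT_CREDENTIALS = {("root", "password"), ("admin", "admin")}
COMMON_PASSWORDS = {"123", "password", "secret", "123456", "qwerty"}


def check_password_policy(password, min_length=12):
    """Return the list of policy violations for a candidate password (empty means acceptable)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.isdigit() or password.isalpha():
        problems.append("single character class")
    return problems


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000) == digest


def audit_default_accounts(user_store):
    """Return usernames whose stored credential still equals a known vendor default."""
    hits = []
    for username, password in KNOWN_DEFAULT_CREDENTIALS:
        record = user_store.get(username)
        if record and verify_password(password, *record):
            hits.append(username)
    return sorted(hits)


class LoginThrottle:
    """Exponential back-off keyed on source IP and on username separately: every
    failure doubles the delay before that IP, or that username, may try again."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base, self.max_delay, self.clock = base_delay, max_delay, clock
        self.failures = defaultdict(int)        # key -> consecutive failures
        self.next_allowed = defaultdict(float)  # key -> earliest time of next attempt

    def is_blocked(self, ip, username):
        now = self.clock()
        return now < self.next_allowed[("ip", ip)] or now < self.next_allowed[("user", username)]

    def record_failure(self, ip, username):
        now = self.clock()
        for key in (("ip", ip), ("user", username)):
            self.failures[key] += 1
            delay = min(self.base * 2 ** (self.failures[key] - 1), self.max_delay)
            self.next_allowed[key] = now + delay

    def record_success(self, ip, username):
        for key in (("ip", ip), ("user", username)):
            self.failures.pop(key, None)
            self.next_allowed.pop(key, None)


def attempt_login(user_store, throttle, ip, username, password):
    """Return 'blocked', 'ok' or 'denied'. Blocked attempts are not verified at all."""
    if throttle.is_blocked(ip, username):
        return "blocked"
    record = user_store.get(username)
    if record and verify_password(password, *record):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "denied"


class FakeClock:
    """Deterministic clock for the demonstration (constructed; not a real time source)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    # "root" still carries the vendor default from the entry's example (constructed store).
    store = {"root": hash_password("password"),
             "alice": hash_password("correct horse battery staple")}
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    outcomes = []
    for i in range(4):  # one guess per second against "root", each from a different IP
        outcomes.append(attempt_login(store, throttle, "198.51.100.%d" % i, "root", "guess"))
        clock.advance(1.0)
    return audit_default_accounts(store), outcomes, check_password_policy("123")
```

Running demo() reports "root" as a leftover default account, shows the third guess being blocked even though it came from a fresh IP (the per-username delay had grown to two seconds), and lists three policy violations for the password "123".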
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.