CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Try Common(default) Usernames and Passwords
Attack Pattern ID
Pattern Abstraction: Detailed

70

Typical Severity

High

Description

Summary


An attacker may try certain common (default) usernames and passwords to gain access into the system and perform unauthorized actions.  An attacker may try an intelligent brute force using known vendor default credentials as well as a dictionary of common usernames and passwords.

Many vendor products come preconfigured with default (and thus well known) usernames and passwords that should be deleted prior to usage in a production environment.  It is a common mistake to forget to remove these default login credentials.  Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.  

Attack Prerequisites

The system uses one factor password based authentication.

Typical Likelihood of Exploit

Medium

Methods of Attack
  • Brute Force
Examples-Instances

Description


User Bob sets his password to "123".  If the system does not have password strength enforcement against a sound password policy, this password may be admitted.  A simple numeric sequence like this is one of the most common passwords and is easily guessable by an attacker.

Related Vulnerability

Description


Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password".  This allows remote attackers to easily obtain administrative privileges.

Related Vulnerability

CVE-2006-5288

Attacker Skill or Knowledge Required

Low: An attacker just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.

Resources Required

Technology or vendor specific list of default usernames and passwords.

Probing Techniques

Try to determine what products are used in the implementation of the system. Determine if there are any default accounts associated with those products.

Indicators-Warnings of Attack

Many incorrect login attempts are detected by the system.

Obfuscation Techniques

Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer.

Solutions and Mitigations

Delete all default account credentials that may be put in by the product vendor.

Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.

Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.

Attack Motivation-Consequences
  • Privilege Escalation
Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
521Weak Password RequirementsTargeted
262Not Using Password AgingTargeted
263Password Aging with Long ExpirationTargeted
Related Attack Patterns
IDNameRelationship TypeRelationship Description
16Dictionary-based Password AttackMore Abstract
49Password Brute ForcingOccasionally Follows
55Rainbow Table Password CrackingOccasionally Follows
Related Security Principles
  • Failing Securely
Purpose

Penetration

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
HighHighMedium
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
AllAllAllAll
Source
Submission(s)
SubmitterOrganizationDateComment
Eugene LebanidzeCigital, Inc2007-02-26
Modification(s)
ModifierOrganizationDateComment
Sean BarnumCigital, Inc2007-03-01Review and revision of content
Back to top
 

CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Vision and Technical Leadership provided by Cigital, Inc.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation.

Contact capec@mitre.org for more information.
Page Last Updated: April 18, 2008
Privacy policy
Terms of use
Contact us