Fancy Network Access to a Fortune 500 Company?

By

Oct 23rd, 2012


How would you like access to a Fortune 500 company's network to, you know, do whatever you like? Yeah? Okay, that will be USD $5.

Dedicatexpress.com (offline since the writing of this article), run by a bunch of Russian gentlemen, offered access to corporate networks from across the globe via an RDP (Remote Desktop) connection.

Essentially these chaps had scanned the internet for hosts with TCP port 3389 open and brute-forced the usernames and passwords. Every Windows box out there starts with a user called Administrator; once you know this, all you need to do is set about breaking the password with a dictionary or brute-force attack. Don't worry about locking the account out after five bad guesses, as the built-in Administrator account cannot be locked out.

The significant majority of the accounts were the Administrator user; however, Krebs on Security reported finding an account with the username "Cisco" and the password "cisco" on the Cisco corporate network. Access to this specific machine was $4.55.

The site's Russian overlords would not allow Russian corporations to be listed, presumably so as not to kick the local authorities into action. The web server's IP address resolved back to a range in the Russian Federation managed by Selectel Ltd.

A simple resolution to this attack vector would be to rename the default user account; that way the bad guys need to guess your username AND password, double the effort. That is, unless you make it easy by renaming it to an easy-to-guess name (Cisco, we are looking at you).

The boys over at Detect Defend, who run an RDP honeypot, report that the top ten usernames attacked are, in order: Administrator, user, guest, server, admin, network, connect, login, test and backup.

They also report, however, that any first name is an easy target, with significant attack volume against names like Bob, Tom and Vikki.
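Both patterns described above, a long run of guesses against Administrator from one source and one source walking through a list of first names, leave a trail in the Windows Security log as event 4625 (failed logon). The following is an added example of mine, not code from this article, Dedicatexpress or Detect Defend: it parses a constructed, flattened key=value rendering of the 4625 fields (the sample lines and the RFC 5737 test addresses in them are made up), flags any source IP with a burst of failed RDP logons inside a sliding window, marks sources that cycle through many usernames as a spray, and reports which usernames are being targeted most, the same view the honeypot gave.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log output). The field names mirror the
# Windows Security event 4625 / 4624 fields, flattened to one line per event.
SAMPLE_LOG = """\
2012-10-22T03:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:09 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:17 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:25 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:33 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:41 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:49 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T03:14:57 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2012-10-22T04:00:00 EventID=4625 LogonType=3 TargetUserName=user IpAddress=198.51.100.7
2012-10-22T04:00:10 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=198.51.100.7
2012-10-22T04:00:20 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=198.51.100.7
2012-10-22T04:00:30 EventID=4625 LogonType=3 TargetUserName=tom IpAddress=198.51.100.7
2012-10-22T04:00:40 EventID=4625 LogonType=3 TargetUserName=vikki IpAddress=198.51.100.7
2012-10-22T09:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2012-10-22T09:30:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2012-10-22T09:31:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2012-10-22T10:00:00 EventID=4625 LogonType=2 TargetUserName=Administrator IpAddress=-
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Logon type 10 is RemoteInteractive (classic RDP). When Network Level
# Authentication is on, a failed RDP pre-authentication is logged as type 3.
RDP_LOGON_TYPES = {"3", "10"}


def parse_event(line):
    """Parse one flattened event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["id"]),
        "logon_type": m["lt"],
        "user": m["user"],
        "ip": m["ip"],
    }


def failed_rdp_logons(log_text):
    """Keep only failed logons (4625) that arrived over RDP."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return [e for e in events
            if e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), spray_min=3):
    """Return {ip: summary} for every source that produced at least `threshold`
    failed RDP logons inside any `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()   # failures that fall inside the current window
        peak = 0
        for e in evs:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            users = sorted({e["user"] for e in evs})
            alerts[ip] = {
                "peak_failures": peak,          # most failures seen in one window
                "total_failures": len(evs),
                "usernames": users,
                # Many distinct names from one source is username guessing,
                # the "Bob, Tom, Vikki" pattern, rather than a password attack on one account.
                "spray": len(users) >= spray_min,
            }
    return alerts


def top_targeted_usernames(events, n=10):
    """Most frequently attacked usernames, most common first."""
    return Counter(e["user"] for e in events).most_common(n)


if __name__ == "__main__":
    failed = failed_rdp_logons(SAMPLE_LOG)
    for ip, summary in detect_bruteforce(failed).items():
        print(ip, summary)
    print(top_targeted_usernames(failed))
```

The legitimate user jsmith fails twice half an hour apart and then logs in, so never reaches the threshold, and the console failure (logon type 2) is ignored because it did not come over RDP. On a real host the same logic applies to the output of Get-WinEvent filtered on event ID 4625; the spray flag is the signal that renaming Administrator alone will not help, since the attacker is already guessing names.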

Rename those accounts, boys, and for crying out loud use a strong password that is not in a dictionary.

If you want to test your network, I suggest you get in touch with cysec.com, who have a free tool in beta that will scan your network for Administrator accounts and give you the option of running a brute-force and dictionary attack against them. If their tool can crack your network, then so can the bad guys.
