Bad passwords can have catastrophic consequences. That's because passwords play a key role in enterprise security, protecting assets (including email systems, databases and many other types of servers) from unauthorized users (including malicious hackers).
A bad password has one of the following three characteristics:
- It can easily be guessed
- It is likely to appear in a wordlist
- It can be bruteforced in a reasonable amount of time
All three of these possibilities need a little further explanation.
People behave remarkably similarly when choosing passwords, and certain ones crop up again and again. An analysis of 32 million passwords that were made public when a website called Rockyou.com was hacked illustrates this clearly:
Most Popular Passwords (table: Rank, Password, Number of Instances)
The password 123456 was chosen by almost 1 percent of Rockyou.com users. Put another way, a hacker would be able to successfully access about one in every 100 accounts he tried to access by just using this password.
Other easily guessable passwords include the names of users' pets, children, favorite sports team or spouse. This information is often easily available from sources such as Facebook.
After a hacker has tried obvious passwords like 123456 and Password, he will often work his way through a list of possible passwords contained in a wordlist. Wordlists typically contain words found in a dictionary, popular names, and more comprehensive ones that contain combinations of words (such as iloveyou), words and numbers (such as money123), and words with common numeric substitutions (such as m0n3y). Passwords using upper and lower case characters, made up of random characters (d5j*Dg;r?'fRey), combinations of multiple words (doGbutTerbicYclE) or words combined with punctuation (s(c&H#0%o"L) are unlikely to appear in wordlists.
The only certain way for a hacker to find a correct password is to try every possibility until he gets lucky -- a process called bruteforcing. A one-, two- or three-character password can be bruteforced quite quickly, but as the password length increases, the chances of successfully bruteforcing a password become vanishingly small. The time required to have a reasonable chance of bruteforcing a 15-character password can be measured in billions of years.
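The three characteristics above can be turned into a mechanical check. The following is an added example, not code from the article or from any tool it mentions; the top-password set and the mini wordlist are constructed stand-ins for the Rockyou.com table and for a list such as hugewordlist.txt, and the bruteforce estimate uses the roughly 2,000 guesses per minute observed later in the article.

```python
import re

# Constructed stand-in for the Rockyou.com "most popular passwords" table
# (the real table is not reproduced here), plus a tiny sample wordlist that
# plays the role of a list such as hugewordlist.txt.
TOP_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}
WORDLIST = {"money", "school", "bicycle", "butter", "dog", "fido", "alice", "bob"}

# Reverse the common substitutions that mangling rules produce (m0n3y -> money).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalise(pw):
    """Undo typical mangling: strip leading/trailing digits, lower-case, reverse leet."""
    core = re.sub(r"^\d+|\d+$", "", pw)
    return core.lower().translate(UNLEET)

def charset_size(pw):
    """Size of the character pool an attacker must cover to bruteforce pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size

def bruteforce_years(pw, guesses_per_minute=2000):
    """Years to exhaust the keyspace at ~2,000 guesses/min (assumed online rate)."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_minute / (60 * 24 * 365)

def assess(pw):
    """Return the 'bad password' characteristics that pw exhibits (empty list = none found)."""
    findings = []
    if pw in TOP_PASSWORDS:
        findings.append("easily guessed: appears in the most popular passwords")
    if normalise(pw) in WORDLIST | TOP_PASSWORDS:
        findings.append("likely in a wordlist once mangling is undone")
    if bruteforce_years(pw) < 1:
        findings.append("bruteforceable in under a year at 2,000 guesses/min")
    return findings
```

Note that `normalise` only strips digits at the ends of the password, so a suffix like `123` is removed but a digit in the middle is treated as a substitution.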
One way you can test whether your corporate systems are protected by strong passwords is to do what a hacker would do: Attempt to access your systems by trying many different passwords and seeing whether you are successful. This is known as an online attack. You can also use an online attack as an opportunity to check that your security systems detect when a server is being bombarded with unsuccessful login attempts, and that individual accounts lock after a small number of unsuccessful login attempts.
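The detection side of such a test can be checked against the server's authentication log. The following is an added example, not code from the article or from Medusa: it parses constructed, syslog-like sample lines (the format is an assumption, not any real server's output) and raises an alert when one source address fails repeatedly inside a time window, when one account passes the number of failures at which it should already be locked, and when one source fails against many distinct accounts, which is the pattern the multi-user run described later in the article produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like layout (not output from
# any real server): timestamp, service, result, account, source address.
SAMPLE_LOG = """\
2024-05-01T10:00:01 pop3 login failed user=alice src=192.168.1.50
2024-05-01T10:00:02 pop3 login failed user=bob src=192.168.1.50
2024-05-01T10:00:02 pop3 login failed user=carol src=192.168.1.50
2024-05-01T10:00:03 pop3 login failed user=dave src=192.168.1.50
2024-05-01T10:00:05 pop3 login ok user=grace src=192.168.1.77
2024-05-01T10:05:00 http login failed user=admin src=192.168.1.90
2024-05-01T10:05:01 http login failed user=admin src=192.168.1.90
2024-05-01T10:05:02 http login failed user=admin src=192.168.1.90
2024-05-01T10:05:03 http login failed user=admin src=192.168.1.90
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (failed|ok) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, service, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, svc, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), svc, result, user, src

def detect(log, window=timedelta(seconds=60), burst=4, lockout=3, spray=4):
    """Return sorted alerts. burst: failures from one source inside `window`;
    lockout: failures on one account at which it should already be locked;
    spray: distinct accounts one source has failed against."""
    alerts = set()
    recent = defaultdict(list)   # src -> timestamps of failures inside window
    targets = defaultdict(set)   # src -> accounts it has failed against
    fails = defaultdict(int)     # user -> total failures
    for ts, _svc, result, user, src in parse(log):
        if result != "failed":
            continue
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        targets[src].add(user)
        fails[user] += 1
        # each alert fires once, at the moment its threshold is crossed
        if len(recent[src]) == burst:
            alerts.add(f"burst: {src} {burst} failures within {window.seconds}s")
        if len(targets[src]) == spray:
            alerts.add(f"spray: {src} tried {spray} accounts")
        if fails[user] == lockout:
            alerts.add(f"lockout: {user} reached {lockout} failures")
    return sorted(alerts)
```

The thresholds are parameters so they can be set to match your own lockout policy and alerting rules.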
A number of tools are available for carrying out online attacks, including the open source software Hydra. Arguably, the best one is an open source software tool for the Linux OS called Medusa, written "by the geeks at Foofus.net."
Medusa is described as a "speedy, massively parallel, modular, login brute-forcer" with modules available to support almost any service that allows remote authentication using a password, including: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, POP3, PostgreSQL, SMTP-AUTH, Telnet and VNC. Medusa has been designed to run faster than Hydra by using thread-based (rather than Hydra's process-based) parallel testing to attempt to log in to multiple hosts or users concurrently.
Medusa 2.0 How-To
- Download medusa-2.0.tar.gz to a suitable directory
- Decompress the Medusa tarball
- Navigate to the resulting Medusa folder
- Perform the usual Linux OS "./configure", "make" and "make install" procedure:
./configure
make
make install
Note: More detailed instructions, including details of dependencies, are available.
Getting a Wordlist
Put simply, Medusa works by contacting a service, such as a web login or FTP server, and attempting to log in using different usernames and passwords. To test the password strength of a particular user you need a wordlist containing all the passwords you want Medusa to try. You can find free and commercial wordlists at many places on the Internet, including the following:
- hugewordlist.txt: 3.5 million words, names, numbers and combinations
- Open Wall word list collections: Free and commercial lists in many different languages
- Outpost 9 wordlists: Around 40 different free lists, including dictionaries and names
- Packet Storm wordlists: A selection of free English and foreign language wordlists
- Masta-spitz: A huge free 194 MB meta-wordlist containing a compilation of many other lists
You can also generate your own wordlists by using an existing wordlist and applying "mangling" rules, such as substituting "@" for "a" or adding digits to the start or end of each word. Tools such as the multi-platform open source software John the Ripper allow you to do this.
Other tools for wordlist generation include:
- The Associative Wordlist Generator: An online tool that creates a wordlist based on seed words you provide
- Wyd: A Linux open source software tool that extracts words from websites, files and directories
Medusa is a command-line only tool, so using this open source software is a matter of building up an instruction from the command line. Let's imagine we want Medusa to connect to a network router at IP address 192.168.1.1 using the default username "admin", to test how easy it would be to find the password. To do this, we will use the wordlist hugewordlist.txt (mentioned earlier). Since we know that the router administrator has a dog called Fido and two children called Alice and Bob, it's worth adding these names to the beginning of the hugewordlist.txt textfile, along with the company name, and the top 10 passwords from Rockyou.com mentioned at the beginning of this article.
To use Medusa, the following must be specified:
- The host "192.168.1.1" to connect to, using the -h switch
- The user name "admin" to connect with, using the -u switch
- The name of the textfile containing the list of passwords to try, using the -P switch
- The module to use for the service we are contacting (in this case http) using the -M switch
So the command we must use is:
medusa -h 192.168.1.1 -u "admin" -P hugewordlist.txt -M http
On my sample network, Medusa was able to test about 2,000 passwords per minute, and it successfully found the password "}tvaringa" in about 50 seconds.
What happens if you want to test the passwords of many different users, instead of a single fixed username such as "admin"?
To test all your users' email passwords on your POP3 server, you'll need a list of email usernames stored in a text file called something like "emailusers.txt". You'll also need a password list. This time, we'll use a much shorter password list containing popular passwords stored in a file "shortpasswordlist.txt". Medusa is able to test in parallel, running through the password list 10 (or any other number) users at a time. In other words, Medusa will test the first 10 usernames against the first password on the list, followed by the first 10 usernames with the second password on the list, and so on. When it has gone through all the passwords, it will move on to the next 10 usernames, and test those against all the passwords in the password list in turn.
So this time we must specify
- The IP address of the POP3 server (in this case 192.168.1.20) using the -h switch
- The file containing usernames (emailusers.txt) using the -U switch
- The file containing the passwords (shortpasswordlist.txt) using the -P switch
- That Medusa should test multiple usernames simultaneously using the -L switch
- The number of usernames to test at a time using the -t switch
- The module to use (POP3) using the -M switch
The command we need is:
medusa -h 192.168.1.20 -U emailusers.txt -P shortpasswordlist.txt -t 10 -L -M POP3
If Medusa is able to find any passwords, it is wise to check if they conform to your password policy. If so, then your password policy must be tightened. If not, then you may decide to contact the users concerned to highlight the risks of using bad passwords that breach your security policy and ensure that the passwords in question are changed.
More Information on Medusa
To see a list of all the possible switches, simply enter
To display the service modules that are installed, type
More examples of Medusa's command-line options are available, but the best way to learn how to use it is simply to download it and start using it.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.