We Have Your Usernames and Passwords, Courtesy of Google
While conducting a recent assessment, I discovered a number of Dell Remote Access Cards (DRACs) on the client’s internal network. In the past, whenever I have encountered these systems, the default username and password (‘root’ and ‘calvin’ respectively) have been in use, and this assessment was no different.
My “Revolutionary” Hacking Technique
Once I had successfully logged into one of the DRACs, its virtual console allowed me to gain full access to the server via a built-in remote desktop Java applet. Later in the engagement, I encountered a pair of Dell EqualLogic Array management consoles. A quick Google search revealed the default administrator username and password (‘grpadmin’ / ‘grpadmin’), which the client had elected to leave unaltered on both instances. A malicious attacker could have easily used the administrator functions within the consoles to disrupt, alter, or delete terabytes' worth of client and employee data from the managed array.
Changing default usernames and passwords on management interfaces is a common-sense security practice that nonetheless often goes unimplemented, for one reason or another. For attackers, default credentials are the lowest of low-hanging fruit: a login with them succeeds on the first try and is recorded as an ordinary successful login, so it rarely sets off alarm bells for administrators reviewing their logs. Typing the target device's make and model into Google alongside the phrase "default password" usually surfaces the credentials within the first few results. Whenever hackers (white and black hats alike) encounter a network-based management interface during the course of an attack, it is standard practice to attempt a login with the application's default credentials. If those have been changed, attackers will typically resort to brute forcing the login only after all other methods of ingress have proven unfruitful: a brute-force attack generates a recognizable footprint of network traffic and failed-login log entries, and can lock out multiple accounts in a very short time frame, potentially closing off other access vectors for the attacker.
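The same "try the defaults first, never brute force" logic works just as well as a defensive audit of your own fleet. The script below is an added example, not code from the original post: it takes an inventory of management interfaces, tries exactly one login per known default account per host (so a host whose credentials were changed costs at most one failed login and can never be locked out by the audit), and reports which hosts still accept the factory defaults. The only vendor defaults in the table are the two the post mentions (DRAC root/calvin, EqualLogic grpadmin/grpadmin). The `http_basic_login` probe assumes the interface accepts HTTP Basic authentication, which is not true of every vendor's login page; form-based interfaces need a different probe. The sample fleet and the `SimulatedFleet` class are constructed so the script runs offline.

```python
"""Audit management interfaces for unchanged vendor default credentials.

Added example, not from the original post. Exactly one login attempt per
default account per host, so the audit itself can never trigger a lockout.
"""
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Vendor defaults named in the post. Add further entries only from the
# vendor's own documentation for the devices in your inventory.
DEFAULT_CREDS: Dict[str, List[Tuple[str, str]]] = {
    "dell_drac": [("root", "calvin")],
    "dell_equallogic": [("grpadmin", "grpadmin")],
}

# A login probe returns True when the interface accepts the credentials.
LoginFn = Callable[[str, str, str], bool]


@dataclass(frozen=True)
class Finding:
    host: str
    device: str
    username: str
    password: str


def http_basic_login(host: str, username: str, password: str, timeout: float = 5.0) -> bool:
    """Single HTTP Basic auth attempt against https://<host>/.

    Assumption: the interface honours Basic auth on its root URL. Interfaces
    with a form-based login need a probe written for that form instead.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/", headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401/403: credentials rejected
    except (urllib.error.URLError, OSError):
        return False  # unreachable: not confirmed, which is not the same as safe


def audit(inventory: Dict[str, str], login: LoginFn) -> List[Finding]:
    """inventory maps host -> device type key in DEFAULT_CREDS.

    One attempt per default account, and a host is left alone as soon as one
    default works: there is nothing more to learn and no reason to add noise.
    """
    findings: List[Finding] = []
    for host, device in inventory.items():
        for username, password in DEFAULT_CREDS.get(device, []):
            if login(host, username, password):
                findings.append(Finding(host, device, username, password))
                break
    return findings


class SimulatedFleet:
    """Constructed stand-in for live interfaces, for offline demonstration.

    `accepted` maps host -> the one credential pair that host accepts.
    `attempts` records how many logins the audit made against each host.
    """

    def __init__(self, accepted: Dict[str, Tuple[str, str]]) -> None:
        self.accepted = accepted
        self.attempts: Dict[str, int] = {}

    def login(self, host: str, username: str, password: str) -> bool:
        self.attempts[host] = self.attempts.get(host, 0) + 1
        return self.accepted.get(host) == (username, password)


# Constructed sample inventory: two DRACs, one EqualLogic console, one device
# type with no known defaults (which must therefore receive no attempts).
SAMPLE_INVENTORY = {
    "10.0.5.11": "dell_drac",
    "10.0.5.12": "dell_drac",
    "10.0.5.40": "dell_equallogic",
    "10.0.5.99": "unknown_vendor",
}
SAMPLE_ACCEPTED = {
    "10.0.5.11": ("root", "calvin"),        # factory default never changed
    "10.0.5.12": ("root", "Zf8!qL2vT9wp"),  # changed: costs one failed login
    "10.0.5.40": ("grpadmin", "grpadmin"),  # factory default never changed
}


def run_sample() -> Tuple[List[Finding], Dict[str, int]]:
    fleet = SimulatedFleet(SAMPLE_ACCEPTED)
    findings = audit(SAMPLE_INVENTORY, fleet.login)
    return findings, dict(fleet.attempts)


if __name__ == "__main__":
    sample_findings, sample_attempts = run_sample()
    for f in sample_findings:
        print(f"{f.host} ({f.device}) still accepts default {f.username}/{f.password}")
    print("login attempts per host:", sample_attempts)
```

To run it against real interfaces, pass `http_basic_login` (or a probe written for the vendor's login form) to `audit` in place of `SimulatedFleet.login`; the one-attempt-per-account budget is what keeps the audit from looking, or behaving, like the brute-force attack the post warns about.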
Hacking for Dummies
Unlike more complicated network protection measures, changing default credentials requires almost no technical expertise or education. More importantly, it is a step that applies to a wide range of systems deployed on any network. From server administration consoles to wireless routers, nearly every network-accessible interface on the market today ships with one or more pre-programmed administrator or user accounts whose credentials can be found with a quick Google search. Simply changing those credentials (and, where the interface allows it, disabling or renaming the built-in account) is usually enough to force an attacker to fall back on more complicated, less reliable, and noisier attacks, keeping client data secure and internal networks that much better protected against unauthorized access.