The Sure Risk of Weak Passwords

Passwords at times fail to fulfill their purpose of authenticating users because password strength is not given due consideration. A password is deemed strong if it is hard to guess, that is, not a dictionary word or personally identifiable, and is a long string made of a combination of numbers, letters and special characters. On the contrary, weak passwords are usually short, consist of dictionary words, default passwords or pet names, and are therefore highly prone to password cracking by criminals.

The best way to educate organizations on the importance of password strength is to demonstrate how easy it is for an adversary to recover weak passwords, so we shall take a look at a certain organization. Mr. Dismas, who is a procurement officer, received a phishing email and was unfortunately tricked into downloading the “new offer” update onto his machine, which was carrying a malicious payload.

Downloaded malicious executable

The attacker had earlier created the newoffer file and then used social engineering to get Dismas to download the malicious file.

Creating malicious payload

When Dismas attempted to run the newoffer file, his interaction with the file created a TCP reverse shell (a session) back to the attacker’s machine, connecting to a listener the attacker had set up on Kali Linux.

Getting meterpreter session

The attacker escalates to system privileges so as to have enough control over the system.

Elevating privileges

After gaining elevated privileges, the attacker uses the hashdump command in the meterpreter session to make the system output its password hashes. These hashes are subsequently run through an offline cracking tool, John the Ripper, and the user credentials are revealed.

Using hashdump command to get password hashes
Passwords cracked with John the Ripper

We can see two user account passwords cracked: happy and secret. Well, were these users as safe as they thought?

Here are some factors for ensuring strong password security:

  • Length of password should at least be eight characters
  • Include upper-case [A-Z] and lower-case letters [a-z]
  • Have one or more numbers [0-9]
  • Make use of special characters [! ~ . / \ | { } [ ] ( ) - _ @ # $ % & = ; ' : " ]
  • Avoid passwords that match pet names or formats of telephone numbers, vehicle number plates, calendar dates, etc.
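The following password policy checker is an added example, not code from the original article, that turns the five factors above into checks a defender can run when users pick or change a password. The wordlist is a small constructed set (real deployments load a large dictionary or breached-password list); the regular expressions for telephone-number, calendar-date and vehicle-plate formats are assumptions that should be tuned to local formats, and the function names are this example's own.

```python
import re

# Constructed, illustrative wordlist. A real deployment would load a large
# dictionary / breached-password list instead. "happy" and "secret" are the
# two passwords the article shows being cracked with John the Ripper.
DEFAULT_WORDLIST = {
    "password", "happy", "secret", "welcome", "letmein", "qwerty",
    "admin", "summer", "winter",
    # pet-name style entries
    "fluffy", "buddy", "simba", "rex", "max",
}

# Special characters accepted by the policy (superset of the article's list).
SPECIALS = set("!~./\\|{}[]()-_@#$%&=;':\"+*^?")

# Assumed patterns for the "telephone number", "calendar date" and
# "vehicle number plate" formats the policy forbids; tune to local formats.
PHONE_RE = re.compile(r"^\+?\d[\d\s\-]{6,}\d$")
DATE_RE = re.compile(
    r"^(\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}"
    r"|\d{4}[/.\-]\d{1,2}[/.\-]\d{1,2}"
    r"|\d{6}|\d{8})$"
)
# e.g. "KAA 123B" (assumed East-African style plate)
PLATE_RE = re.compile(r"^[A-Z]{1,3}[ \-]?\d{2,4}[ \-]?[A-Z]{0,2}$")


def _normalise(pw):
    """Lower-case and keep letters only, so "Happy123!" still matches "happy"."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def assess_password(pw, wordlist=DEFAULT_WORDLIST):
    """Return the list of policy checks the password FAILS (empty list == strong)."""
    failures = []
    if len(pw) < 8:
        failures.append("too_short")
    if not any(c.isupper() for c in pw):
        failures.append("no_upper")
    if not any(c.islower() for c in pw):
        failures.append("no_lower")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in SPECIALS for c in pw):
        failures.append("no_special")
    # Dictionary words and pet names remain guessable even with digits
    # or symbols bolted on, so compare the letter-only form.
    if _normalise(pw) in wordlist:
        failures.append("dictionary_word")
    compact = pw.strip()
    if PHONE_RE.match(compact):
        failures.append("phone_number_format")
    if DATE_RE.match(compact):
        failures.append("date_format")
    if PLATE_RE.match(compact.upper()):
        failures.append("vehicle_plate_format")
    return failures


def is_strong(pw, wordlist=DEFAULT_WORDLIST):
    """True only when every policy check passes."""
    return not assess_password(pw, wordlist)


if __name__ == "__main__":
    # Constructed sample candidates, including the two cracked in the article.
    for candidate in ["happy", "secret", "Summer2019!", "0771234567",
                      "16/10/2019", "KAA 123B", "Tr0ub4dor&3-xyz"]:
        print(f"{candidate!r:20} -> {assess_password(candidate) or 'OK'}")
```

Note that "Summer2019!" satisfies every complexity rule yet still fails, because once the digits and symbol are stripped it is the dictionary word "summer"; this is why the article lists "not a dictionary word" separately from length and character classes.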

Join Summit Consulting Ltd, in partnership with IFIS, at our annual cyber-security awareness and risk management conference, which is scheduled to take place from the 16th – 18th October 2019. You will learn how to secure your classified information with hard-to-crack passwords, and pick up handy cyber hygiene for your daily data practices so that your data does not land in the hands of criminals by the cheapest means.

For more details and registration procedure, please click here
