Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Wed, Dec 7th):Attacking MongoDB;

Latest Diaries

The Passwords You Should Never Use

Published: 2016-12-07
Last Updated: 2016-12-07 13:15:50 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

New releases of bad or weak passwords lists are common[1][2] on the Internet. Those lists compile passwords that are used by people to protect (even if it's not the most appropriate term) their accounts. But passwords are everywhere and also used to control access to devices. Recent attacks like the Mirai[3] botnet which attacked IoT devices are a good example. Once infected, a device will start to search for new potential victims by scanning the Internet for some vulnerable ports (TCP/23, TCP/2323 are good examples), then brute-force the password by testing a list of well-known passwords. Those passwords are somewhere different than users' password but just as vulnerable.

While hunting, I found some interesting pieces of C source code that contained lists of passwords used by such infected devices. Keep in mind that a password considered as strong (your know the magic formula: a mix of upper/lower case characters, numbers and special characters) is useless if it is known in the wild!

Here is the list of passwords that I found to be used in the wild:

"" (empty string!)
00000000
1111
1111111
1234
12345
123456
54321
666666
7ujMko0admin
7ujMko0vizxv
888888
Zte521
admin
admin1
admin1234
administrator
anko
default
dreambox
fucker
guest
hi3518
ikwb
juantech
jvbzd
klv123
klv1234
meinsm
pass
password
realtek
root
service
smcadmin
supervisor
support
system
tech
ubnt
user
vizxv
xc3511
xmhdipc
zlxx

If you have devices configured with one of those passwords, change it as soon as possible. Even, if your devices are not facing the internet! Feel free to share your list of passwords if you found others, I'm curious.

[1] http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514
[2] http://www.passwordrandom.com/most-popular-passwords
[3] https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: botnet mirai password
4 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Attacking NoSQL applications
Dec 6th 2016
21 hours ago by Bojan (0 comments)

Hancitor Maldoc Videos
Dec 5th 2016
2 days ago by DidierStevens (0 comments)

Protecting Powershell Credentials (NOT)
Dec 2nd 2016
5 days ago by Rob VandenBrink (2 comments)

Tap Gigabit Networks on the Cheap
Dec 1st 2016
5 days ago by Johannes (8 comments)

Unpatched Vulnerability in Firefox used to Attack Tor Browser
Nov 30th 2016
6 days ago by Johannes (0 comments)

Take Back Wednesday? SQL Slammer... still alive but barely kicking
Nov 30th 2016
1 week ago by Johannes (1 comment)

View All Diaries →

Latest Discussions

404 Project: Compatible with mod_security?
created Dec 4th 2016
2 days ago by Ted (1 reply)

Confused about SHA1 in Certs and upcoming changes in browsers
created Dec 2nd 2016
5 days ago by Dana (1 reply)

SQL Slammer activity
created Nov 30th 2016
1 week ago by lwhitworth (2 replies)

Need help with classifying botnets via log entries
created Nov 17th 2016
2 weeks ago by Anonymous (0 replies)

Good read about PCI DSS
created Nov 16th 2016
3 weeks ago by scanforsecurity.com (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Dyn.com DDoS Attack
Oct 21st 2016
1 month ago by Johannes (9 comments)

Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
Nov 29th 2016
1 week ago by Johannes (21 comments)

TR-069 NewNTPServer Exploits: What we know so far
Nov 29th 2016
1 week ago by Johannes (12 comments)

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
Feb 12th 2016
9 months ago by Johannes (25 comments)

Protecting Powershell Credentials (NOT)
Dec 2nd 2016
5 days ago by Rob VandenBrink (2 comments)