Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Remote Password Guessing - Follow-up - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Remote Password Guessing - Follow-up

We received several responses to the earlier diary about remote password guessing.

Melvin Klassen highlighted an important technique for mitigating the risks of remote password guessing: monitoring the logs on servers that authenticate users, such as POP, FTP, IMAP, web mail, telnet, and SSH. Melvin suggested counting the number of failed logon attempts and the number of logon attempts per source IP address, so that you can look for spikes and trends that may signal an attack.

Gabriel Friedmann and Mark Senior reminded us of the large-scale phishing attack on MySpace, which allowed researchers to analyze password usage patterns. According to several reports (see 1, 2, 3), the most common passwords included:

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey, cookie123, iloveyou, miss4you, password19, clumsy, sassy, pablobob, mobbie, fuckyou1, tink69, gospel, terrete, monster7, marlboro1, bitch1, flower

Daniel Cid told us about an SSH honeypot he set up to monitor SSH brute force attempts and record the passwords used by them. The passwords he observed included:

1qaz2wsx, 1q2w3e4r5t6y, 1qaz2wsx3edc4rfv, qazwsxedcrfv, michael, work, maggie, print, 123456, internet, mobile, windows, superman, 1q2w3e4r, network, system, 123qwe, manager, querty, www, coder, 123123, 1234567890, info, tony, bill, flowers

Nathaniel Hall described a system he uses to crack local password hashes using John the Ripper. The examples of common passwords that he encountered include:

Cobra1, Dragon1, Travis1, Ferry1, Password8, Ynattirb1, Iloveyou5

Thanks to everyone who wrote in.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com

Lenny

216 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!