
Duplicate Passwords: Why IT Support Needs a Wake Up Call

Lee Parkes, 08 Oct 2013

There has been a lot written about outsourcing, with equally passionate opinions on both sides of the debate. However, this post is about an issue I discovered on a recent test. It’s not conjecture, it’s fact.

The client in question used to use the services of a third-party IT services company (their IT support is now in-house, a common trend these days). Whilst testing (actually, doing a “Tiger Team” assessment), I discovered a common username across a number of servers.

I had compromised the server(s) in question by exploiting the blank and weak “sa”/sysadmin passwords for Microsoft SQL Server. As “sa” was a local admin, it was trivial to add a new user as a local administrator. Once I had logged on to the host and dumped the passwords, I discovered a user account that was common to a number of servers.

This username had an easily cracked password (props to Ophcrack here!). The password was a modification of the IT support company’s name. A quick email to colleagues revealed that the password was also used on other, completely unrelated client sites. What made this an even bigger issue was the fact that the same username was a Domain Admin! Before I knew this, I spent the weekend pondering whether the account could be used to compromise the domain controller. Monday morning rolls around (as it does all too quickly) and I log in to the DC with the account in question. A quick check of the Domain Admins group and there it is, the account! Keys to the Kingdom, root dance etc.

The big issue here is the sharing of passwords across multiple clients. We rattle on at users about not reusing the same password for multiple accounts (email, Facebook, Google+, bank; the list is endless), yet the very people who are supposed to be responsible for the security of these systems are contributing to their downfall. Most IT support companies publish a list of clients and testimonials on their website, so an attacker who recovers the shared password at one site has a ready-made target list: it would be quite trivial to go to each one and possibly get domain admin within minutes of connecting to the network…
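The reuse described above can be spotted without cracking a single hash. NT hashes are unsalted (MD4 over the UTF-16LE password), so two accounts with the same NT hash have the same password; comparing dumps from several hosts shows a shared account directly. The script below is an added example written for this post, not code from the original engagement or from any tool it names. It reads pwdump-style lines (`user:rid:lmhash:nthash:::`) from constructed sample dumps: the hostnames and account names are invented, the `itsupport` LM/NT pair is the well-known hash of the string "password", and the other non-empty hashes are arbitrary placeholder hex. It also flags blank passwords and accounts that still store an LM hash, which is what makes a password an easy Ophcrack rainbow-table job.

```python
"""Audit pwdump-style credential dumps from several hosts for password reuse.

Example code for this post, not from the engagement it describes. NT hashes are
unsalted, so identical NT hashes across hosts mean identical passwords; that is
enough to expose a support account shared across servers (or across customers)
before any cracking is done.
"""
from collections import defaultdict

# Well-known sentinels: NT hash of the empty password, and the value Windows
# stores when no LM hash is kept for an account.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dumps. Hostnames and account names are made up; the
# 'itsupport' LM/NT pair is the well-known hash of "password"; the remaining
# non-empty hashes are arbitrary placeholder hex, not real hashes.
SAMPLE_DUMPS = {
    "SRV-SQL01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1f3c9a7e0b2d4c6e8a1b3d5f7e9c0a2b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backupadmin:1002:aad3b435b51404eeaad3b435b51404ee:1f3c9a7e0b2d4c6e8a1b3d5f7e9c0a2b:::
itsupport:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
""",
    "SRV-FILE01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a:::
itsupport:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
""",
    "OTHERCLIENT-DC01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
itsupport:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1201:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
}


def parse_pwdump(host, text):
    """Parse pwdump/fgdump-style lines 'user:rid:lmhash:nthash:::' for one host."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"{host}: malformed pwdump line {line!r}")
        records.append({
            "host": host,
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return records


def find_shared_passwords(records):
    """Return {nt_hash: [(host, user), ...]} for hashes seen on more than one host.

    A hash shared by two accounts on the same host is not reported here: the
    point is the cross-host (and cross-customer) reuse the post is about.
    """
    by_hash = defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT_HASH:
            continue  # blank passwords are reported separately
        by_hash[r["nt"]].append((r["host"], r["user"]))
    return {h: accts for h, accts in by_hash.items()
            if len({host for host, _ in accts}) > 1}


def find_blank_passwords(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [(r["host"], r["user"]) for r in records if r["nt"] == EMPTY_NT_HASH]


def find_lm_hashes(records):
    """Accounts that still store an LM hash.

    LM means the password is at most 14 characters, upper-cased and split into
    two independent 7-byte halves, which is exactly what rainbow tables crack
    in seconds. Blank-password accounts are excluded (reported elsewhere).
    """
    return [(r["host"], r["user"]) for r in records
            if r["lm"] != EMPTY_LM_HASH and r["nt"] != EMPTY_NT_HASH]


def audit(dumps):
    """Run all three checks over a {host: dump_text} mapping."""
    records = []
    for host, text in dumps.items():
        records.extend(parse_pwdump(host, text))
    return {
        "shared": find_shared_passwords(records),
        "blank": find_blank_passwords(records),
        "lm_present": find_lm_hashes(records),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMPS)
    for nt_hash, accounts in report["shared"].items():
        hosts = sorted({h for h, _ in accounts})
        users = sorted({u for _, u in accounts})
        print(f"[REUSE] NT {nt_hash} shared by {users} on {len(hosts)} hosts: {hosts}")
    for host, user in report["blank"]:
        print(f"[BLANK] {host}\\{user} has an empty password")
    for host, user in report["lm_present"]:
        print(f"[LM]    {host}\\{user} still has an LM hash stored (trivially crackable)")
```

Run against real dumps, the "shared" section is the one to read first: an account whose hash recurs on every host, and on hosts belonging to different customers, is the situation the post describes, and it is visible before Ophcrack is even started.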

If you’re in IT support, or anywhere really, the takeaway here is to steer clear of reusing passwords. A password needs to be unique across every system and every customer it touches, not merely within the users and admins of one customer’s environment: an account that is a local admin or Domain Admin everywhere, with the same password everywhere, means a single cracked hash at one client is a breach of every client at once.