Ken Munro, partner at Pen Test Partners

Password re-use, not to mention default and blank passwords, can bring your whole network to its knees.

The recent hack of Twitter accounts serves well to remind us of the perils of password re-use. We all know the pitfalls of password re-use in our personal lives. Who doesn't have a friend or relative who has had an email account compromised? “It was a long, complex password,” they say. Then you find that it was the same as their LinkedIn password.

The same is just as valid for business networks. If you have decent endpoint protection in place, exploiting servers and other systems can become more challenging. It's still possible, but can take longer. If you have a robust and effective patch process too, then sometimes password re-use is one of the few remaining ways for the hacker to take control of your network.

It's also unfortunate that, in a directory service environment such as Active Directory, the weakest system on the domain is the one that often gives the hacker access to everything. I can think of several near-bulletproof networks we've pen tested where just one insecure box gave us access to the lot.

So, have you checked for the following on your systems? Are any local admin passwords also used as domain passwords? It's not unusual to have a common local admin password across multiple systems. That's not ideal, though unique local admin passwords can be painful to administer. However, re-using these on domain accounts, or having a common workstation and server local admin password, is a no-no.

There are a few ways to check, but one relatively easy way is to use the Windows Enum tool to try your local desktop admin password against your server admin accounts. 

Extract your local admin password hashes from workstations, unless you already have the clear text. You could use pwdump, fgdump or even wce to grab the hashes, then crack the weaker LM hashes with rainbow tables, or brute force the NTLM hashes with a dictionary attack using a tool such as John the Ripper.

It's easy to write a quick wrapper script to take a list of known local admin passwords from your desktop range and attempt to connect to a list of servers. Any successes indicate that you have a problem with password re-use between desktop and server local admin accounts.

For example, ‘enum.exe -D -u administrator -f common.txt’ could be used to try local admin passwords taken from workstations against a server's local administrator account, where ‘common.txt’ contains the potentially re-used admin passwords. Simply build a script to iterate through multiple hosts.

Maybe you're doing the right thing, and no weak LM password hashes are available on your local machines. Maybe the NT password hash can't be cracked with your current dictionary sets, so a quick crack is out of the question. One answer is to use the Windows Credential Editor (wce); while not strictly a password re-use check, it does allow you to pass the hash even if you cannot crack or brute force it.

There's plenty more that wce can be used for; it's a very handy tool for manipulating authentication and passwords. If you want to go further, you might want to investigate hash spraying too. That's a useful route to compromising other systems if you can't crack the hash.

A workstation compromise that then leads to the compromise of a server through re-used credentials could easily expose cached domain credentials. Crack those and you are most of the way to controlling the domain.

Taking advantage of password re-use is one of the easiest ways to compromise systems on a business network. It's likely to lead the hacker to a server that is vulnerable, allowing them to raise privilege and then take control of your domain. It's highly unlikely to be noticed or to flag network monitors or alarms.
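The movement described above does leave a trace: one source address performing network logons as a *local* administrator account against several different hosts in a short period. The following is an added example, not code from the original article, that flags that pattern over a constructed sample of simplified Security event 4624 (successful logon) fields; the field names, the 10-minute window and the three-host threshold are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, computer, user, domain, logon_type, source_ip):
    # Constructed, simplified event 4624 record (assumed field names).
    return dict(time=time, computer=computer, user=user, domain=domain,
                logon_type=logon_type, source_ip=source_ip)


# Constructed sample, not real log data. For a local account the domain
# field equals the target host's own name; a domain account shows the domain.
SAMPLE_EVENTS = [
    _ev("2013-02-04T09:00:05", "SRV01", "administrator", "SRV01", 3, "10.0.5.23"),
    _ev("2013-02-04T09:01:10", "SRV02", "Administrator", "SRV02", 3, "10.0.5.23"),
    _ev("2013-02-04T09:03:40", "SRV03", "administrator", "SRV03", 3, "10.0.5.23"),
    _ev("2013-02-04T09:02:00", "SRV01", "jsmith", "CORP", 3, "10.0.5.40"),
    _ev("2013-02-04T09:02:30", "SRV02", "jsmith", "CORP", 3, "10.0.5.40"),
    _ev("2013-02-04T09:02:50", "SRV03", "jsmith", "CORP", 3, "10.0.5.40"),
    _ev("2013-02-04T09:05:00", "SRV05", "administrator", "SRV05", 3, "10.0.5.41"),
    _ev("2013-02-04T09:30:00", "WS17", "administrator", "WS17", 2, "10.0.5.41"),
]


def local_admin_fanout(events, window=timedelta(minutes=10), min_hosts=3,
                       admin_names=("administrator",)):
    """Return {source_ip: [hosts]} for every source that logged on over the
    network (logon type 3) as a local admin account to at least min_hosts
    distinct hosts within any window-long period. Thresholds are assumptions."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:                          # console/RDP logons: ignore
            continue
        if e["user"].lower() not in admin_names:          # only local admin names
            continue
        if e["domain"].upper() != e["computer"].upper():  # domain account, not local
            continue
        by_source[e["source_ip"]].append((datetime.fromisoformat(e["time"]), e["computer"]))
    hits = {}
    for ip, logons in by_source.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):           # sliding window from each logon
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[ip] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for ip, hosts in local_admin_fanout(SAMPLE_EVENTS).items():
        print(f"{ip} used a local admin account against {len(hosts)} hosts: {', '.join(hosts)}")
```

In the sample, the domain user jsmith touching three servers and the single local logon from 10.0.5.41 are left alone; only 10.0.5.23 is reported.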

Do check your systems for password re-use. While you're there, it might be wise to double check for default and blank passwords too.