CAPEC-70: Try Common or Default Usernames and Passwords
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.
前提条件
- The system uses one factor password based authentication.The adversary has the means to interact with the system.
所需技能
所需资源
- Technology or vendor specific list of default usernames and passwords.
后果影响
影响范围: Confidentiality Access Control Authorization
技术影响: Gain Privileges
缓解措施
Delete all default account credentials that may be put in by the product vendor.
Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.
Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.
Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.
示例实例
A user sets their password to "123" or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.
Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288
In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1078.001 | Valid Accounts:Default Accounts |