The Danger of Administrator Password Reuse
23 Aug 2022
Don't let password fatigue lead you to sacrifice security for convenience
According to the 2020 State of Password and Authentication Security Behaviours Report, nearly half of all IT security professionals surveyed share passwords with colleagues to access business accounts. In the same study, IT security professionals reported that they reuse passwords across an average of 12 workplace accounts. And nearly 60 percent of IT professionals indicated their company relies on human memory for password management.
These behaviours are the product of password fatigue. From logging into your personal email and your computer at work, to online banking and accessing mobile apps, a number of simple (but necessary) everyday tasks require users to input a password. The resulting password fatigue leads many to sacrifice security for convenience by re-using passwords across applications, leaving information vulnerable to attackers. In fact, in its 2022 Data Breach Investigations Report, Verizon found that 80% of data breaches are linked to passwords. This is especially concerning to businesses, financial institutions, government agencies, or any entity with multiple servers.
One way to test network security is to conduct external and internal penetration tests, with the objective of identifying security weaknesses that an attacker could exploit to gain unauthorized system or data access. Any security holes are identified so action can be taken to improve cyber defences.
During a recent client site penetration test (pen test) we conducted, we were able to gain domain administrator access through the exploitation of a frontline Oracle vulnerability, ultimately giving us full control over the domain.
Gaining a foothold
The identification and exploitation of the initial Oracle WebLogic Server RCE (Remote Code Execution) vulnerability was trivial, largely achieved using our standard pen test toolkit. The Proof of Concept (PoC) command "ipconfig" (below) was executed on the server.
We then replaced the ipconfig command in the PoC with "whoami," which returned the response "nt authority\system". This confirmed we could now execute code on the affected servers.
Having proven that the RCE was valid, allowing complete system access and the ability to execute most commands at a local admin level, we created a new account on the servers and granted this account local admin privileges, as shown in the screenshot below.
Elevating privilege through password reuse
We then investigated other local user accounts on the affected servers, and finding a list of local admin accounts, we tested these to see if the credentials matched the domain controller accounts. After a few failed attempts, we soon found a domain controller account that re-used the same credentials as a local admin account.
Due to the nature of Windows NT password hashes, we used the pass-the-hash technique to gain full access to the domain controller. In other words, we didn't even need to crack the password hash to gain access, meaning in this scenario password strength was irrelevant. We had managed to gain access to the domain controller by using a local admin account, simply because the admins were re-using passwords across both systems.
Test and patch to reduce platform for attack
Although the password reuse and pass-the-hash techniques are nothing new and a common feature in a pen tester's playbook, the vulnerability for the Oracle WebLogic Server is fairly recent (October 2020) and the exploit used to abuse this even more recent (May 2022). This demonstrates the importance of secure system configuration, regular software patching and the performing of regular pen tests to identify frontline vulnerabilities, in order to reduce the platform and opportunity for more invasive and manual onward attacks.
Avoiding password reuse across local admin and domain controller accounts would have contained the attack to the local admin level on the affected servers, as opposed to opening up full domain access. There is a lot of good advice about using secure passwords, but importance must also be given to ensuring passwords are not re-used across systems, especially at the administrator level.
Francis Choi,
Penetration Tester
Francis is a CREST Team Lead at Intertek NTA where he specialises in internal IT health checks, cyber essentials, and PCI ASV testing. He particularly enjoys working with customers and helping them achieve compliance.
Theo Sheppard,
Penetration Tester, Trainee
Theo is a Trainee Penetration Tester at Intertek NTA, where he primarily performs external tests, but has recently added internal testing to his responsibilities. He enjoys finding new and interesting vulnerabilities.