Welcome back! In our last installment we started planning our horizontal password guessing attack by identifying the ten most common passwords. Hopefully none of those terrible passwords are scrawled on little sticky notes anywhere in the vicinity of your cubicle! But what about usernames? Which usernames should we guess? If the target application uses an established username format, common usernames are easy to predict. For example, consider an application that builds the username from the user's first initial and last name, so John Doe becomes "jdoe". According to the Social Security web site, these are the top ten male names issued during the 1980s (http://www.ssa.gov/OACT/babynames/decades/names1980s.html):
1. Michael
2. Christopher
3. Matthew
4. Joshua
5. David
6. James
7. Daniel
8. Robert
9. John
10. Joseph
And the top ten female names from the same decade:
2. Jennifer
3. Amanda
4. Ashley
5. Sarah
6. Stephanie
7. Melissa
8. Nicole
9. Elizabeth
10. Heather
Why the 1980s, you ask? We'll guess that our median user is in their 30s. But more importantly, the 1980s featured unbelievable songs like "Come On Eileen" and "Total Eclipse Of The Heart". In any case, we can deduce that the most common male and female first names start with the following letters:
2. C
3. D
4. E
5. H
6. J
7. M
8. N
9. R
10. S
Next, the ten most common last names:
1. Smith
2. Johnson
3. Williams
4. Brown
5. Jones
6. Miller
7. Davis
8. Garcia
9. Rodriguez
10. Wilson
I bet poor Tom Hanks still misses #10. In any case, we now have all the right ingredients to brew our secret sauce. We can write a script to enumerate the 100 most common usernames by sequentially combining each of the ten most common first initials with each of the ten most common last names. For example:
2. csmith
3. dsmith
4. esmith
5. hsmith
. . .
96. jwilson
97. mwilson
98. nwilson
99. rwilson
100. swilson
Then pair each of those 100 usernames with each of the ten most common passwords from the last installment:
1. asmith/password
2. asmith/123456
3. asmith/12345678
4. asmith/abc123
5. asmith/qwerty
. . .
996. swilson/monkey
997. swilson/letmein
998. swilson/dragon
999. swilson/111111
1000. swilson/baseball
Voilà! We now have an optimized list of 1,000 usernames and passwords to feed into our password guessing tool. But I know what you're thinking. Does it really work? The answer is a definitive YES! I have personally implemented this technique with excellent results while conducting penetration tests for Symantec clients. Just modify the username format to fit your needs (for example "first.last" or "first_last") and let your password guessing tool rip!
The right defense depends on the application. A few examples:
- SSH Server – Avoid passwords whenever possible. For example, implement SSH public key authentication.
- Financial web application – Supplement passwords with two factor authentication. For example, deploy VeriSign VIP tokens (https://idprotect.verisign.com/learnmoretoken.v).
- Webmail application – Ensure passwords adhere to stringent length and complexity requirements. For example, require passwords to be at least eight characters long and to include uppercase letters, lowercase letters, numbers, and special characters. In addition, implement account lockout. Furthermore, educate users about password management tools such as Bruce Schneier's outstanding Password Safe (http://passwordsafe.sourceforge.net/).
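As an added example (not part of the original post), the following Python shows how a defender can spot the horizontal pattern described above in SSH authentication logs: one source failing against many distinct, predictably named accounts, each only once or twice, which a per-account lockout counter never trips on. The log lines are constructed, and the sshd message format, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real data): one source walks through
# "first initial + surname" usernames, while another source is a real user
# fumbling their own password before succeeding with a key.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[411]: Failed password for invalid user asmith from 203.0.113.9 port 50122 ssh2
Jan 10 09:00:03 bastion sshd[412]: Failed password for invalid user csmith from 203.0.113.9 port 50123 ssh2
Jan 10 09:00:05 bastion sshd[413]: Failed password for dsmith from 203.0.113.9 port 50124 ssh2
Jan 10 09:00:07 bastion sshd[414]: Failed password for invalid user esmith from 203.0.113.9 port 50125 ssh2
Jan 10 09:00:09 bastion sshd[415]: Failed password for invalid user hsmith from 203.0.113.9 port 50126 ssh2
Jan 10 09:00:11 bastion sshd[416]: Failed password for jjohnson from 203.0.113.9 port 50127 ssh2
Jan 10 09:01:00 bastion sshd[417]: Failed password for jdoe from 198.51.100.7 port 40001 ssh2
Jan 10 09:01:02 bastion sshd[418]: Failed password for jdoe from 198.51.100.7 port 40002 ssh2
Jan 10 09:01:04 bastion sshd[419]: Failed password for jdoe from 198.51.100.7 port 40003 ssh2
Jan 10 09:01:06 bastion sshd[420]: Accepted publickey for jdoe from 198.51.100.7 port 40004 ssh2
"""

# Assumed syslog/sshd layout; adjust for your own log format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted usernames} for sources that fail against at
    least `min_users` distinct accounts inside `window`. Keying on the source
    rather than the account is what catches horizontal guessing: each account
    sees too few failures to trigger lockout, but the source does not."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```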