Professional Documents
Culture Documents
Contents
01 Executive Summary 3
03 Heisenberg Honeypots 5
05 Collected Credentials 10
06 Interesting Credentials 12
2
Slain, M. (2016, January 19). Announcing our Worst Pass-
words of 2015 [Web log post]. Retrieved from https://www.
teamsid.com/worst-passwords-2015/
This paper concentrates on one of the more interesting protocols which the
Heisenberg honeypots support, the Remote Desktop Protocol (RDP).
3
Project Sonar. (n.d.). Retrieved from https://sonar.labs.
rapid7.com
4
Of course, not all of the opportunistic login attempts to the
Heisenberg honeypots are “malicious” in the ethical sense,
as we will explore later in this paper.
Villeneuve, N., Kyle, W., & Homan, J. (2014, July 9). BrutPOS: RDP
5
www.us-cert.gov/ncas/alerts/TA14-212A
The belief that RDP is playing a role in scams is bolstered by the recent observation that at
least one online banking site, TDBank.com, is actively scanning its customers via Websock-
et connection attempts to ports associated with RDP (and VNC). Evidence of RDP would
help companies like TD Bank prevent connections from potentially risky endpoints. Proof of
this intent to portscan customers of TDBank can be seen at https://tmx.tdbank.com/fp/
check.js?org_id=i8n5h0pw&session_id=a, as reported by Randy Westergren8. The offending
javascript snippet is shown above. Notice the tuple, ‘RDP:3389’, indicating the service and
port to be scanned.
odd that @TDBank_US is port scanning customer machines for VNC, RDP,
and a UPS? [Tweet]. Retrieved from https://twitter.com/RandyWestergren/
status/689117344220721153
9
Internetlivestats.com. (n.d.). Internet Users by Country
(2014). Retrieved February 19, 2016, from http://www.
internetlivestats.com/internet-users-by-country/
We have collected credentials intended for our RDP listening services over
the past 334 days, from 2015-03-12 to 2016-02-09. Over this period, we
have recorded 221,203 attempts to login, sourced from 119 countries
(Figures 5 and 6).
For example, a Google search for “St@rt123,” the third most common
password attempted, turned up only as a comment on a Krebs on Security
blog post suggesting it as a merely hypothetical weak password10 in con-
nection to a Russian e-payment system breach. It’s possible that “St@
rt123,” is, in fact, a known-to-some common default. Given the appearance
of this password on a blog that is concerned primarily with reporting
high-profile data breaches, its possible it’s use was merely an error in
translation11.
Despite these unknowns, some inferences can be drawn from the tables
that follow, especially when it comes to the relationships of passwords to
usernames.
Top 10 Usernames
By far, the most common username is “administrator,” followed by “Administrator”
(Figure 7). Note that because RDP is strongly associated with Windows, usernames
are not case-sensitive. While apparently omnipresent, it’s good to know that these
attackers are not omniscient, too.
The sixth most common username, “pos,” has a strong implication for point of sale
systems, while the usernames “db2admin” and “sql” imply a hunt for Internet-fac-
ing database instances.
Truly, the surprising detail to be uncovered here is just how weak these
passwords are. One or two characters, easily guessed strings, and a
strange appearance of a series of dots. Since these passwords were
deliberately chosen by the various scanners which ran up against Heisen-
berg, it implies that the default and common passwords to several POS
and kiosk systems are chosen out of convenience, rather than security.
x 11,865 (5.36%)
Zz 10,591 (4.79%)
1 5,679 (2.57%)
1 2327 1.05
. 82 0.04
;DuTYmwUxM- 61 0.03
P@wss0.A1rd 8 0.00
alex
ABC.123456 7 0.00
AAaa3344 6 0.00
1 167 0.08
admin@123 69 0.03
123456 67 0.03
.... 65 0.03
.............. 63 0.03
In Figure 10, we can see that “x” is, by far, the most commonly guessed password. Would-
be intruders are likely banking on the fact that POS and kiosk administrators may not
realize their device is reachable from the Internet, and would rather not set a password at
all. We can also see that the “St@rt123” password is associated with exactly one user
account, “user1,” just as the password “alex” is almost entirely associated with the user-
name “alex.” This would imply that perhaps “user1:St@rt123” and “alex:alex” are default
credentials to a particular brand of device, or even a particular botnet default.
Figure 10: Top Usernames Associated with the Top Ten Passwords
SPex 12 0.01
nmelrose 5 0.00
123 16 0.01
1 1 562 0.25
pratol 41 0.02
admin 36 0.02
Administraator 89 0.04
superior 37 0.02
admin 36 0.02
Admin 22 0.01
administrador 47 (1.2%)
Admin 45 (1.1%)
pos 41 (1.0%)
user 32 (0.8%)
test 26 (0.6%)
Guest 22 (0.6%)
guest 22 (0.6%)
Distinct Passwords per Username and Distinct “pos,” or guessing at a commonly chosen username, such
Usernames per Password as “admin.” Figure 13 is dominated by these easy guesses.
When studying online dictionary attacks, it’s helpful to Conversely, the guessed passwords do not clump together
realize that while the password is “private” and the user- as strongly as guessed usernames. The top password,
name is “public,” they are really two equal halves of a valid “password,” is only associated with 2.95% of the recorded
credential. If you happened to write an e-mail password on a events. This indicates that attackers are not spending a lot
piece of paper, but never reveal the associated e-mail of effort guessing one password across many usernames,
address, you haven’t effectively compromised your account. but instead are guessing many usernames with relatively
You are simply reversing the roles of username and pass- unique passwords for each.
word, as long as you keep the username secret. Of course,
keeping usernames secret is far more difficult, since
usernames tend to be publicly disclosed many, many times Well-Known Passwords
in normal operations. Passwords, on the other hand are In order to assess the commonality of the collected pass-
“disclosed” only upon authentication, and ideally over an words across traditional password dumps found in other
encrypted channel. research reports, we referenced two primary sources of
This is a real problem for online attacks where very little leaked password data.
about the system or its users is known. As seen in Figure 12,
the scanners are clearly targeting well-known, non-secret
default Windows accounts, such as “administrator,” default
usernames associated with a particular product, such as
password 50 2.77
1 49 2.71
....... 42 2.32
123abc!@# 39 2.16
P@ssw0rd 28 1.55
123456 26 1.44
admin 22 1.22
1x 21 1.16
...... 20 1.11
123 19 1.05
12
Wheeler, D. (2012, April 10). Zxcvbn: Realistic password strength estimation [Web log post]. Retrieved
from https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
13
Wheeler, D. (2012). Dropbox/zxcvbn. Retrieved February 19, 2016, from https://github.com/dropbox/
zxcvbn
14
Hornby, T. (n.d.). CrackStation’s Password Cracking Dictionary. Retrieved February 19, 2016, from
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
15
Goodin, D. (2015, February 9). Fearing an FBI raid, researcher publishes 10 million passwords/user-
names. *Ars Technica*. Retrieved from http://arstechnica.com/security/2015/02/fearing-an-fbi-raid-re-
searcher-publishes-10-million-passwordsusernames/
Complexity: 0 (20.2% of Heisenberg passwords) Complexity: 1 (38.1% of Heisenberg passwords) Complexity: 2 (18.5% of Heisenberg passwords)
Evidence from our Heisenberg honeypot RDP credentials advice will reach the people responsible for these systems.
analysis shows that there are definite risks associated with Unfortunately, it’s difficult to know for sure without further
exposing RDP to the Internet. Opportunistic attackers investigation. Periodic credential sweeps in order to size the
search for these services on a daily basis and have devel- problem appropriately would be most helpful but are
oped playbooks for how to find ones that are most blocked by legal barriers.
vulnerable. Here are some steps defenders can take to
mitigate the exposure associated with these services. Chilling Effects and Legislative Bug-fixing
16
18 USC 1030(a)(2).
17
18 USC 1030(a)(6)(B).
18
Ellis, J. (2015, October 28). [Web log post]. Retrieved from https://community.
rapid7.com/community/infosec/blog/2015/10/28/new-dmca-exemption-is-a-pos-
itive-step-for-security-researchers
Peterson, A. (2015, July 15). The government is headed back to the drawing
19