Testing for default credentials (OTG-AUTHN-002)

Brief Summary
Nowadays web applications often make use of popular open source or commercial software that can be installed on servers with minimal configuration or customization by the server administrator. Moreover, a lot of hardware appliances (i.e. network routers and database servers) offer web-based configuration or administrative interfaces. Often these applications, once installed, are not properly configured and the default credentials provided for initial authentication and configuration are never changed. These default credentials are well known by penetration testers and, unfortunately, also by malicious attackers, who can use them to gain access to various types of applications. Furthermore, in many situations, when a new account is created on an application, a default password (with some standard characteristics) is generated. If this password is predictable and the user does not change it on the first access, this can lead an attacker to gain unauthorized access to the application.

Description of the Issue
The root cause of this problem can be identified as:
 * Inexperienced IT personnel, who are unaware of the importance of changing default passwords on installed infrastructure components, or leave the password as default for "ease of maintenance".
 * Programmers who leave backdoors to easily access and test their application and later forget to remove them.
 * Applications with built-in, non-removable default accounts with a pre-set username and password.
 * Applications that do not force the user to change the default credential after the first login operation.

Testing for default credentials of common applications
In Blackbox testing the tester knows nothing about the application and its underlying infrastructure. In reality this is often not true, and some information about the application is known. We suppose that you have identified, through the use of the techniques described in this Testing Guide under the chapter Information Gathering, at least one or more common applications that may contain accessible administrative interfaces. When you have identified an application interface, for example a Cisco router web interface or a Weblogic administrator portal, check that the known usernames and passwords for these devices do not result in successful authentication. To do this you can consult the manufacturer’s documentation or, in a much simpler way, you can found common credentials using a search engine or by using one of the sites or tools listed in the Reference section. When facing applications to which we do not have a list of default and common user accounts (due to the fact for example that the application is not widely spread) we can attempt to guess valid default credentials. Note that the application being tested may have an account lockout policy enabled, and multiple password guess attempts with a known username may cause the account to be locked. If it is possible to lock the administrator account, it may be troublesome for the system administrator to reset it. Many applications have verbose error messages that inform the site users as to the validity of entered usernames. This information will be helpful when testing for default or guessable user accounts. Such functionality can be found, for example, on the login page, password reset and forgotten password page, and sign up page. Once you have found a default username you could also start guessing passwords for this account. More information about this procedure can be found in the section Testing for User Enumeration and Guessable User and in the section Testing for Weak password policy. Since these types of default credentials are often bound to administrative accounts you can proceed in this manner:
 * Try the following usernames - "admin", "administrator", "root", "system", "guest", "operator", or "super". These are popular among system administrators and are often used. Additionally you could try "qa", "test", "test1", "testing" and similar names. Attempt any combination of the above in both the username and the password fields. If the application is vulnerable to username enumeration, and you successfully manage to identify any of the above usernames, attempt passwords in a similar manner. In addition try an empty password or one of the following "password", "pass123", "password123", "admin", or "guest" with the above accounts or any other enumerated accounts. Further permutations of the above can also be attempted. If these passwords fail, it may be worth using a common username and password list and attempting multiple requests against the application. This can, of course, be scripted to save time.
 * Application administrative users are often named after the application or organization. This means if you are testing an application named "Obscurity", try using obscurity/obscurity or any other similar combination as the username and password.
 * When performing a test for a customer, attempt using names of contacts you have received as usernames with any common passwords.
 * Attempt using all the above usernames with blank passwords.
 * Review the page source and javascript either through a proxy or by viewing the source. Look for any references to users and passwords in the source. For example "If username='admin' then starturl=/admin.asp else /index.asp" (for a successful login vs a failed login). Also, if you have a valid account, then login and view every request and response for a valid login vs an invalid login, such as additional hidden parameters, interesting GET request (login=yes), etc.
 * Look for account names and passwords written in comments in the source code. Also look in backup directories, etc for source code that may contain comments of interest.

Testing for default password of new accounts
As mentioned previously, in other situations, when a new account is created on an application, a default password is generated. This password could have some standard characteristics making it predictable and if the user does not change it on the first access (this often happens if the user is not forced to change it), this can lead an attacker to gain unauthorized access to the application. Advice for testing default passwords on common application (about lockout policy and verbose error messages) still remain valid also for this test. The Following steps can be applied to test for these types of default credentials:
 * Viewing the User Registration page may help determine the expected format and length of the application usernames and passwords. If a user registration page does not exist, determine if the organization uses a standard naming convention for user names such as their email address or the name before the "@" in the email.
 * Try to extrapolate from the application how usernames are generated. For example, can a user create their own username or does the system create an account for the user based on some personal information or a predictable sequence? If the application does create its own accounts in a predictable sequence, such as user7811, try fuzzing all possible accounts recursively. If you can identify a different response from the application when using a valid username and a wrong password, then you can try a brute force attack on the valid username (or quickly try any of the identified common passwords above or in the reference section).
 * Try to determine if the password is predictable by creating many new accounts in quick succession to compare and determine if the passwords are predictable. If predictable, then try to correlate these with the usernames, or any enumerated accounts, and use them as a basis for a brute force attack.
 * If you have identified the correct naming convention for the user name, try to “brute force” passwords with some common predictable sequence like for example dates of birth.
 * Attempt using all the above usernames with blank passwords or using the username also as password value.

Result Expected
Successful authentication to the application or system being tested.

Gray Box testing and example
The following steps rely on an entirely Gray Box approach. If only some of this information is available to you, refer to black box testing to fill the gaps.
 * Talk to the IT personnel to determine passwords they use for administrative access and how administration of the application is undertaken.
 * Examine the user database for default credentials as described in the Black Box testing section. Also check for empty password fields.
 * Examine the code for hard coded usernames and passwords.
 * Check for configuration files that contain usernames and passwords.
 * Examine the password policy and, if the application creates its own passwords for new users, check the policy in use for this procedure.

Result Expected
Successful authentication to the application or system being tested.