Thursday, August 21, 2008

Shared Passwords Giving Up The Goods


Shared passwords, especially shared VNC password remind me of the straw house from the three little pigs...

In addition to the previous post on having the Domain Users group in the Enterprise Admins group (FTW!) on my last trip the organization had decided to use VNC for workstation management instead of Dameware/Remote Desktop.

Why? I have no idea. At least with RDP and Dameware you can force admins to use domain credentials to log in. But for whatever reason they had chose to use VNC on their workstations, servers used RDP. The VNC sessions were password protected

Well they had some sort of video feed linked to a webpage so people could watch the feeds from a single webpage. A simple right click on the feed properties showed an un-obfuscated VNC password (even had a check box that could have starred it out...oops). Surely the VNC properties for the feeds wouldn't be the same VNC for the workstations right? Wrong, they were. Game over. We could now log into all the workstations. We were already Enterprise Admin and could psexec into the workstations but screen shots of watching people read their email just look so much better during the outbrief :-)
CG

3 comments:

Anonymous said...

Shared VNC password? Whats the problem? It would not be a security risk until you meddling gringo's came.
OK, honestly, saw the same thing! Luv it, like it, wish I did not see it.
Best thing I came across...?
c:\ set
Returned?
Yep...
Username: Blacktie
Pasword: Pw0ned

A little Net User and what do you know...a roll-out account!
Whoo hoo!!!!

Unknown said...

from pentest experience VNC is a given if you get access to one machine running it and decode the password from the registry 99,9% the same password will work on another machine. I'm just curious about the previous comment with "set", did that system had a username and password variables configured in the env variables?

CG said...

running set will give environment variables for the user.

I personally havent seen comments in set data so maybe anonymous is pulling our leg, but I wouldnt totally rule the possibility out.

I have seen good stuff in the comments from a net user username /domain though