IT Security Horror Story: Digging your own grave with Default Credentials

October 29, 2014, Mark Manousogianis, Information Security Consultant, Coalfire Labs

I recently performed a penetration test that really required no “hacking skills” whatsoever. I was able to obtain domain administrator rights simply by logging into web applications and network hardware using default credentials.
The process was simple. I started by logging into a wireless access point using default debug credentials. After logging into this access point, I was able to obtain the administrator password to the access point. The administrator password on the access point was the same as the domain administrator password. Game over.
Although I obtained domain administrator rights, I of course continued the test. In the time allotted to me I was able to log into the company's security cameras, the Dell DRAC cards, switches, routers and even a Barracuda mail filter using default credentials. Although the company did have a strong password policy with regard to their domain user accounts, their 1000 hosts were completely compromised due to the consistent use of default credentials on their hardware and web applications.

Have a scary story of your own? We'd love to hear your story and help you combat your IT monsters!

