IT Security Horror Story: Digging your own grave with Default Credentials

Mark Manousogianis, Information Security Consultant, Coalfire Labs

I recently performed a penetration test that really required no “hacking skills” whatsoever. I was able to obtain domain administrator rights simply by logging into web applications and network hardware using default credentials.
 
The process was simple. I started by logging into a wireless access point using default debug credentials. After logging into this access point, I was able to obtain the administrator password to the access point. The administrator password on the access point was the same as the domain administrator password. Game over.
 
Although I obtained domain administrator rights, I of course continued the test. In the time allotted to me I was able to log into the companies security cameras, the Dell DRAC cards, switches, routers and even a Barracuda mail filter using default credentials. Although the company did have a strong password policy in regards to their domain user accounts, their 1000 hosts, were completely compromised due to the consistent use of default credentials on their hardware and web applications.

Have a scary story of your own? We'd love to hear your story and help you combat your IT monsters!

Learn more about Coalfire Labs:
Penetration Testing
Vulnerability Scanning & Assessments
Social Engineering
Application Security

Read our other IT Security Horror Stories:
The 100 Million Dollar Getaway
The Ghosts Inside
Breaching a bank in 20 minutes

Past Horror Stories
Truth is SCARIER than Fiction Redux
Is your Network an Unsegmented Haunted House?
Digging your own grave with Default Credentials
Slow Network, Big Phish
The Case of the Phantom Blood Red Team
A Tale of Spooky Hosted Images
Ghost in the Machine
Tale of the Fake IT Rep
Truth is Scarier Than Fiction
The Case of the Phantom Technician

Mark Manousogianis

Author

Mark Manousogianis — Information Security Consultant, Coalfire Labs

Recent Posts

Post Topics

Archives

Tags

Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS
Top