The other day I performed an external penetration test and obtained access using a default password that had never been changed (which is common). Afterwards I began looking up statistics on passwords, and here is one of the links that was listed in a regular Google search.
http://staff.washington.edu/krl/stats/pwc/
Amazing that someone would, to this day, post such information on a public website. Nice to know if this were my next external penetration target. Wait, it gets better! Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one directory, which led me to these:
http://staff.washington.edu/krl/stats/
http://depts.washington.edu/ast/projects.old/
http://depts.washington.edu/ast/projects.old/pwedit.html
Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:
- Home directories /rc, /cg, /mailer
- The mail server statistics that show me what appear to be system names and the number of entries in the /etc/passwd file
- The large directory listing with a plethora of information
- The nice picture of your license
- A password hash: U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6
Ken
So why did I post this?
Two reasons. One, I have a blog. Two, because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story I will post another message.
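The two things the post above actually does by hand, walking a URL back one directory at a time and spotting an exposed password hash in a stats page, are easy to script. The example below is added here and is not code from the original post or from the site in question. The host `example.test`, the `SAMPLE_SITE` pages and `fake_fetch` are constructed stand-ins so it runs offline; the record parser only splits `KEY:value` tokens, it does not claim to know what the fields on the real page mean, and the 13-character check is merely the shape of a traditional DES crypt(3) hash, so it can false-positive on any 13-character word.

```python
"""Added example: walk up a URL's path and flag directory listings and
crypt-style password hashes.  Nothing here touches a real host; fetch()
is injected and the sample site below is constructed for the demo."""
import re
from urllib.parse import urlsplit, urlunsplit

# Apache and nginx autoindex pages put "Index of /<dir>" in the <title>.
_LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# Traditional DES crypt(3): exactly 13 chars of [./0-9A-Za-z].
# Modular crypt format ($1$, $5$, $6$, ...): $id$salt$hash.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_MCF_RE = re.compile(r"^\$[0-9a-z]+\$[./0-9A-Za-z$]+$")


def parent_urls(url):
    """Yield the URL itself, then each ancestor directory up to the root.

    http://h/a/b/c.html -> http://h/a/b/c.html, http://h/a/b/, http://h/a/, http://h/
    Query and fragment are dropped; they never matter for ancestor directories.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    yield urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    comps = path.rstrip("/").split("/")          # "/krl/stats/pwc/" -> ["", "krl", "stats", "pwc"]
    for n in range(len(comps) - 1, 0, -1):       # one component shorter each step
        yield urlunsplit((parts.scheme, parts.netloc, "/".join(comps[:n]) + "/", "", ""))


def is_directory_listing(html):
    return bool(_LISTING_RE.search(html))


def looks_like_crypt_hash(value):
    return bool(_DES_CRYPT_RE.match(value) or _MCF_RE.match(value))


def parse_record(line):
    """Split 'U:4001 A:2B314469 N:noyd P:... G:15 C:6' into {key: value}.
    Field meanings are an assumption left open; only the KEY:value shape is used."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition(":")
        if sep:
            fields[key] = value
    return fields


def find_hash_records(text):
    """Return (line, field, value) for every KEY:value token whose value looks like a hash."""
    hits = []
    for line in text.splitlines():
        for key, value in parse_record(line).items():
            if looks_like_crypt_hash(value):
                hits.append((line.strip(), key, value))
    return hits


def triage(start_url, fetch):
    """Walk from start_url up to the root; fetch(url) -> (status, body) is injected."""
    findings = []
    for url in parent_urls(start_url):
        status, body = fetch(url)
        if status != 200:
            continue
        if is_directory_listing(body):
            findings.append((url, "directory listing"))
        for _, key, value in find_hash_records(body):
            findings.append((url, f"crypt-style hash in field {key}: {value}"))
    return findings


# Constructed sample site (assumption: invented pages on a reserved test host,
# not responses captured from the site discussed above).
SAMPLE_SITE = {
    "http://example.test/stats/pwc/": (200,
        "<html><body><h1>Password stats</h1>\n<pre>\n"
        "U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6\n"
        "</pre></body></html>"),
    "http://example.test/stats/": (200,
        "<html><head><title>Index of /stats</title></head>\n"
        "<body><h1>Index of /stats</h1><a href='pwc/'>pwc/</a></body></html>"),
    "http://example.test/": (403, "Forbidden"),
}


def fake_fetch(url):
    return SAMPLE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for url, what in triage("http://example.test/stats/pwc/", fake_fetch):
        print(url, "->", what)
```

Against a live target you would replace `fake_fetch` with a real HTTP client (and a rate limit); the walk itself is the same one the post describes, just applied to every ancestor rather than stopping at the first interesting directory.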