One of my key take-aways in the Verizon Data Breach Incident Report was that credentials are a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem.
These techniques were primarily leveraged against two targets: Shared passwords on 3rd-party provided POS systems were the biggest problem, followed directly by weak passwords on remote access solutions that enable the help desk to quickly provide help to employees working on the POS devices.
When I talk to security professionals, they often tell me that they leverage L0phtcrack for brute forcing. While it's a great tool, it's really specialized in offline cracking of password hashes. For offline cracking, you need to have access to a hash that is stored in a system, typically a Windows or Unix user password.
However, especially in the case of remote access solutions, this approach does not work - you need to test passwords directly against the live service. Metasploit includes auxiliary modules that help you brute force passwords against PC Anywhere and VNC services. Here's how you'd conduct an audit for these services on your network with Metasploit Express or Metasploit Pro:
- Run a discovery scan on your network, which will identify any VNC or PCAnywhere services listening on the network
- Hit the "Bruteforce" button
- Select only the services for PCAnywhere and VNC, and start the brute forcing process
Metasploit Pro will now test these services using a list of the most common passwords, which include host names from the discovery scan. You can also provide your own password list, which may include the name of the POS vendors you work with.
By the way, Metasploit Pro also comes with a John The Ripper integration that cracks looted password hashes, covering the offline angle as well.
If you don't currently use Metasploit Pro, you can download a free Metasploit Pro trial on Rapid7.com. If you're running Kali Linux, Metasploit comes preinstalled. Just fill in the trial form to get the key, enter "msfconsole" on a Kali terminal, type "go_pro" and enter the license key.