Co-written by Jonathan Stines and Tommy Dew. See all of this year's HaXmas content here.

He sees your password choices;
He knows when they’re not great.
So don’t reuse those passwords, please,
And make them all longer than eight.

Now that Christmas has passed and all of the chaos from the holidays is winding down, Santa and the elves are finally able to sit back and recover from the strenuous Holiday commotion. However, in fear of reputation damage from rival Holiday Leaders™, including the Easter Bunny and the Thanksgiving Turkey, the internal security team of elves at Santa’s Workshop LLC have decided to review their internal security posture. To start things off, they’re first focusing on password reuse and abuse of all users—including Santa and Rudolph!

Santa has commissioned an Elf Security Consultant, Snapid Kevin, to come in to discuss and review common weaknesses associated with password choices and see where there may be gaps with Santa’s own elves’ password decisions.

Santa requested the password assessment be reviewed from the perspective of a malicious actor, such as the Easter Bunny or T-day Turkey. Therefore, Snapid Kevin has treated the assessment as a penetration test with a focus on reviewing the overall password security posture of Santa’s organization.

Poor Elf Password Decisions

Snapid sat down at his laptop after plugging in to Santa’s production network and immediately ran Nmap and EyeWitness. After reviewing the results, Snapid found an Outlook Web Access (OWA) login portal and began to perform password sprays using the owa_login Metasploit module based off a username list he put together from employees he found on LinkedIn. To his dismay, Snapid found that 10 of the elves’ accounts were using Rudolph17, Winter2017, or Christmas2017 as the password. Snapid then logged in as one of Santa’s employees.

What to do?

  • Santa’s employees should be trained to not use easily guessed passwords but rather complex passwords that don’t use dictionary words like “gingerbread”, or “frosty”.
  • The North Pole should create and disseminate a more stringent password policy to require that users do not choose passwords that can be easily guessed dictionary words.
  • The North Pole should periodically perform audits of user password choices to ensure users are compliant with the North Pole’s password policy.
  • The North Pole could consider using technical controls to assist in password policy enforcement and prevention of dictionary words being used by the elves.

Storing Passwords in the Stockings

Snapid noticed that one of the passwords he had guessed belonged to Mrs. Claus. Snapid logged in to Mrs. Claus’ email and began searching her OWA account for sensitive information such as user passwords which were being insecurely stored in email. To Snapid’s surprise, Mrs. Claus had emailed her LastPass Enterprise Master Password to herself. While the password was highly complex and random, the fact that it was stored in plaintext allowed Snapid to retrieve the highly sensitive password.

What to do?

  • Users should be trained to not store passwords in plaintext within email.
  • The North Pole should train users how to properly use their LastPass Enterprise Password Manager.

Lack of Milk & Cookies

Snapid observed that Mrs. Claus’ OWA login didn’t require two-factor authentication—that is, authentication that requires a password and another factor to authenticate with, such as a unique token. To further test this observation, Snapid successfully logged into the Santa’s Workshop Enterprise Github server using only Mrs. Claus’ username and password. If Snapid had to present a second factor for authentication, he’d be stuck eating candy canes in an icy data center.

What to do?

  • Snapid Kevin recommends that Santa’s Workshop utilize two-factor authentication, such as Duo or Okta, on all login portals, including email and administrative interfaces.

Coming Down The Chimney

While on the Santa’s Workshop internal domain, RUDOLPH, Snapid noticed a lone Apache Tomcat server. Using his Elvish hacker intuition, Snapid loaded Metasploit and used the auxiliary/scanner/http/tomcat_mgr_login module to enumerate the Tomcat server for default usernames and passwords. After running the module, Snapid found that the default credentials ‘admin/admin’ allowed him access to the Tomcat Manager! Using these credentials, Snapid used Metasploit to deploy a malicious WAR file on the server which gave him backdoor access to the target.

What to do?

  • Change all default passwords to a secure and complex password or passphrase.

Double Dipping the Candy Canes

Using Nmap, Snapid noticed that several devices had TCP port 8080 and 8443 open, services commonly used by administrative web interfaces. Snapid connected to the web server using his browser and found that one of these administrative systems controlled Santa’s toy production conveyor belt used by the elves. Snapid also observed that authentication was required and that the default password had been changed for the highly critical system. Snapid guessed an Elf Administrator account while performing password sprays on the North Pole’s OWA portal. While the system did not appear to be connected to a centralized authentication system such as the RUDOLPH domain Active Directory, Snapid reused these guessed credentials and was able to login to the administrative portal. With this access, toy production could be halted and many kids would receive neither toys nor coal in their stockings!

What to do?

  • The elves should be trained to not reuse passwords on multiple systems. If multiple platforms are used, the elf users should have different passwords for each system rather than a shared password amongst all systems.
  • Oftentimes, organizations such as Santa’s Workshop LLC use a shared password for the local Administrator account on Windows systems as part of their corporate image. Passwords on systems for local Administrator accounts should be unique on systems. If local accounts are required, organizations should consider implementing Local Administrator Password Solution (LAPS) for assisting in rotating local Admin passwords on a predefined basis. If local accounts (privileged and non-privileged) are not required, they should be disabled in workstation and server images.

Conclusion

While Santa’s team of Security Elves may be extra busy during the holidays fighting off threats from the Easter Bunny and T-day Turkey, practicing proper password security hygiene is still very important. As discovered by Snapid Kevin, insecure password decisions and authenticator management can lead to negative consequences that could impact and even shut down Santa’s present-producing business. Malicious actors, such as T-day Turkey and the Easter Bunny, could exploit these vulnerabilities in order to damage Santa’s reputation by preventing him from getting presents out on time. Similar to Santa’s Workshop LLC, organizations should proactively assess their password and overall security posture in order to understand their vulnerabilities. This will allow for the appropriate application of security controls and remediation efforts to mitigate risk to an acceptable level.