Password Theory, Explained

I saw an article a couple of days ago by a journalist asking, basically, “when you attack a target, how do you do it?”  I wrote the journalist a reply explaining my basic modus operandi.

There isn’t anything particularly special about how I go about attacking a target, except one thing: where I get my password lists.  That is, when I’m using a brute-force attack on a target service, where I draw my usernames and passwords becomes highly relevant to the success or failure of my efforts.

It should be noted at this point that I do not make it a habit to attack systems that I do not have legitimate access to (e.g. through either permission or ownership).  That said, password cracking can be a time-consuming effort.

So, how do I attack passwords?  I use a utility called “hydra.”  Long story short, hydra is only as good as the passwords you feed into it.  For example, if you’re attacking a server in a foreign country, it’s not very useful to use a password list based on American slang.  The lists I use have been gleaned from published password breaches and other dumps.  Over the past several years, I have amassed a large collection of passwords that I use for brute-forcing systems.

You might wonder then, “How do I prevent my password from being cracked?”  The short answer is to avoid passwords that appear in those lists, and further to build your passwords using so-called “haystack theory.”  “Haystack Theory” says that the LENGTH of the password is the only thing that matters.

Accordingly, you want to make sure your passwords are long, but memorable.  So how does this play out practically?  Ask yourself, “Which of the following passwords is more secure?”  s3crEtp@ss or password………

If you said “password………,” you are right.  The first example sits in a space of 96^10 possible passwords (10 characters, each drawn from 96 printable characters).  The second sits in a space of 96^20 possible passwords.  So, we’re talking about an exponential difference.

Now, unfortunately, a lot of password policies don’t permit passwords like this, but that shouldn’t stop you from being able to employ “haystack theory” in your passwords.

If you want to read more about “haystack theory,” you can at https://www.grc.com/haystack.htm.

Corey Steele, Network and Security Engineer

HPN Spotlight: Dan Roerick

In our HPN Spotlight series, we will be featuring High Point Networks employees from our Service, Sales and Support teams across our five locations.

Name: Dan Roerick

Title: Project Manager

Office: West Fargo, ND

Where did you grow up?
I was born and raised in Fargo, ND and attended Fargo Public Schools, graduating from Fargo South High.


What did you do before joining the HPN team?
After high school, I attended NDSU. During college I worked as a delivery driver and shift manager for Pizza Hut, before getting my first corporate IT job in 1997. I spent 7 years as the LAN/WAN manager of a real estate company before joining HPN in July of 2004.

What do you do in your free time?
I spend time with my family and friends, and I love live events (sports, concerts, etc.) and movies. I also have a passion for photography and spend a great deal of time following that passion, and I have numerous print publications to my credit.

What is your favorite part about HPN?

We have always had a work hard/play hard mentality. Tom, Justin and Brad treat us very well for all of our hard work, and they support all the employees in their personal endeavors as well,  be that a photography passion, coaching HS football, etc. HPN truly has a family feel. That is my favorite part.

What is your favorite HPN moment?
Being honored with the High Point Award this year and being recognized as a valuable member of the team.

What is one thing about yourself that HPN employees and customers probably don’t know?
My mother is a native of Germany and met my father when he was stationed there with the US Army. I still have family in Germany, and I visited Europe half a dozen times by the time I was 18.

How Hackers Attack – Part 1

Most hackers have a favorite target. Some prefer web servers of a particular flavor, others prefer Remote Desktop or SSH, etc.  Knowing this ultimately helps an administrator to know and understand the threats that face their network.  So, how does this look in the real world?  Let us take a look at a practical example.

Let’s say my target of choice is the WordPress platform.   Now, because I have access to the WordPress source code, I spend all day poring over the code looking for vulnerabilities.  (In fairness, it is not only open source code that I can do this on, but it’s easier on open source software because there’s typically less reverse engineering involved.)  Suppose now that I have found a vulnerability and want to develop an exploit for this vulnerability.  I turn to ExploitPack to write and test the exploit.

ExploitPack is a cross-platform tool that allows me to quickly write and test the exploit.  ExploitPack allows me to write my exploit(s) in Python, a language that is lightweight, powerful, and very easy to learn.  ExploitPack is essentially an integrated development environment (IDE) for developing exploits, and it’s free to anyone who can find it online.

So, now that I’ve found my vulnerability and have written an exploit for it, I now need to find a list of targets that would be affected by my vulnerability.  This can be a manual process, or a clever hacker can automate it.  Manually, I could search Google with a query of “link:wp-content/themes” and find all of the WordPress sites in the Google index, but now I have to compile that list by hand, and I’m quickly bored by that.  What are my options?  ‘zmap’ is a tool that allows me to quickly scan very large segments of the Internet for services running on specific ports.  I can find all the webservers on the “regular Internet” (I’ll write about the “dark net” later) in a couple of days.  Then I just need to crawl those sites using a tool like BurpSuite looking for “wp-content/themes.”  So, in a week’s time, I can find the vast majority of the sites on the Internet that run WordPress.

How does a hacker tie it all together?  They take the list of targets they found using zmap and Burp, import it into ExploitPack, select their hand-crafted exploit, and select a payload (which can be any of a thousand things, but in a case like this, your attacker is probably going to use a PHP shell as their payload to allow them to do whatever they want on the box) and hit “go.”

A little patience, and now I’ve got a remote shell on potentially tens of thousands of hosts from which I can do a number of things, including deface websites, steal content, steal credentials, host malware – the list goes on.  And it only took me a couple of weeks.  If the site contained anything really juicy, I might be able to sell it, or otherwise monetize it (e.g. blackmail).

That is how hackers attack your network.  All said and told, the only tool I would need to pay for to achieve all of this would be a commercial copy of BurpSuite, which costs $300… which I could recover very quickly by ransoming the websites I’d just “pwned” (“owned,” or taken over).  In the next segment of this series, I’ll write about how we prevent these attacks in a robust fashion.

Corey Steele, Network and Security Engineer

HPN Spotlight: Tylan Hochhalter

In our HPN Spotlight series, we will be featuring High Point Networks employees from our Service, Sales and Support teams across our five locations.

Name: Tylan Hochhalter

Title: Network Technician

Office: Bismarck, ND

Where did you grow up?
I grew up in Bismarck, ND, where I graduated from Century High School. I was big into competitive trap shooting when I was in high school.


What did you do before joining the HPN team?
At one point I was a plumber, but it was kind of crappy and I couldn’t stand it. I completely fell into working with security cameras working for Midwest Investigation and Security in Bismarck, ND, and I love what I do now.

What do you do in your free time?
I enjoy hunting and fishing, and I love the outdoors. I went duck hunting in Saskatchewan, which was the coolest hunting trip I’ve ever been on. It’s by far the best waterfowl hunting in our area.


What is your favorite part about HPN?
I absolutely love how HPN is a large family. Everyone seems to just click. We’re all more than happy to help each other, no matter how large or small the task. We all have the same goal in mind – doing what we love and doing it as best we can!

What is your favorite HPN moment since joining the team in June?
I’d have to say watching (HPN Security Engineer) Corey Steele drink a bottle of A1 at the company golf outing.
Editor’s Note: We have confirmed that this did happen, but we have not confirmed why.

What is one thing about yourself that HPN employees and customers probably don’t know?
I have a pet snake. It’s a Ball Python that is about 3 ½ ft. long.

Why VMware?

This is the fourth installment of a series by Systems Team Lead Matt Peabody to begin to answer a question he hears all the time: “Why vendor X?”

“Why VMware?” is a question I hear from quite a few customers when starting with virtualization or looking at their current virtual infrastructure.  There are many competing hypervisors out there, with Microsoft’s Hyper-V being a close second.  We believe VMware is still the leader, building on the success of the ESX hypervisor it introduced over a decade ago.

1. Stability
The core ESXi product is as solid as embedded appliance operating systems like switches or routers.  VMware is a purpose-built appliance we load VMs onto, rather than an add-on to a current operating system.  Like all software companies, VMware has had some bugs, but their quick turnaround time and openness with these bugs helps a great deal.  They list known issues and fixes right on their site so they are easy to find and correlate with any issues that may be happening.

2. Management
With vCenter at the root for managing a VMware environment, there is a true single pane of glass for the entire infrastructure.  The vSphere Web Client combines management, monitoring, provisioning, compliance remediation, backup, DR, and many more things into a coherent and expansive interface.  There are plugins for storage vendors, virtualized networking (NSX) and storage (VSAN).  VMware ESXi has some of the easiest clustering support, getting an HA environment up and running in minutes with two clicks.

3. Security
VMware is a very security-minded company.  VMware has offerings in OS compliance with vRealize Operations Management, mobile device management with Airwatch, and even endpoint management with their Horizon Suite of products.  This allows them to manage and control your entire infrastructure from one platform.  Since VMware uses purpose-built, hardened appliances and applications, they have fewer patches and vulnerabilities, and they can keep their update cycle very rapid.

4. Vision
VMware is constantly leading with emerging technologies.  From their purchase of Nicira to form their NSX virtual networking platform to their creation of VSAN, their integrated hyper-converged platform, they are always ahead of the market in their vision for the future.  They quickly integrate new products into the fold of the company and still let those technologies shine and innovate.  VMware seems to be a few years ahead of the other members in their market, and it shows in their leadership.

VMware continues to excel and grow as a company as they expand their influence into areas other than compute virtualization.  They keep a tight integration with their products to stay ahead of competition and innovate in the evolving world of technology.

Don’t Make Me Beg

As a security professional, published author, and frequent speaker about information security, I’ve observed that there is a relatively consistent role that denial plays in all data breaches.  It begins long before there is ever any data stolen and persists well through the discovery and resolution of the breach.  In my heart of hearts, I do not believe this denial is a conscious decision, rooted in a lazy attitude about security, but rather that denial is the path of least resistance.

How do we change the tenor of the discussion around information security such that it is easier to choose action over inaction?  Or funding over non-funding?  Or staffing over non-staffing?

Many who have attempted to answer these questions have buried the reader in statistics and anecdotal stories about how inaction, non-funding or non-staffing has ultimately led to an organization’s public humiliation.  Let me take a different tack: begging.

Please, please, please!  Please take seriously the trust your company and customers have put in you to protect sensitive data.

Please employ column-based database encryption to protect my Social Security Number, credit card number and other private data.

Please implement east-west packet filtering to protect data centers from insider threats.

Please employ SIEM systems to help identify anomalous events on your data systems and infrastructure, so an attack can be properly identified.

Please prepare the procedures and plans necessary to efficiently and effectively respond to a data breach.

Please invest in vulnerability scanning and patch management systems to help keep your systems up to date, to prevent the exploitation of sensitive systems, or the lateral movement from non-sensitive systems to sensitive systems.

I make these pleas first as a consumer whose card data has been stolen on numerous occasions, and second as a security consultant charged with helping prevent and/or recover from the breaches that such a denial creates.

Never think you’re too small a target.  Never think you have nothing a hacker would want.  Never think that it’s impossible you could be targeted, or that you have been breached.

Denial is the mother of demise; take your charge seriously and don’t be in denial.

Corey Steele, Network and Security Engineer

Candy Crush Malware Isn’t So Sweet

It was Easter this year when my aunt warned me, “Don’t start playing Candy Crush. It will ruin your life.”  She spoke like she herself had hit bottom, but she clearly hadn’t.  I heeded her words of warning, and today I’m glad, because today I’m seeing reports that a malicious version of Candy Crush, Plants vs. Zombies, and Super Hero Adventure (among others) have made it into the Google Play Store. [1]

If, by chance, you fancy a game of Plants vs. Zombies or Candy Crush, and you recently installed it (or updated it), you would be well advised to uninstall it.  But how do you avoid malware on your mobile devices to begin with?

There’s good news and bad news about malware on mobile devices.  First, the bad news: statistically, you’re exponentially more likely to get malware on an Android phone than you are on an iOS device.  The good news: our friends at ESET have a very robust antivirus suite for Android devices. [2]

“But wait, there’s more!”

Not only is the ESET for Android product capable of identifying malicious apps on your mobile, it also boasts a host of features including antispam, anti-theft, personal data protection, and call/text screening filters.

“And all of this for the low, low price of $14.95!” [2]

Personally, I’ve been running ESET for Android for more than a year, and in that time it has saved me from installing either malicious software or software that would push ads to my device.  Hopefully, your success will be similar.  If you have ESET in your corporate environment, talk to your HPN Account Representative about options for licensing ESET for your company’s mobile devices and enjoy the same great protection on all your corporate end points.

Corey Steele, Network and Security Engineer

HPN Spotlight: Elmar Cannon

In the HPN Spotlight series, we will be featuring High Point Networks employees from our Service, Sales and Support teams across our five locations.

Name: Elmar Cannon

Title: Account Manager

Office: Denver, CO

Where did you grow up?
I was born in Wiesbaden, Germany and lived there until age 10. We lived near the Mosel river for a time. I enjoyed the farms, small river towns and castles. We then moved to Victorville, CA. This high desert town was a huge change from the green lush farms and forests of Germany. I moved to Los Angeles, CA at 18 for  work, then Denver, CO 9 years ago to escape the big city.

What did you do before joining the HPN team?
I worked as a truck driver and furniture deliverer during and shortly after high school, then I worked as a desktop and network engineer. I taught Technology and Business to 7th and 8th grade kids in a rough part of North Long Beach, CA. Then, I worked my way up from Network Engineer to Director of IT operations at a medium sized school district (BVSD), where I spent a great deal of time in vendor management, engineer babysitting, exploring new technologies, and devising strategies that align with customer needs.

What do you do in your free time?
I enjoy being a dad, camping, kayaking, wood working, grilling, and welding – I like using my hands after a long day of using my brains. I am constantly thinking of ways to do things better and more efficiently.

What is your favorite part about HPN?
I enjoy working in a culture that makes you want to do your best without threatening or forcing. The leadership and friendships just make you want to pull your weight. I appreciate a team that works hard and plays hard.

What is one thing about yourself that HPN employees and customers probably don’t know?
I have been a minister teaching people scriptural principles for 28 years.  I speak fluent German. I used to have hair (haha!). I was the valedictorian for my Bachelor’s Degree with  a 3.99 GPA. I held a teaching credential in CA. I love to ride dirt bikes and have since I moved to the desert.

RIP 2003

As of July 14, 2015, Microsoft Windows Server 2003 support has come to an end. I’ll begin by saying Server 2003 was the server operating system I started working on when I joined the IT community around 2007.  My first experiences were installing new 2003 servers for my employer and learning how Microsoft behaved in the server operating system space.

We were still installing Server 2003 onto hardware, recovering failed installs, and installing into virtual platforms well into the 2008 lifecycle.  Since I then worked for a training facility, there were many classes still based on Server 2003.  During this transition, I helped customers and students get used to the new user interface while trying to convince them that PowerShell, the revamped interface, and Server Manager were actually more efficient.

Now, with the last Server 2003 installs nearly gone (I know there are some stragglers out there and we can help with that transition), it is the end of an era for a very solid piece of software.  I know I’ll enjoy the new features Server 2016 brings us in the near future.  I’ll also be glad when I don’t have to show people on my team how to use DCPromo from the install disc or where Microsoft hid the install binaries in the i386 folder.

Matt Peabody, Systems Engineer & Team Lead

Why Zerto?

This is the third installment of a series by Systems Team Lead Matt Peabody to begin to answer a question he hears all the time: “Why vendor X?”

We are going to make a change from the originally planned “Why VMware?” and talk about a newer partner with whom we are working.  Zerto is a Disaster Recovery product built for virtualization.  We had quite a few customers asking us how they could close the gap for their data loss in the event of a total failure.  Many of them were relying on offsite backups and realized the time to restore all of their data would be a large loss of productivity.  We had looked at Continuous Data Protection backup products before and were largely unimpressed with the complexity, and we didn’t like the performance hits the VMs took when they were being protected.  We found Zerto after talking with a few of our customers who had just deployed it to protect their virtual infrastructures.

We did our normal testing of the product and found there were a few things that stood out for Zerto as a leader in Business Continuity.

1. Deployment
During our initial conversations with customers and throughout our testing, we found the deployment to be one of the simplest installs.  We ran through the install on a Windows VM, deployed the replication appliances with a few clicks and had a replication infrastructure ready to go in about 30 minutes.  We then created a few protection groups and watched our VMs replicating in real time to our DR site.  This was all done without any reboots to hosts and no downtime to install guest agents in our VMs.

2. Automation
Zerto can protect VMs in Virtual Protection Groups (VPGs).  These groups are similar to VMware’s vApp entities.  The VMs in a VPG are all kept in sync and make up a business application.  This allows for single-click testing and automated recovery when needed for DR purposes.  Since Zerto can keep all the VMs in sync across hosts and is WAN friendly, the business critical apps can be recovered extremely quickly and to points in time down to the second.  Testing of the groups is a few clicks away and will keep the production workload from going down.  VMs can have IPs changed in software so layer 2 networks don’t have to be stretched across WAN links.

3. Fault Tolerance
Many of the complaints we found with CDP products focused on what happened when the network or backup repository was offline.  With in-guest agents, many of them built up queues of data, filling up disk space, slowing down performance and bottlenecking memory.  Zerto handles all of these gracefully.  Each host has its own small replication proxy, which listens to the SCSI stream from the VMs it is protecting.  If the WAN connectivity is failing, those proxies build up a queue on their own disks, not affecting the production application VMs’ performance.  They can also recover from long outages with ease by re-protecting a VM and only sending over changes from the last protected point in time.  Since the management architecture is distributed across datacenters, failure of one side does not impact the protection or recovery of the protected VMs.

4. Hardware Agnostic
With array-based replication, a customer needs nearly identical hardware in production and DR.  This cost was not an option for many customers that had a single datacenter and a smaller remote DR site.  With Zerto, the replication can happen from an array based production cluster to different disparate hosts with local storage, different arrays or to the cloud.  Since the replication happens above the array in the hypervisor, DR becomes easier and older hardware can be reused, rather than thrown out.  With all the options for targets, DR becomes a commodity rather than an expensive, unused datacenter.

We have been very happy with the results Zerto has shown in the Business Continuity space.  They help our customers close the gap for their DR from days down to minutes.  Next will definitely be “Why VMware?”