
Nov 12 2012

Password analysis: Greek Ministry of Finance breach (Anonymous)

As reported in the news, the well-known activist group Anonymous appears to have targeted the Greek Ministry of Finance. The operation resulted in a security breach and files being leaked on the Internet. The group has also published a Pastebin post announcing the attack, going as far as to mention a 0day SAP exploit. What is interesting in that message is the list of credentials at the end, which frankly looks awful in terms of password security (related post in Greek).

Let’s use the well-known password analysis tool pipal to generate some statistics about the passwords used by ministry staff. First things first:

1. Download the hack announcement from Pastebin:

wget http://pastebin.com/download.php?i=hwLDmEmH -O anongr

2. Extract the passwords with simple bash scripting:

cat anongr | grep password | cut -d "=" -f 3 > pass

3. Run pipal on the ‘pass’ file:

./pipal.rb pass

[only interesting bits shown]

Total entries = 136
Total unique entries = 85

Top 10 passwords
123456 = 50 (36.76%)
654321 = 2 (1.47%)
7706 = 2 (1.47%)
YDE149 = 1 (0.74%)
7113PAAG = 1 (0.74%)
CDXZ7N = 1 (0.74%)
8RDTVM = 1 (0.74%)
tsamantas78 = 1 (0.74%)
VLP9Q2 = 1 (0.74%)
XFRSDI = 1 (0.74%)

Top 10 base words
dontakia = 1 (0.74%)
xfrsdi = 1 (0.74%)
paag = 1 (0.74%)
cdxz7n = 1 (0.74%)
rdtvm = 1 (0.74%)
tsamantas = 1 (0.74%)
vlp9q = 1 (0.74%)
q2bk2j = 1 (0.74%)
mfrgo = 1 (0.74%)
sodtte = 1 (0.74%)

Password length (length ordered)
3 = 3 (2.21%)
4 = 7 (5.15%)
5 = 6 (4.41%)
6 = 108 (79.41%)
7 = 10 (7.35%)
8 = 6 (4.41%)
10 = 2 (1.47%)
11 = 2 (1.47%)

Password length (count ordered)
6 = 108 (79.41%)
7 = 10 (7.35%)
4 = 7 (5.15%)
8 = 6 (4.41%)
5 = 6 (4.41%)
3 = 3 (2.21%)
10 = 2 (1.47%)
11 = 2 (1.47%)

One to six characters = 120 (88.24%)
One to eight characters = 134 (98.53%)
More than eight characters = 2 (1.47%)

Only lowercase alpha = 2 (1.47%)
Only uppercase alpha = 8 (5.88%)
Only alpha = 10 (7.35%)
Only numeric = 83 (61.03%)

First capital last symbol = 0 (0.0%)
First capital last number = 17 (12.5%)

Includes years
2008 = 1 (0.74%)
2011 = 1 (0.74%)

Years (Top 10)
2008 = 1 (0.74%)
2011 = 1 (0.74%)

Single digit on the end = 4 (2.94%)
Two digits on the end = 6 (4.41%)
Three digits on the end = 12 (8.82%)

Last number
0 = 8 (5.88%)
1 = 6 (4.41%)
2 = 6 (4.41%)
3 = 6 (4.41%)
4 = 7 (5.15%)
5 = 4 (2.94%)
6 = 55 (40.44%)
7 = 10 (7.35%)
8 = 4 (2.94%)
9 = 3 (2.21%)

Character sets
numeric: 83 (61.03%)
upperalphanum: 35 (25.74%)
upperalpha: 8 (5.88%)
loweralphanum: 8 (5.88%)
loweralpha: 2 (1.47%)

Character set ordering
alldigit: 83 (61.03%)
stringdigit: 23 (16.91%)
allstring: 10 (7.35%)
digitstring: 8 (5.88%)
stringdigitstring: 6 (4.41%)
othermask: 5 (3.68%)
digitstringdigit: 1 (0.74%)
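The figures pipal prints above can be reproduced on any audit extract with a short script. The following is an added example, not pipal's own code and not the author's: it recomputes the statistics reported above (top passwords, base words, length distribution, character sets, character-set ordering masks, embedded years and trailing digits) from one password per line, using pipal's label names, so an auditor can check the same numbers against a password-policy threshold without depending on the tool's output format. The sample password list is constructed here and is not taken from the leak.

```python
"""Pipal-style password audit statistics (added example, not pipal's code).

Label names follow pipal's vocabulary; the sample list is constructed for
this example and is not taken from the leak.
"""
import re
import sys
from collections import Counter

# Constructed sample standing in for the extracted 'pass' file.
SAMPLE = """123456
123456
123456
654321
YDE149
CDXZ7N
tsamantas78
Summer2011
abc
Password1
q2bk2j
7706""".splitlines()


def charset(pw):
    """Which character classes the password uses (pipal's label names)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    if any(not c.isalnum() for c in pw):
        return "special"          # pipal splits these further; lumped here
    if digit and not lower and not upper:
        return "numeric"
    if lower and upper:
        return "mixedalphanum" if digit else "mixedalpha"
    if upper:
        return "upperalphanum" if digit else "upperalpha"
    return "loweralphanum" if digit else "loweralpha"


def ordering(pw):
    """Collapse runs of letters and digits into pipal's ordering mask."""
    parts = []
    for run in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if run[0].isalpha():
            parts.append("string")
        elif run[0].isdigit():
            parts.append("digit")
        else:
            return "othermask"    # symbols or non-ASCII letters present
    if parts == ["digit"]:
        return "alldigit"
    if parts == ["string"]:
        return "allstring"
    # pipal names masks of up to three runs; anything longer is 'othermask'
    return "".join(parts) if len(parts) <= 3 else "othermask"


def baseword(pw):
    """Strip leading/trailing digits and lowercase, like pipal's base word."""
    return re.sub(r"^[0-9]+|[0-9]+$", "", pw).lower()


def analyse(passwords):
    """Return the statistics as a dict of Counters and integers."""
    pws = [p for p in passwords if p]          # ignore blank lines
    counts = Counter(pws)
    lengths = Counter(len(p) for p in pws)
    return {
        "total": len(pws),
        "unique": len(counts),
        "top": counts.most_common(10),
        "basewords": Counter(b for b in map(baseword, pws) if b).most_common(10),
        "lengths": lengths,
        "one_to_six": sum(c for n, c in lengths.items() if n <= 6),
        "charsets": Counter(charset(p) for p in pws),
        "ordering": Counter(ordering(p) for p in pws),
        "years": Counter(m.group() for p in pws
                         for m in re.finditer(r"(?:19|20)[0-9]{2}", p)),
        "last_digit": Counter(p[-1] for p in pws if p[-1].isdigit()),
    }


def pct(n, total):
    """Format a count the way pipal prints it, e.g. '50 (36.76%)'."""
    return f"{n} ({100.0 * n / total:.2f}%)"


def report(stats):
    """Render the analysis in pipal's output layout."""
    t = stats["total"]
    lines = [f"Total entries = {t}", f"Total unique entries = {stats['unique']}",
             "", "Top 10 passwords"]
    lines += [f"{p} = {pct(c, t)}" for p, c in stats["top"]]
    lines += ["", "Password length (count ordered)"]
    lines += [f"{n} = {pct(c, t)}" for n, c in stats["lengths"].most_common()]
    lines += ["", f"One to six characters = {pct(stats['one_to_six'], t)}"]
    for title, key in (("Character sets", "charsets"),
                       ("Character set ordering", "ordering")):
        lines += ["", title]
        lines += [f"{k}: {pct(c, t)}" for k, c in stats[key].most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python pipal_stats.py pass   (defaults to the constructed sample)
    words = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    print(report(analyse(words)))
```

Run it against the extracted `pass` file to get the same headline numbers pipal produced; the `ordering` mask is the most useful figure for policy checks, since an `alldigit` share above a few percent means the numeric-only PINs seen above are still being accepted.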

It seems that many of the active ministry staff missed their security awareness training (IF anything of the kind ever took place). It is always awkward to watch policies being enforced only AFTER a security incident and public embarrassment. Live test environments, so-called "red flag" events, and ethical hacking all help organizations to avoid this sort of breach before it happens.
