Hidden in Plain Sight (there are cleartext credentials on your network)


Soon after doing my first few internal penetration tests, I noticed a concerning (though not surprising) trend: it was rather common to find cleartext credentials on the internal network (with and without authentication material). This has often been an effective means of lateral movement during tests. While an external threat actor isn't going to get into your network using the passwords stored on your company file server, those passwords still pose a notable risk. What can someone do once they are on my network? What can they find with a pair of credentials?

Your Desk & Your Desktop

Everyone has at one time stored secrets on their computer desktop (admit it!) or nestled inside a few folders. Unless you are a faithful user of your password manager, it is hard to resist the temptation of convenience. Unfortunately, that “passwords.xlsx” file can end up in automatic device backups, seen by nosey shoulder surfing coworkers, or stolen by the operator of the malware you just downloaded.

We do physical security testing routinely at Contextual Security Solutions. As part of that, we do facility walk-throughs and often find sensitive data stored on post-it notes, inside desk drawers, and written on whiteboards. Obviously physical access is needed to take advantage of these (or an awesome vantage point with binoculars to match!). A lot of luck and preparation goes into stealthily entering and exiting a facility while achieving objectives. For most bad guys, staying remote is less risky. Some companies will have a risk model that includes physical intrusion, but more likely, not having a “clean desk” would be abused by a disgruntled employee. Something I have also seen is pictures of desks with sensitive material on them inadvertently used in company blog or LinkedIn posts!

Every Server is a Risk

Less obvious forms of credential storage on servers include obfuscated or encoded passwords (you know, base64), configuration files, and unencrypted database backups. We have found cleartext credentials in file servers, backups, internal code repositories, intranet sites, documentation, emails... and the list goes on. Wherever there is user input, there is the possibility of credential storage. It is important to emphasize with this point that sometimes these credentials take some digging to find, which has led to tooling to automate just that.

Playing Hide & Seek

AI, automation, and powerful frameworks streamline so much of penetration testing. I have found a few needles in some pretty big haystacks using tools to automate searching for credentials. I cannot be an effective tester without tools, but at times, searching for files based only on pre-defined criteria may not pull up a password creatively/partially stored. Call me old fashioned, but some manual digging still needs to take place during penetration tests. Even mundane tasks like searching through a mountain of files can benefit from this. Sometimes human intuition makes a find that the tools miss (as well as vice versa to be fair).

Take Action!

Most of these threats are rooted in user behaviors. Security professionals cannot play the bad guy (always saying "no" or "don't touch") and expect long-term success. So, how can you mitigate risk in your organization? Consider ways you can practically equip your employees to not store credentials in plain sight, and respond when they do:

1) Choose a password manager that your employees can and want to use. Password managers are not without some risk, but this is one of the best ways to help your employees prevent poor secret management. I've said for a few years that the best SIEM/EPP/EDR software is the one that your company can effectively install, configure, and manage. Don't spend money on something that won't be used properly. The same goes for password managers. Make it as frictionless as possible to use. A browser extension may be non-negotiable here. While not intended for business use, Apple's built-in password manager is a good example to look at. It makes it easy for users to generate strong passwords and store them out of sight. Think similarly when choosing the best solution for your business.

2) Continue to educate employees about cyber security risks. Security awareness training continues to grow in popularity and largely seems effective. Educate users about the potential consequences of storing cleartext passwords anywhere outside of a password manager.

3) Hack yourself! Audit for cleartext credentials on your network. Not everyone will be well equipped to do this, but if you have a decent Linux skillset or similar, you can run a few open-source tools (Snaffler, MANSPIDER, or NetExec) to efficiently scan for these issues and remove the low-hanging fruit on your network.
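To make the "Every Server is a Risk" point and this self-audit step concrete, here is a small Python audit script added for this post. It is not code from Snaffler, MANSPIDER or NetExec, and the files it scans are constructed samples written to a temporary directory, not real shares or real credentials. It looks for the three storage patterns discussed above: `password=`-style assignments in config files, spreadsheet-style password columns, and base64 blobs that decode to something credential-shaped. Findings are reported with the secret masked, so the audit log itself does not become another cleartext credential store.

```python
import base64
import re
import tempfile
from pathlib import Path

# Constructed sample content standing in for the file server, config and
# note files the post describes. None of these are real credentials.
SAMPLE_FILES = {
    "shares/finance/passwords.csv": "service,username,password\nvpn,jdoe,Winter2024!\n",
    "shares/it/app/config.ini": "[db]\nhost=db01\nuser=appsvc\npassword = S3cretDbPass\n",
    "shares/it/notes.txt": "deploy key material below:\n"
    + base64.b64encode(b"deploy:SuperSecret123").decode()
    + "\n",
    "shares/it/README.md": "Run make build, then make test. Ask the team for access.\n",
}

# "password = value", "api_key: value", "token=value", case-insensitive.
KEYWORD_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S+)"
)
# A delimited column header literally named password/pass/pwd (CSV exports of
# the classic passwords.xlsx).
COLUMN_RE = re.compile(r"(?i)(^|[,;\t])\s*(pass(?:word)?|pwd)\s*($|[,;\t])")
# Base64-looking runs of at least 16 characters, not glued to other b64 chars.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Decoded blob of the form user:secret.
USERPASS_RE = re.compile(r"[\w.@-]+:[^\s:]+")


def mask(value: str) -> str:
    """Keep only a two-character prefix so findings never echo the secret."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def decode_candidate(token: str):
    """Return the decoded text if the token is valid base64 of printable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_like_credential(text: str) -> bool:
    return bool(KEYWORD_RE.search(text) or USERPASS_RE.fullmatch(text))


def finding(path: str, line: int, kind: str, evidence: str) -> dict:
    return {"path": path, "line": line, "kind": kind, "evidence": evidence}


def scan_text(path: str, text: str) -> list:
    """Apply the three rules line by line; secrets in evidence are masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEYWORD_RE.search(line)
        if m:
            findings.append(finding(path, line_no, "keyword assignment",
                                    f"{m.group(1)}={mask(m.group(2))}"))
        elif COLUMN_RE.search(line):
            findings.append(finding(path, line_no, "password column header",
                                    line.strip()))
        for token in B64_RE.findall(line):
            decoded = decode_candidate(token)
            if decoded and looks_like_credential(decoded):
                findings.append(finding(path, line_no, "base64-wrapped credential",
                                        mask(decoded)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. a mounted share) and scan every text file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file: out of scope for this text-pattern pass
        findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


def write_samples(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo() -> list:
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['evidence']}")
```

Point `scan_tree` at a mounted share instead of the temp directory to run it for real. The regexes are deliberately simple; as the "Playing Hide & Seek" section notes, a pattern-based pass finds the obvious files and a human still has to look at the rest.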
