PCI-DSS Requirement 8.2.3 Makes you Less Secure

This is a quick blog post on my thoughts regarding PCI-DSS password requirement 8.2.3 and how I think it creates an environment where all non-CDE data is left exposed by weak password requirements. I still see organizations that do not understand password strength vs. password length, and PCI-DSS 8.2.3 requires neither! I like to back up my posts with some data and statistics, so feel free to use this information to let your auditors know that compliance does not equal secure. Below I show how quickly hashcat will run through every seven (7) character alphanumeric password for the most common password hash types.

If the organization does not include the systems and infrastructure that centrally manage authentication in scope, then this is a failure of both the organization and the assessment team. Every organization for which I have conducted a PCI-DSS related assessment has had a Windows Active Directory domain, with the majority of workstations and servers running a version of the Windows operating system. Weaknesses in how Windows manages and protects authentication credentials are central to the compromise of the Windows domain in each penetration test I conduct. Most often the Windows Domain Controllers are not included in the scope. Again, it is a failure of the organization and the assessment team not to include these servers in the scope of the engagement. Scoping and PCI-DSS will be left for another time.

I want to focus on how PCI-DSS compliance impacts the overall security of the rest of the organization’s data. PCI-DSS requirement 8.2.3 requires a minimum of a seven (7) character password containing both numeric and alphabetic characters. This is pathetically weak. A YouTube video by KirkpatrickPrice explains this poor standard perfectly with the following statement:

The password settings and password requirements that you have within your environment need to be set to a minimal level of standards. Understand that the PCI DSS should not be considered the gold standard by any means, a lot of people might even consider it a copper standard. I’ve even talked to people that have said it’s more like a PVC standard around the level of security that we’re expecting.

Whatever the pipes are made of, they are leaking. I have a blog post from 2009 discussing how length is better than strength. Again I state that PCI-DSS 8.2.3 requires neither! The length vs. strength argument is summed up perfectly by the well-known XKCD comic on password strength. People may argue that PCI-DSS requires multi-factor authentication for remote network access and for non-console administrative access into the CDE. This is a great protection for the CDE but does nothing to protect the rest of the organization’s resources. PCI-DSS does not require multi-factor authentication for the file server, HR system, customer database, or any other system if no cardholder data is stored there. We won’t even get into the weaknesses identified in various forms of multi-factor authentication.

I own a single NVIDIA GeForce GTX 970 (12/2018: $100 used on eBay). Below are the statistics for cracking a seven (7) character alphanumeric NTLM password hash (the stored NT hash, which hashcat reports as “NTLM” below; the NetNTLMv2 network challenge-response is a different format and is covered further down). The output shows that every alphanumeric combination will be attempted in three (3) and a half minutes. P-A-T-H-E-T-I-C

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: 00001fae1aed72fac86b15fd393f8174
Time.Started.....: Mon Dec 31 14:08:13 2018 (2 secs)
Time.Estimated...: Mon Dec 31 14:11:43 2018 (3 mins, 28 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16739.1 MH/s (47.82ms) @ Accel:1024 Loops:256 Thr:256 Vec:2
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 25313673216/3521614606208 (0.72%)
Rejected.........: 0/25313673216 (0.00%)
Restore.Point....: 3407872/916132832 (0.37%)
Restore.Sub.#1...: Salt:0 Amplifier:3584-3840 Iteration:0-256
Candidates.#1....: NvRXIE0 -> Yzd5bS0
Hardware.Mon.#1..: Temp: 63c Fan:  0% Util: 99% Core:1316MHz Mem:3004MHz Bus:16

By the way, the plaintext password for the hash shown above is jubilee7. That is eight (8) characters, so the seven (7) character mask above can never produce it; an eight (8) character alphanumeric password would be cracked in less than four (4) hours by iterating through every combination.

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: 00001fae1aed72fac86b15fd393f8174
Time.Started.....: Mon Dec 31 14:55:47 2018 (2 secs)
Time.Estimated...: Mon Dec 31 18:36:20 2018 (3 hours, 40 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16499.2 MH/s (47.56ms) @ Accel:1024 Loops:256 Thr:256 Vec:2
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 34051457024/218340105584896 (0.02%)
Rejected.........: 0/34051457024 (0.00%)
Restore.Point....: 6815744/56800235584 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:2304-2560 Iteration:0-256
Candidates.#1....: db45bS00 -> ffadtg00
Hardware.Mon.#1..: Temp: 65c Fan:  0% Util:100% Core:1316MHz Mem:3004MHz Bus:16

In reality it only took twenty-eight (28) minutes to crack: hashcat stops as soon as the right candidate is hit, and the cracked run below found jubilee7 after only 12.35% of the keyspace.

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 00001fae1aed72fac86b15fd393f8174
Time.Started.....: Mon Dec 31 14:57:13 2018 (27 mins, 28 secs)
Time.Estimated...: Mon Dec 31 15:24:41 2018 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16367.7 MH/s (47.61ms) @ Accel:1024 Loops:256 Thr:256 Vec:2
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 26971725627392/218340105584896 (12.35%)
Rejected.........: 0/26971725627392 (0.00%)
Restore.Point....: 7013400576/56800235584 (12.35%)
Restore.Sub.#1...: Salt:0 Amplifier:3328-3584 Iteration:0-256
Candidates.#1....: DrrsVde7 -> HvDPore7
Hardware.Mon.#1..: Temp: 76c Fan: 75% Util:100% Core:1303MHz Mem:3004MHz Bus:16

Below are the statistics for cracking a seven (7) character alphanumeric NetNTLMv2 password hash. Every combination is attempted in less than four (4) hours, and note that this run carries two salts (two captured challenge-responses), so a single capture would finish in roughly half that time. Also P-A-T-H-E-T-I-C. I mention NetNTLMv2 because of the easy-to-execute man-in-the-middle (MitM) attacks that poison Link-Local Multicast Name Resolution (LLMNR) and Web Proxy Auto-Discovery (WPAD) lookups to capture these challenge-responses off the wire.

Session..........: hashcat
Status...........: Running
Hash.Type........: NetNTLMv2
Hash.Target......: netntlmv2.txt
Time.Started.....: Mon Dec 31 12:09:01 2018 (3 secs)
Time.Estimated...: Mon Dec 31 16:01:18 2018 (3 hours, 52 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   505.3 MH/s (52.86ms) @ Accel:128 Loops:64 Thr:256 Vec:1
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 1801060352/7043229212416 (0.03%)
Rejected.........: 0/1801060352 (0.00%)
Restore.Point....: 0/916132832 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:384-448 Iteration:0-64
Candidates.#1....: r6e0000 -> k7Som10
Hardware.Mon.#1..: Temp: 68c Fan: 34% Util:100% Core:1316MHz Mem:3004MHz Bus:16

Below are the statistics for cracking a seven (7) character alphanumeric Domain Cached Credentials version 1 (MS Cache) password hash. Every combination is attempted in eleven (11) minutes. More P-A-T-H-E-T-I-C

Session..........: hashcat
Status...........: Running
Hash.Type........: Domain Cached Credentials (DCC), MS Cache
Hash.Target......: 090470811fdd079352726350dab6b036:rrsort
Time.Started.....: Mon Dec 31 14:06:40 2018 (1 sec)
Time.Estimated...: Mon Dec 31 14:18:14 2018 (11 mins, 33 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5065.3 MH/s (79.48ms) @ Accel:512 Loops:256 Thr:256 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 6543114240/3521614606208 (0.19%)
Rejected.........: 0/6543114240 (0.00%)
Restore.Point....: 0/916132832 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:3840-3844 Iteration:0-256
Candidates.#1....: ZzUG970 -> XzYXIE0
Hardware.Mon.#1..: Temp: 63c Fan:  0% Util:100% Core:1316MHz Mem:3004MHz Bus:16

Below are the statistics for cracking a seven (7) character alphanumeric Domain Cached Credentials version 2 (MS Cache 2) password hash. Every combination will take the better part of a year. Microsoft’s storage of cached domain credentials on domain-member systems (DCC2 runs PBKDF2-HMAC-SHA1 for 10,240 iterations per guess, the 10240 visible in the hash target below) is currently one of the more computationally expensive password hash formats.

Session..........: hashcat
Status...........: Running
Hash.Type........: Domain Cached Credentials 2 (DCC2), MS Cache 2
Hash.Target......: $DCC2$10240#username#c296e8879b9ed32b3307d0a847244239
Time.Started.....: Mon Dec 31 14:11:16 2018 (1 sec)
Time.Estimated...: Wed Oct  9 04:03:52 2019 (281 days, 12 hours)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   144.8 kH/s (72.38ms) @ Accel:256 Loops:128 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/3521614606208 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/56800235584 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2176-2304
Candidates.#1....: sarieri -> swJWONA
Hardware.Mon.#1..: Temp: 63c Fan:  0% Util:100% Core:1316MHz Mem:3004MHz Bus:16
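
To make the gap between the NTLM and DCC2 numbers above concrete, here is an added example (my own code for this post, not from the original write-up or from hashcat) that builds the three Windows hash formats shown above from a password and turns the measured GTX 970 speeds into crack-time estimates. The NT hash, DCC2 and NetNTLMv2 constructions follow the published Microsoft algorithms; the user name, domain, challenge and blob in the sample capture are made up, and the blob is shape-only.

```python
"""Added example (not from the original post): the hash constructions behind the hashcat
numbers above, and the keyspace arithmetic that turns a GPU speed into 'minutes' or 'years'."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, shift schedule, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (4 - i % 4) % 4  # word updated this step cycles a, d, c, b
                x, y, z = s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rotl((s[j] + fn(x, y, z) + X[k] + const) & MASK32, shifts[i % 4])
        state = [(u + v) & MASK32 for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTLM / NT hash (hashcat -m 1000): one unsalted MD4 over UTF-16LE. No salt and no
    iteration is why a GTX 970 tests ~16.7 billion candidates per second."""
    return md4(password.encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """Domain Cached Credentials 2 (hashcat -m 2100, the $DCC2$10240#user#... form above):
    PBKDF2-HMAC-SHA1 over DCC1 with the lower-cased username as salt. 10240 HMAC rounds per
    guess is why the same GPU drops to ~145 thousand candidates per second."""
    user = username.lower().encode("utf-16-le")
    dcc1 = md4(nt_hash(password) + user)  # DCC1 / MS Cache v1 (-m 1100): one more cheap MD4
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, dklen=16)


def netntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr of an NTLMv2 challenge-response (MS-NLMP). Challenge and blob travel in the
    clear, so a capture from LLMNR/WPAD poisoning leaves only the password unknown."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, "md5").digest()


def crack_netntlmv2(hashcat_line: str, candidates):
    """Offline guessing against a hashcat -m 5600 line (USER::DOMAIN:challenge:proof:blob)."""
    user, _, domain, chal, proof, blob = hashcat_line.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(netntlmv2_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


def sample_capture() -> str:
    """Constructed capture for user alice in domain CORP with password jubilee7 (the post's
    plaintext); challenge and blob bytes are made up and the blob is shape-only."""
    chal = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 24
    proof = netntlmv2_proof("jubilee7", "alice", "CORP", chal, blob)
    return f"alice::CORP:{chal.hex()}:{proof.hex()}:{blob.hex()}"


# Speeds (H/s) from the GTX 970 runs above; the 7-character alphanumeric keyspace is 62**7.
SPEEDS_HPS = {"NTLM": 16739.1e6, "NetNTLMv2": 505.3e6, "DCC1": 5065.3e6,
              "DCC2": 144.8e3, "sha512crypt": 74707.0, "md5crypt": 4642.3e3}


def seconds_to_exhaust(length, rate_hps, charset_size=62, salts=1):
    """Worst-case time for hashcat to try every candidate: keyspace * salts / speed. Each
    distinct salt costs a full pass, which is why the two-hash NetNTLMv2 run estimated ~3.9 h."""
    return charset_size ** length * salts / rate_hps


if __name__ == "__main__":
    for name, rate in SPEEDS_HPS.items():
        print(f"{name:12s} 7 alnum chars: {seconds_to_exhaust(7, rate) / 3600:12.2f} h")
    print("NetNTLMv2 capture cracked:", crack_netntlmv2(sample_capture(), ["Winter2018", "jubilee7"]))
```

Run it to print the worst-case exhaust time for every format at the speeds measured above; the last line recovers the constructed NetNTLMv2 capture from a tiny word list. The time function is the worst case: the cracked eight (8) character run above stopped at 12.35% of the keyspace, which is the normal outcome, not the exception.
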

Last but not least, we examine the password hash used by the latest Ubuntu LTS release. Below are the statistics for cracking a seven (7) character alphanumeric sha512crypt password hash (the $6$ format, at its default 5,000 rounds). Every combination will take a year and a half.

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$OjUT9iCj$nxj/1j97piYCVpYWpxsMbH4nuUYqS.tjEZPdyuu...g9cTx.
Time.Started.....: Mon Dec 31 14:44:50 2018 (28 secs)
Time.Estimated...: Mon Jun 29 05:52:03 2020 (1 year, 180 days)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    74707 H/s (69.94ms) @ Accel:512 Loops:128 Thr:32 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 2129920/3521614606208 (0.00%)
Rejected.........: 0/2129920 (0.00%)
Restore.Point....: 0/56800235584 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:10-11 Iteration:512-640
Candidates.#1....: darieri -> dyyZY12
Hardware.Mon.#1..: Temp: 69c Fan: 53% Util:100% Core:1316MHz Mem:3004MHz Bus:16

Windows NTLM and NetNTLMv2 are the two most common password hashes I encounter when conducting a penetration test. Non-Windows systems I’ve commonly encountered are running IBM’s Unix (AIX) or Sun Solaris (now owned by Oracle). Any Linux systems will be a version of Red Hat Enterprise Linux or Ubuntu. Any networking equipment is commonly from Cisco Systems. Most Cisco devices I see are still protecting passwords with “type 5” hashing. Who am I kidding, I still see “type 7” everywhere, and type 7 is not a hash at all but a reversible encoding that can be decoded instantly. Cisco “type 5” is md5crypt ($1$), the same hashing algorithm used by older Linux systems before distributions moved to sha512crypt. The Unix systems I see are still hashing with DES (descrypt). Below are the statistics for the same seven (7) character alphanumeric keyspace against md5crypt: just under nine (9) days.

Session..........: hashcat
Status...........: Running
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$NjH6$Q5DcSQzXEGc0HnkLKnJJB1
Time.Started.....: Mon Dec 31 16:27:17 2018 (5 secs)
Time.Estimated...: Wed Jan  9 11:10:33 2019 (8 days, 18 hours)
Guess.Mask.......: ?1?1?1?1?1?1?1 [7]
Guess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4642.3 kH/s (88.84ms) @ Accel:1024 Loops:1000 Thr:32 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 22577152/3521614606208 (0.00%)
Rejected.........: 0/22577152 (0.00%)
Restore.Point....: 0/56800235584 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:53-54 Iteration:0-1000
Candidates.#1....: Earieri -> EqRgana
Hardware.Mon.#1..: Temp: 60c Fan:  0% Util:100% Core:1316MHz Mem:3004MHz Bus:16
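
As an added example (my own code, not from the original post or from Cisco), here is why type 7 does not belong in the same sentence as hashing: it is a fixed-key XOR that a few lines of script reverse. The key table and the two-digit seed prefix are the publicly documented IOS scheme; the sample configuration lines are constructed.

```python
"""Added example (not from the original post): Cisco "type 7" is a fixed-key XOR, not a hash,
so any 'password 7 ...' line in a leaked running-config yields the plaintext directly."""

# Constant key stream IOS uses for type 7 passwords (public for decades).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def cisco7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, then one
    XOR-ed plaintext byte per hex pair."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode()


def cisco7_encode(plaintext: str, seed: int = 7) -> str:
    """Forward direction, so a line can be round-tripped; IOS chooses the seed itself."""
    data = plaintext.encode()
    return f"{seed:02d}" + bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data)).hex().upper()


def recover_type7_from_config(config: str) -> dict:
    """Scan running-config text for '<password|key> 7 <hex>' and decode each occurrence.
    Type 5 ($1$ md5crypt) lines are left alone: those actually need cracking."""
    found = {}
    for line in config.splitlines():
        parts = line.split()
        for i in range(1, len(parts) - 1):
            if parts[i] == "7" and parts[i - 1] in ("password", "key"):
                try:
                    found[line.strip()] = cisco7_decode(parts[i + 1])
                except ValueError:
                    pass  # not a type 7 payload after all (e.g. a privilege level)
    return found


# Constructed sample config, not from a real device; the type 5 line is the post's md5crypt hash.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 070C285F4D06
enable secret 5 $1$NjH6$Q5DcSQzXEGc0HnkLKnJJB1
tacacs-server key 7 070C285F4D06
line vty 0 4
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{line:60s} -> {plain}")
```

The decode needs no GPU and no word list, which is the whole point: a type 7 string in a backed-up or emailed config is the password. Anything still on type 7 should move to type 8 or 9 (scrypt/PBKDF2 based) as described in the Cisco document in the resources.
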

Resources
Why Being Compliant Is Not the Same as Being Secure
https://www.getadvanced.net/blog/article/why-being-compliant-is-not-the-same-as-being-secure

Compliance does not equal security
https://www.computerworld.com/article/3021787/security/compliance-does-not-equal-security.html

Compliant does not equal protected: our false sense of security
https://www.csoonline.com/article/2995924/data-protection/compliant-does-not-equal-protected-our-false-sense-of-security.html

Compliant but not Secure: Why PCI-Certified Companies Are Being Breached
https://www.csiac.org/journal-article/compliant-but-not-secure-why-pci-certified-companies-are-being-breached/

Compliant but not Secure: Why PCI-Certified Companies Are Being Breached (SANS STI Graduate Student Research, Christian Moldes, December 9, 2015)
https://www.sans.org/reading-room/whitepapers/compliance/paper/36497

Understanding the differences between the Cisco password \ secret Types
https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

PCI DSS – Why it fails
https://nakedsecurity.sophos.com/2014/04/23/pci-dss-why-it-fails/

Requirements for Password/Passphrase Complexity and Strength
https://kirkpatrickprice.com/video/pci-requirement-8-2-3-passwords-passphrases-must-require-minimum-seven-characters-contain-numeric-alphabetic-characters/

What is LLMNR & WPAD and How to Abuse Them During Pentest?
https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/
