{"id":1199,"date":"2019-01-01T15:27:03","date_gmt":"2019-01-01T21:27:03","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1199"},"modified":"2019-01-01T21:36:18","modified_gmt":"2019-01-02T03:36:18","slug":"pci-dss-8-2-3-makes-you-less-secure","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2019\/01\/pci-dss-8-2-3-makes-you-less-secure\/","title":{"rendered":"PCI-DSS Requirement 8.2.3 Makes you Less Secure"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignleft\" src=\"http:\/\/www.jedge.com\/images\/fail.png\" alt=\"FAIL\" width=\"300\" \/>This is a quick blog post on my thoughts regarding PCI-DSS password requirement 8.2.3 and how I think it creates an environment where all non-CDE data is left exposed via weak password requirements. I still see organizations that do not understand password strength vs password length, and PCI-DSS 8.2.3 requires neither! I like to back up my posts with some data and statistics, so feel free to use this information to let your auditors know that compliance does not equal secure. I show how quickly <a target=\"_blank\" href=\"https:\/\/hashcat.net\/hashcat\/\">hashcat<\/a> will run through a seven (7) character alphanumeric password for the most common password hashes.<br \/>\n<!--more--><\/p>\n<p>If the organization does not include the systems and infrastructure that centrally manage authentication, then this is a failure of the organization and the assessment team. All organizations for which I have conducted a PCI-DSS related assessment have a Windows Active Directory domain environment with the majority of workstations and servers running a version of the Windows operating system. Weaknesses in how Windows manages and protects authentication credentials are central to the compromise of the Windows domain during each penetration test I conduct. Most often Windows Domain Controllers are not included in the scope. 
Again, it is a failure of the organization and the assessment team not to include these servers in the scope of the engagement. Scoping and PCI-DSS will be left for another time.<\/p>\n<p>I want to focus on how PCI-DSS compliance impacts the overall security of the rest of the organization\u2019s data. PCI-DSS requirement 8.2.3 requires a minimum of a seven (7) character password with alphanumeric characters. This is <strong>pathetically<\/strong> weak. A <a href=\"https:\/\/www.youtube.com\/watch?time_continue=1&#038;v=71BW-fy0qhQ\" rel=\"noopener\" target=\"_blank\">YouTube video<\/a> by <a href=\"https:\/\/www.youtube.com\/user\/KirkpatrickPrice\/featured\" rel=\"noopener\" target=\"_blank\">KirkpatrickPrice<\/a> explains this poor standard perfectly with the following statement from the video:<\/p>\n<p><em>The password settings and password requirements that you have within your environment need to be set to a minimal level of standards. Understand that the PCI DSS should not be considered the gold standard by any means; a lot of people might even consider it a copper standard. I\u2019ve even talked to people that have said it\u2019s more like a PVC standard around the level of security that we\u2019re expecting.<\/em><\/p>\n<p>Whatever the pipes are made of, they are leaking. I have a <a href=\"http:\/\/www.jedge.com\/wordpress\/2009\/10\/password-length-vs-password-strength\/\" rel=\"noopener\" target=\"_blank\">blog post from 2009<\/a> discussing how length is better than strength. Again I state that PCI-DSS 8.2.3 requires neither! The length vs strength argument is summed up perfectly by this <a href=\"https:\/\/xkcd.com\/936\/\" rel=\"noopener\" target=\"_blank\">XKCD comic<\/a>. People may argue that PCI-DSS requires multi-factor authentication for physical and remote access to systems that interact with the CDE. This is a great protection for the CDE but does nothing to protect the rest of the organization\u2019s resources. 
PCI-DSS does not require multi-factor authentication for the file server, HR system, customer database, or any other system if no credit card information is stored. We won\u2019t even get into the weaknesses identified in various forms of multi-factor authentication. <\/p>\n<p>I own a single NVIDIA GeForce GTX 970 (12\/2018 &#8211; $100 used on eBay). Below are the statistics on cracking a seven (7) character alphanumeric NTLMv2 password hash. The output below shows that every alphanumeric combination will be attempted in three and a half (3.5) minutes. <strong>P-A-T-H-E-T-I-C<\/strong><br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: NTLM\nHash.Target......: 00001fae1aed72fac86b15fd393f8174\nTime.Started.....: Mon Dec 31 14:08:13 2018 (2 secs)\nTime.Estimated...: Mon Dec 31 14:11:43 2018 (3 mins, 28 secs)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........: 16739.1 MH\/s (47.82ms) @ Accel:1024 Loops:256 Thr:256 Vec:2\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 25313673216\/3521614606208 (0.72%)\nRejected.........: 0\/25313673216 (0.00%)\nRestore.Point....: 3407872\/916132832 (0.37%)\nRestore.Sub.#1...: Salt:0 Amplifier:3584-3840 Iteration:0-256\nCandidates.#1....: NvRXIE0 -&gt; Yzd5bS0\nHardware.Mon.#1..: Temp: 63c Fan:&nbsp;&nbsp;0% Util: 99% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre>By the way, the plaintext password for the hash shown above is jubilee7 (eight characters, which is why the seven-character run above did not recover it). 
This alphanumeric eight (8) character password would be cracked in less than four (4) hours iterating through every combination.<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: NTLM\nHash.Target......: 00001fae1aed72fac86b15fd393f8174\nTime.Started.....: Mon Dec 31 14:55:47 2018 (2 secs)\nTime.Estimated...: Mon Dec 31 18:36:20 2018 (3 hours, 40 mins)\nGuess.Mask.......: ?1?1?1?1?1?1?1?1 [8]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........: 16499.2 MH\/s (47.56ms) @ Accel:1024 Loops:256 Thr:256 Vec:2\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 34051457024\/218340105584896 (0.02%)\nRejected.........: 0\/34051457024 (0.00%)\nRestore.Point....: 6815744\/56800235584 (0.01%)\nRestore.Sub.#1...: Salt:0 Amplifier:2304-2560 Iteration:0-256\nCandidates.#1....: db45bS00 -&gt; ffadtg00\nHardware.Mon.#1..: Temp: 65c Fan:&nbsp;&nbsp;0% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre>In reality it only took twenty-eight (28) minutes to crack.<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Cracked\nHash.Type........: NTLM\nHash.Target......: 00001fae1aed72fac86b15fd393f8174\nTime.Started.....: Mon Dec 31 14:57:13 2018 (27 mins, 28 secs)\nTime.Estimated...: Mon Dec 31 15:24:41 2018 (0 secs)\nGuess.Mask.......: ?1?1?1?1?1?1?1?1 [8]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........: 16367.7 MH\/s (47.61ms) @ Accel:1024 Loops:256 Thr:256 Vec:2\nRecovered........: 1\/1 (100.00%) Digests, 1\/1 (100.00%) Salts\nProgress.........: 26971725627392\/218340105584896 (12.35%)\nRejected.........: 0\/26971725627392 (0.00%)\nRestore.Point....: 7013400576\/56800235584 (12.35%)\nRestore.Sub.#1...: Salt:0 Amplifier:3328-3584 Iteration:0-256\nCandidates.#1....: DrrsVde7 -&gt; HvDPore7\nHardware.Mon.#1..: Temp: 76c Fan: 75% Util:100% 
Core:1303MHz Mem:3004MHz Bus:16<\/code><\/pre>Below are the statistics on cracking a seven (7) character alphanumeric NetNTLMv2 password hash. Every combination is attempted in less than four (4) hours. Also <strong>P-A-T-H-E-T-I-C<\/strong>. I mention NetNTLMv2 because of the easy-to-execute man-in-the-middle (MitM) attacks against the protocol weaknesses centering on the Link-Local Multicast Name Resolution (LLMNR) protocol and Web Proxy Auto-Discovery Protocol (WPAD).<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: NetNTLMv2\nHash.Target......: netntlmv2.txt\nTime.Started.....: Mon Dec 31 12:09:01 2018 (3 secs)\nTime.Estimated...: Mon Dec 31 16:01:18 2018 (3 hours, 52 mins)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........:&nbsp;&nbsp; 505.3 MH\/s (52.86ms) @ Accel:128 Loops:64 Thr:256 Vec:1\nRecovered........: 0\/2 (0.00%) Digests, 0\/2 (0.00%) Salts\nProgress.........: 1801060352\/7043229212416 (0.03%)\nRejected.........: 0\/1801060352 (0.00%)\nRestore.Point....: 0\/916132832 (0.00%)\nRestore.Sub.#1...: Salt:1 Amplifier:384-448 Iteration:0-64\nCandidates.#1....: r6e0000 -&gt; k7Som10\nHardware.Mon.#1..: Temp: 68c Fan: 34% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre>Below are the statistics on cracking a seven (7) character alphanumeric Domain Cached Credential version 1 (mscache) password hash. Every combination is attempted in eleven (11) minutes. 
More <strong>P-A-T-H-E-T-I-C<\/strong><br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: Domain Cached Credentials (DCC), MS Cache\nHash.Target......: 090470811fdd079352726350dab6b036:rrsort\nTime.Started.....: Mon Dec 31 14:06:40 2018 (1 sec)\nTime.Estimated...: Mon Dec 31 14:18:14 2018 (11 mins, 33 secs)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........:&nbsp;&nbsp;5065.3 MH\/s (79.48ms) @ Accel:512 Loops:256 Thr:256 Vec:4\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 6543114240\/3521614606208 (0.19%)\nRejected.........: 0\/6543114240 (0.00%)\nRestore.Point....: 0\/916132832 (0.00%)\nRestore.Sub.#1...: Salt:0 Amplifier:3840-3844 Iteration:0-256\nCandidates.#1....: ZzUG970 -&gt; XzYXIE0\nHardware.Mon.#1..: Temp: 63c Fan:&nbsp;&nbsp;0% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre>Below are the statistics on cracking a seven (7) character alphanumeric Domain Cached Credential version 2 (mscachev2) password hash. Every combination will take the better part of a year.  
Microsoft\u2019s storage of cached credentials on systems that are members of the domain is currently one of the more computationally complex password hashes.<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: Domain Cached Credentials 2 (DCC2), MS Cache 2\nHash.Target......: $DCC2$10240#username#c296e8879b9ed32b3307d0a847244239\nTime.Started.....: Mon Dec 31 14:11:16 2018 (1 sec)\nTime.Estimated...: Wed Oct&nbsp;&nbsp;9 04:03:52 2019 (281 days, 12 hours)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........:&nbsp;&nbsp; 144.8 kH\/s (72.38ms) @ Accel:256 Loops:128 Thr:256 Vec:1\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 0\/3521614606208 (0.00%)\nRejected.........: 0\/0 (0.00%)\nRestore.Point....: 0\/56800235584 (0.00%)\nRestore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2176-2304\nCandidates.#1....: sarieri -&gt; swJWONA\nHardware.Mon.#1..: Temp: 63c Fan:&nbsp;&nbsp;0% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre>Last but not least we examine the password hash used for the latest LTS Ubuntu. Below are the statistics on cracking a seven (7) character alphanumeric sha512crypt password hash. 
Every combination will take a year and a half.<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: sha512crypt $6$, SHA512 (Unix)\nHash.Target......: $6$OjUT9iCj$nxj\/1j97piYCVpYWpxsMbH4nuUYqS.tjEZPdyuu...g9cTx.\nTime.Started.....: Mon Dec 31 14:44:50 2018 (28 secs)\nTime.Estimated...: Mon Jun 29 05:52:03 2020 (1 year, 180 days)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........:&nbsp;&nbsp;&nbsp;&nbsp;74707 H\/s (69.94ms) @ Accel:512 Loops:128 Thr:32 Vec:1\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 2129920\/3521614606208 (0.00%)\nRejected.........: 0\/2129920 (0.00%)\nRestore.Point....: 0\/56800235584 (0.00%)\nRestore.Sub.#1...: Salt:0 Amplifier:10-11 Iteration:512-640\nCandidates.#1....: darieri -&gt; dyyZY12\nHardware.Mon.#1..: Temp: 69c Fan: 53% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre><\/p>\n<p>Windows NTLMv2 and NetNTLMv2 are the two most common password hashes I encounter when conducting a penetration test. Non-Windows systems I\u2019ve commonly encountered are running a version of Unix from IBM or Sun Solaris (now owned by Oracle). Any Linux systems are usually a version of Red Hat Enterprise or Ubuntu. Networking equipment is commonly from Cisco Systems. Most Cisco systems I see are still protecting passwords with \u201ctype 5\u201d hashing. Who am I kidding, I still see \u201ctype 7\u201d everywhere. Cisco \u201ctype 5\u201d uses the same hashing algorithm (md5crypt) as older Linux systems such as Ubuntu 14.04 LTS or Red Hat Enterprise X. 
The Unix systems I see are still hashing with DES.<br \/>\n<pre><code>Session..........: hashcat\nStatus...........: Running\nHash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)\nHash.Target......: $1$NjH6$Q5DcSQzXEGc0HnkLKnJJB1\nTime.Started.....: Mon Dec 31 16:27:17 2018 (5 secs)\nTime.Estimated...: Wed Jan&nbsp;&nbsp;9 11:10:33 2019 (8 days, 18 hours)\nGuess.Mask.......: ?1?1?1?1?1?1?1 [7]\nGuess.Charset....: -1 ?u?l?d, -2 Undefined, -3 Undefined, -4 Undefined\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........:&nbsp;&nbsp;4642.3 kH\/s (88.84ms) @ Accel:1024 Loops:1000 Thr:32 Vec:1\nRecovered........: 0\/1 (0.00%) Digests, 0\/1 (0.00%) Salts\nProgress.........: 22577152\/3521614606208 (0.00%)\nRejected.........: 0\/22577152 (0.00%)\nRestore.Point....: 0\/56800235584 (0.00%)\nRestore.Sub.#1...: Salt:0 Amplifier:53-54 Iteration:0-1000\nCandidates.#1....: Earieri -&gt; EqRgana\nHardware.Mon.#1..: Temp: 60c Fan:&nbsp;&nbsp;0% Util:100% Core:1316MHz Mem:3004MHz Bus:16<\/code><\/pre><\/p>\n<p><strong>Resources<\/strong><br \/>\nWhy Being Compliant Is Not the Same as Being Secure<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.getadvanced.net\/blog\/article\/why-being-compliant-is-not-the-same-as-being-secure\">https:\/\/www.getadvanced.net\/blog\/article\/why-being-compliant-is-not-the-same-as-being-secure<\/a><\/p>\n<p>Compliance does not equal security<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.computerworld.com\/article\/3021787\/security\/compliance-does-not-equal-security.html\">https:\/\/www.computerworld.com\/article\/3021787\/security\/compliance-does-not-equal-security.html<\/a><\/p>\n<p>Compliant does not equal protected: our false sense of security<br \/>\n<a target=\"_blank\" 
href=\"https:\/\/www.csoonline.com\/article\/2995924\/data-protection\/compliant-does-not-equal-protected-our-false-sense-of-security.html\">https:\/\/www.csoonline.com\/article\/2995924\/data-protection\/compliant-does-not-equal-protected-our-false-sense-of-security.html<\/a><\/p>\n<p>Compliant but not Secure: Why PCI-Certified Companies Are Being Breached<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.csiac.org\/journal-article\/compliant-but-not-secure-why-pci-certified-companies-are-being-breached\/\">https:\/\/www.csiac.org\/journal-article\/compliant-but-not-secure-why-pci-certified-companies-are-being-breached\/<\/a><\/p>\n<p>Compliant but not Secure: Why PCI-Certified Companies Are Being Breached<br \/>\nSTI Graduate Student Research<br \/>\nby Christian Moldes &#8211; December 9, 2015<br \/>\n<a target=\"_blank\" href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/compliance\/paper\/36497\">https:\/\/www.sans.org\/reading-room\/whitepapers\/compliance\/paper\/36497<\/a><\/p>\n<p>Understanding the differences between the Cisco password \\ secret Types<br \/>\n<a target=\"_blank\" href=\"https:\/\/community.cisco.com\/t5\/networking-documents\/understanding-the-differences-between-the-cisco-password-secret\/ta-p\/3163238\">https:\/\/community.cisco.com\/t5\/networking-documents\/understanding-the-differences-between-the-cisco-password-secret\/ta-p\/3163238<\/a><\/p>\n<p>PCI DSS \u2013 Why it fails<br \/>\n<a target=\"_blank\" href=\"https:\/\/nakedsecurity.sophos.com\/2014\/04\/23\/pci-dss-why-it-fails\/\">https:\/\/nakedsecurity.sophos.com\/2014\/04\/23\/pci-dss-why-it-fails\/<\/a><\/p>\n<p>Requirements for Password\/Passphrase Complexity and Strength<br \/>\n<a target=\"_blank\" 
href=\"https:\/\/kirkpatrickprice.com\/video\/pci-requirement-8-2-3-passwords-passphrases-must-require-minimum-seven-characters-contain-numeric-alphabetic-characters\/\">https:\/\/kirkpatrickprice.com\/video\/pci-requirement-8-2-3-passwords-passphrases-must-require-minimum-seven-characters-contain-numeric-alphabetic-characters\/<\/a><\/p>\n<p>What is LLMNR &#038; WPAD and How to Abuse Them During Pentest?<br \/>\n<a target=\"_blank\" href=\"https:\/\/pentest.blog\/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest\/\">https:\/\/pentest.blog\/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a quick blog post on my thoughts regarding PCI-DSS password requirement 8.2.3 and how I think it creates an environment where all non-CDE data is left exposed via weak password requirements. I still see organizations that do not understand password strength vs password length and PCI-DSS 8.2.3 requires neither! I like to back 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6],"tags":[129,178,177],"class_list":["post-1199","post","type-post","status-publish","format-standard","hentry","category-fyi","tag-hashcat","tag-passwords","tag-pci-dss"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1199"}],"version-history":[{"count":13,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1199\/revisions"}],"predecessor-version":[{"id":1216,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1199\/revisions\/1216"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}