For the last year or so, Rapid7 has been collecting login credentials via “Heisenberg,” a network of low-interaction honeypots that the company has set up to analyze login attempts by random, opportunistic actors.
The honeypots emulate the authentication handshakes of several protocols, but nothing more than that, so the motives of the “attackers” are unknown. But the recorded login attempts give insight into the top attempted usernames, passwords, and username:password combinations.
The recently released report that the company has compiled in the wake of this research has concentrated on login attempts coming through the Remote Desktop Protocol (RDP).
“RDP enables remote desktop-based control of home, office, POS, and kiosk systems, and is often enabled intentionally and legitimately by those systems’ owners, since it is sometimes considered as a secure alternative to a Virtual Private Network (VPN) connection,” the researchers explaine. “RDP is also a popular management interface for some Windows-based Point-Of-Sale (POS) systems.”
In fact, a recent Internet-wide scan the company made revealed nearly 11 million IP addresses listening for 3389/ TCP, the default port for RDP, which means that there is a huge number of targets waiting to get popped.
Expectedly, the most tried usernames are administrator and Administrator, followed by user1. pos, db2admin and sql are also in the top 10, pointing to attackers looking for Point of Sale systems and internet-facing databases.
A list of top ten passwords is a bit more interesting (and not the usual list of most commonly chosen passwords by users):
A look at the top passwords for the top ten usernames, and the top usernames associated with the top ten passwords, revealed that:
- For some usernames the attackers are trying default passwords (e.g. db2admin:d- b2admin, the default credential for many versions of IBM’s DB2 database)
- x is the most commonly guessed password, likely because POS and kiosk administrators don’t want to be bothered with setting a password, so they took the most painless path
- The username:password combinations user1:St@rt123 and alex:alex crop up often, making the researchers believe that these are default credentials to a particular brand of device, or a botnet default.
Login attempts coming from China are the most numerous. Next on the list are those from the US, and the rest trail far, far behind.
More interesting details can be had from the report, which Rapid7 is also handing out at their booth at RSA Conference.