[This is a Guest Diary by John Grant, an ISC intern as part of the SANS.edu BACS program]
Introduction
I have noticed default passwords and keyboard walks are some of the most popular passwords found in the SSH/Telnet logs on my DShield honeypot. It is a known issue in the cybersecurity industry and is often found throughout compromised password dumps. Users believe long keyboard walks are secure; however, they can be easily guessed by attackers even when the password includes numbers and uses shift to create special characters.
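As an added example (not code from the diary or from ChatGPT's output), the defensive check below flags keyboard walks, including their shifted variants, so they can be rejected at password-set time or counted when triaging honeypot logs. The unstaggered grid layout, the `min_run` and `threshold` values and the sample passwords are assumptions made for illustration.

```python
# Added example (not from the diary): flag keyboard-walk passwords.
# Assumes a US QWERTY layout treated as an unstaggered grid, so both
# diagonal neighbours count as adjacent (a slight over-approximation).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every character, shifted or not, to the (row, column) of its key.
KEY_POS = {}
for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = KEY_POS[s] = (r, c)


def adjacent(a, b):
    """True when a and b are the same key or neighbouring keys."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_runs(password):
    """Split a password into maximal runs of adjacent keystrokes."""
    runs, start = [], 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not adjacent(password[i - 1], password[i]):
            runs.append(password[start:i])
            start = i
    return runs


def walk_coverage(password, min_run=3):
    """Fraction of the password made of walk runs of min_run+ keys."""
    if not password:
        return 0.0
    covered = sum(len(r) for r in walk_runs(password) if len(r) >= min_run)
    return covered / len(password)


def is_keyboard_walk(password, threshold=0.75):
    """Threshold and min_run are tunable assumptions, not standards."""
    return walk_coverage(password) >= threshold


# Constructed sample input, e.g. candidates seen at password-change time.
SAMPLE = ["1qaz2wsx", "!QAZ2wsx", "qwerty123", "Tr0ub4dor&3", "Summer2024!"]
FLAGGED = [p for p in SAMPLE if is_keyboard_walk(p)]
```

Because shifted characters map to the same physical key as their unshifted form, adding numbers or shift to a walk does not change the result.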
Password spraying attack background
Password spraying is a common password attack in enterprise networks where the attacker takes a small number of passwords and sprays them against all users in the hope of finding a user with a weak or guessable password. Once the attacker compromises one user, they can query Active Directory with the PowerShell command “Get-ADDefaultDomainPasswordPolicy”, which allows the attacker to enumerate the lockout policy and work out how to continue spraying passwords on the enterprise network without the risk of locking out accounts.
During penetration tests, I like to run password spraying attacks after enumerating the lockout policy as noted above and use a tool like “spraycharles”, found on GitHub, to automate the password spray attack while I work on other testing items that require more manual interaction. One of the input requirements of spraycharles is a password list or single password to test. I normally create a list of passwords to try using common qwerty keyboard walks and spray them throughout the test. If the client's Active Directory policy is not following best practices for the LockoutDuration and LockoutThreshold settings, it is possible to exhaust a password spray list quickly, so I wanted to create a Python script I could use during a test to quickly create qwerty style passwords that use numbers and special characters.
Using ChatGPT to generate some code as a starting point
I have found that when creating Python scripts from scratch, it is challenging to know where to begin. For this assignment I wanted to experiment with an AI tool like ChatGPT to generate some code quickly and get started. I also planned to use ChatGPT to help me add features to the code as I came up with ideas for them. Additionally, I wanted to use ChatGPT to help me work through any errors in the code along the way by just copying the error output and pasting it in the next message to ChatGPT.
During this assignment, as with coding a script from scratch, it helps to start with a basic request or task for ChatGPT and iterate slowly, adding more features once you have working code, rather than posing a huge task, in case you have errors in the ChatGPT output. Starting with a small amount of code will make it easier to figure out the error(s). If you cannot figure out the error, you can always send a new message to ChatGPT with the error and ask it to fix it; however, this process has mixed success in my experience.
Next I add a prompt for the user to input the desired length of the passwords generated:
You may have noticed ChatGPT hard coded the number of passwords generated to 10, so next I will ask ChatGPT to add a prompt to allow the user to decide how many passwords to generate.
Oops, it looks like ChatGPT generated a random password list that does not follow the qwerty keyboard walk like we hoped, so we will try to ask it to fix the script:
Looking at the code and output, I realized ChatGPT was struggling to accurately reference the keyboard layout in the way I was telling it to generate qwerty style passwords, and after numerous iterations of the code, I finally got it to output a simple keyboard walk from the top row of the keyboard to the bottom, using a Pandas DataFrame format to be able to reference columns and rows.
Now using the example Active Directory setting above we created 20 passwords with the length of 8 characters:
Now that we have some working code, we can add back in the feature of sending the output to a text file and removing the “Generated Password”:
Conclusion
This project showed me that ChatGPT needs clear parameters and sometimes lots of trial and error to create the Python code you are trying to create. Also, it is best to start with a simple core function and slowly build complexity, which will make it easier to troubleshoot any errors in the code. This project reminded me of the “tire swing analogy”, except it was between me and AI, trying to get it to generate code to automate the tedious task of generating qwerty style passwords.
Disclaimer: This project used the free version of ChatGPT, so in all fairness the paid version of ChatGPT may cause fewer errors, be more user friendly and reduce the amount of trial and error.
[1] https://github.com/Tw1sm/spraycharles
[2] https://www.sans.edu/cyber-security-programs/bachelors-degree/
———–
Guy Bruneau IPSS Inc.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.