Pipal password analysis of Kippo password useage

Pipal is a tool for quickly and easily analysing password trends across many passwords, created by @digininja and @n00bz. Install (such as it is) is a straightforward affair; download, unpack, run. Standard usage is equally straightforward; ./pipal.rb ;
Download Pipal from here
I’ve not had too much opportunity run the tool myself, as Robin has been quick to release the results of Pipal’s analysis whenever a new breach has been made publicly available, results of this analysis can be found here.
So, trying to find an opportunity to give Pipal a run out, I decided to take a look at the passwords gathered by my Kippo installation. First up, I decided to take a look at the passwords used with added accounts once intruders compromise the system. Curious to see if the passwords chosen by those that break systems are vulnerable to the same weaknesses of standard users. This password list is quite short, so I’ll just add below:

  • zmxncbv
  • martin4e
  • sanja123hack
  • i123456
  • sistem123q
  • madaucusania
  • zaq12ws34edc
  • 3rwin89
  • b3s3mn0gumala
  • mylove120
  • zipp3r21
  • 19U!&u178
  • sor123in

The full results of this analysis is available here.
Pipal’s output from the analysis can be found here. I was surprised with some of the findings, >;60% of the passwords were 8 characters or less, many based on dictionaries words and only one utilising non-alphanumeric characters. Considering the people choosing these passwords gained access to the server by taking advantage of weak root password, I’d really expect better awareness of the importance of generating strong passwords. Guess not…..
Next up, I wanted to take a look at the passwords that are being used by bruteforce and scanning attempts to gain access to the honeypot installation. This password list is far longer than the list above, totalling 382374 entries. The full list input file is available here, and was generating by running the below SQL query against Kippo’s database. For the purposes of this analysis I decided to ignore authentication attempts that use blank passwords, but for the curious, attempts with passwords number 244062 attempts.

select count(password) from auth where password ;””;

For those not familiar with Kippo, it’s worth noting that it’s default root password (which I stuck with for this analysis) is ‘123456’, this will definitely have had an impact on the results below; partly because it features more prominently as attackers knowing the password confirm and utilise the the credentials, and bruteforce scanners will (may?) stop their attack once valid credentials are found, so that attempts which would have been made after ‘123456’ are not seen by the Kippo sensor.
The full output from Pipal from this analysis can be found here. Whilst the advice is weaker than ‘best practice’ advice on creating secure passwords, this data set indicates that simply choosing a password with 10 or more characters will avoid more 80% of remote password cracking attempts (local, offline attacks will be a different matter so take with a pinch of salt.
From finally getting my hands dirty with Pipal it’s a great tool, that does exactly what it sets out to do; give the users the numbers, so they can tell the story of the dataset.
–Andrew

Leave a comment

Your email address will not be published. Required fields are marked *