"Talking about Web security" Big Enterprise security: from Employees

At present, all enterprises have this problem, such as employees to the server and the background password directly in the cloud Notes and network disk, the employee Enterprise mailbox Password and external personal password consistent, and so on, usually we in the invasion of the time as long as the micro-blog search for a target company employees, get the usual password after landing mailbox, Then in the contacts and mail to collect other technical staff contact information, and finally log in their mailbox and cloud notes, etc. to turn some VPN, SVN, SSH and other passwords, the whole process is simple and direct and effective, and the larger the enterprise this problem more serious.

For people's intrusion basic will use the means of social engineering, my memory many times in the intrusion test process have disguised identity with the target staff to communicate, once the administrator of an open source program code to download back, in a very hidden place in the program add two lines of code, and then send the code to the administrator and said " See your XX program, quite praise, I slightly optimized add a point function ", two minutes after my remote control software to see already can control his computer, from his computer turned to a lot of business sensitive information, later he also replied to ask me to optimize where, and these two lines of code function, is to download the Trojan and run.

The above-mentioned example is relatively direct, may cause suspicion, usually we will start from the company's system and employee personal account to collect information, the company's business mailbox, OA system, SVN, operating system, operation and maintenance system, etc., personal accounts like cloud notes, network disk, e-commerce website, recruitment site, etc. These sites generally have a lot of sensitive personal information, the entire invasion of the general idea is as follows

One of the more critical password links, how can we get the employee's common password, usually have the following situations:

1. Social Work Library query
Related mining based on personal information. If you just use a mailbox to search, then you may only get a password for this person, but if you search through this password, you can relate to his other email address, and then search this email address, very likely to find his second common password, draw a diagram to show

2. Guess the password
Here say the guess password is not blind 123456, that is brute force, guess the password is according to the target person's personal information and habits to analyze the password he may use, I wrote a website based on experience is called guess password, Address is www.caimima.net, the success rate is still very high, because ordinary people use passwords have two habits

！ Use personal information as a password, such as zyy19880516 (Zhang Cran's birthday is May 16, 1988). Each change to the password will only modify the front or back one or two numbers or letters, and the next is to adjust the order.

3. Brute force
After generating the password based on personal information, we can use these passwords for brute force, and some people commonly used passwords such as 123456, 1QAZ2WSX class We call the weak password, can specialize in a dictionary for blasting, I personally handwritten a batch of words based on experience generated a 200,000 code dictionary, the success rate for blasting is also very high.

Blasting is not only the blasting password, the user name needs to be exploded, do not know the password and user name in the case of the explosion is called blind explosion, usually the domestic enterprise mailbox prefix is the name of the pinyin, such as Zhang Cran's mailbox may be [email protected], I will be the internet leaked tens of millions of names into pinyin , and then repeat to reorder, use this dictionary explosion enterprise mailbox, user name Pinyin, password for the name pinyin, name Pinyin after adding 123 or 520 of this kind of form, tried, so the case of blind explosion generally always burst out a lot, Most of the enterprises burst out the mailbox password of nearly 60 employees.

4. Access to personal websites and computers for passwords
This way is very effective, a lot of technical staff have a personal blog or forum class, we just invade this blog, in the blog database to turn his password, or modify the site code, add block code to intercept password, you can get his plaintext password. In addition about the invasion of personal computers, which have to combine some social engineering, the story at the beginning of the article is a good example, the means of a variety, before a piece said, a hacker in order to invade a business, spent 2000 dollars to call a young lady dedicated to accompany the target company's network administrator Luo chat, Through the young lady sent a Trojan to the administrator, successfully invaded the company. This kind of play real existence, I before in order to invade a business, sacrificed my hidden years of the Mo Mo female number, specifically opened a member to use roaming function, roaming to the target company near with the staff hooking up.

"Talking about Web security" Big Enterprise security: from Employees