If you don’t know the password, your only option is to guess. In this video, you’ll learn about brute-force attacks and how they can be made more efficient with dictionary attacks and rainbow tables.
If you were to look at how a computer system stores usernames and passwords, you would see that the passwords are not stored in plain text. Instead, each password is run through a hash function, and the hash is what is stored in the password file. Hashing is a one-way cryptographic process: it is easy to compute the hash from a password, but there is no practical way to reverse it and recover the original password from the hash.
If Carter were to log in with her username and password, the password she provided would be hashed, and that hash would be compared to the hash stored in the password file. If the two hashes match, we know that Carter supplied the correct password. This also means that anyone who wants to determine Carter's password has to keep guessing candidate passwords, hashing each one, until one of them produces a hash that matches the value stored in the password file.
This kind of repeated trial and error to find a password is called a brute force attack. Some brute force attacks are performed online, against the live login of a server: you take a username and submit one candidate password after another to see whether any of them is accepted.
Of course, if you do this online, the target system will probably lock the account after a certain number of bad attempts, and the real owner will have to call the support team to have it unlocked. Every guess is also a round trip to the server, so the rate of guessing is limited by how fast the server answers. This makes an online brute force attack noisy and not very successful.
What attackers would really like is to get their hands on the password file you saw earlier. With that file, they can perform an offline brute force attack, running through every possible candidate on their own hardware, with no lockouts and no limit on the rate of guesses other than what their hardware can compute. Because every guess requires computing a hash, the cost is dominated by the hashing itself: the more candidates you try, and the more expensive the hash function is per guess, the more CPU (or GPU) time you need.
Rather than working through every possible combination of letters and numbers until one matches the hash, a better first step is to try the terms that people most commonly use as passwords. These are called dictionary attacks, because the candidates are words and phrases you would find in a dictionary, or in a list of passwords that have leaked in the past.
If you're going to perform a brute force attack, these may be the first candidates you try: passwords such as 123456, or passwords containing the word "password" or "ninja." These are terms that people tend to use, and you will occasionally find an account that uses one of them, which makes the brute force process very easy.
You can find many word lists on the internet containing these common passwords, and some of the lists are customized for particular languages or industries. This will obviously catch the accounts whose passwords are simple words or phrases. If a user's password is instead an arbitrary combination of letters and numbers, it won't be in any word list, and it may take a traditional exhaustive brute force process to find it.
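The hash-and-compare login check, and the offline dictionary and brute force attacks against a captured password file, as an added example that is not part of the original video. It assumes a constructed, unsalted SHA-256 "password file" (a stand-in for the example, not how Windows or Linux actually store hashes) and a tiny constructed word list; the account names and passwords are made up.

```python
import hashlib
import hmac
import itertools
import string


def hash_password(password: str) -> str:
    """The hash the system stores. Unsalted SHA-256 is used only to keep the
    example short; it is not a recommended password-storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample "password file": username -> stored hash.
PASSWORD_FILE = {
    "carter": hash_password("ninja"),
    "alice": hash_password("123456"),
    "bob": hash_password("zq7"),      # short, but not a dictionary word
}

# Constructed word list; real ones (rockyou.txt, SecLists) run to millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "ninja", "dragon"]


def verify_login(username: str, password: str) -> bool:
    """The legitimate login check: hash what the user typed and compare it with
    the stored hash. compare_digest avoids leaking the match through timing."""
    stored = PASSWORD_FILE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))


def dictionary_attack(password_file: dict, wordlist: list) -> dict:
    """Offline dictionary attack. Each candidate is hashed once and checked
    against every stored hash, so the cost is one hash per word, not per account."""
    by_hash = {}
    for user, h in password_file.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for word in wordlist:
        h = hash_password(word)
        for user in by_hash.get(h, []):
            cracked[user] = word
    return cracked


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3):
    """Exhaustive brute force: every string over `alphabet` up to max_len characters.
    The number of hashes grows as |alphabet| ** length, which is why this is the
    fallback rather than the first thing to try."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate
    return None


def crack_file(password_file: dict, wordlist: list, max_len: int = 3) -> dict:
    """Dictionary attack first; exhaustive brute force only for what is left."""
    cracked = dictionary_attack(password_file, wordlist)
    for user, h in password_file.items():
        if user not in cracked:
            found = brute_force(h, max_len=max_len)
            if found is not None:
                cracked[user] = found
    return cracked


if __name__ == "__main__":
    print("login ok:", verify_login("carter", "ninja"))
    print("dictionary:", dictionary_attack(PASSWORD_FILE, WORDLIST))
    print("dictionary + brute force:", crack_file(PASSWORD_FILE, WORDLIST))
```

Raising `max_len` by one multiplies the brute force work by the alphabet size (36 here), which is the whole reason a word list is tried first: the dictionary pass costs six hashes in this example, while the exhaustive pass for the three-character password costs roughly 48,000.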
Instead of spending computational resources on a brute force attack in real time, what if you computed the hashes of a large set of candidate passwords once, ahead of time, and saved the results? That precomputed structure is called a rainbow table. A rainbow table is built one time, and from then on finding a password is a matter of looking up a hash that has already been calculated, which means a simple database search can recover even fairly complex passwords in seconds, as long as they fall within the password lengths and character sets the table was built to cover. Strictly speaking, a rainbow table does not store every hash: it stores chains of hashes linked by reduction functions, so the table covers far more passwords than it has entries, at the cost of some extra computation at lookup time.
The challenge, of course, is that you need to know exactly which hashing process was used for those particular passwords. Windows stores its password hashes differently than Linux does, and different applications store passwords in different ways, so attackers may need a completely different set of rainbow tables for each hash format they are attacking. A table is only useful when its hash function matches the target's; a table built for one algorithm is useless against another.
For the best possible security, we store our hashed passwords together with additional random data called a salt. A unique salt is generated for each password and combined with it before hashing, so two users with the same password end up with different stored hashes, and the value in the password table no longer depends on the password alone. That means a precalculated rainbow table can't be used when passwords are salted: an attacker would have to build a new table for every salt, which removes the whole benefit of precomputing. Note that the salt is not a secret and is stored alongside the hash; it defeats precomputation, not guessing, so salting should be paired with a deliberately slow password hash such as bcrypt, scrypt or Argon2 that makes each individual guess expensive.
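A working rainbow table, with the chain construction and the reduction functions described above, plus the salt check, as an added example that is not part of the original video. It assumes a deliberately tiny keyspace (4-digit PINs hashed with unsalted SHA-256) and a simple reduction function of my own choosing so the table builds in well under a second; real tables use the same construction over far larger keyspaces and are built for one specific unsalted hash format.

```python
import hashlib
import random
import secrets

# Deliberately tiny keyspace so the whole table builds in a fraction of a second.
# A real table uses the same construction over a much larger keyspace.
ALPHABET = "0123456789"
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN      # 10,000 candidate PINs
NUM_CHAINS = 400
CHAIN_LEN = 50                          # the table touches NUM_CHAINS * CHAIN_LEN points


def H(password: str) -> str:
    """The target hash function: unsalted, which is what makes precomputation pay off."""
    return hashlib.sha256(password.encode()).hexdigest()


def reduce_to_password(h: str, i: int) -> str:
    """Reduction function R_i (my own simple choice, not a standard): maps a hash
    back into the password space. Mixing in the chain position i is what makes
    this a rainbow table rather than a plain hash-chain table; chains that
    collide at different positions no longer merge."""
    n = (int(h[:16], 16) + i) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN, seed: int = 1) -> dict:
    """Precompute once. Each chain is p0 -H-> h0 -R_0-> p1 -H-> h1 -R_1-> ... -R_{t-1}-> p_t,
    and only (endpoint -> [start points]) is stored, so the table holds num_chains
    entries while covering up to num_chains * chain_len passwords."""
    rng = random.Random(seed)           # fixed seed so the example is reproducible
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        p = start
        for i in range(chain_len):
            p = reduce_to_password(H(p), i)
        table.setdefault(p, []).append(start)
    return table


def lookup(table: dict, target_hash: str, chain_len: int = CHAIN_LEN):
    """Recover the password behind target_hash if it lies on any stored chain."""
    for i in range(chain_len - 1, -1, -1):
        # Hypothesis: target_hash is h_i of some chain. Walk the rest of that chain.
        p = reduce_to_password(target_hash, i)
        for j in range(i + 1, chain_len):
            p = reduce_to_password(H(p), j)
        for start in table.get(p, []):
            # Endpoint matched: regenerate the chain and test each password on it.
            # A matching endpoint can be a false alarm (a merged chain), so the
            # hash is re-checked explicitly instead of trusting the endpoint.
            q = start
            for j in range(chain_len):
                if H(q) == target_hash:
                    return q
                q = reduce_to_password(H(q), j)
    return None


def salted_store(password: str):
    """How a defender stores the same PIN: a random per-password salt mixed into
    the hash. The salt is kept next to the hash; it is not a secret."""
    salt = secrets.token_hex(8)
    return salt, H(salt + password)


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} endpoints stored for {NUM_CHAINS} chains of length {CHAIN_LEN}")
    for pin in ("1234", "0007", "9999"):
        print(pin, "->", lookup(table, H(pin)))
    salt, stored = salted_store("1234")
    print("salted 1234 ->", lookup(table, stored))
```

Two things are worth noticing when running it. First, a lookup costs up to roughly CHAIN_LEN²/2 hash computations rather than one dictionary probe; that is the time part of the time-memory tradeoff. Second, the table only "covers" the PINs that happen to sit on one of its chains, so some lookups return None even though every PIN is in the keyspace; bigger and longer chain sets raise the coverage. The salted lookup always fails because the table was built for H(pin), not H(salt + pin), and a fresh table would be needed for every salt.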