Any password-based security system can be attacked by trying every possible password. In this video, you’ll learn about brute force attacks, password files, and how hackers can abbreviate the brute force process with dictionaries.
In previous videos, we’ve talked about wireless networks that have cryptographic vulnerabilities. We’ve talked about operating system vulnerabilities, and there are many ways to get into these systems without using any type of credentials. But what if everything is locked down? That means that the only way in would be to use a username and a password. But if you don’t know the username and password, you obviously are not going to have access.
That’s where brute force comes into play. We’re going to try every possible combination for a password given a particular username. This is usually a secret phrase or set of words and it’s generally not stored in plain text. It’s usually stored as a hash. There are many ways to perform a brute force attack.
One way, while you’re online, is to do it the same way you would if you were logging in normally. You would connect to a web page or connect to a server, you’d be prompted for a username and a password, and you would try those combinations. And if it was wrong, you’d go back to the login screen and try a different combination. This is obviously going to be a very slow process because it’s one that relies on you interactively typing things in.
It also relies on the server itself providing you with those prompts. And most systems are going to recognize when this kind of brute force is taking place. It knows after a certain number of incorrect login attempts, it’s going to lock down the account, which means you’re no longer able to attempt any brute force attacks online. And it usually requires the account owner to be able to unlock that account. The bad guys who know what they’re doing, though, are going to do all of this offline and use an automated process to try to perform this brute force attack.
The first thing they need, though, is a list of the usernames and the password file. This password information is generally hashed, which is a one-way cryptographic method of changing the password from plain text into something that is really completely unreadable. And you can’t reverse engineer a hash, so you always have to try a brute force method to try to match up what the hash might be. So you would calculate what you think the username and password might be. You would determine what the hash of that is, and then compare it to the hash that’s been stored.
This obviously takes a lot of time to do, and it also takes additional computation, because you have to first calculate the hash before you can compare it to the hash that was stored in the password file. Complicating things further is that different operating systems and different authentication methods may be calculating this hash differently. So the bad guy has to really know the process in place so that he can calculate the hash correctly and then compare it to what’s stored in the password file. This is a good example of a password file I pulled from one of my devices. You can see the usernames are in the password file, so those are in the clear, plain text information.
I see the user ID is associated with it in this password file. And then there’s this long hexadecimal value, and that is the hash. This was a real password that the system hashed and stored the hash. And every time this user logs in, it performs that same check, sends the hash across the wire, so that it can then determine does it match what’s currently stored in the password file? So as long as the bad guy has this information, he can then take everything offline and perform as many checks against that particular hash without any concern that anyone knows that it’s taking place or locking out anybody’s account on that server.
One way of performing a brute force attack would be to try every possible combination of letters and numbers and special characters. And that can obviously take a long time if you’re going through a lot of different iterations of those. So instead, the bad guys try to narrow down the scope and only try words that are well known. Perhaps those that would only be in a dictionary. And that’s why we have something called the dictionary attack.
The bad guy is going to now step through things that are very commonly used as passwords or words that you would only find in a dictionary. Words like password and ninja and football. Our studies have shown that these are very common passwords that people will use, so why not try the low hanging fruit first and see if you can identify a username and password combination very, very quickly? There are a lot of word lists and dictionaries already available on the internet. Some are focused on different languages, some have a different focus, maybe on medical or legal.
And all of them can be used to minimize the time it takes to identify a password when you have one of these password files. You’re obviously going to identify a subset of users by performing a dictionary attack, but your smarter users are going to use passwords that aren’t really words. They’re going to be combinations of letters and numbers and special characters. And in that case, a dictionary attack is not going to be able to identify and find those passwords for those particular users.
Sometimes people think that simply combining a well known word with one or two special characters would fool the bad guys, but they already know about this. They use something called a hybrid attack against those kinds of passwords. They’ll take a word like apple and put a 1 in front of it. And then put the number 2 or the number 123 and try every combination of that word with those particular characters. Maybe it’s something where it’s ninja9 50cent.
You get the idea: someone adds additional letters or replaces certain letters with different characters. This obviously takes a little bit longer to go through all of those different iterations, but it’s still a shorter time frame than going through every possible combination of letters, numbers, and special characters.
And the bad guy has software that allows them to change exactly what will be tested for each type of password. So they can customize exactly how long it might take to go through a particular set of usernames and passwords to see if somebody has perhaps added these additional letters or numbers to the end. And they can find that all with this hybrid attack.
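Since a hybrid attack just walks through a dictionary word plus a few digits or substituted characters, the defensive counterpart is to reject exactly those passwords at set time. The following is an added example, not code from the video: a password policy check that strips the added digits and symbols, undoes common letter substitutions, and refuses anything whose core is still a dictionary word. The four-word list and the substitution table are constructed for this example; a real deployment would load a large wordlist instead.

```python
import re
from typing import Optional

# Constructed wordlist for this example; the video's own examples are
# password, ninja, football and apple.
COMMON_WORDS = {"password", "ninja", "football", "apple"}

# Letter substitutions a hybrid attack would try; undoing them recovers
# the base word (constructed table, not exhaustive).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Leading and trailing runs of non-letters: the "1", "123" or "9" a
# hybrid attack bolts onto a word.
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_cores(password: str) -> list:
    """Return the base words a hybrid attack could reach this password
    from, most literal first: as typed (lowercased), with the edges
    stripped, and each of those with substitutions undone."""
    lowered = password.lower()
    stripped = EDGE_JUNK.sub("", lowered)
    cores = []
    for form in (lowered, stripped,
                 lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)):
        if form and form not in cores:
            cores.append(form)
    return cores


def weak_base(password: str, words=COMMON_WORDS) -> Optional[str]:
    """Return the dictionary word this password is a hybrid variant of,
    or None if no core form is in the wordlist."""
    for core in candidate_cores(password):
        if core in words:
            return core
    return None


if __name__ == "__main__":
    for pw in ("apple1", "123apple", "ninja9", "P@ssw0rd!", "xq7#Lm2!vT"):
        print(f"{pw!r}: {weak_base(pw)}")
```

A password whose `weak_base` is not `None` would be rejected by the policy; the returned word lets the rejection message tell the user which dictionary word was spotted.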