CAPEC-16 - Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.


  • Attack Methods: Brute Force
  • Purposes: Penetration
  • Scopes: Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)

Low level: A variety of password cracking tools and dictionaries are available to launch this type of attack.

The system uses one factor password based authentication.

The system does not have a sound password policy that is being enforced.

The system does not implement an effective password throttling mechanism.

A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.

Step 1 - Determine application's/system's password policy

Determine the password policies of the target application/system.

Technique ID: 1 - Environment(s) env-All

Determine minimum and maximum allowed password lengths.

Technique ID: 2 - Environment(s) env-All

Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).

Technique ID: 3 - Environment(s) env-All

Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Passwords are used in the application/system

Indicator ID: 2 - Environment(s) env-All

Type: Negative

Passwords are not used in the application/system.


Step 2 - Select dictionaries

Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.).

Technique ID: 1 - Environment(s) env-All

Select dictionary based on particular users' preferred languages.

Technique ID: 2 - Environment(s) env-All

Select dictionary based on the application/system's supported languages.

Step 3 - Determine username(s) to target

Determine username(s) whose passwords to crack.

Technique ID: 1 - Environment(s) env-CommProtocol env-Peer2Peer env-ClientServer

Obtain username(s) by sniffing network packets.

Technique ID: 2 - Environment(s) env-All

Obtain username(s) by querying the application/system (e.g. if, upon a failed login attempt, the system indicates whether the entered username was valid or not).

Technique ID: 3 - Environment(s) env-Embedded env-Local

Obtain usernames from the filesystem (e.g. the list of directories in C:\Documents and Settings\ on Windows, and the list in /etc/passwd on UNIX-like systems).

Indicator ID: 1 - Environment(s) env-ClientServer env-Peer2Peer env-Web env-CommProtocol

Type: Negative

Remote application or system provides no indication regarding whether a given username is valid or not.


Security Control ID: 1

Type: Preventative

Do not reveal information regarding validity of particular usernames to users.

Security Control ID: 2

Type: Corrective

Lock out accounts whose usernames are suspected to have been compromised.


Outcome ID: 1

Type: Success

At least one valid username found.

Outcome ID: 2

Type: Failure

Presence of any valid usernames could not be established.



Step 1 - Use dictionary to crack passwords.

Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

Technique ID: 1 - Environment(s) env-All

Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).

Technique ID: 2 - Environment(s) env-All

Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).

Indicator ID: 1 - Environment(s) env-All

Type: Negative

Application/system does not use password authentication.


Security Control ID: 1

Type: Detective

Large number of authentication failures in logs.

Security Control ID: 2

Type: Preventative

Enforce strict account lockout policies.

Security Control ID: 3

Type: Preventative

Enforce strong passwords (having sufficient length and containing a mix of lower case and upper case letters, numbers, and special characters).


Outcome ID: 1

Type: Success

Attacker determines correct password for a user ID and obtains access to application or system.

Outcome ID: 2

Type: Failure

Attacker is unable to determine correct password for a user ID and obtain access to application or system.
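The detective control above ("large number of authentication failures in logs") and the success outcome can be checked together: a sustained burst of failures for one username from one source, followed by an accepted login, is the signature of a dictionary run that worked. The following is an added example, not part of the CAPEC entry; the sshd-style log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): five rapid failures for alice
# from one source, then a success; bob's two failures are minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:03 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:04 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:05 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:06 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T10:05:00 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:09:30 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:09:40 sshd: Accepted password for bob from 203.0.113.9
"""

# Assumed line layout: "<iso-timestamp> sshd: (Failed|Accepted) password for <user> from <src>"
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def find_dictionary_attacks(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(user, source): (failure_count, success_seen)} for every
    (user, source) pair that accumulates `threshold` failures inside any
    sliding window of length `window`. success_seen is True when an accepted
    login for that pair was also logged, i.e. the guessing likely succeeded."""
    failures = defaultdict(list)
    accepted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real pipeline would count these too
        ts, status, user, src = m.groups()
        if status == "Failed":
            failures[(user, src)].append(datetime.fromisoformat(ts))
        else:
            accepted.add((user, src))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = (len(times), key in accepted)
                break
    return alerts
```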



Create a strong password policy and ensure that your system enforces this policy.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-02.
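One shape such a throttling mechanism can take, as an added example that is not part of the CAPEC entry: failures trigger a capped exponential delay keyed on (username, source) rather than a permanent per-account lock, so a dictionary run is slowed without handing an attacker a way to lock a victim out, and unknown usernames get the same response and comparison work as known ones. The salted SHA-256 check and the thresholds are assumptions for illustration; a real deployment would use a slow password hash such as argon2 or bcrypt.

```python
import hashlib
import hmac
from collections import defaultdict

BASE_DELAY = 2.0    # seconds of backoff after the first failure (assumed)
MAX_DELAY = 900.0   # cap: an account is delayed, never locked for good (assumed)
SOURCE_FAILS = 20   # per-source failure budget before the source is delayed (assumed)


def make_user(password, salt=b"constructed-salt"):
    """Constructed credential record: (salt, sha256(salt + password))."""
    return salt, hashlib.sha256(salt + password.encode()).digest()


class LoginGate:
    def __init__(self, users):
        self.users = users                  # username -> (salt, digest)
        self.fails = defaultdict(int)       # (username, source) -> failures
        self.src_fails = defaultdict(int)   # source -> failures across accounts
        self.block_until = {}               # (username, source) or source -> time

    def retry_after(self, username, source, now):
        """Seconds the caller must wait; 0.0 when the attempt may proceed."""
        waits = [self.block_until.get(k, 0.0) - now
                 for k in ((username, source), source)]
        return max(0.0, *waits)

    def attempt(self, username, source, password, now):
        if self.retry_after(username, source, now) > 0:
            return "throttled"
        # Unknown usernames still go through the same hashing and compare so
        # response timing does not reveal which usernames exist.
        salt, digest = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        computed = hashlib.sha256(salt + password.encode()).digest()
        ok = hmac.compare_digest(computed, digest) and username in self.users
        key = (username, source)
        if ok:
            self.fails.pop(key, None)
            self.block_until.pop(key, None)
            return "ok"
        self.fails[key] += 1
        self.src_fails[source] += 1
        # Capped exponential backoff per (account, source): slows guessing
        # from one place without letting that place lock the account outright.
        self.block_until[key] = now + min(MAX_DELAY, BASE_DELAY * 2 ** (self.fails[key] - 1))
        if self.src_fails[source] >= SOURCE_FAILS:
            self.block_until[source] = now + MAX_DELAY  # source spraying many accounts
        # Identical message for bad username and bad password.
        return "invalid credentials"
```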