CAPEC-49 - Password Brute Forcing

In this attack, the attacker tries every possible value for a password until one is accepted. If it is computationally feasible, a brute force attack always succeeds eventually, because it works through every password that can be formed from the permitted alphabet (lower case letters, upper case letters, digits, symbols, etc.) up to the maximum password length.

A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy.

In practice a pure brute force attack on passwords is rarely used unless the password is suspected to be weak; other cracking methods, such as dictionary attacks and rainbow tables (the latter effective only against unsalted hashes), are far more efficient.


  • Attack Methods (1): Brute Force
  • Purposes (1): Penetration
  • Scopes (1): Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)

Skill level: Low. A brute force attack is very straightforward, and a variety of password cracking tools are widely available.

An attacker needs to know a username to target.

The system uses password-based authentication as its single-factor authentication mechanism.

The application does not have a password throttling mechanism in place. A good throttling mechanism makes a brute force attack computationally impractical: it either locks the account after a certain number of incorrect attempts or imposes a timeout period between attempts, and either measure puts exhaustive guessing out of reach in practice.

A computer powerful enough for the job, with sufficient CPU, RAM and disk. Exact requirements depend on the size of the brute force job and the required completion time; some jobs call for grid or distributed computing (e.g. the DES Challenge).

Step 1 - Determine application's/system's password policy

Determine the password policies of the target application/system.

Technique ID: 1 - Environment(s) env-All

Determine minimum and maximum allowed password lengths.

Technique ID: 2 - Environment(s) env-All

Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).

Technique ID: 3 - Environment(s) env-All

Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Passwords are used in the application/system

Indicator ID: 2 - Environment(s) env-All

Type: Inconclusive

Passwords are not used for authentication; however, brute forcing of other protection mechanisms may also be possible.



Step 2 - Brute force password

Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until the application/system grants access.

Technique ID: 1 - Environment(s) env-All

Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.

Technique ID: 2 - Environment(s) env-All

Perform an offline dictionary attack or a rainbow table attack against a known password hash.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Weak passwords allowed, and no account lockout policy enforced.

Indicator ID: 2 - Environment(s) env-All

Type: Positive

Password hashes can be captured by attacker.

Indicator ID: 3 - Environment(s) env-All

Type: Negative

Accounts locked out after small number of failed authentication attempts.
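As an added illustration of the two techniques in this step (example code, not part of the CAPEC entry), the following Python enumerates the keyspace fixed by a discovered policy shortest-first and tests each candidate against a captured, unsalted SHA-256 hash, after first trying a small wordlist. The policy (lowercase letters and digits, lengths 1 to 4), the wordlist and the target hash are all constructed for the example; ALPHABET, WORDLIST, TARGET_HASH and the function names are assumptions of this example, not names from the page.

```python
import hashlib
import itertools
import string

# Assumed policy learned in Step 1 (constructed for this example):
# lowercase letters and digits, lengths 1 through 4.
ALPHABET = string.ascii_lowercase + string.digits
MIN_LEN, MAX_LEN = 1, 4

# Constructed wordlist for the dictionary pass that precedes raw enumeration.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def sha256_hex(candidate: str) -> str:
    """Unsalted, fast hash: the worst case for the defender and the setting in
    which the offline attack of Technique 2 is practical. A salted, slow KDF
    would not change the algorithm below, only the cost of every guess."""
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed target: the attacker holds only this digest, not the password.
TARGET_HASH = sha256_hex("ab1")


def keyspace_size(alphabet: str, min_len: int, max_len: int) -> int:
    """Number of candidates the policy permits: sum of |alphabet|^n over lengths."""
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def dictionary_attack(target_hash: str, wordlist):
    """Try likely passwords first; far cheaper than enumeration when it hits."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, alphabet: str, min_len: int, max_len: int):
    """Enumerate every string over `alphabet`, shortest first (Technique 1),
    hashing each one. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def crack(target_hash: str):
    """Dictionary pass first, then exhaustive search; reports which one won."""
    hit = dictionary_attack(target_hash, WORDLIST)
    if hit is not None:
        return hit, "dictionary"
    password, _ = brute_force(target_hash, ALPHABET, MIN_LEN, MAX_LEN)
    return password, ("brute-force" if password is not None else "exhausted")


if __name__ == "__main__":
    print("policy keyspace:", keyspace_size(ALPHABET, MIN_LEN, MAX_LEN))
    print("result:", crack(TARGET_HASH))
```

The keyspace for this small policy is about 1.7 million candidates, trivial for an offline attack against a fast hash; the same loop driven through a login form is what the throttling and lockout controls below are meant to stop.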


Security Control ID: 1

Type: Detective

Large number of authentication failures in logs.

Security Control ID: 2

Type: Preventative

Enforce strict account lockout policies.

Security Control ID: 3

Type: Preventative

Enforce strong passwords (sufficient length and a mix of lower case and upper case letters, digits, and special characters).

Security Control ID: 4

Type: Corrective

Deny login attempts from sources that produce too many failed attempts. Note that this may cause problems where many users may have the same "source" as far as the application/system is concerned (e.g. a lot of users behind a NAT device).
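To make the detective control ("large number of authentication failures in logs") concrete, here is an added Python example (not from the CAPEC entry) that scans authentication log lines for failure bursts keyed on both the account and the source address, and separately flags a success that follows a burst. The "key=value" log format and the sample lines are constructed for the example; a real deployment would adapt the regular expression to its own system's format. The function names and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample in a hypothetical "key=value" auth log format. Three cases:
# a burst against one account that ends in success, a slow attack that stays
# below the window threshold, and a spray of single guesses across many accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:01Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:02Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:06Z auth result=ok user=alice src=203.0.113.5
2024-05-01T10:01:00Z auth result=fail user=bob src=198.51.100.7
2024-05-01T10:05:00Z auth result=fail user=carol src=192.0.2.9
2024-05-01T10:05:01Z auth result=fail user=dave src=192.0.2.9
2024-05-01T10:05:02Z auth result=fail user=erin src=192.0.2.9
2024-05-01T10:05:03Z auth result=fail user=frank src=192.0.2.9
2024-05-01T10:05:04Z auth result=fail user=grace src=192.0.2.9
2024-05-01T10:05:05Z auth result=fail user=heidi src=192.0.2.9
2024-05-01T10:21:00Z auth result=fail user=bob src=198.51.100.7
2024-05-01T10:41:00Z auth result=fail user=bob src=198.51.100.7
2024-05-01T11:01:00Z auth result=fail user=bob src=198.51.100.7
2024-05-01T11:21:00Z auth result=fail user=bob src=198.51.100.7
2024-05-01T11:41:00Z auth result=fail user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect(log_text: str, window=timedelta(minutes=10), user_threshold=5, src_threshold=5):
    """Sliding-window failure counting keyed on account and on source address.

    Returns a sorted list of (alert_kind, key, failures_seen). The per-source
    threshold is kept separate so it can be raised where many users share one
    address (NAT), as the corrective control above warns."""
    recent = {"user": defaultdict(deque), "src": defaultdict(deque)}
    limits = {"user": user_threshold, "src": src_threshold}
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "ok":
            # A success right after a failure burst on the same account is the
            # highest-fidelity sign that one of the guesses landed.
            burst = len(recent["user"][user])
            if burst >= limits["user"]:
                alerts[("success-after-burst", user)] = burst
            continue
        for kind, key in (("user", user), ("src", src)):
            q = recent[kind][key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= limits[kind]:
                name = f"{kind}-burst"
                alerts[(name, key)] = max(alerts.get((name, key), 0), len(q))
    return sorted((kind, key, n) for (kind, key), n in alerts.items())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it flags alice (six failures then a success), the address behind that burst, and the spraying address 192.0.2.9, whose per-account count never exceeds one. bob's attacker, at one guess every twenty minutes, never trips a ten-minute window: lengthening the window or lowering the threshold catches that pattern but raises false positives for shared addresses, which is the trade-off the corrective control above describes.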


Outcome ID: 1

Type: Success

Attacker determines correct password for a user ID and obtains access to application or system.

Outcome ID: 2

Type: Failure

Attacker is unable to determine correct password for a user ID and obtain access to application or system.

Outcome ID: 3

Type: Failure

Attacker locks out account while attempting to brute force its password.



Implement a password throttling mechanism. This mechanism should take into account both the IP address and the login name of the user.
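The following Python is an added example of such a throttle (example code, not from the CAPEC entry): failures are counted both per login name and per source address, a threshold on either triggers a timed lockout, and the per-address limit is deliberately the larger of the two so that many legitimate users behind one NAT gateway are not cut off, the problem noted under the corrective control above. The credential store, the user "alice", the addresses and the class and function names are all constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed credential store for the demo. A real store would hold salted,
# slow-KDF hashes (bcrypt, scrypt, Argon2), not bare SHA-256.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"").hexdigest()


def verify(username: str, password: str) -> bool:
    """Constant-time compare; unknown users hash a dummy so they cost the same."""
    stored = USERS.get(username, DUMMY_HASH)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest) and username in USERS


class LoginThrottle:
    """Throttle keyed on both the login name and the source address.

    user_max failures lock the account and ip_max failures block the address,
    each for lock_seconds. ip_max is the larger limit so a NAT gateway shared
    by many users is not blocked by a handful of typos."""

    def __init__(self, user_max=5, ip_max=50, lock_seconds=900, clock=time.monotonic):
        self.limits = {"user": user_max, "ip": ip_max}
        self.lock_seconds = lock_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._fails = defaultdict(int)          # (kind, key) -> failure count
        self._locked_until = {}                 # (kind, key) -> expiry time

    def _locked(self, kind, key) -> bool:
        until = self._locked_until.get((kind, key))
        if until is None:
            return False
        if self.clock() >= until:               # timeout elapsed: clear the lock
            del self._locked_until[(kind, key)]
            self._fails[(kind, key)] = 0
            return False
        return True

    def check(self, username, ip):
        """None if the attempt may proceed, otherwise the refusal reason."""
        if self._locked("user", username):
            return "account temporarily locked"
        if self._locked("ip", ip):
            return "source temporarily blocked"
        return None

    def record_failure(self, username, ip):
        for kind, key in (("user", username), ("ip", ip)):
            self._fails[(kind, key)] += 1
            if self._fails[(kind, key)] >= self.limits[kind]:
                self._locked_until[(kind, key)] = self.clock() + self.lock_seconds

    def record_success(self, username, ip):
        self._fails[("user", username)] = 0
        # The per-address counter is not reset: one valid login from a gateway
        # must not launder a spray against the other accounts behind it.


def attempt(throttle, username, password, ip):
    """Login flow: consult the throttle before the password is even checked."""
    reason = throttle.check(username, ip)
    if reason is not None:
        return False, reason
    if verify(username, password):
        throttle.record_success(username, ip)
        return True, "ok"
    throttle.record_failure(username, ip)
    return False, "invalid credentials"


class FakeClock:
    """Manually advanced clock so the lock timeout can be exercised instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Five wrong guesses lock alice; the right password is refused until the
    timeout expires, then accepted. Returns the list of (ok, reason) results."""
    clock = FakeClock()
    throttle = LoginThrottle(user_max=5, ip_max=50, lock_seconds=900, clock=clock)
    results = [attempt(throttle, "alice", guess, "203.0.113.5") for guess in "abcde"]
    results.append(attempt(throttle, "alice", "correct horse", "203.0.113.5"))
    clock.advance(900)
    results.append(attempt(throttle, "alice", "correct horse", "203.0.113.5"))
    return results


if __name__ == "__main__":
    for ok, reason in simulate():
        print(ok, reason)
```

Note that lockout turns a confidentiality attack into an availability one: an attacker who knows a username can lock the legitimate owner out (Outcome 3 above), which is why the timeout is bounded rather than permanent and why the per-address block exists as a second, independent brake.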

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.

Passwords should be changed periodically so that a compromised password does not remain valid indefinitely, that is, a new password must be chosen from time to time. Note that current guidance such as NIST SP 800-63B advises against forcing changes on a fixed schedule and instead recommends requiring a change when there is evidence of compromise.