1.4.11.2 Dictionary

In the *nix world, dictionary cracking is currently the most popular password attack. As the FAQ of this work states, this is not a treasure map for people who want to do damage; we include the footnote to John the Ripper [88] only because its download site is the first result on Google, so nothing is being given away here. John the Ripper runs on both DOS and UNIX-based systems, and a CD containing wordlists in 20 different languages can be ordered for a whopping $15 USD, airmailed to any address in the world. A popular non-free (after a 15-day trial) package for auditing Windows NT and 2000 passwords for susceptibility to dictionary attacks is LC4 (also known as L0phtCrack 4) from @stake [89].

By trying a large number of common words, sorted by popularity, a dictionary attack can be quite effective. Do not assume you are safe from it because you tack a # or a 4 onto the end of your password: dictionary attacks are not limited to words exactly as they appear in the dictionary. Cracking programs commonly prepend and append digits and special characters to each word, and apply the usual numeric/symbol substitutions for letters, such as 0 for o and ! for i or l, when generating candidate passwords.
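The following is an added example, not code from CertiGuide or from John the Ripper or LC4, showing what the mangling described above looks like in practice: a small offline dictionary attack that takes each wordlist entry, varies its case, applies the common letter-for-digit substitutions, and prepends and appends digits and symbols before hashing. The password file, the wordlist and the use of unsalted SHA-256 as the hash function are all constructed assumptions for the example (a real target would store crypt(3) or LM/NT hashes, but the candidate-generation logic is independent of the hash).

```python
import hashlib
import itertools


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for whatever the target really stores
    # (crypt(3), LM/NT hashes); it is an assumption made for this example.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample "password file": account -> hash. Only dave's password
# is not derived from a dictionary word and should survive the run.
TARGET_HASHES = {
    "alice": sha256_hex("password"),      # bare dictionary word
    "bob":   sha256_hex("Summer2004!"),   # capitalised word + year + symbol
    "carol": sha256_hex("p4ssw0rd"),      # 4-for-a and 0-for-o substitutions
    "dave":  sha256_hex("xq9#Lm2!vR"),    # random, not in any wordlist
}

# Constructed mini wordlist, most popular first (real lists run to millions).
WORDLIST = ["password", "summer", "letmein", "admin", "welcome"]

# Mangling rules: the kind of transformations the text describes.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "l": "!"}
PREFIXES = ["", "!", "1"]
SUFFIXES = ["", "1", "123", "!", "#", "2004", "2004!"]


def case_variants(word):
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word):
    # Original plus the fully substituted form; real rule engines also try
    # every partial substitution, which multiplies the candidate count.
    full = "".join(LEET.get(c, c) for c in word)
    return [word, full]


def candidates(word):
    """Yield every mangled form of one dictionary word, without duplicates."""
    seen = set()
    for base in case_variants(word):
        for variant in leet_variants(base):
            for prefix, suffix in itertools.product(PREFIXES, SUFFIXES):
                cand = prefix + variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(targets, wordlist, hasher=sha256_hex):
    """Offline dictionary attack: returns ({account: password}, candidates_tried).

    Because the hashes are unsalted, each candidate is hashed once and looked
    up against every account at the same time; salting would force one hash
    computation per candidate per account.
    """
    by_hash = {}
    for account, digest in targets.items():
        by_hash.setdefault(digest, []).append(account)

    found = {}
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            for account in by_hash.get(hasher(cand), []):
                found[account] = cand
            if len(found) == len(targets):
                return found, tried
    return found, tried


if __name__ == "__main__":
    found, tried = crack(TARGET_HASHES, WORDLIST)
    for account in TARGET_HASHES:
        print(f"{account:6s} {found.get(account, '<not cracked>')}")
    print(f"{tried} candidates tried")
```

With this five-word list, three of the four accounts fall, including the two whose owners thought a year, a symbol or some 4-for-a substitutions made their password safe; only the random password survives. Note how cheap the unsalted case is: one hash per candidate covers every account at once.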
Both dictionary and brute-force password-guessing attacks can be carried out in one of two ways, one harder to detect than the other: offline, against a copy of the stored password hashes, or online, by submitting guesses to the system's logon interface.

The first (offline) is typically the greater threat, because it can be carried out without triggering any system alarms and so goes undetected until the intruder uses one of the cracked passwords. It does, however, require that the attacker obtain the stored password hashes (the "encrypted" password values); this is possible on Windows with tools such as LC4, and on UNIX systems that are not configured to use shadow passwords, where the hashes sit in the world-readable /etc/passwd. Fortunately, this approach does not work everywhere. The second (online) method is still a threat, but most systems can be configured to lock out an account after a certain number of invalid password attempts, which limits online guessing. Be aware, though, that depending on which applications are installed on the system, it may be possible to validate passwords without any incorrect attempt being logged, so that nobody is alerted to the attack. How? Some network-based and web-based applications request a user ID and password and, in some cases, validate them against the operating system's user database using OS validation functions. Unlike the OS logon program, however, the application may not write an entry to the system logs when it encounters an invalid user/password combination, and may not lock the account after a number of unsuccessful tries. This is yet another example of how additional services and applications installed on a system increase its exposure.
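The following is an added example, not part of the CertiGuide text, illustrating the online side of the discussion above: a failed-attempt lockout policy replayed over logon records. The log format and the sample lines are constructed for the example and do not imitate any real product. The sample contains a rapid burst of guesses against one account, which trips the lockout (and then rejects the very next attempt even though it succeeds), and a slow one-guess-per-hour pattern against another, which never accumulates enough failures inside the window. An application that validates passwords through OS functions without logging would simply produce no lines at all, and so nothing here would ever fire for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon log in a made-up format (not any real product's format):
# timestamp, outcome, account, source address. bob is hit by a rapid burst
# of guesses; carol by one guess per hour, which stays under the threshold.
SAMPLE_LOG = """\
2004-11-15T09:00:01 LOGIN OK   user=alice src=10.0.0.7
2004-11-15T09:00:05 LOGIN FAIL user=bob   src=10.0.0.9
2004-11-15T09:00:06 LOGIN FAIL user=bob   src=10.0.0.9
2004-11-15T09:00:07 LOGIN FAIL user=bob   src=10.0.0.9
2004-11-15T09:00:08 LOGIN FAIL user=bob   src=10.0.0.9
2004-11-15T09:00:09 LOGIN FAIL user=bob   src=10.0.0.9
2004-11-15T09:00:10 LOGIN OK   user=bob   src=10.0.0.9
2004-11-15T09:30:00 LOGIN FAIL user=carol src=10.0.0.3
2004-11-15T10:30:00 LOGIN FAIL user=carol src=10.0.0.3
2004-11-15T11:30:00 LOGIN FAIL user=carol src=10.0.0.3
"""

LINE_RE = re.compile(r"^(\S+) LOGIN (OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, succeeded, account, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2) == "OK",
                   m.group(3), m.group(4))


def simulate_lockout(log_text, threshold=5, window=timedelta(minutes=10),
                     lock_for=timedelta(minutes=30)):
    """Replay logon attempts through a failed-attempt lockout policy.

    Returns a list of (timestamp, account, decision) where decision is one of
    ACCEPTED, FAILED, LOCKED (this attempt tripped the lockout) or
    REJECTED_LOCKED (refused because the account is locked, even if the
    password was right).
    """
    recent_failures = defaultdict(deque)   # account -> failure times in window
    locked_until = {}
    decisions = []
    for ts, ok, account, _src in parse(log_text):
        if account in locked_until and ts < locked_until[account]:
            decisions.append((ts, account, "REJECTED_LOCKED"))
            continue
        if ok:
            recent_failures[account].clear()
            decisions.append((ts, account, "ACCEPTED"))
            continue
        failures = recent_failures[account]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold:
            locked_until[account] = ts + lock_for
            failures.clear()
            decisions.append((ts, account, "LOCKED"))
        else:
            decisions.append((ts, account, "FAILED"))
    return decisions


def decisions_for(decisions, account):
    """Just the decision strings for one account, in log order."""
    return [d for _ts, acct, d in decisions if acct == account]


if __name__ == "__main__":
    for ts, account, decision in simulate_lockout(SAMPLE_LOG):
        print(ts.isoformat(), account, decision)
```

The two failure patterns show the trade-off built into any lockout policy: a tight threshold and window stop the burst, but an attacker who spaces guesses out further than the window (carol's three failures, an hour apart) is never locked and is only visible if someone correlates the failures over a longer period. The locked account also refuses a correct password, which is what makes lockout a denial-of-service lever when the attacker's goal is disruption rather than access.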
__________________
88. http://www.openwall.com/john/
89. http://www.atstake.com/research/lc/index.html
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com, Version 1.0, Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.