CAPEC-16: Dictionary-based Password Attack
CAPEC version: 3.9
Updated: 2023-01-24
Attack pattern description
Execution flow
Step 1 Explore
[Determine application's/system's password policy] Determine the password policies of the target application/system.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
Step 2 Explore
[Select dictionaries] Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.).
- Select dictionary based on particular users' preferred languages.
- Select dictionary based on the application/system's supported languages.
Step 3 Explore
[Determine username(s) to target] Determine username(s) whose passwords to crack.
- Obtain username(s) by sniffing network packets.
- Obtain username(s) by querying the application/system (e.g. if, upon a failed login attempt, the system indicates whether the entered username was valid or not).
- Obtain usernames from the filesystem (e.g. the list of directories in C:\Documents and Settings\ on Windows, and the list in /etc/passwd on UNIX-like systems).
Step 4 Exploit
[Use dictionary to crack passwords.] Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.
- Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
- Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).
Prerequisites
- The system uses one factor password based authentication.
- The system does not have a sound password policy that is being enforced.
- The system does not implement an effective password throttling mechanism.
Skills required
Resources required
- A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.
Consequences
Scope: Confidentiality, Access Control, Authentication
Technical impact: Gain Privileges
Scope: Confidentiality
Technical impact: Read Data
Scope: Integrity
Technical impact: Modify Data
Mitigations
Create a strong password policy and ensure that your system enforces this policy.
Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.
Leverage multi-factor authentication for all authentication services.
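As an added illustration of the first two mitigations (this is not code from the CAPEC entry), the following Python sketches a dictionary-aware password policy check and a progressive-delay login throttle whose delay is capped and expires after a quiet window, so that an attacker hammering one username cannot turn the throttle into a permanent lockout (CAPEC-2). The wordlist, usernames and source addresses are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed sample wordlist; a real deployment loads a full dictionary.
WEAK_WORDS = {"treacherous", "password", "welcome", "dragon"}
LEET = str.maketrans("@013$", "aoles")  # undo common character substitutions


def password_is_policy_compliant(pw: str, min_len: int = 8) -> bool:
    """Reject short passwords and dictionary words, including the usual
    manglings: case changes, trailing digits/symbols and leet spelling."""
    if len(pw) < min_len:
        return False
    base = pw.lower().rstrip("0123456789!@#$").translate(LEET)
    return base not in WEAK_WORDS


class LoginThrottle:
    """Progressive delay on failed logins, tracked per username and per source.

    The delay doubles with each recent failure but is capped at max_delay and
    only counts failures inside `window` seconds, so the account is slowed
    down rather than locked out indefinitely (limits CAPEC-2 exposure).
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, window=900.0):
        self.base_delay, self.max_delay, self.window = base_delay, max_delay, window
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def required_delay(self, username, source, now):
        """Seconds the caller must wait before accepting the next attempt."""
        n = max(self._recent(("user", username), now),
                self._recent(("src", source), now))
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_failure(self, username, source, now):
        self.failures[("user", username)].append(now)
        self.failures[("src", source)].append(now)

    def record_success(self, username, now):
        self.failures[("user", username)].clear()  # keep the per-source history
```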
Example instances
A system user selects the word "treacherous" as their password, believing that it would be very difficult to guess. A dictionary-based password attack is used to crack this password and gain access to the account.
See also: CVE-2003-1096