Password Cracking using dictionary attacks
0 likes345 views
This document discusses password cracking through dictionary attacks. It explains that passwords are insecure by nature and vulnerable to brute force guessing. Dictionary attacks use wordlists of common passwords, words, and phrases rather than every possible combination in a brute force attack. The document demonstrates running a dictionary attack on an FTP server, finding a password in under 4 minutes. It concludes that dictionary attacks can be powerful when using optimized wordlists from past breaches.
Password Cracking using dictionary attacks
- 1. Cyber Security Assignment 2 Performing Password Cracking Vibhansh Gupta 17BCS059 14 December 2020 Page of1 7
- 2. The Nature of Passwords Passwords are the most common means of authentication. Passwords are protected by using one-way cryptographic algorithms that produce a hash of set length. Cryptography can only protect something to the point where the only feasible attack on the encrypted secret is to try and guess it. However, in the case of passwords guessing is easy. Passwords are insecure by nature because they are used for preventing humans from guessing a small secret created by humans. It isn’t just web applications that are at risk from brute force attacks. Encrypted databases, password-protected documents, and other secure data can also be stolen in a brute force attack, whether it’s available online or downloaded to an attacker’s computer. GPUs and cryptocurrency ASICs are designed to handle large loads of repetitive tasks, which is exactly what a brute force attacker needs. That doesn't mean every hacker who is attempting a brute force attack uses one, but those who are serious about stealing your data de f initely do. Exhaustive key searches are the solution to cracking any kind of cryptography, but they can take a very long time. When an attacker has a high degree of con f idence that the password they're trying to crack consists of certain words, phrases, or number and letter combinations, it can be much quicker to compile a dictionary of possible combinations and use that instead. Page of2 7
- 3. Dictionary Attacks Dictionaries are raw text f iles consisting of one word or phrase per line. Each line is a candidate match where each hash is computed and compared to the hashes to be recovered. The di ff erence between a Dictionary and a brute-force attack is that a Dictionary contains a list of probable matches rather than all possible string combinations. A Dictionary needs to be well optimised otherwise if it includes any string combinations it risks becoming a brute-force attack and loses its e ff iciency. Therefore Dictionaries often include known popular passwords, words from the English and other languages, ID numbers, phone numbers, sentences from books etc. Many services prevent users from using simple words as their passwords and ask to include special characters, numbers, and uppercase letters. But even though “Password123!” technically matches these criteria, it can’t be considered a strong password, and any dictionary attack would crack it. The wordlists with the best success rate are the ones that are composed from actual passwords taken from di ff erent public sources or previously disclosed databases. A well-optimised wordlist can be the most successful of all the attacks described. Fig. 1 A simple bash script that can be used for a dictionary attack. Page of3 7
- 4. The Attack with screenshots Fig. 2 Old Ubuntu IRC Channel logs available online Fig. 3 Generating the dictionary from IRC chat log f iles Page of4 7
- 5. Fig. 4 Main Method for staging the attack Page of5 7
- 6. Fig. 5 Attack ran on data from a FTP Server where ua-h000** are users Page of6 7
- 7. Conclusion Reviewing the output you can see I was able to determine the password for the account in less than 4 minutes. That’s just one of many accounts on the server. From here you could write an automated tool to crack accounts and then implant backdoors once an account is compromised. While brute-force and dictionary attacks aren’t generally your go-to options, they do have their place. Dictionary attacks, especially, can be really powerful if used in the correct manner. References Used • Lecture 24: The Dictionary Attack and the Rainbow-Table Attack on Password Protected Systems by Avi Kak - Purdue University (May 19, 2020) • Cracking Encrypted PDF Password Using Dictionary Attack by Shaquib Izhar - Cybrary Blog (Feb 15, 2018) • Modern Password Cracking: A hands-on approach to creating an optimised and versatile attack by Chrysanthou Yiannis - Royal Holloway, University of London (May 01, 2013) Page of7 7