An attacker tries each of the words in a dictionary as the password to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Attack Execution Flow

Explore

Determine application's/system's password policy:
Determine the password policies of the target application/system.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Determine minimum and maximum allowed password lengths. | env-All
2 | Determine the format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., and whether they are allowed to contain words from the dictionary). | env-All
3 | Determine the account lockout policy (a strict account lockout policy will prevent brute force attacks). | env-All

Indicators
ID | Type | Indicator Description | Environments
1 | Positive | Passwords are used in the application/system. | env-All
2 | Negative | Passwords are not used in the application/system. | env-All
Select dictionaries:
Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.).

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Select dictionary based on particular users' preferred languages. | env-All
2 | Select dictionary based on the application/system's supported languages. | env-All
Determine username(s) to target:
Determine username(s) whose passwords to crack.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Obtain username(s) by sniffing network packets. | env-CommProtocol env-Peer2Peer env-ClientServer
2 | Obtain username(s) by querying the application/system (e.g. if, upon a failed login attempt, the system indicates whether the entered username was valid or not). | env-All
3 | Obtain usernames from the filesystem (e.g. the list of directories in C:\Documents and Settings\ on Windows, and the list in /etc/passwd on UNIX-like systems). | env-Embedded env-Local

Indicators
ID | Type | Indicator Description | Environments
1 | Negative | Remote application or system provides no indication regarding whether a given username is valid or not. Presence of any valid usernames could not be established. |

Security Controls
ID | Type | Security Control Description
1 | Preventative | Do not reveal information regarding the validity of particular usernames to users.
2 | Corrective | Lock out accounts whose usernames are suspected to have been compromised.
Exploit

Use dictionary to crack passwords:
Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Try all words in the dictionary, as well as common misspellings of the words, as passwords for the chosen username(s). | env-All
2 | Try common combinations of words in the dictionary, as well as common misspellings of the combinations, as passwords for the chosen username(s). | env-All

Indicators
ID | Type | Indicator Description | Environments
1 | Negative | Application/system does not use password authentication. | env-All

Outcomes
ID | Type | Outcome Description
1 | Success | Attacker determines the correct password for a user ID and obtains access to the application or system.
2 | Failure | Attacker is unable to determine the correct password for a user ID and does not obtain access to the application or system.

Security Controls
ID | Type | Security Control Description
1 | Detective | Large number of authentication failures in logs.
2 | Preventative | Enforce strict account lockout policies.
3 | Preventative | Enforce strong passwords (having sufficient length and containing a mix of lower case and upper case letters, numbers, and special characters).
Attack Prerequisites
The system uses one-factor, password-based authentication.
The system does not have a sound password policy that is being enforced.
The system does not implement an effective password throttling mechanism.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Brute Force
Examples-Instances
Description
A system user selects the word "treacherous" as their password, believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.
Description
The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.
Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known by the client and the network and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.
Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.
Related Vulnerabilities
CVE-2003-1096
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
A variety of password cracking tools and dictionaries are available to launch this type of attack.
Resources Required
A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required, as is a password cracking tool or a custom script that leverages the dictionary database to launch the attack.
Indicators-Warnings of Attack
Many invalid login attempts are coming from the same machine (same IP address) or for the same login name. The login attempts use passwords that are dictionary words.
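The detective control above (a large number of authentication failures in the logs, clustered by source address or by login name) can be checked with a small log-scanning routine. The following is an added example, not part of the CAPEC entry; it assumes an sshd-style "Failed password" log format and uses constructed sample lines. Counting per login name as well as per IP is what still catches the spoofed-source variant mentioned under Obfuscation Techniques.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-style format (assumption); not taken from the page.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar 10 12:00:02 host sshd[102]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Mar 10 12:00:03 host sshd[103]: Failed password for bob from 203.0.113.5 port 50003 ssh2
Mar 10 12:00:04 host sshd[104]: Failed password for alice from 203.0.113.5 port 50004 ssh2
Mar 10 12:00:05 host sshd[105]: Failed password for invalid user admin from 203.0.113.5 port 50005 ssh2
Mar 10 12:00:06 host sshd[106]: Accepted password for carol from 198.51.100.7 port 50006 ssh2
Mar 10 12:30:00 host sshd[107]: Failed password for alice from 198.51.100.9 port 50007 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Return a list of (timestamp, username, source_ip) for each failed-login line."""
    records = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            records.append((ts, m["user"], m["ip"]))
    return records

def find_bursts(failures, by, threshold, window=timedelta(minutes=5)):
    """Group failures by 'user' or 'ip' and return {key: peak count} for every key
    whose failures inside any sliding window of length `window` reach `threshold`.
    Per-IP bursts catch one machine cycling through a wordlist; per-user bursts
    catch spoofed or distributed sources hammering a single account."""
    idx = {"user": 1, "ip": 2}[by]
    times_by_key = defaultdict(list)
    for rec in sorted(failures):
        times_by_key[rec[idx]].append(rec[0])
    flagged = {}
    for key, times in times_by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged
```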
Obfuscation Techniques
Employ IP spoofing to make it seem like login attempts are coming from different machines.
Solutions and Mitigations
Create a strong password policy and ensure that your system enforces this policy.
Implement an intelligent password throttling mechanism. Care must be taken to ensure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-02.
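Both mitigations above can be sketched in code: a policy check that rejects dictionary words (including the "treacherous"-style choice from the example and its simple leet/suffix variations), and a throttle that slows repeated failures without handing an attacker an account-lockout lever. This is an added example, not CAPEC's or any product's code; the five-word wordlist, the leet substitution table and the back-off parameters are constructed assumptions.

```python
from collections import defaultdict

# Constructed mini wordlist; a deployment would load a full dictionary file (assumption).
DICTIONARY = {"treacherous", "password", "welcome", "dragon", "sunshine"}
# Undo the common letter-for-symbol substitutions so simple variations are still caught.
LEET = str.maketrans("4301$@5!7", "aeolsasit")

def base_word(pw):
    """Lowercase, strip trailing digits/punctuation, then undo leet substitutions."""
    return pw.lower().rstrip("0123456789!@#$%^&*.").translate(LEET)

def password_policy_violations(pw, min_len=12):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if base_word(pw) in DICTIONARY:
        problems.append("dictionary word or a simple variation of one")
    return problems

class LoginThrottle:
    """Exponential back-off keyed on (source IP, username). Keying on the pair, rather
    than locking the account itself, keeps a third party from locking a victim out by
    deliberately failing logins from their own address (the CAPEC-02 concern above)."""
    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0):
        self.free, self.base, self.cap = free_attempts, base_delay, max_delay
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def allowed(self, ip, user, now):
        return now >= self.blocked_until.get((ip, user), 0.0)

    def record(self, ip, user, success, now):
        key = (ip, user)
        if success:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return
        self.failures[key] += 1
        excess = self.failures[key] - self.free
        if excess > 0:
            self.blocked_until[key] = now + min(self.cap, self.base * 2 ** (excess - 1))
```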
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.