In this attack, the attacker tries every possible value for a password
until they succeed. A brute force attack, if feasible computationally, will
always be successful because it will essentially go through all possible
passwords given the alphabet used (lower case letters, upper case letters,
numbers, symbols, etc.) and the maximum length of the password.
A system will be particularly vulnerable to this type of attack if it
does not have a proper enforcement mechanism in place to ensure that
passwords selected by users are strong passwords that comply with an
adequate password policy.
In practice a pure brute force attack on passwords is rarely used, unless
the password is suspected to be weak. Other password cracking methods exist
that are far more effective (e.g. dictionary attacks, rainbow tables,
etc.).
Attack Execution Flow

Explore

Determine application's/system's password policy: determine the password
policies of the target application/system.

Attack Step Techniques (ID, technique description, environments):
1. Determine minimum and maximum allowed password lengths. [env-All]
2. Determine format of allowed passwords (whether they are required or
   allowed to contain numbers, special characters, etc.). [env-All]
3. Determine account lockout policy (a strict account lockout policy will
   prevent brute force attacks). [env-All]

Indicators (ID, type, indicator description, environments):
1. Positive: Passwords are used in the application/system. [env-All]
2. Inconclusive: Passwords are not used for authentication; however, brute
   forcing of other protection mechanisms may also be possible. [env-All]
Exploit

Brute force password: given the finite space of possible passwords dictated
by the password policy determined in the previous step, try all possible
passwords for a known user ID until the application/system grants access.

Attack Step Techniques (ID, technique description, environments):
1. Manually or automatically enter all possible passwords through the
   application/system's interface. In most systems, start with the shortest
   and simplest possible passwords, because most users tend to select such
   passwords if allowed to do so. [env-All]
2. Perform an offline dictionary attack or a rainbow table attack against a
   known password hash. [env-All]

Indicators (ID, type, indicator description, environments):
1. Positive: Weak passwords allowed, and no account lockout policy
   enforced. [env-All]
2. Positive: Password hashes can be captured by attacker. [env-All]
3. Negative: Accounts locked out after small number of failed
   authentication attempts. [env-All]

Outcomes (ID, type, outcome description):
1. Success: Attacker determines correct password for a user ID and obtains
   access to application or system.
2. Failure: Attacker is unable to determine correct password for a user ID
   and obtain access to application or system.
3. Failure: Attacker locks out account while attempting to brute force its
   password.
Security Controls (ID, type, security control description):
1. Detective: Large number of authentication failures in logs.
2. Preventative: Enforce strict account lockout policies.
3. Preventative: Enforce strong passwords (having sufficient length and
   containing a mix of lower case and upper case letters, numbers, and
   special characters).
4. Corrective: Deny login attempts from sources that produce too many failed
   attempts. Note that this may cause problems where many users may have the
   same "source" as far as the application/system is concerned (e.g. a lot
   of users behind a NAT device).
Attack Prerequisites
An attacker needs to know a username to target.
The system uses password-based authentication as the one-factor
authentication mechanism.
An application does not have a password throttling mechanism in place. A
good password throttling mechanism will make it almost impossible
computationally to brute force a password, as it may either lock out the
user after a certain number of incorrect attempts or introduce time-out
periods. Both of these would make a brute force attack impractical.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Brute Force
Examples-Instances
Description
A system does not enforce a strong password policy and the user picks
a five-letter password consisting of lower case English letters only.
The system does not implement any password throttling mechanism.
Assuming the attacker does not know the length of the user's password,
an attacker can brute force this password in at most
1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17,576 + 456,976 + 11,881,376 =
12,356,631 attempts, and half of these tries (6,178,316) on average. Using
modern hardware this attack is trivial. If the attacker were to assume
that the user password could also contain upper case letters (and it was
case sensitive) and/or numbers, then the number of trials would have
been larger.
An attacker's job would most likely have been even easier because
many users who choose easy-to-brute-force passwords like this are also
likely to use a word that can be found in the dictionary. Since there
are far fewer valid English words containing up to five letters than
12,356,631, an attack that tries each of the entries in the English
dictionary would go even faster.
Description
A weakness exists in the automatic password generation routine of
Mailman prior to 2.1.5 that causes only about five million different
passwords to be generated. This makes it easy to brute force the
password for all users who decided to let Mailman automatically generate
their passwords for them. Users who chose their own passwords during the
sign up process would not have been affected (assuming that they chose
strong passwords).
Related Vulnerabilities
CVE-2004-1143
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
A brute force attack is very straightforward. A variety of password
cracking tools are widely available.
Resources Required
A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact
requirements will depend on the size of the brute force job and the time
requirement for completion. Some brute forcing jobs may require grid or
distributed computing (e.g. DES Challenge).
Indicators-Warnings of Attack
Description
Many incorrect login attempts are detected by the system.
Obfuscation Techniques
Description
Try to spoof IP addresses so that it does not look like the incorrect
log in attempts are coming from the same computer.
Solutions and Mitigations
Implement a password throttling mechanism. This mechanism should take into
account both the IP address and the login name of the user.
Put together a strong password policy and make sure that all user-created
passwords comply with it. Alternatively, automatically generate strong
passwords for users.
Passwords need to be recycled to prevent aging, that is, every once in a
while a new password must be chosen.
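The detective control (many authentication failures in the logs) and a throttling decision keyed on both the source address and the login name, as an added example that is not part of the CAPEC entry. The log format, the thresholds and the sample lines are constructed; the per-source threshold is deliberately kept above the per-account one so that the NAT situation noted under Security Controls does not punish every user behind one gateway.

```python
# Added example (not from the CAPEC entry): count authentication failures per
# account and per source within a window, then decide what to lock and what to
# deny. Log format, limits and sample lines are constructed assumptions.
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed log: 203.0.113.7 hammers alice and probes bob/carol, while a NAT
# gateway (198.51.100.20) carries ordinary traffic, typos included, for others.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth: FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z auth: FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth: FAIL user=bob src=198.51.100.20
2024-05-01T10:00:04Z auth: OK user=bob src=198.51.100.20
2024-05-01T10:00:05Z auth: FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06Z auth: FAIL user=bob src=203.0.113.7
2024-05-01T10:00:07Z auth: FAIL user=carol src=203.0.113.7
2024-05-01T10:00:08Z auth: FAIL user=carol src=198.51.100.20
2024-05-01T10:00:09Z auth: FAIL user=alice src=203.0.113.7
2024-05-01T10:00:10Z auth: FAIL user=bob src=203.0.113.7
2024-05-01T10:00:11Z auth: FAIL user=carol src=203.0.113.7
2024-05-01T10:00:12Z auth: FAIL user=alice src=203.0.113.7
2024-05-01T10:00:13Z auth: OK user=carol src=198.51.100.20
""".splitlines()

WINDOW = timedelta(minutes=10)
USER_LIMIT = 5  # failures per account in WINDOW before the account is locked
SRC_LIMIT = 8   # failures per source before the source is denied; higher than
                # USER_LIMIT so a few genuine typos behind a NAT never trip it

def parse(lines):
    """Yield (timestamp, result, user, src) for each well-formed log line."""
    for m in filter(None, map(LINE_RE.match, lines)):
        yield datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["result"], m["user"], m["src"]

def throttle_decisions(lines, now=None):
    """Count FAIL events per user and per source in WINDOW ending at `now`
    (default: latest event) and return what to lock and what to deny."""
    events = list(parse(lines))
    now = now or max(ts for ts, *_ in events)
    per_user, per_src = Counter(), Counter()
    for ts, result, user, src in events:
        if result == "FAIL" and now - WINDOW <= ts <= now:
            per_user[user] += 1
            per_src[src] += 1
    return {"locked_users": sorted(u for u, n in per_user.items() if n >= USER_LIMIT),
            "denied_sources": sorted(s for s, n in per_src.items() if n >= SRC_LIMIT),
            "failures_per_user": dict(per_user), "failures_per_src": dict(per_src)}
```

On the sample log only alice is locked and only 203.0.113.7 is denied; bob and carol stay usable and the NAT gateway, with two failures, is untouched.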