Password Brute Forcing
Attack Pattern ID: 49 (Standard Attack Pattern Completeness: Complete)
Typical Severity: High
Status: Draft
+ Description

Summary

In this attack, the attacker tries every possible value for a password until they succeed. A brute force attack, if computationally feasible, will always succeed, because it eventually goes through every possible password for the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum password length.

A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy.

In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.).

Attack Execution Flow

Explore
  1. Determine application's/system's password policy:

    Determine the password policies of the target application/system.

    Attack Step Techniques

    ID  Attack Step Technique Description                                             Environments
    1   Determine minimum and maximum allowed password lengths.                       env-All
    2   Determine format of allowed passwords (whether they are required or allowed   env-All
        to contain numbers, special characters, etc.).
    3   Determine account lockout policy (a strict account lockout policy will        env-All
        prevent brute force attacks).

    Indicators

    ID  Type          Indicator Description                                                        Environments
    1   Positive      Passwords are used in the application/system.                                env-All
    2   Inconclusive  Passwords are not used for authentication; however, brute forcing of other   env-All
                      protection mechanisms may also be possible.
Exploit
  1. Brute force password:

    Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.

    Attack Step Techniques

    ID  Attack Step Technique Description                                                     Environments
    1   Manually or automatically enter all possible passwords through the application/       env-All
        system's interface. In most systems, start with the shortest and simplest possible
        passwords, because most users tend to select such passwords if allowed to do so.
    2   Perform an offline dictionary attack or a rainbow table attack against a known         env-All
        password hash.

    Indicators

    ID  Type      Indicator Description                                                 Environments
    1   Positive  Weak passwords allowed, and no account lockout policy enforced.       env-All
    2   Positive  Password hashes can be captured by attacker.                          env-All
    3   Negative  Accounts locked out after small number of failed authentication       env-All
                  attempts.

    Outcomes

    ID  Type     Outcome Description
    1   Success  Attacker determines correct password for a user ID and obtains access to application or system.
    2   Failure  Attacker is unable to determine correct password for a user ID and obtain access to application or system.
    3   Failure  Attacker locks out account while attempting to brute force its password.

    Security Controls

    ID  Type          Security Control Description
    1   Detective     Large number of authentication failures in logs.
    2   Preventative  Enforce strict account lockout policies.
    3   Preventative  Enforce strong passwords (having sufficient length and containing a mix of lower case and upper case letters, numbers, and special characters).
    4   Corrective    Deny login attempts from sources that produce too many failed attempts. Note that this may cause problems where many users may have the same "source" as far as the application/system is concerned (e.g. a lot of users behind a NAT device).
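The detective control listed above (a large number of authentication failures in logs) can be implemented as a simple log sweep. The Python script below is an added example and not part of this CAPEC entry: it parses constructed auth-log lines in a hypothetical format, counts failures per (username, source address) pair inside a sliding time window, and separately flags pairs where a burst of failures was followed by a successful login, which is the outcome a defender most needs to review. The log format, the threshold of five failures and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the entry), in a hypothetical application auth-log format:
# "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:01 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:02 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:03 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:04 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:05 auth failure user=alice src=203.0.113.7
2024-01-01T10:00:06 auth success user=alice src=203.0.113.7
2024-01-01T10:05:00 auth failure user=bob src=198.51.100.4
2024-01-01T10:30:00 auth failure user=bob src=198.51.100.4
2024-01-01T11:00:00 auth success user=bob src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): peak count} for pairs with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "failure":
            failures[(user, src)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it lies within `window` of the newest failure.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(count, alerts.get(key, 0))
    return alerts


def success_after_burst(events, alerts):
    """Pairs that produced a burst and then logged in successfully: the highest-priority signal."""
    last_failure = {}
    for ts, result, user, src in events:
        if result == "failure" and (user, src) in alerts:
            last_failure[(user, src)] = max(ts, last_failure.get((user, src), ts))
    hits = {
        (user, src)
        for ts, result, user, src in events
        if result == "success" and (user, src) in last_failure and ts > last_failure[(user, src)]
    }
    return sorted(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    alerts = find_bursts(events)
    for (user, src), count in alerts.items():
        print(f"ALERT {count} failures for user={user} from src={src} within 10 minutes")
    for user, src in success_after_burst(events, alerts):
        print(f"REVIEW burst followed by successful login: user={user} src={src}")
```

Keying on the (username, source) pair rather than on the source alone keeps the NAT caveat from the Corrective control in mind: many legitimate users behind one address do not trip the rule unless they all fail against the same account. In the constructed sample, bob's two failures 25 minutes apart never fall inside one window, while alice's six failures followed by a success are flagged for review.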
+ Attack Prerequisites

An attacker needs to know a username to target.

The system uses password based authentication as the one factor authentication mechanism.

An application does not have a password throttling mechanism in place. A good password throttling mechanism makes it computationally almost impossible to brute force a password, because it either locks out the user after a certain number of incorrect attempts or introduces time-out periods. Either of these makes a brute force attack impractical.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Brute Force
+ Examples-Instances

Description

A system does not enforce a strong password policy and the user picks a five-letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the attacker does not know the length of the user's password, an attacker can brute force this password in at most 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and about half that (6,178,316) on average. Using modern hardware this attack is trivial. If the attacker had to assume that the user's password could also contain upper case letters (and it was case sensitive) and/or numbers, then the number of trials would have been larger.

An attacker's job would most likely have been even easier, because many users who choose passwords this easy to brute force are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words of up to five letters than 12,356,631, an attack that tries each entry in an English dictionary would finish even faster.

Description

A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords).

Related Vulnerabilities

CVE-2004-1143
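To make the arithmetic in the first example reusable, and to put the Mailman figure on the same scale, here is an added Python helper that is not part of this CAPEC entry. It computes the candidate space for an alphabet size and a minimum/maximum length (the entry's case, lengths 0 to 5 over 26 letters, reproduces the 12,356,631 figure), the average number of guesses, the entropy in bits, and the worst-case time to exhaust the space at an assumed guess rate. The policy list and the guess rate are constructed assumptions; the five-million figure is the entry's approximate value for Mailman's generator.

```python
import math


def keyspace(alphabet_size, max_len, min_len=0):
    """Number of candidate passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_attempts(space):
    """Average guesses needed when the password is uniformly distributed over the space."""
    return space / 2


def entropy_bits(space):
    """Bits of entropy of a value chosen uniformly from a space of the given size."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


# Constructed policies (alphabet size, max length, min length); these are assumptions, not from the entry.
POLICIES = {
    "lower case only, up to 5 chars (the entry's example)": (26, 5, 0),
    "lower case only, exactly 8 chars": (26, 8, 8),
    "mixed case and digits, exactly 8 chars": (62, 8, 8),
    "95 printable ASCII chars, exactly 12 chars": (95, 12, 12),
}

# Assumed guess rate; deliberately generous to the attacker so the comparison is conservative.
ASSUMED_GUESS_RATE = 1_000_000  # guesses per second


def report(policies=POLICIES, rate=ASSUMED_GUESS_RATE):
    """Return {policy name: (space, average attempts, entropy bits, seconds to exhaust)}."""
    out = {}
    for name, (alphabet, max_len, min_len) in policies.items():
        space = keyspace(alphabet, max_len, min_len)
        out[name] = (space, expected_attempts(space), entropy_bits(space), seconds_to_exhaust(space, rate))
    return out


if __name__ == "__main__":
    for name, (space, avg, bits, secs) in report().items():
        print(f"{name}: {space:,} candidates, {avg:,.0f} on average, "
              f"{bits:.1f} bits, {secs / 86400:.2f} days to exhaust at {ASSUMED_GUESS_RATE:,}/s")
    # The entry states that Mailman's generator produced only about five million distinct passwords.
    print(f"generator limited to 5,000,000 values: {entropy_bits(5_000_000):.1f} bits")
```

The point of the comparison is that the exponent matters more than the base: the Mailman-style generator caps a password at roughly 22 bits regardless of how long the generated string looks, whereas a 12-character password drawn from the printable ASCII set has well over 70 bits and is out of reach of exhaustive search.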

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

A brute force attack is very straightforward. A variety of password cracking tools are widely available.

+ Resources Required

A powerful enough computer for the job with sufficient CPU, RAM and disk. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).

+ Indicators-Warnings of Attack

Many incorrect login attempts are detected by the system.

+ Obfuscation Techniques

Try to spoof IP addresses so that it does not look like the incorrect login attempts are coming from the same computer.

+ Solutions and Mitigations

Implement a password throttling mechanism. This mechanism should take into account both the IP address and the login name of the user.
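One way to implement a throttling mechanism that keys on both the source address and the login name, as an added Python example rather than code from this entry or from any product it mentions: failures are tracked per (address, username) pair, so a single source hammering one account is locked out without blocking other users behind the same NAT address (the shared-source problem noted under the Corrective control), and a growing per-username delay slows an attack spread across many addresses without locking the account outright. The limits, delays, and the simulated scenario are assumptions.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Throttle login attempts by (source address, username) pair and by username alone.

    - Pair lockout: after `pair_limit` failures from one address against one account, that
      pair is refused for `lockout_seconds`. Other users at the same address are unaffected.
    - Per-user delay: every failure against an account, from any address, doubles a short
      waiting period (capped at `max_delay`) before the next attempt on that account.
    """

    def __init__(self, pair_limit=5, lockout_seconds=900, base_delay=1.0,
                 max_delay=60.0, clock=time.monotonic):
        self.pair_limit = pair_limit
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable for testing
        self.pair_failures = defaultdict(int)
        self.pair_locked_until = {}
        self.user_failures = defaultdict(int)
        self.user_not_before = {}

    def check(self, ip, user):
        """Return (allowed, reason). Call this before verifying the password."""
        now = self.clock()
        until = self.pair_locked_until.get((ip, user))
        if until is not None and now < until:
            return False, "locked"
        not_before = self.user_not_before.get(user)
        if not_before is not None and now < not_before:
            return False, "delay"
        return True, "ok"

    def record(self, ip, user, success):
        """Update counters after a password check; a success clears the account's state."""
        now = self.clock()
        if success:
            self.pair_failures.pop((ip, user), None)
            self.pair_locked_until.pop((ip, user), None)
            self.user_failures.pop(user, None)
            self.user_not_before.pop(user, None)
            return
        self.pair_failures[(ip, user)] += 1
        if self.pair_failures[(ip, user)] >= self.pair_limit:
            self.pair_locked_until[(ip, user)] = now + self.lockout_seconds
        self.user_failures[user] += 1
        delay = min(self.base_delay * 2 ** (self.user_failures[user] - 1), self.max_delay)
        self.user_not_before[user] = now + delay


def simulate():
    """Constructed scenario: one address fails three times against 'alice' while a NAT
    neighbour ('bob', same address) and a second address also try. Returns the decisions."""
    t = [0.0]  # fake clock, advanced by hand
    throttle = LoginThrottle(pair_limit=3, lockout_seconds=900, base_delay=1.0, clock=lambda: t[0])
    attacker, victim = "203.0.113.7", "alice"
    results = {}
    for _ in range(3):
        allowed, _reason = throttle.check(attacker, victim)
        if allowed:
            throttle.record(attacker, victim, success=False)
        t[0] += 5.0  # attempts spaced 5 s apart, longer than the per-user delay so far
    results["attacker_after_limit"] = throttle.check(attacker, victim)
    results["neighbour_same_ip"] = throttle.check(attacker, "bob")
    # A fourth failure against alice from another address: no pair lockout for that pair yet,
    # but the per-user delay (now 8 s) applies immediately.
    throttle.record("198.51.100.4", victim, success=False)
    results["victim_other_ip_immediately"] = throttle.check("198.51.100.4", victim)
    t[0] += 10.0
    results["victim_other_ip_later"] = throttle.check("198.51.100.4", victim)
    return results


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name}: {decision}")
```

The trade-off to keep in view is the third Outcome in the execution flow: any per-account control, including the delay here, can be turned into a denial of service against the legitimate user by an attacker who keeps failing on purpose, which is why the lockout is scoped to the (address, username) pair and only the much milder delay is applied per account.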

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively, automatically generate strong passwords for users.

Passwords need to be rotated to prevent aging; that is, every once in a while a new password must be chosen.
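The two preventative measures above, enforcing a policy on user-chosen passwords and generating passwords on the user's behalf, fit together in a few lines. The Python below is an added example and not code from this entry or from Mailman: a policy checker that reports every violation, and a generator that draws from the operating system's CSPRNG (the `secrets` module) over the full alphabet the policy allows, so the number of possible outputs is the full candidate space rather than a few million generator states. The policy values (12-character minimum, four required character classes) are assumptions.

```python
import secrets
import string

# Constructed policy (an assumption, not from the entry): minimum length and required classes.
POLICY = {
    "min_length": 12,
    "classes": {
        "lower case letter": string.ascii_lowercase,
        "upper case letter": string.ascii_uppercase,
        "digit": string.digits,
        "special character": string.punctuation,
    },
}


def check_policy(password, policy=POLICY):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    for name, chars in policy["classes"].items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems


def generate_password(length=16, policy=POLICY):
    """Draw a password from the OS CSPRNG over the union of the policy's character classes.

    Rejection sampling (redraw until the policy is met) keeps the result uniform over the
    compliant strings of the given length; with 94 characters and length 16 that is 94**16
    candidates, far beyond what exhaustive search can cover.
    """
    if length < policy["min_length"]:
        raise ValueError("requested length is below the policy minimum")
    alphabet = "".join(policy["classes"].values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate, policy):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Tr0ub4dor&3xyz"):
        print(f"{sample!r}: {check_policy(sample) or 'complies'}")
    print("generated:", generate_password())
```

A rejected draw is rare at length 16 (almost every random string of that length contains all four classes), so the loop terminates quickly; the check is kept in the loop rather than forcing one character from each class, because forcing positions would make the distribution non-uniform and shrink the space an attacker must search.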

+ Attack Motivation-Consequences
  • Privilege Escalation
+ Related Weaknesses
CWE-ID  Weakness Name                              Weakness Relationship Type
521     Weak Password Requirements                 Targeted
262     Not Using Password Aging                   Targeted
263     Password Aging with Long Expiration        Targeted
257     Storing Passwords in a Recoverable Format  Targeted
693     Protection Mechanism Failure               Targeted
+ Related Attack Patterns
Nature    Type            ID   Name                                          View(s) this relationship pertains to
ChildOf   Attack Pattern  112  Brute Force                                   Mechanism of Attack (primary) 1000
ParentOf  Attack Pattern  16   Dictionary-based Password Attack              Mechanism of Attack 1000
ParentOf  Attack Pattern  55   Rainbow Table Password Cracking               Mechanism of Attack 1000
ParentOf  Attack Pattern  70   Try Common (default) Usernames and Passwords  Mechanism of Attack (primary) 1000
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter         Organization   Date
Eugene Lebanidze  Cigital, Inc   2007-02-26
Modifications
Modifier          Organization   Date         Comments
Sean Barnum       Cigital, Inc   2007-03-01   Review and revision of content
Richard Struse    VOXEM, Inc     2007-03-26   Review and feedback leading to changes in Description and Related Attack Patterns
Sean Barnum       Cigital, Inc   2007-04-13   Modified pattern content according to review and feedback
Amit Sethi        Cigital, Inc.  2007-10-29   Added extended Attack Execution Flow