If you’re planning to take the Security+ exam, you should have a basic understanding of cryptographic attacks. This includes common password attacks that attempt to discover or bypass passwords used for authentication on systems and networks, and for different types of files.
For example, can you answer this question?
Q. An attacker has captured a database filled with hashes of randomly generated passwords. Which of the following attacks is MOST likely to crack the largest number of passwords in this database?
A. Dictionary attack
B. Birthday attack
C. Brute force attack
D. Rainbow tables
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Brute Force Attacks
A brute force attack attempts to guess all possible character combinations. The two types of brute force attacks are online and offline.
An online password attack attempts to discover a password from an online system. For example, an attacker can try to log on to an account by repeatedly guessing the username and password. Many tools are available that attackers can use to automate the process. For example, ncrack is a free tool that can be used to run online brute force password attacks.
Account lockout policies are used in Windows systems. They are effective against online brute force password attacks. An account lockout setting locks an account after the user enters the incorrect password a preset number of times. Individual services often have their own settings to prevent brute force attacks. For example, Secure Shell (SSH) can disconnect an attacker if he hasn’t logged on within 60 seconds and limit the number of authentication attempts per connection. These settings often thwart brute force attacks against these services.
Offline password attacks attempt to discover passwords from a captured database or captured packet scan. For example, when attackers hack into a system or network causing a data breach, they can download entire databases. They then perform offline attacks to discover the passwords contained within the databases.
One of the first steps to thwart offline brute force attacks is to use complex passwords and to store the passwords in an encrypted or hashed format. Complex passwords include a mix of uppercase letters, lowercase letters, numbers, and special characters. Additionally, longer passwords are much more difficult to crack than shorter passwords.
Dictionary Attacks
A dictionary attack is one of the original password attacks. It uses a dictionary of words and attempts every word in the dictionary to see if it works. A dictionary in this context is simply a list of words and character combinations.
Dictionaries used in these attacks have evolved over time to reflect user behavior. Today, they include many of the common passwords that uneducated users configure for their accounts. For example, even though 12345 isn’t a dictionary word, many people use it as a password, so character sets such as these have been added to many dictionaries used by dictionary attack tools.
These attacks are thwarted by using complex passwords. A complex password will not include words in a dictionary.
Birthday Attacks
A birthday attack is named after the birthday paradox in mathematical probability theory. The birthday paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday. This is not the same year, but instead one of the 365 days in any year.
In a birthday attack, an attacker is able to create a password that produces the same hash as the user’s actual password. This is also known as a hash collision.
A hash collision occurs when the hashing algorithm creates the same hash from different passwords. This is not desirable. As an example, imagine a simple hashing algorithm creates three-digit hashes. The password “success” might create a hash of 123 and the password “passed” might create the same hash of 123. In this scenario, an attacker could use either “success” or “passed” as the password and both would work.
Birthday attacks on hashes are thwarted by increasing the number of bits used in the hash to increase the number of possible hashes. For example, the MD5 algorithm uses 128 bits and is susceptible to birthday attacks. SHA-3 can use as many as 512 bits and it is not susceptible to birthday attacks.
Rainbow Table Attacks
Rainbow table attacks are a type of attack that attempts to discover the password from the hash. A rainbow table is a huge database of recomputed hashes. It helps to look at the process of how some password cracker applications discover passwords without a rainbow table. Assume that an attacker has the hash of a password. The application can use the following steps to crack it:
1. The application guesses a password (or uses a password from a dictionary).
2. The application hashes the guessed password.
3. The application compares the original password hash with the guessed password hash. If they are the same, the application now knows the password.
4. If they aren’t the same, the application repeats steps 1 through 3 until finding a match. From a computing perspective, the most time-consuming part of these steps is hashing the guessed password in step 2. However, by using rainbow tables, applications eliminate this step. Rainbow tables are huge databases of passwords and their calculated hashes. Some rainbow tables are as large as 160 GB in size, and they include hashes for every possible combination of characters up to eight characters in length. Larger rainbow tables are also available using more characters.
In a rainbow table attack, the application simply compares the hash of the original password against hashes stored in the rainbow table. When the application finds a match, it identifies the password used to create the hash (or at least text that can reproduce the hash of the original password). Admittedly, this is a simplistic explanation of a rainbow table attack, but it is adequate unless you plan on writing an algorithm to create your own rainbow table attack software.
Salting passwords is a common method of preventing rainbow table attacks, along with other password attacks such as dictionary attacks. A salt is a set of random data such as two additional characters. Password salting adds these additional characters to a password before hashing it. These additional characters add complexity to the password, and also result in a different hash than the system would create using only the original password. This causes password attacks that compare hashes to fail.
Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) use salting techniques to increase the complexity of passwords and thwart brute force and rainbow table attacks.
Q. An attacker has captured a database filled with hashes of randomly generated passwords. Which of the following attacks is MOST likely to crack the largest number of passwords in this database?
A. Dictionary attack
B. Birthday attack
C. Brute force attack
D. Rainbow tables
Answer is D. A rainbow table attack attempts to discover the password from the However, they use rainbow tables, which are huge databases of precomputed hashes.
A dictionary attack compares passwords against words in a dictionary of words, but a dictionary of words wouldn’t include randomly generated passwords.
A birthday attack relies on hash collisions. However, it wouldn’t necessarily be effective depending on what hashing algorithm is used.
A brute force attack attempts to guess all possible character combinations but is very time-consuming for each password.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on advanced attacks.