CAPEC-49: Password Brute Forcing
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
Execution Flow
Step 1: Explore
[Determine application's/system's password policy] Determine the password policies of the target application/system.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
Step 2: Exploit
[Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
- Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
- Perform an offline dictionary attack or a rainbow table attack against a known password hash.
Prerequisites
- An adversary needs to know a username to target.
- The system uses password based authentication as the one factor authentication mechanism.
- An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it computationally almost impossible to brute force a password, as it may either lock out the user after a certain number of incorrect attempts or introduce timeout periods. Both of these make a brute force attack impractical.
Skills Required
Resources Required
- A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).
Consequences
| Scope | Technical Impact |
|---|---|
| Confidentiality, Access Control, Authorization | Gain Privileges |
| Confidentiality | Read Data |
| Integrity | Modify Data |
Mitigations
Implement a password throttling mechanism. This mechanism should take into account both the IP address and the login name of the user.
Put together a strong password policy and make sure that all user-created passwords comply with it. Alternatively, automatically generate strong passwords for users.
Passwords need to be recycled to prevent aging; that is, every once in a while a new password must be chosen.
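The following is an added example of the first mitigation, not code from CAPEC. It throttles login attempts by three keys at once: the client IP, the username, and the (IP, username) pair, so that an attacker cannot evade the limit simply by rotating usernames from one address or by spreading guesses for one account across many addresses. After `max_failures` wrong passwords inside a sliding window, the key is locked out for a period that doubles on each repeat (both the lockout and the timeout behaviours named in the prerequisites above). The IP address, username, clock and policy numbers are constructed for illustration; the injectable clock exists only so the effect can be simulated offline.

```python
"""Login throttle keyed on client IP, username, and the (IP, username) pair.

Added example implementing the CAPEC-49 mitigation; it is not CAPEC's own code.
"""
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThrottlePolicy:
    max_failures: int = 5               # wrong passwords tolerated per window
    window_seconds: float = 300.0       # sliding window for counting failures
    base_lockout_seconds: float = 30.0  # first lockout; doubles on each repeat
    max_lockout_seconds: float = 900.0  # cap on the escalating lockout


class LoginThrottle:
    def __init__(self, policy: ThrottlePolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock  # injectable so behaviour can be simulated offline
        self._failures = defaultdict(list)    # key -> timestamps of recent failures
        self._locked_until = defaultdict(float)
        self._strikes = defaultdict(int)      # consecutive lockouts per key

    @staticmethod
    def _keys(ip: str, username: str):
        user = username.strip().lower()
        return (("ip", ip), ("user", user), ("pair", ip, user))

    def _prune(self, key, now: float) -> None:
        cutoff = now - self.policy.window_seconds
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def check(self, ip: str, username: str):
        """Return (allowed, retry_after_seconds). Call before verifying the
        password: a locked key means the password is not checked at all."""
        now = self.clock()
        retry_after = 0.0
        for key in self._keys(ip, username):
            retry_after = max(retry_after, self._locked_until[key] - now)
        return (retry_after <= 0.0, max(retry_after, 0.0))

    def record_failure(self, ip: str, username: str) -> None:
        now = self.clock()
        for key in self._keys(ip, username):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.policy.max_failures:
                self._strikes[key] += 1
                lockout = min(
                    self.policy.base_lockout_seconds * 2 ** (self._strikes[key] - 1),
                    self.policy.max_lockout_seconds,
                )
                self._locked_until[key] = now + lockout
                self._failures[key].clear()

    def record_success(self, ip: str, username: str) -> None:
        # A correct password clears the user-scoped keys only. The IP key is
        # kept on purpose: one success must not reset the budget of a source
        # that is cycling through many usernames.
        for key in self._keys(ip, username)[1:]:
            self._failures.pop(key, None)
            self._locked_until.pop(key, None)
            self._strikes.pop(key, None)


class FakeClock:
    """Constructed clock so the simulation below is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_online_guessing(policy: ThrottlePolicy, duration_seconds: int = 600,
                             guess_interval: float = 1.0):
    """One wrong password per `guess_interval` seconds against a single account
    from a single (constructed) IP. Returns (attempts_sent, passwords_checked)."""
    clock = FakeClock()
    throttle = LoginThrottle(policy, clock)
    attempts = checked = 0
    while clock.now < duration_seconds:
        attempts += 1
        allowed, _ = throttle.check("198.51.100.7", "alice")  # constructed values
        if allowed:
            checked += 1
            throttle.record_failure("198.51.100.7", "alice")  # every guess is wrong
        clock.advance(guess_interval)
    return attempts, checked


if __name__ == "__main__":
    sent, checked = simulate_online_guessing(ThrottlePolicy())
    print(f"{sent} attempts sent in 10 minutes, {checked} passwords actually checked")
```

With the default policy the ten-minute simulation evaluates only 25 of 600 submitted guesses, and each further lockout is longer than the last, which is what makes exhausting even a small password space impractical online. The remaining exposure is the offline case in the execution flow (a stolen hash), which this control cannot address; that is where the password policy and hash strength matter.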
Example Instances
A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1110.001 | Brute Force:Password Guessing |