"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks"
Ryan McDougall
St. Cloud State University
E-mail: [email protected]
About Me
• SCSU Student
• Student Network Administrator for Computer Networking Department
• Research Assistant in Business Computing Research Lab
Overview
• Accounts
• Audits on Accounts
• Dictionary Attacks
• Focus on Username vs. Password
• Dictionary creation for username emphasis
• Distributed attack scenario
Accounts
• Username
• Password (Security Control)
Passwords are a security control to prevent unauthorized access.
Auditing
Account auditing (in IT Security) is the proactive evaluation of the security controls in place to protect the accounts from unauthorized access.
How can you audit?
Dictionary Attacks
• Guessing possible user name and password combinations.
• Usually achieved with utilities that make a large number of attempts (e.g., THC Hydra).
• Use compilations of user names and passwords (dictionaries).
Dictionary Creation
• Commonly, when dictionaries are created, there tends to be more emphasis on passwords with common usernames
• Username vs. Password emphasis
• Rockyou.com incident
  – A breach led to the release of 32 million passwords.
Rockyou.com Incident
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
Rockyou.com Incident
“If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.”
Dictionary Creation
• Considering the Rockyou.com incident, there is reason to believe it might be more efficient to use dictionaries that put heavy emphasis on usernames.
• We can write a simple program, which I choose to write in C++.
Dictionary Creation
• This program takes input files and uses nested for loops and arrays of records to piece the username dictionaries together.
• The output with this proof of concept is in the format (x1y1y2y3…yn) where x is the first letter of a first name and y1-yn are the characters that make up a last name.
• This can be easily adjusted for different user name formats.
Sample Output
***This only shows a small section of the ‘a’ first name combinations***
Distributed Attack Scenario
• A distributed method will provide a more efficient attack.
• Dictionaries are divided up between attackers using ‘chunking’.
• May aid in avoiding security controls put in place to ban accounts/IP addresses.
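A defender's view of the scenario above, as an added example that is not from the slides: a per-address ban threshold misses sources that each stay under the limit, so this Python code groups sshd failures by source and flags sources whose guessed usernames never overlap. The log lines are constructed, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH failure line: "Failed password for [invalid user ]NAME from IP port N ssh2"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def analyze(lines, per_ip_limit=5, total_limit=12, min_sources=3):
    """Summarise failed logins per source and flag a chunked, distributed guess run.

    per_ip_limit models a per-address ban threshold; all three limits are
    assumed tuning values, not taken from the slides.
    """
    users_by_ip = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            users_by_ip[ip].append(user)

    total = sum(len(u) for u in users_by_ip.values())
    banned = sorted(ip for ip, u in users_by_ip.items() if len(u) >= per_ip_limit)
    quiet = {ip: u for ip, u in users_by_ip.items() if len(u) < per_ip_limit}

    # Chunking signature: sources that stay under the ban limit and whose username
    # sets never overlap, i.e. each address works through its own slice of one list.
    guesses = [name for u in quiet.values() for name in set(u)]
    disjoint = len(guesses) == len(set(guesses))
    distributed = (len(quiet) >= min_sources
                   and sum(len(u) for u in quiet.values()) >= total_limit
                   and disjoint)
    return {"total": total, "banned": banned,
            "quiet_sources": sorted(quiet), "distributed": distributed}

def sample_log():
    """Constructed sshd lines: four sources, four first-initial+last-name guesses each."""
    names = ["aadams", "aallen", "abaker", "abrown", "aclark", "adavis", "aevans",
             "agreen", "ahall", "ahill", "ajones", "aking", "alee", "alewis",
             "amoore", "awhite"]
    ips = ["203.0.113.10", "203.0.113.20", "198.51.100.7", "198.51.100.9"]
    lines = [f"Mar  3 10:00:{i:02d} host sshd[100]: Failed password for invalid user "
             f"{n} from {ips[i // 4]} port 40000 ssh2" for i, n in enumerate(names)]
    # One noisy source that a per-address ban does catch.
    lines += [f"Mar  3 10:20:{i:02d} host sshd[100]: Failed password for root from "
              f"192.0.2.50 port 40001 ssh2" for i in range(6)]
    return lines

if __name__ == "__main__":
    print(analyze(sample_log()))
```

On the constructed sample only the noisy address reaches the per-address limit, while the four quiet sources are reported together as one distributed run.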
Q/A
• Any questions?