Currently in the *nix world, dictionary cracking is the most popular exploit. The FAQ of this work states that this is not a treasure map for folks who want to do damage. We have included the footnote to John the Ripper88 because the download site appears right at the top of Google; so, we are not giving anything away here. John The Ripper works on both DOS and UNIX based systems and a CD can be ordered that contains 20 different languages. It is a whopping $15 USD airmailed to any address in the world. A popular non-free (after 15-day trial) package that can be used to audit Windows NT and 2000 passwords for susceptibility to dictionary attacks is LC4 (aka L0phtCrack 4), by @Stake.89
By comparing a large number of common words sorted by popularity, the dictionary attack can be quite effective. Additionally, dont think youre safe from dictionary attacks if you tack a # or 4 on the end of your password, because dictionary attacks arent limited to just trying words that are in the dictionary. Its common for dictionary attack programs to also prepend and append special characters and letters to dictionary words, or even make common numeric/symbol substitutions for letters such as 0 for o and ! for I or L, when trying to determine a password.
Both dictionary and brute force password guessing attacks can be carried out in one of two ways, one more difficult to detect than the other:
The first is typically more of a threat since it is more likely to be accomplished without triggering any system alarms, and thus go undetected until the intruder uses one of the cracked passwords. It does, however, require that the user have access to the encrypted password values (possible on Windows via tools like LC4, and on UNIX systems that are not configured to use shadow passwords). Fortunately, this approach doesnt work everywhere.
The second method is still a threat, but normally systems can be configured to lock out accounts after a certain number of invalid password attempts, to help prevent attacks that involve password guessing.
Be aware that depending on what applications are in use on your system, it may be possible to perform validation without logging any incorrect attempts, and thus not alerting anyone to the attack. How? Some network-based and web-based applications request user ID/password information.
In some cases, this information is validated against OS user and password information using OS validation functions but unlike the OS logon validation program, the application doesnt write entries into system logs when it encounters invalid user/password combinations, or lock out a user from further attempts after a certain number of unsuccessful tries. This is yet another example of how additional services and applications installed on a system can increase its vulnerability.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.