Dictionary Password Attacks
Notes
- A while ago, we saw that brute force attacks against a password are workable, but can be defeated with rules like
  - minimum password length
  - minimum password dictionary requirements
  - maximum password life
- A dictionary attack is a second form of password attack
  - This takes a dictionary and tries all of the words against a password file
  - Or applies a set of rules to mutate the dictionary and tries these as well.
- A tool for dictionary attack is John the Ripper
  - Open source and wow has it grown over the years
  - It does what we are going to talk about here and more.
- Dictionaries
  - known words in a language, any language (We will download a dictionary in the lab)
  - plus specialized terms.
  - And previously discovered passwords. (/usr/share/john/password.lst)
- Rules
  - For John the Ripper
    - r: reverse the current word (hello -> olleh)
    - r p: reverse the current word and pluralize it (hello -> ollehs)
    - I believe x** will try all substrings of the word
    - I believe l Q will convert the word to lowercase, and reject it if it has been tried.
    - I believe /?v V Q:
      - reject a word (/?) if it does not contain a vowel (?v)
      - make vowels lowercase, consonants uppercase (V)
      - throw away the word if we have tried it (Q)
    - R Q seems to do a one key off to the right
      - (Really weird charset conversions like "england" -> rmh;smd)
      - shift each character by 1 (R) -> keyboard
  - Look at the rules reference.
  - Look at the simple commands section
  - later we will look at /etc/john/john.conf
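As an added example that is not part of these notes or of John the Ripper itself, here is a small Python re-implementation of the rule commands listed above (r, p, l, Q, /?v, V, R), run over a constructed wordlist and then used the way a defender would: to check whether a proposed password is merely a rule mutation of a dictionary word. The p rule simply appends an s here (John's own pluralizer also handles -es and -ies), and the keyboard map covers only the unshifted US layout.

```python
# Added example, not from these notes or from John the Ripper itself: a minimal
# re-implementation of the rule commands above (r, p, l, Q, /?v, V, R), used
# defensively to check whether a proposed password is just a rule mutation of a
# dictionary word. Wordlist, rule list and keyboard layout are constructed here.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
RIGHT_OF = {r[i]: r[i + 1] for r in KEYBOARD_ROWS for i in range(len(r) - 1)}
VOWELS = "aeiou"  # John's ?v class, compared case-insensitively here

def apply_rule(rule, word):
    """Apply a space-separated rule string; return None if the word is rejected."""
    cur = word
    for cmd in rule.split():
        if cmd == "r":      # reverse the word
            cur = cur[::-1]
        elif cmd == "p":    # pluralize (simplified: John also handles -es/-ies)
            cur += "s"
        elif cmd == "l":    # lowercase
            cur = cur.lower()
        elif cmd == "V":    # vowels lowercase, consonants uppercase
            cur = "".join(c.lower() if c.lower() in VOWELS else c.upper() for c in cur)
        elif cmd == "R":    # shift each character one key to the right (US layout)
            cur = "".join(RIGHT_OF.get(c, c) for c in cur)
        elif cmd == "Q" and cur == word:  # reject unless the rules so far changed it
            return None
        elif cmd == "/?v" and not any(c in VOWELS for c in cur.lower()):
            return None     # reject unless the word contains a vowel
        elif cmd not in (":", "Q", "/?v"):  # ":" is John's no-op rule
            raise ValueError("unsupported rule command: " + cmd)
    return cur

def candidates(words, rules):
    """Every distinct candidate a dictionary attack with these rules would try."""
    seen = []
    for word in words:
        for rule in rules:
            cand = apply_rule(rule, word)
            if cand is not None and cand not in seen:
                seen.append(cand)
    return seen

def derived_from_dictionary(password, words, rules):
    """Defensive check: would the dictionary attack above produce this password?"""
    return password in candidates(words, rules)

WORDS = ["hello", "england", "Password", "xyz"]     # constructed wordlist
RULES = [":", "r", "r p", "l Q", "/?v V Q", "R Q"]   # the rules from the notes
```

Run against a real wordlist, derived_from_dictionary is a cheap pre-check for a password-change hook: any password it flags would fall to the first rule pass of a dictionary attack.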
- Other sources
  - At one time the unix password file contained much more information about the users
    - full name
    - room and building
    - home and office telephone.
  - John uses the GECOS field if present.
- John the Ripper
  - Works in many environments
  - Works with many different forms of hashes
  - Can work in parallel
  - Saves intermediate work files, so it can be interrupted and restarted
  - Can target a single user, or an entire password file.