"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks" Ryan McDougall St. Cloud State University
About Me
  SCSU Student
  Student Network Administrator for Computer Networking Department
  Research Assistant in Business Computing Research Lab
Overview
  Accounts
  Audits on Accounts
  Dictionary Attacks
  Focus on Username vs. Password
  Dictionary creation for username emphasis
  Distributed attack scenario
Accounts
  Username
  Password (Security Control)
  Passwords are a security control to prevent unauthorized access.
Auditing
  Account auditing (in IT Security) is the proactive evaluation of the security controls in place to protect the accounts from unauthorized access.
  How can you audit?
Dictionary Attacks
  Guessing possible user name and password combinations.
  Usually carried out with utilities that make a large number of attempts (e.g. THC Hydra).
  These utilities use compilations of user names and passwords (dictionaries).
Dictionary Creation
  When dictionaries are created, the emphasis tends to be on passwords, paired with common usernames.
  Username vs. Password emphasis
  Rockyou.com incident: a breach led to the release of 32 million passwords.
Rockyou.com Incident
  “If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.”
Dictionary Creation
  Considering the Rockyou.com incident, there is reason to believe it might be more efficient to use dictionaries that put heavy emphasis on usernames.
  We can write a simple program to build such dictionaries, which I chose to write in C++.
Dictionary Creation
  This program takes input files and uses nested for loops and arrays of records to piece the username dictionaries together.
  The output of this proof of concept has the format $(x_1 y_1 y_2 y_3 \ldots y_n)$, where $x_1$ is the first letter of a first name and $y_1$ to $y_n$ are the characters that make up a last name.
  This can be easily adjusted for different user name formats.
Sample Output
  ***This shows only a small section of the ‘a’ first-name combinations***
Distributed Attack Scenario
  A distributed method will provide a more efficient attack.
  Dictionaries are divided up between attackers using ‘chunking’.
  Chunking may also aid in avoiding security controls put in place to ban accounts/IP addresses.
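Added example (not part of the original slides): an auditor's view of the chunked scenario above, showing why a per-source ban threshold stays silent while an aggregate count of distinct usernames across sources raises an alert. The log lines are constructed in sshd's failed-password format with documentation addresses, and the thresholds (5 failures per source, 10 usernames, 3 sources) are assumptions, not values from the presentation.

```python
import re
from collections import Counter, defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Constructed sample: each RFC 5737 source tries its own chunk of initial+surname names.
CHUNKS = {
    "192.0.2.10": ["aanderson", "abrown", "aclark"],
    "198.51.100.7": ["adavis", "aevans", "afoster"],
    "203.0.113.5": ["agarcia", "aharris", "ajones"],
    "192.0.2.77": ["aking", "alee", "amiller"],
}
SAMPLE_LOG = [
    f"Jan 10 03:00:{n:02d} host sshd[4242]: Failed password for invalid user {user} from {ip} port 40000 ssh2"
    for n, (ip, user) in enumerate((ip, u) for ip, users in CHUNKS.items() for u in users)
]
# Constructed noise: a legitimate user mistypes a password twice, then logs in.
SAMPLE_LOG += [
    "Jan 10 03:01:00 host sshd[4242]: Failed password for jdoe from 198.51.100.200 port 40000 ssh2",
    "Jan 10 03:01:05 host sshd[4242]: Failed password for jdoe from 198.51.100.200 port 40000 ssh2",
    "Jan 10 03:01:09 host sshd[4242]: Accepted password for jdoe from 198.51.100.200 port 40000 ssh2",
]

def parse_failures(lines):
    """Return (source_ip, username) for every failed-password line."""
    return [(m.group(2), m.group(1)) for m in map(FAILED.search, lines) if m]

def per_source_alerts(events, max_failures=5):
    """What a per-IP ban rule sees: sources at or above the failure limit (assumed 5)."""
    counts = Counter(src for src, _ in events)
    return sorted(src for src, n in counts.items() if n >= max_failures)

def distributed_alert(events, min_users=10, min_sources=3):
    """Aggregate view of one time window: distinct usernames across all sources."""
    sources_by_user = defaultdict(set)
    for src, user in events:
        sources_by_user[user].add(src)
    sources = {src for src, _ in events}
    # Usernames tried by exactly one source: a high share is consistent with chunking.
    single = sum(1 for s in sources_by_user.values() if len(s) == 1)
    return {
        "sources": len(sources),
        "distinct_users": len(sources_by_user),
        "single_source_share": single / len(sources_by_user) if sources_by_user else 0.0,
        "alert": len(sources_by_user) >= min_users and len(sources) >= min_sources,
    }

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(per_source_alerts(events), distributed_alert(events))
```

The sample is treated as a single time window; a production rule would bucket events by timestamp before applying the aggregate check.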
Q/A
  Any questions?