6

I was watching a security vid on Irongeek the other day (I immediately lost track of which specific vid, unfortunately) where the creator gave some interesting advice about doing live password guessing against a remote machine during a pen test. The advice was this: using the "traditional" approach of picking one or a few user accounts and then hitting them with a sizable dictionary of common passwords is usually a poor way to go about things. As an alternative, the author suggests what is basically the opposite approach. Meaning: choose a very small database of the most common passwords and run it against a large list of users. The argument being that you're more likely to be successful, in terms of breaching at least one account, if you try 100 extremely common passwords against 100 accounts than if you try 10,000 common passwords against one account.

My question: what are the advantages and disadvantages of using this approach in a password audit or pen test vs. the approach of attacking one/a few accounts in-depth? The most obvious disadvantage is, well, obvious: if you want or need to target a specific user's account this approach is probably off-the-table. On the other hand, it does seem plausible to me that if you're just looking for gaining entry into one or two accounts of any kind in an organization that has, say, at least a few hundred users this might well be a more effective tactic. And maybe, in some circumstances, it might also make dealing with login-attempt throttling/ lockout protections easier.

But my personal expertise in password hacking isn't very deep. So, I'll ask those who know more than I: What are other significant practical advantages & disadvantages of using this approach vs. hitting a few accounts with lots of passwords? What are some other common circumstances where it does make sense to use one tactic or the other?

mostlyinformed
    All good answers above, but just to summarize: if you're spearing, i.e. going after a particular target, then of course you use many passwords to one username. But if all you want is access to as many as possible, then go for the few-passwords-to-many-accounts approach. – user92592 Dec 07 '15 at 10:12

5 Answers

7

There are huge advantages to having access to any account on a system, even if you'd like access to a specific account. I will not detail methods to hide a system wide user base password attack here, however it's possible. Then, a direct attack against a specific account can be done. A random account on a system allows:

  1. Access to any internal information like a user directory, phone numbers, email or snail mail addresses, etc.
  2. If corporate, employee relationships (manager - direct reports), department names, high-level managers.
  3. If corporate, internal servers (email, bug database, source code, employee facing financial systems, call centers, etc.).
  4. If corporate, password may be useful for VPN login and subsequent network mapping.
  5. Access to system or internal servers may allow code injection into the server (not possible without an account). For example, XSS attack or SQL injection attack. Some code injections may lay traps for users when logging in or accessing a system. Other code injections may break system security and provide access to backend databases.
  6. Some poorly secured systems are subject to deep linking attacks (hacking the URL to skip over application security) and depend upon the friendliness of the user base not to hack the URL. An outside attacker with access to an account may find these holes.
  7. Surveillance of any specific accounts to attack (username, personal information useful for password guessing, phishing of managers, underlings, assistants).
  8. Knowledge of internal systems, data and employees creates incredible potential for a wide range of phishing attacks on all employees including electronic, telephone and physical (vendors, contractors) and may allow granting of new credentials (user account) possibly with very high access privileges.

A single internal account on any system can prove extremely valuable in the hands of a knowledgeable, creative and dedicated attacker.

If 99% of accounts have fantastic password security, and 1% lousy, attacking a handful of accounts would most likely miss the easily penetrated ones. Sweeping them all will more than likely catch something at which point attacker gets to try all of the above.

Andrew Philips
  • "If 99% of accounts have fantastic password security, and 1% lousy, attacking a handful of accounts would most likely miss the easily penetrated ones. Sweeping them all will more than likely catch something at which point attacker gets to try all of the above. " Yeah, that's a really good point. In every organization I can dream up in my head at least a few percent of employees are going to be absolutely reliable at using horrible passwords. Even ultra-security conscious places like Symantec or the NSA are still going to have people in their ranks like. And most orgs far, far more. – mostlyinformed Dec 08 '15 at 05:32
  • To not take advantage of those people's extremely bad password habits via a broad attack would seem like leaving opportunities on the table. And I certainly take your points about the sheer value that can come from just getting inside the perimeter, even with a relatively low-privileged account. – mostlyinformed Dec 08 '15 at 05:41
  • @halfinformed, just to blow your mind, check out my [answer](http://security.stackexchange.com/a/107189/13857) to the question *Complex password rules - is there any sense?*. Actually, I don't think these two discussions are incompatible. When user IDs are well known, password complexity is vital (the only entropy). When user IDs are assigned and *not public*, password complexity is less important (entropy = UID+PWD). Check out Section 2 of the paper [Do Strong Web Passwords Accomplish Anything?](http://research.microsoft.com/pubs/74162/hotsec07.pdf). – Andrew Philips Dec 08 '15 at 11:10
3

If I understand you correctly, you are asking what the pros and cons of few-username-many-password vs. many-username-few-password are? Am I correct? What I can think of is that if you try many passwords against the same username, you are likely to get yourself locked out after a few wrong attempts. On the other hand, as long as your failed attempts on each account/username are below the threshold, you are not likely to lock yourself out. Furthermore, even if you do get yourself locked out, after you have finished circulating through all the accounts and come around again, the account which originally locked you out might have automatically unlocked by then.

xyz
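The lockout-threshold point in this answer has a defender's mirror image: a per-account lockout counter never fires on a many-usernames-few-passwords sweep, because each account only sees one or two failures, so detection has to count distinct accounts failed per source instead. The following is an added example (not code from any of the answers or their authors) that runs that logic over a few constructed syslog-style lines; the line format, the IP addresses (documentation ranges), the usernames and the two thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the original page.
LOCKOUT_THRESHOLD = 5   # failures on one account at which lockout would trigger
SPRAY_MIN_USERS = 4     # distinct accounts failed from one source before we call it a spray

# Constructed log format for the example: "<timestamp> <user> <source-ip> <OK|FAIL>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<result>OK|FAIL)$")

# Constructed sample lines (documentation IP ranges, made-up users), three scenarios:
#  - 203.0.113.7:  one password tried against six accounts, one succeeds (spray)
#  - 198.51.100.9: six failures against a single account (classic brute force)
#  - 192.0.2.10:   one typo, then a successful login (benign)
SAMPLE_LOG = """\
2015-12-07T10:00:01 alice 203.0.113.7 FAIL
2015-12-07T10:00:03 bob 203.0.113.7 FAIL
2015-12-07T10:00:05 carol 203.0.113.7 FAIL
2015-12-07T10:00:07 dave 203.0.113.7 FAIL
2015-12-07T10:00:09 erin 203.0.113.7 FAIL
2015-12-07T10:00:11 frank 203.0.113.7 OK
2015-12-07T10:01:00 alice 198.51.100.9 FAIL
2015-12-07T10:01:02 alice 198.51.100.9 FAIL
2015-12-07T10:01:04 alice 198.51.100.9 FAIL
2015-12-07T10:01:06 alice 198.51.100.9 FAIL
2015-12-07T10:01:08 alice 198.51.100.9 FAIL
2015-12-07T10:01:10 alice 198.51.100.9 FAIL
2015-12-07T10:05:00 gina 192.0.2.10 FAIL
2015-12-07T10:05:20 gina 192.0.2.10 OK
"""


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    """Per source IP: failure count per user, plus the set of users that logged in."""
    stats = defaultdict(lambda: {"fails": defaultdict(int), "successes": set()})
    for e in events:
        if e["result"] == "FAIL":
            stats[e["src"]]["fails"][e["user"]] += 1
        else:
            stats[e["src"]]["successes"].add(e["user"])
    return stats


def classify(stats):
    """Label each source. A spray keeps every account's failure count below
    LOCKOUT_THRESHOLD, so the tell is the number of distinct accounts failed
    from one source, not the depth on any single account."""
    verdicts = {}
    for src, s in stats.items():
        per_user = s["fails"]
        max_per_user = max(per_user.values(), default=0)
        if max_per_user >= LOCKOUT_THRESHOLD:
            kind = "brute-force"
        elif len(per_user) >= SPRAY_MIN_USERS:
            kind = "spray"
        else:
            kind = "benign"
        verdicts[src] = {
            "kind": kind,
            "distinct_users_failed": len(per_user),
            "max_failures_per_user": max_per_user,
            # a success from a spraying source is the account to go and reset
            "successes": sorted(s["successes"]),
        }
    return verdicts


def analyze(text):
    return classify(summarize_by_source(parse_log(text)))


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(src, verdict)
```

Grouping by source IP is the simplest cut; a sweep spread over many source addresses, or one that waits longer than a lockout window between rounds (as xyz describes), will not show up here. For that case the same count of distinct accounts failed is taken over a time window across all sources, and a sudden rise in that figure is the alert.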
2

My immediate concern with your question echoes what @wie mentions in his answer:

"you are likely to get yourself lock out after a few wrong attempts."

If this is a concern, I would build a list of passwords and loop through each password for every user you want to try to crack. Use a time delay between each attempt and just let it run through. Depending on the list of users, one loop might take minutes or hours, but a longer time between attempts will help you not get locked out or detected quite as easily.

From @Lexu:

"If you can't find a password under the top 500 passwords it's likely that you also won't find it under the top 1000. (I think the average user uses either a strong password or an incredibly weak one. Not much between these two options.)"

Beyond these questions: Does the organization have a password policy? This will enhance the complexity of the passwords you choose to test against--and hopefully rule out the use of a large subset of more simple passwords (and reduce the password set that you're using to a much smaller, and yet more complex and difficult subset of all passwords available).

Additionally, it might be wise to consider the organization that you're testing, and what types of accounts and systems you want access to. For example, if you're at some state university you might consider looking for variations of the mascot for the password. Or maybe a sport or art is a big thing there. Test against "sport" or "sports team" and their variations. Or maybe you're testing a company that makes spatulas. 'spatula' and permutations (and other combinations of the word) might be a good password to test against. Get the picture?

Finally, to address your original question more directly:

"My question: what are the advantages and disadvantages of using this approach in a password audit or pen test vs. the approach of attacking one/a few accounts in-depth?"

If you know what accounts you want (which is unlikely if you're attacking as an outsider to the organization), it would be much faster to attack only them using a huge list of password combinations and permutations.

However, if you are just trying to find a pivot point, it would be much more efficient (and more likely to succeed) to test a small number of passwords (tailored to the organization) and try to find important accounts or possible pivot points. You would be far less likely to succeed if you target specific accounts without any social engineering to augment your efforts.

Summarily: It is a difference in likelihood of success. Try the easiest and most complete method first. If that fails, then apply more concentrated, in-depth effort towards your goal.

Hope this is helpful!

  • Some good advice about tailoring the password list/s you use to what you know about the org's password policies, local universities (hadn't thought of that one before, actually) & other local factors, etc. Also, the reference to social engineering (along with a couple of the other answers) makes me think of possible "combination" approaches where one can launch broad attacks to get toeholds inside the target's perimeter then use information/intelligence you collect as a result to prepare one or more really good-quality, narrowly-targeted spearphishing attacks against high-access personnel. – mostlyinformed Dec 08 '15 at 05:13
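The password-policy and organization-specific-word points in this answer (mascot, sports team, product name) and Lexu's "top 500" remark have a defensive counterpart: a blocklist check at password-set time that rejects a candidate whose base word is a common password or an organization word, regardless of the digits, punctuation and leet substitutions wrapped around it. The following is an added example, not code from the answer's author or from any product; the organization word list, the short common-password excerpt and the substitution map are constructed assumptions standing in for the real lists a deployment would use.

```python
import re

# Constructed organization context words (assumption for the example).
ORG_CONTEXT_WORDS = {"bulls", "spatula", "acme"}

# Constructed excerpt standing in for a real "top N" common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Common character substitutions undone before comparison (assumed map).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a candidate to its base word: lowercase, drop leading/trailing
    digits and punctuation, then undo leet substitutions inside the word,
    so 'Bulls2015!' -> 'bulls' and 'Sp4tula#1' -> 'spatula'."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # strip non-letter edges first
    return p.translate(LEET_MAP)              # then undo substitutions inside


def check_password(password, context_words=ORG_CONTEXT_WORDS,
                   common=COMMON_PASSWORDS):
    """Return (accepted, reason). Rejects candidates that are, or are built on,
    a common password or an organization-specific word."""
    raw = password.lower()
    base = normalize(password)
    # all-digit candidates normalize to "", so check the raw form as well
    if raw in common or base in common:
        return (False, "matches a common password")
    if base in context_words:
        return (False, "built on an organization-specific word")
    for word in context_words:
        if len(word) >= 4 and word in base:
            return (False, "contains an organization-specific word")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["Bulls2015!", "Sp4tula#1", "P@ssw0rd", "123456",
                      "GoBullsGo", "correct-horse-battery-staple"]:
        print(candidate, check_password(candidate))
```

The check is deliberately lenient about what counts as a substitution: it only has to catch the variations a person reaches for when a policy forces a digit or symbol onto a word they already use, which is exactly the population the answers above describe as the easy hits.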
1

If you can't find a password under the top 500 passwords it's likely that you also won't find it under the top 1000. (I think the average user uses either a strong password or an incredibly weak one. Not much between these two options.)

But depending on the system you might have a limited amount of accounts.

Use many-username-few-passwords when you have many users and just need one, and use few-username-many-passwords when you have a limited number of usernames.

Lexu
  • Yeah, the utility of the broad approach where you have relatively few known user accounts might be much more limited. Hmm... – mostlyinformed Dec 08 '15 at 05:18
0

Back when I started working in IT, Jordan was still playing basketball. A security company doing an audit in Chicago got into 40% of computers by sitting down and typing "Bulls" as the password with no other knowledge.

Based on that, I'd say it's smarter to try weak passwords everywhere and see who has one rather than a targeted attack - IF all you're looking for is initial access to the system.

baldPrussian