Capec-16 Detail
Dictionary-based Password Attack
Abstraction: Detailed | Domain: Software | Likelihood of Attack: Medium | Typical Severity: High
Parents: 49
Threats: T71 T263 T271 T279 T292 T307 T385 T398
Tools: 19
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-16 | capec | https://capec.mitre.org/data/definitions/16.html | |
| CWE-521 | cwe | http://cwe.mitre.org/data/definitions/521.html | |
| CWE-262 | cwe | http://cwe.mitre.org/data/definitions/262.html | |
| CWE-263 | cwe | http://cwe.mitre.org/data/definitions/263.html | |
| CWE-654 | cwe | http://cwe.mitre.org/data/definitions/654.html | |
| CWE-307 | cwe | http://cwe.mitre.org/data/definitions/307.html | |
| CWE-308 | cwe | http://cwe.mitre.org/data/definitions/308.html | |
| CWE-309 | cwe | http://cwe.mitre.org/data/definitions/309.html | |
Explore

- Determine application's/system's password policy: Determine the password policies of the target application/system.

| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |

- Select dictionaries: Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)

| Techniques |
|---|
| Select dictionary based on particular users' preferred languages. |
| Select dictionary based on the application/system's supported languages. |

- Determine username(s) to target: Determine username(s) whose passwords to crack.

| Techniques |
|---|
| Obtain username(s) by sniffing network packets. |
| Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not). |
| Obtain usernames from filesystem (e.g. list of directories in C:\Documents and Settings\ in Windows, and list in /etc/passwd in UNIX-like systems). |
Exploit

- Use dictionary to crack passwords: Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

| Techniques |
|---|
| Try all words in the dictionary, as well as common misspellings of the words, as passwords for the chosen username(s). |
| Try common combinations of words in the dictionary, as well as common misspellings of the combinations, as passwords for the chosen username(s). |
Prerequisites

- The system uses one-factor, password-based authentication.
- The system does not have a sound password policy that is being enforced.
- The system does not implement an effective password throttling mechanism.

Resources Required

- A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.
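The prerequisites above name the two missing controls that make the pattern work: no enforced password policy (the "treacherous" example instance below, and the Explore step that checks whether dictionary words are allowed) and no throttling of failed logins (CWE-307). The following is an added example, not code from the CAPEC entry or from MITRE, showing what both controls look like in a small login service: a set-password check that rejects dictionary words and their trivial leet/digit-suffix variants, and a per-account throttle that locks the account for a window after repeated failures. The wordlist, the `AuthService`/`LoginThrottle` names and the lockout parameters are all constructed for the example, and the PBKDF2 iteration count is lowered so the demo runs quickly.

```python
import hashlib
import hmac
import os
import time

# Constructed sample wordlist; a deployment would load a full dictionary file.
DICTIONARY = {"password", "treacherous", "welcome", "dragon", "letmein", "sunshine"}
MIN_LENGTH = 12

# Common character substitutions, undone before the lookup so that trivial
# variants such as "Tre@cherous1" are still recognised as dictionary words.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lowercase, drop a trailing digit suffix, then undo leet substitutions."""
    return candidate.lower().rstrip("0123456789").translate(LEET)


def policy_violations(candidate: str) -> list:
    """Reasons a candidate password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(candidate) in DICTIONARY:
        problems.append("is a dictionary word or a trivial variant of one")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout (CWE-307 control)."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so the demo can advance time
        self._failures = {}         # username -> recent failure timestamps
        self._locked_until = {}     # username -> time at which the lockout ends

    def seconds_locked(self, username: str) -> float:
        return max(0.0, self._locked_until.get(username, 0.0) - self.clock())

    def record_failure(self, username: str) -> None:
        now = self.clock()
        recent = [t for t in self._failures.get(username, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = []

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


class AuthService:
    """Toy account store: policy enforced when a password is set, throttle at login."""
    ITERATIONS = 200_000  # lowered for the demo; use a higher count (or Argon2) in production

    def __init__(self, throttle: LoginThrottle):
        self.throttle = throttle
        self._users = {}  # username -> (salt, PBKDF2-SHA256 hash)

    def _hash(self, candidate: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, self.ITERATIONS)

    def set_password(self, username: str, candidate: str) -> list:
        problems = policy_violations(candidate)
        if not problems:
            salt = os.urandom(16)
            self._users[username] = (salt, self._hash(candidate, salt))
        return problems

    def login(self, username: str, candidate: str) -> str:
        if self.throttle.seconds_locked(username) > 0:
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Same cost and same answer for unknown accounts, so the response does
            # not reveal which usernames exist (the Explore technique above).
            self._hash(candidate, b"\x00" * 16)
            self.throttle.record_failure(username)
            return "denied"
        salt, stored = record
        if hmac.compare_digest(stored, self._hash(candidate, salt)):
            self.throttle.record_success(username)
            return "ok"
        self.throttle.record_failure(username)
        return "denied"


class FakeClock:
    """Manually advanced clock so the lockout window is observable in demo()."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> list:
    """Walk through both controls; returns the sequence of login outcomes."""
    clock = FakeClock()
    svc = AuthService(LoginThrottle(max_failures=3, clock=clock))
    assert svc.set_password("alice", "treacherous")                  # rejected by policy
    assert not svc.set_password("alice", "correct horse battery staple")
    outcomes = [svc.login("alice", "guess%d" % i) for i in range(3)]  # three failures
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # locked out
    clock.t += 901                                                    # lockout expires
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `["denied", "denied", "denied", "locked", "ok"]`: the third failure triggers the lockout, the correct password is refused while the window is open, and it succeeds once the window has expired. The lockout is per account rather than per source address because the pattern targets one chosen username, and the unknown-account branch deliberately does the same hashing work and returns the same answer as a wrong password.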
Skills Required

| Level | Description |
|---|---|
| Low | A variety of password cracking tools and dictionaries are available to launch this type of attack. |
Consequences

| Integrity | Access Control | Authentication | Confidentiality |
|---|---|---|---|
| Modify Data | Gain Privileges | Gain Privileges | Gain Privileges |
| | | | Read Data |
Example Instances

- A system user selects the word "treacherous" as their password, believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.
- The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server. Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques. See also: CVE-2003-1096