80 Chapter 2 • General Security Concepts: Attacks
Password attacks can be either online or offline. In online attacks, passwords are passed directly to the attacked system via remote login attempts or manual entry. However, they are very noisy, usually get the attention of any reasonable security administrator, and many systems have an account lockout feature that triggers after a set number of unsuccessful attempts. Offline attacks are more dangerous, but harder to do. They usually involve stealing a copy of the username and hashed password listing and then methodically hashing candidate passwords using the same hashing function. If a match is found, the password is considered cracked.
Before specific methods for applying brute force can be discussed, a brief explanation of password encryption is required. Most modern OSes use some form of password hashing to mask the exact password (see Chapter 9 for more information regarding hashing). Because passwords are never stored on the server in cleartext form, the password authentication system becomes much more secure. Even if someone who is unauthorized somehow obtains the password list, he will not be able to make immediate use of it, making it more likely that system administrators will have time to change all of the relevant passwords before any real damage is done.
Passwords are generally stored in what is called hashed format. When a password is entered into the system, it passes through a one-way hashing function, such as Message Digest 5 (MD5), and the output is recorded. Hashing functions are one-way only, and once data has been hashed, it cannot be restored. A server doesn't need to know what your password is. It needs to know that you know what it is. When you attempt to authenticate, the password you provide is passed through the hashing function and the output is compared to the stored hash value. If these values match, you are authenticated. Otherwise, the login attempt fails and is logged by the system (assuming logging of such events is configured).
Brute Force Attacks
Brute force, in its simplest definition, refers to trying as many password combinations as possible until hitting on the right one. It is a method commonly used to obtain passwords, especially if the encrypted password list is available. While the exact number of characters in a password is usually unknown, most passwords can be estimated to be between four and 16 characters. Since only about 100 different values can be used for each character of the password, there are only about 100^4 to 100^16 likely password combinations. Though massively large, the number of possible password combinations is finite and is therefore vulnerable to brute force attack.
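As an added example (not from the book), the following Python sketches the hash-and-compare login, the logging and account lockout after repeated failures, and the 100^4 to 100^16 keyspace estimate discussed above; the usernames, passwords and lockout threshold are constructed, and MD5 appears only because the text names it.

```python
import hashlib
import hmac

LOCKOUT_THRESHOLD = 5  # constructed lockout setting, not from the text

def hash_password(password):
    """One-way hash of the password; MD5 only because the text names it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

class PasswordStore:
    """Keeps username -> hash only (never cleartext) and counts failed logins."""
    def __init__(self):
        self.hashes = {}
        self.failures = {}
        self.log = []  # stands in for the system log the text mentions

    def add_user(self, username, password):
        self.hashes[username] = hash_password(password)
        self.failures[username] = 0

    def authenticate(self, username, password):
        """Rehash the supplied password and compare with the stored digest."""
        if username not in self.hashes:
            self.log.append(f"failed login: unknown user {username}")
            return False
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.log.append(f"refused login: {username} is locked out")
            return False
        # constant-time compare avoids leaking how many digest bytes matched
        if hmac.compare_digest(hash_password(password), self.hashes[username]):
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        self.log.append(f"failed login: bad password for {username}")
        return False

def keyspace(alphabet_size, length):
    """Candidate passwords of exactly this length (the 100^4 .. 100^16 estimate)."""
    return alphabet_size ** length

def lockout_demo():
    """Online attack: after LOCKOUT_THRESHOLD bad guesses even the right password is refused."""
    store = PasswordStore()
    store.add_user("alice", "ab12")  # constructed weak password
    for _ in range(LOCKOUT_THRESHOLD):
        store.authenticate("alice", "wrong")
    return store.authenticate("alice", "ab12"), len(store.log)
```

The lockout is what makes the online attack noisy and self-limiting; the offline attacker who has stolen the hash list faces no such counter, only the size of the keyspace.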
It’s important to take the birthday paradox into account when talking about brute force attacks. The birthday paradox predicts that within a group as small as 23
www.syngress.com