"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks" Ryan McDougall St. Cloud State University E-mail:

Post on 06-Jan-2018



Page 1

"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks"

Ryan McDougall
St. Cloud State University

E-mail: [email protected]

Page 2

About Me

• SCSU Student
• Student Network Administrator for Computer Networking Department
• Research Assistant in Business Computing Research Lab

Page 3

Overview

• Accounts
• Audits on Accounts
• Dictionary Attacks
• Focus on Username vs. Password
• Dictionary creation for username emphasis
• Distributed attack scenario

Page 4

Accounts

• Username
• Password (Security Control)

Passwords are a security control to prevent unauthorized access.

Page 5

Auditing

Account auditing (in IT Security) is the proactive evaluation of the security controls in place to protect the accounts from unauthorized access.

How can you audit?

Page 6

Dictionary Attacks

• Guessing possible user name and password combinations.

• Usually carried out by utilities that make a large number of login attempts automatically (e.g., THC Hydra).

• Use compilations of user names and passwords (dictionaries).

Page 7

Dictionary Creation

• Commonly, when dictionaries are created, the emphasis is on long password lists paired with only a few common usernames.

• Username vs. Password emphasis
• Rockyou.com incident – A breach led to the release of 32 million passwords.

Page 8

Rockyou.com Incident

http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

Page 9

Rockyou.com Incident

“If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users' passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.”

Page 10

Dictionary Creation

• Considering the Rockyou.com incident, there is reason to believe it might be more efficient to use dictionaries that put heavy emphasis on usernames.

• We can write a simple program to build such a dictionary; I chose to write it in C++.

Page 11

Page 12

Dictionary Creation

• This program takes input files and uses nested for loops and arrays of records to piece the username dictionaries together.

• The output of this proof of concept is in the format (x1y1y2y3…yn), where x1 is the first letter of a first name and y1–yn are the characters that make up a last name.

• This can be easily adjusted for different user name formats.
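As an added example (not the slides' own C++ program), the following builds the (x1y1y2y3…yn) dictionary from first- and last-name lists and, from the auditor's side, counts how many of a site's real account names that dictionary would cover. The name lists and the account list are constructed sample data.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

static std::string lower(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Format (x1 y1...yn) from the slide: first letter of the first name followed by
// the whole last name. The nested loop is the same shape the slide describes;
// a different site convention (e.g. first.last) only changes the candidate line.
std::vector<std::string> generate_usernames(const std::vector<std::string> &first_names,
                                            const std::vector<std::string> &last_names) {
    std::set<std::string> seen;   // "Anna"+"Lee" and "Alan"+"Lee" both give "alee"
    std::vector<std::string> out;
    for (const auto &f : first_names) {
        if (f.empty()) continue;
        for (const auto &l : last_names) {
            if (l.empty()) continue;
            std::string candidate = lower(f.substr(0, 1) + l);
            if (seen.insert(candidate).second) out.push_back(candidate);
        }
    }
    return out;
}

// Audit view: how many real account names does the generated dictionary cover?
std::size_t count_guessable(const std::vector<std::string> &accounts,
                            const std::vector<std::string> &dictionary) {
    std::set<std::string> dict(dictionary.begin(), dictionary.end());
    std::size_t hits = 0;
    for (const auto &a : accounts) hits += dict.count(lower(a));
    return hits;
}

int main() {
    // Constructed sample data: a few names and a small account list.
    std::vector<std::string> first = {"Anna", "Alan", "Bob"}, last = {"Lee", "Smith"};
    std::vector<std::string> accounts = {"alee", "bsmith", "root", "jdoe"};
    std::vector<std::string> dict = generate_usernames(first, last);
    std::cout << dict.size() << " candidates cover " << count_guessable(accounts, dict)
              << " of " << accounts.size() << " accounts\n";
    return 0;
}
```

A high coverage ratio on a real account list is the audit finding: the username half of the login is doing little to slow a dictionary attack.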

Page 13

Sample Output

***This only shows a small section of the ‘a’ first name combinations***

Page 14

Distributed Attack Scenario

Page 15

Distributed Attack Scenario

• A distributed method will provide a more efficient attack.

• Dictionaries are divided up between attackers using ‘chunking’.

• May help evade security controls that lock accounts or ban IP addresses after repeated failed logins.
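A defender-side check for the chunked scenario, added here and not part of the slides: a per-IP lockout stays quiet when every source keeps under its limit, so the same window is also counted in aggregate for the target host. The auth.log lines and both thresholds are constructed; the message layout is the standard OpenSSH "Failed password for" one.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Verdict {
    std::size_t total_failures = 0;     // failed logins in the window, all sources
    std::size_t distinct_sources = 0;   // IPs that contributed to them
    bool per_ip_ban_would_fire = false; // some single IP reached the per-IP limit
    bool distributed_attack = false;    // aggregate over limit while every IP is quiet
};

// Pulls USER and IP out of "... Failed password for [invalid user] USER from IP port N ssh2".
static bool parse_failure(const std::string &line, std::string &user, std::string &ip) {
    static const std::string key = "Failed password for ";
    std::string::size_type pos = line.find(key);
    if (pos == std::string::npos) return false;
    std::istringstream rest(line.substr(pos + key.size()));
    std::string from;
    rest >> user;
    if (user == "invalid") rest >> user >> user;  // skip the word "user", take the name
    rest >> from >> ip;
    return from == "from" && !ip.empty();
}

Verdict analyze_window(const std::vector<std::string> &lines,
                       std::size_t per_ip_limit, std::size_t aggregate_limit) {
    std::map<std::string, std::size_t> per_ip;  // what a per-IP lockout sees
    Verdict v;
    for (const auto &line : lines) {
        std::string user, ip;
        if (!parse_failure(line, user, ip)) continue;
        ++per_ip[ip];
        ++v.total_failures;                     // what it misses: the host-wide total
    }
    v.distinct_sources = per_ip.size();
    for (const auto &kv : per_ip)
        if (kv.second >= per_ip_limit) v.per_ip_ban_would_fire = true;
    v.distributed_attack = !v.per_ip_ban_would_fire && v.total_failures >= aggregate_limit;
    return v;
}

// Constructed auth.log excerpt: 6 chunk holders, 2 attempts each = 12 failures in total.
std::vector<std::string> sample_window() {
    std::vector<std::string> lines;
    for (int i = 0; i < 6; ++i)
        for (int a = 0; a < 2; ++a)
            lines.push_back("sshd[412]: Failed password for invalid user user" + std::to_string(i) +
                            " from 203.0.113." + std::to_string(10 + i) + " port 5" + std::to_string(a) + "000 ssh2");
    return lines;
}
```

With a per-IP limit of 5 and an aggregate limit of 10, the sample never triggers the per-IP ban yet is flagged as distributed; lowering the per-IP limit to 2 makes the per-IP control catch it instead.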

Page 16

Q/A

• Any questions?