Re: Password cracking benchmarks

[Alan Amesbury <amesbury () OITSEC UMN EDU>]

Kevin Shalla wrote:

> Don't dictionary and brute force attacks rely on having access to the
> password file?


Short answer:  No.  I'll expand on this below.

> Aren't password files protected from theft?


Most modern systems are supposed to prevent unprivileged users from
gaining access to password hashes.  However, these are still obtainable
through exploits, or through legacy tools with inadequate security
designs (NIS being a big one).  Also, if someone has uncontrolled
physical access to your hardware, the safe assumption is that they have
access to every file on your system (including any files containing
password hashes).

> Aren't login sessions encrypted between PC and server?


I know that there are attacks that work against PPTP (a MSFT protocol)
and that have gotten more feasible as processing power has gotten
cheaper.  However, I've little enough direct experience that I can't
comment on it.

Assuming you're not blindly accepting SSH host keys when you connect to
remote systems, SSHv2 is a fairly safe protocol.  SSHv1 has some known
problems, although it's been a while since I've looked at the difficulty
in exploiting them.  (Systems under my control all have SSHv1
compatibility disabled anyway, since it's generally unneeded.)

> Are we talking about hacking by system administrators?  If it's just
> trying passwords, don't lockout strategies keep them out?


Anyone can attempt a brute-force attack.  The ones that I expect most
people on this list have encountered lately are the ongoing attacks
against systems running SSHd.  These are, simply put, dictionary
attacks.  You've a good point regarding automated lockouts; such
defenses would certainly help mitigate these attacks.  However, many
stock Unix systems appear to lack them.

An attacker doesn't necessarily need privileged access to conduct an
attack.  All that's needed is an interface that can accept
authentication credentials and respond whether they're valid or not.
However, it's usually much, much faster to conduct an attack against a
list of account/hash pairs, as a) much software has been written and
heavily optimized to do exactly that, and b) it's nearly impossible for
the victim to detect such an attack (unless the attacker is running the
cracking software on the victim's own hardware).

I rewrote my initial e-mail in preparation for sending it out
internally, as it seems that such a detailed discussion hasn't amongst U
of MN administrators for at least several years (possibly since I last
dug into this).  While rewriting it, I expanded a bit on the SSH attacks.


BRUTE-FORCE ATTACKS OVER SSH
----------------------------
Brute-force attacks against SSH are timed very much the same way.  The
difference is that the rate at which you can test values is
significantly lower than most password hashing algorithms.  The password
cracking rate is effectively whatever rate at which an attacker can
connect and try candidate passwords.  I think ten connections per second
is relatively high, but let's say the host being attacked lets an
attacker connect 100 times/second.  Over eight hours, an attacker could
only try 2,880,000 possible passwords, which is a pretty small
dictionary.  However, this is just for a single account.

Most attacks target multiple accounts, too, which effectively cuts the
rate at which an attack can occur, e.g., testing passwords for ten
accounts in the same number of connections will reduce your available
dictionary search space by a factor of ten.  For the sake of argument,
let's say that an eight hour attack as described above targets these
accounts on the victim host:  root, httpd, operator, admin,
administrator.  This means the attacker will try 576,000 possible
passwords per account in the time allotted, which is a pitifully small
number of guesses in a brute-force attack.  To defeat such an attack
(and assuming, for some reason, that remote root logins are *needed*),
all the system administrator needs to do is to make sure the passwords
for such accounts are sufficiently unlikely to appear on such a short list.

In short, if you (or your users) are choosing strong passwords that are
likely to survive dictionary attacks in general, then SSH attacks like
we've been seeing will probably be a minor annoyance at most.



--
Alan Amesbury
University of Minnesota