More Language Issues

By -
But this time it's with English. I've been working on several conference papers, (hence the scarcity of posts here), and one problem I keep running into time after time is the lack of standard terminology when it comes to password cracking. Here are some examples of that:

1) What exactly is a passphrase?
  • Would 'manbearpig' count as a passphrase?
  • How about 'superdude'?
  • What about passwords created by the first letters of a phrase. For example, "To be or not to be" = '2bo!2b'
  • Should the above example be called a password or a passphrase?
  • Can the term password and passphrase be used interchangeably? 

2) What exactly is covered by the term 'Brute Force Attack'?
  • If you try all combinations where the first four characters are lowercase letters, and the last two characters are numbers, is it a brute force attack?
  • Side note, I'm a fan of the term 'targeted brute force attack' for the above option. I've seen 'indexed attack' and 'incremental attack' used as well.
  • What if you use Markov models in your attack. Is this still a brute force attack? A Markov model uses the conditional probability of letters showing up in combination with each other to produce strings that resemble words. An example would be if you see the letter 'q' then the next letter will almost always be a 'u'. With these attacks you usually only try the highly probable strings so you don't exhaust the entire keyspace like you normally would expect with a brute force attack.
  • What about attacking passphrases? There are two main ways you can attack passphrases. The first is to use a dictionary of known sentences, (such as 'to be or not to be') which resembles a normal dictionary attack. The second is to generate your own sentences based on individual words, such as select five words and combine them. The second method looks a lot like a standard brute force attack, but instead of selecting from 26 letters you are selecting from several thousand words.  In fact even the approaches to make it "smarter" are the same, such as choosing certain words to start the sentence, "A To, The, ...", and using known sentence structures, "if a word is a verb, then it will probably be followed by a noun, etc".  You can even apply a Markov approach to model sentence structures if you want. That being said, these attacks do use an input dictionary so should we classify them as dictionary or brute force attacks?
  • My own personal view is that brute force attacks encompass any password guessing attack that does not use an input dictionary. That being said, the term brute-force can be misleading since there are a lot of things an attacker can do to create very sophisticated attacks even without the use of a dictionary. Also, some dictionary based attacks can look a lot like brute force, aka adding four digits to the end of a dictionary word.
3) I referenced this in an earlier post, but how should we talk about the order in which you execute word mangling rules in a dictionary attack
  • I'm tempted to go with 'word order' when you apply every mangling rule to each word before moving onto the next dictionary word. Cain and Able uses this method
  • Similarly 'Rule Order' would be when you apply the first rule to all of the dictionary words before moving on to the next rule. John the Ripper uses this method
  • Finally 'Position Order' treats dictionary words just as an insertion rule, (aka insert a dictionary), and then expands the rules from either left to right or right to left. For example if the rule was "insert one digit", "insert dictionary word", "insert special character", if it expanded from right to left it will cycle through all the special characters first, then cycle through all the dictionary words, and then cycle through all the numbers.  So it would create guesses the following way
1cat!
1cat@
1cat#
1hat!
1hat@
1hat#
2cat!
2cat@
...
  • The best known password cracker that uses position method is Access Data's PRTK.

Now all of this may seem trivial, but if you don't use common definitions it's really hard to make any progress in sharing knowledge, debating issues, or solving problems. It's almost too bad we don't have an equivalent of the Webster dictionary for security professionals.

Comments

Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more