If you can't launch a brute force campaign, dictionary attacking is the way to go. Core Technical Specialist Dan Crowley offers some tips on throwing the book at something efficiently.

Throwing exploits at a target is definitely something you want to do during a pen test, but if you've got a process in place to identify and patch known vulnerabilities, chances are that many of your exploits will likely fail.

(Then again, you should try anyway. If exploits succeed, you want to know!)

But if known vulnerabilities don't get you in, you'll need to look for unknown vulnerabilities. Often, these unknown vulnerabilities are organization-specific and are frequently based on configuration issues.

One example that could be classified as a configuration issue would be weak passwords, and there are two basic schools of thought when it comes to attempting to guess passwords:

1.  Brute force - Try every possible password until you find the right one.

2.  Dictionary attack - Try a set of likely passwords in hopes that you guess correctly.

The wonderful thing about brute force is that brute force will ALWAYS work, at least given enough time and resources. As I like to say, "If brute force doesn't work, you just aren't using enough of it."

The horrible thing about brute force is that finding the right password might take longer than the predicted time we have left until the universe reaches heat death or collapses in on itself. If you *can* brute force the entire space of passwords possible for a system in an amount of time which makes the accessed resource still useful, it should of course be considered insecure.

For example, consider a system with a 4-character numeric-only password. In this case, there are a measly 10,000 possibilities to try. This is easily automated, and if you can guess one password every second (amazingly slow) you can still exhaust all possibilities in ~2.8 hours, making this a situation where brute force shines.

On the other hand, let's say the system requires a password which is 8-16 characters, and requires a mixture of upper/lowercase letters and numbers. This means a 62 character set. We cannot brute force the entire set if we can guess one password per second, as brute forcing the entire set of 8 character passwords alone would take over 7 million years!

Instead, we have to choose a small slice of the set of possible passwords, a "dictionary". How long we want to try guessing passwords and how long it takes to guess each one will determine the size of the dictionary we want to use.


Need help with security assessments or penetration testing? Check out our Security Consulting Services and penetration testing product, Core Impact Pro.


Here's my personal set of steps for gathering possible passwords which are good candidates for your dictionary:

1) Get generalized password lists to cover the lowest of low-hanging fruit. A combination of a few sources can provide the basis for every wordlist you create.

  • Good starter lists can be found in a variety of places. One good place to start is with John the Ripper's common password list.
  • A dictionary for the native language of the users you're attacking is a big plus.
  • Lists of default passwords can be incredibly useful.

2) Find specific password lists based on the target organization which can be combined with your basic list.

  • Expand your password list based on the type of organization. If you're going after a healthcare organization, try searching for "healthcare wordlist".
  • Expand your password list based on the location of the organization. If you're going after an organization based in Lima, Peru you might consider adding keywords like "fronton," a popular Limean sport similar to squash.
  • Expand your password list based on the users who will have accounts on the service you're attacking. If you're password grinding against a login prompt that only the marketing department uses, adding marketing terms to your list is a good idea.
  • Expand your password list based on the target organization itself. Run a tool such as "CeWL" to spider the company's website and return a list of the unique words found on that site.

3) Combine your basic wordlist with the targeted wordlists you've gathered.

  • Make sure to remove duplicate entries from your list, some dictionary crackers assume that there are no duplicate entries in your wordlist.

4) Consider mutating your wordlist to include variations on the words. This will generally add things like passwords with number-letter replacements or with appended numbers.

  • If you are doing online password cracking (automated guessing against a live network service) you may not want to mutate, because you may want to throttle your guesses to avoid detection or lockout.
  • If you are doing offline password cracking, speed considerations are not as important and you should aim for a large wordlist.
  • RSMangler is a helpful tool that you can use to mutate your wordlist.

5) Prune your list to comply with the password policy for the organization. There's no sense in trying a password which could not be used.

  • If you are cracking the captured EAP exchange for authenticating to WPA-PSK or WPA2-PSK networks, remember that both enforce a minimum passphrase length requirement of eight characters.
  • A tool which can be used to prune wordlists is the "pwinspector" tool which comes with THC-Hydra.

There are lots of online and offline cracking tools out there, and the majority of them support a dictionary crack mode. The standard format is a newline-separated list of words, so you can use the same wordlist with nearly any cracker. (Core Impact Pro includes various online and offline dictionary cracking tools!)

Much like trying to exploit known vulnerabilities, password grinding is only part of the pen testing process. Check out the ISSAF, OSSTMM, or NIST 800-42 pen testing methodology documents to see more tests that you can run against your environment.

Once again, I'm...

Dan Crowley, Technical Specialist