Page236

Brute Force and Hybrid Attacks

Brute-force attacks take more time, but are more effective. The attacker calculates the hash outputs for every possible password. Just a few years ago, basic computer speed was still slow enough to make this a daunting task. However, with the advances in CPU speeds and parallel computing, the time required to brute force complex passwords has been considerably reduced.

Another recent password-cracking breakthrough is the leveraging of GPUs (Graphical Processing Units) to crack passwords: “Designed to handle the ever-growing demands of computer games, today’s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). To put that in perspective, in the year 2000 the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than seven teraflops. Graphics processing units are so fast because they’re designed as parallel computers. In parallel computing, a given problem is divided among multiple processing units, called cores, and these multiple cores tackle different parts of the problem simultaneously” [1].

An attacker may also use a rainbow table for their password attack. A rainbow table acts as a database that contains the pre-computed hashed output for most or all possible passwords. Rainbow tables take a considerable amount of time to generate and are not always complete: they may not include all possible password/hash combinations. Though rainbow tables act as a database, they are more complex under the hood, relying on a time/memory tradeoff to represent and recover passwords and hashes. We discuss the technical details of rainbow tables in more detail in Chapter 4, Domain 3: Security Architecture and Engineering.

Note:
The efficiency of pre-computation brute-force attacks leveraging rainbow tables is dependent upon the password hashing algorithm’s implementation. The main feature that determines whether rainbow tables will greatly increase the speed of password recovery is whether the implementation of the algorithm involves salts, which is simply a way of introducing randomness into the resultant hashes. In the absence of salts, the same password will yield the exact same hash every single time. Notably, Windows’ LM and NT hashes do not include salts, which make them particularly vulnerable to this type of brute forcing. Linux and UNIX systems have employed salts for decades. An older UNIX/Linux system using 16-bit salts would require an attacker to create 65,536 separate sets of rainbow tables, one set for each possible salt. A modern UNIX/Linux system using SHA-512 hashes supports 8-character base 64 salts. That allows 6 octodecillion (a decimal number with 58 digits) different salts.

A hybrid attack appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter “o” with the number “0.” Targets of hybrid attacks can have complex passwords cracked if their passwords resemble any type of standard 8–15-character word with just a few changes in text with special characters.