- NOTE: This article is for informational and educational purposes only. Please do not misuse the contents of this article for malicious purposes
The most common ‘complex’ password in the world for 2019 was “qwerty@123”. Furthermore, the top 100 passwords had an average length of 6 letters and most simply used characters. That means my simple Mac can compute all 308915776 possibilities in about 10 minutes making it trivial to crack a password. Thankfully websites are evolving more complex measures and requiring users to include special characters and even numbers; even ensuring that “simple” strings such as qwerty or the domain name are not part of the password.
High-quality targets will probably use “better” passwords. But humans, being humans, often rely on things which are familiar such as birthdates, anniversaries, pet names, and popular characters. Therefore it is often a good approach to create dictionaries with possible passwords and then try all of them in an attempt to guess the correct one; this is called brute-forcing and today I will walk through a short example.
To begin with, we start by social engineering. Social Engineering is the practice of using psychological games and charm to try and trick information out of a target. Often the easiest way to begin this process is by sending a spoofed email. This is a practice which allows a user to send an email from an account other than the one it was originally sent from. Most mail providers protect against spam like this by checking if the sender is in fact who they say they are. This is done by checking a DMARC record which allows a mail service to check if the origin of the mail is the same as the one registered by officials of the website. However, as an optional service, many websites have not implemented a DMARC policy; or have done so weakly. The DMARC policy of a domain can be checked using this [https://www.dmarcanalyzer.com/] link. To spoof an email, we need to ensure the “-p” tag in the DMARC policy is set to “None”. This will mean the email will be sent forward to the inbox without being marked spam. Look at the image below on how easy and unsuspicious it is for me to spoof an email from the World Health Organization’s official domain!
Details on how to spoof are left to avoid misuse of this practice
Once a list of the target’s most special attributes is compiled into a text file, and information from crawling the target’s news feed is collected, we can finally begin to construct a dictionary for the target. Now it is time to finally write a script to construct the user-specific dictionary. A study by the University of Rhode Island in 2007 found that most passwords use a minimum of 3 letters from words which they consider “special” and often use the date and month part of special dates. This, along with many other insights, are all compiled into a neat program called Common User Password Profiler (CUPP). CUPP is an interactive terminal program that guides questions using an interview-style to create large password dictionaries. By answering simple questions, I created 26004 passwords in just 17 seconds!
Now comes the tricky part of creating a web scraper that is able to enter the 1000s of created passwords and check whether one of them allowed for a successful login. It is important to tune the automater to ensure too many passwords are not tried consecutively which may lock the user’s account or your access to the site! This can be done by adding delays between trials, but most modern websites will be able to detect such automated behavior! We can trick websites by adding some randomness to our delays and by moving the mouse randomly and crawling into deep, public links. If areas of the website allow users to type, randomly typing into text fields and allowing the domain to process those requests can also be useful. Websites like Facebook even use language detection to ensure typed words are real (most websites simply check for this by checking text contains adequate spaces).
If the login is cracked, Congrats! You have learned how to brute force successfully. However, often, users may add little random strings into their passwords; like my email address which contains an extra "s” at the beginning. To solve this, applications called manglers exist which create new passwords given a “seed” password. These changes can be a very simple; like applying a single change to the end of each seed password, or more complex; like adding every number from 0-9 to the end of each seed password. A graphical program called Mentalist allows for users to easily set rules which mangle the passwords. Like CUPP, Mentalist uses research from 100s of research papers to ensure the mangler produces a minimal, but well-working set of passwords.
Brute forcing is difficult, and at the best of times it can take hours if not days to run. However, using social engineering can dramatically decrease the number of attempts required and produce more realistic passwords. As browsers like Chrome and Safari integrate smarter and smarter password managers into the native apps, users are becoming less prone to brute force attacks. In addition, many of the most successful apps such as “Facebook” and “Gmail” use IP tracking and if a “suspicious” IP logs into the service, it requires secondary authentication in the form of randomly generated text/emailed message sequences.
Top comments (0)