"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks"
Ryan McDougall
St. Cloud State University
E-mail: [email protected]
About Me
• SCSU Student
• Student Network Administrator for Computer Networking Department
• Research Assistant in Business Computing Research Lab
Overview
• Accounts
• Audits on Accounts
• Dictionary Attacks
• Focus on Username vs. Password
• Dictionary creation for username emphasis
• Distributed attack scenario
Accounts
• Username
• Password (Security Control)
Passwords are a security control to prevent unauthorized access.
Auditing
Account auditing (in IT Security) is the proactive evaluation of the security controls in place to protect the accounts from unauthorized access.
How can you audit?
Dictionary Attacks
• Guessing possible user name and password combinations.
• Usually carried out with utilities that make a large number of attempts (THC Hydra).
• Use compilations of user names and passwords (dictionaries).
Dictionary Creation
• Commonly, when dictionaries are created, there tends to be more emphasis on passwords with common usernames
• Username vs. Password emphasis
• Rockyou.com incident
– A breach led to the release of 32 million passwords.
Rockyou.com Incident
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
Rockyou.com Incident
“If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.”
Dictionary Creation
• Considering the Rockyou.com incident, there is reason to believe it might be more efficient to use dictionaries that put heavy emphasis on usernames.
• We can write a simple program, which I choose to write in C++.
Dictionary Creation
• This program takes input files and uses nested for loops and arrays of records to piece the username dictionaries together.
• The output with this proof of concept is in the format (x1y1y2y3…yn) where x is the first letter of a first name and y1-yn are the characters that make up a last name.
• This can be easily adjusted for different user name formats.
Sample Output
***This only shows a small section of the ‘a’ first name combinations***
Distributed Attack Scenario
• A distributed method will provide a more efficient attack.
• Dictionaries are divided up between attackers using ‘chunking’.
• May aid in avoiding security controls put in place to ban accounts/IP addresses.
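
A defender-side check for the scenario above, added here as an example and not part of the original slides: it parses failed sshd logins and compares a per-IP failure counter with an aggregate view across sources, which is where a chunked, username-heavy dictionary becomes visible. The log lines, addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: nine guessed usernames in first-initial + last-name form,
# split in chunks of three across three documentation-range source addresses.
GUESSES = ["aanderson", "abrown", "aclark", "adavis", "aevans",
           "afoster", "agarcia", "aharris", "ajones"]
SOURCES = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]
LINE = "Jan 10 03:14:{:02d} host sshd[811]: Failed password for {}{} from {} port 40000 ssh2"
SAMPLE_LOG = "\n".join(
    [LINE.format(i, "invalid user ", user, SOURCES[i // 3])
     for i, user in enumerate(GUESSES)]
    # Two failures by one existing account, e.g. a mistyped password.
    + [LINE.format(30 + i, "", "jdoe", "198.51.100.7") for i in range(2)]
)

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text):
    """Return a (username, source_ip) pair for every failed password attempt."""
    return FAILED.findall(log_text)

def per_ip_bans(failures, ban_threshold):
    """Source addresses that a per-IP failure counter alone would ban."""
    counts = defaultdict(int)
    for _user, ip in failures:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= ban_threshold}

def username_sweep(failures, min_users, min_ips):
    """Aggregate across sources: many distinct usernames from several IPs."""
    users_by_ip = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)
    all_users = set().union(*users_by_ip.values())
    # Chunked dictionaries show up as near-zero overlap between per-IP sets.
    overlap = sum(len(u) for u in users_by_ip.values()) - len(all_users)
    return {"distinct_users": len(all_users), "source_ips": len(users_by_ip),
            "overlap": overlap,
            "sweep": len(all_users) >= min_users and len(users_by_ip) >= min_ips}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", per_ip_bans(failures, ban_threshold=5))
    print("aggregate view:", username_sweep(failures, min_users=8, min_ips=3))
```

On the sample, no single address reaches a ban threshold of 5, while the aggregate view reports ten distinct usernames from four addresses with no overlap between the per-address sets.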
Q/A
• Any questions?