Depending upon the specific policies, you may not save a significant amount
of time by limiting the brute-force attack. For instance, consider a policy
that required at least one upper, one lower and one number in all passwords.
Let's first assume that the possible character set for passwords is
upper/lower/number. For four character passwords, 19% of the possible
password checks can be eliminated due to the policy. For five character
passwords, only 9% would be eliminated and the percentage would continue to
drop as the length increases. If the possible character set included
upper/lower/number/special characters, the policy would only eliminate 3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords. Since the vast majority of the time for a brute-force attack is
spent on the largest length checked and since the number of tests that can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile for
some highly specific policies.
Also, most brute-force attacks are very fast. One would need to test the
speed of eliminating a password vs. the speed of testing a password. If you
needed code to determine whether a password passed the policy, the overhead
of this code on all passwords might eliminate any savings vs. just testing
all of the passwords. This would have to be benchmarked on a case-by-case
and policy-by-policy basis. Obviously, if the password testing is against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code. However, brute-force attacks against remote and slow
servers is not very practical to begin with.
Bob Weiss
Password Crackers, Inc.
-----Original Message-----
From: Chris Costantino [mailto:clckct@yahoo.com]
Sent: Thursday, December 01, 2005 12:50 PM
To: pen-test@securityfocus.com
Subject: policy-based password cracker
Hi all,
I am looking for a brute-force password cracker that can be configured based
on password policies. For example, I am trying to audit a system that I
know the security policy on (min/max pw length, complexity rules, etc) What
I want is to only brute-force passwords that fit that policy. Obviously,
min and max is not the issue, but I can not seem to find anything that will
only test passwords that meet complexity requirements (lowercase alpha,
uppercase alpha, number). Something that generates this into a rainbow
table would be even better.....
Anyone aware of such a tool?
Thanks in advance,
Chris
__________________________________________
Yahoo! DSL - Something to write home about.
Just $16.99/mo. or less.
dsl.yahoo.com
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
