Distributed Password Guessing

It is often the case that whenever weak passwords are discussed, it is assumed that these are always attacked by “obtaining” password hashes and using a tool such as John the Ripper (there are plenty of others) to ‘crack’ weak passwords. That is not the case: Guessing weak passwords is also possible.

It sounds daft expressed like that – how do you guess someone’s password? Who has got the patience to sit down and try all of the possible combinations ? Well nobody does of course and to solve that problem there are tools such as Hydra which automate the process. They take a list of candidate usernames and candidate passwords, and try a service with each in turn – a long process.

But if it takes four hours to find a single account with a weak password, and we assume that there are no further weak passwords on the attacked system, then to get the details of 50 accounts within four hours you need to attack 50 systems with something like Hydra simultaneously. If you want more account details, attack more systems.

Of course if you want lots of accounts to use, you will probably need to use more than one system to run your attack. And of course real attackers will have access to the resources of compromised machines – the so-called “robot armies”.  If you have enough compromised machines to work with, and enough systems to target, you can probably guarantee a continual trickle of account details to use.

All very well in theory, but is this happening ? The answer would appear to be yes :-

Date (YYYY-MM) Number of SSH login attempts
2011-03 17141
2011-04 10138
2011-05 127634
2011-06 19613
2011-07 9844
2011-08 1898
2011-09 21
2011-10 32685
2011-11 42022
2011-12 16595
2012-01 19176
2012-02 54976
2012-03 23484
2012-04 10241
2012-05 13915
2012-06 8043
2012-07 1700
2012-08 27631


This entry was posted in Passwords. Bookmark the permalink.