Distributed Password Guessing

Whenever weak passwords are discussed, it is often assumed that they are always attacked by “obtaining” password hashes and using a tool such as John the Ripper (there are plenty of others) to ‘crack’ them. That is not the case: guessing weak passwords is also possible.

It sounds daft expressed like that – how do you guess someone’s password? Who has got the patience to sit down and try all of the possible combinations? Well, nobody does of course, and to solve that problem there are tools such as Hydra which automate the process. They take a list of candidate usernames and candidate passwords, and try a service with each in turn – a long process.

But if it takes four hours to find a single account with a weak password, and we assume that there are no further weak passwords on the attacked system, then to get the details of 50 accounts within four hours you need to attack 50 systems with something like Hydra simultaneously. If you want more account details, attack more systems.

Of course, if you want lots of accounts to use, you will probably need to use more than one system to run your attack. And of course real attackers will have access to the resources of compromised machines – the so-called “robot armies”. If you have enough compromised machines to work with, and enough systems to target, you can probably guarantee a continual trickle of account details to use.

All very well in theory, but is this happening? The answer would appear to be yes:

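| Date (YYYY-MM) | Number of SSH login attempts |
|----------------|------------------------------|
| 2011-03 | 17141 |
| 2011-04 | 10138 |
| 2011-05 | 127634 |
| 2011-06 | 19613 |
| 2011-07 | 9844 |
| 2011-08 | 1898 |
| 2011-09 | 21 |
| 2011-10 | 32685 |
| 2011-11 | 42022 |
| 2011-12 | 16595 |
| 2012-01 | 19176 |
| 2012-02 | 54976 |
| 2012-03 | 23484 |
| 2012-04 | 10241 |
| 2012-05 | 13915 |
| 2012-06 | 8043 |
| 2012-07 | 1700 |
| 2012-08 | 27631 |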
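
To see the same picture from the defending side, here is an added example (not code from the original post) that tallies failed SSH password attempts per month from sshd log lines and shows why guessing spread across many machines slips under a per-address threshold while still standing out per account. The ISO 8601 timestamp prefix, the function names and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH's "Failed password" message; the ISO 8601 timestamp prefix
# is an assumption about how syslog is configured on the host.
FAILED = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation IP ranges), not data from the post.
SAMPLE_LOG = """\
2012-07-30T23:58:01 host sshd[700]: Failed password for root from 192.0.2.10 port 40001 ssh2
2012-08-01T02:11:07 host sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
2012-08-01T02:11:09 host sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
2012-08-01T02:15:44 host sshd[815]: Failed password for root from 203.0.113.5 port 51822 ssh2
2012-08-01T02:19:02 host sshd[816]: Accepted password for alice from 192.0.2.50 port 50022 ssh2
2012-08-01T02:31:20 host sshd[820]: Failed password for root from 203.0.113.99 port 33810 ssh2
2012-08-01T03:02:13 host sshd[822]: Failed password for oracle from 198.51.100.7 port 40155 ssh2
"""

def failed_logins(text):
    """Return (month, user, ip) for every failed password attempt."""
    return [(m["month"], m["user"], m["ip"])
            for m in map(FAILED.match, text.splitlines()) if m]

def attempts_per_month(events):
    """Monthly totals, the same shape as the table above."""
    return dict(sorted(Counter(month for month, _, _ in events).items()))

def sources_over_limit(events, limit):
    """Source addresses that a simple per-IP threshold would catch."""
    per_ip = Counter(ip for _, _, ip in events)
    return sorted(ip for ip, n in per_ip.items() if n >= limit)

def distributed_targets(events, min_sources):
    """Accounts guessed from at least min_sources distinct addresses."""
    sources = defaultdict(set)
    for _, user, ip in events:
        sources[user].add(ip)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    events = failed_logins(SAMPLE_LOG)
    print(attempts_per_month(events))
    print(sources_over_limit(events, limit=5))
    print(distributed_targets(events, min_sources=3))
```

In the constructed sample no single address reaches the per-IP limit, yet the root account is being guessed from four different addresses, which is the signature a per-account count picks up and a per-address count misses.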

 
