An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
Description
Attack Execution Flow
2
1
Step 1
Explore[Determine application's/system's password policy] Determine the password policies of the target application/system.
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
AI Translation
[Determina la politica delle password dell'applicazione/sistema] Identifica le policy relative alle password del sistema/applicazione target.
Determina le lunghezze minime e massime consentite per le password.
Determina il formato delle password consentite (se devono contenere numeri, caratteri speciali, ecc., o se sono opzionali).
Determina la politica di blocco degli account (una politica di blocco rigorosa impedirà gli attacchi di forza bruta).
Attack Techniques
-
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
-
Determine minimum and maximum allowed password lengths.IT: Determina la policy di blocco dell'account (una policy di blocco dell'account rigorosa impedirà gli attacchi brute force).
-
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).IT: Determina la policy di blocco dell'account (una policy di blocco dell'account rigorosa impedirà gli attacchi brute force).
2
Step 2
Exploit[Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
Perform an offline dictionary attack or a rainbow table attack against a known password hash.
AI Translation
[Brute force password] Data la quantità finita di possibili password determinata dalla policy di password stabilita nel passaggio precedente, provare tutte le possibili password per un ID utente noto fino a quando l'applicazione/sistema concede l'accesso.
Inserire manualmente o automaticamente tutte le possibili password tramite l'interfaccia dell'applicazione/sistema. Nella maggior parte dei sistemi, iniziare con le password più corte e semplici, poiché la maggior parte degli utenti tende a sceglierle se consentito.
Eseguire un attacco dictionary offline o un attacco con rainbow table contro un hash di password noto.
Attack Techniques
-
Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
-
Perform an offline dictionary attack or a rainbow table attack against a known password hash.IT: Inserire manualmente o automaticamente tutte le possibili password tramite l'interfaccia dell'applicazione/sistema. Nella maggior parte dei sistemi, iniziare con le password più corte e semplici possibili, poiché la maggior parte degli utenti tende a scegliere tali password se consentito.
Mitigations
3
Implement A Password Throttling Mechanism. This Mechanism Should Take Into Account Both The Ip Address And The Log In Name Of The User.
Passwords Need To Be Recycled To Prevent Aging, That Is Every Once In A While A New Password Must Be Chosen.
Put Together A Strong Password Policy And Make Sure That All User Created Passwords Comply With It. Alternatively Automatically Generate Strong Passwords For Users.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Indicators
1
Many incorrect login attempts are detected by the system.
Relationships
Related ATT&CK Techniques
1
T1110.001
Password Guessing
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to …
Resources Required
1
A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).