What is a Dictionary Attack? How the Attack works and How to Prevent the Dictionary Attack

 

A Dictionary attack is one of the ways through which the attackers try to gain access to the keys of the reign. Bad actors take advantage of people using common dictionary words as their passwords.


A study has proved how the majority of people like to reuse their passwords or use common phrases that are relatively easy to remember. 


Databases used in dictionary attack does not only include the common dictionary words, but also the passwords leaked in previous attacks.


Dictionary Attack Using Burp Suite Tool:

BurpSuite is indeed a great tool for testing vulnerability in web applications. We are here using its free-version which has limited capabilities but works well for learning! Lets began the process to brute force/dictionary attack. 


So, we’ll be using VM setup, with Kali and Bee-Box as a Web Server which is the victim. The process for setting up the Burp Suite and proxy in the browser is explained here. Make sure you have set up your proxy to your localhost.


STEP1: Intercepting the login Request


web

To capture the HTTP request, try entering the username and password on the logon form of Bee-Box. [With the Intercept ON] Once you hit the login button, Burp Suite will intercept the request and then forward the request or turn it off.


Now, right-click on the request and send it to the intruder.



Dictionary Attack

Intercepting Request

STEP2: Intruder

Once on your Intruder Tab, you will see the IP and the port you want to attack gets to fill in automatically. In case, if you did not make the request (as in step 1), you can manually put the information here under the “target” tab




Attack Ta

Now turn to the “position” tab. This is the same request (or information of raw packet) that you made before. The highlights here are the “potential injection” points marked by the BurpSuite



Dictionary Att

Payload Position

Here we know the username and just wanted to get through the password. For now, other things like sessionsIDs or security level or login are not required. Hit the “clear” as shown




Getting Session

And then highlight the parameter “password” and click Add. You would be able to see those little markers around the “password”. This means, that we will be passing a list of letters, which will go through each of those and send a request to the server


As only one parameter needs to be replaced, select the “Sniper” attack. Sniper attack uses only one payload set and replaces all the marked positions one by on


If you are trying both for the username and password, then select “Cluster Bomb”. It puts the first payload at the first position, and the second at other, and uses all the possible combination


Now, we are going to go forward and set payload. Since, we just working on finding the password, select 1. You can load the word list from Kali from the path- /usr/share/wordlist



Dictionary Att

Dictionary Attackacks.s.e.. IDs.sack.rget.


In here, I am manually adding the words, I want to test against the parameter password. And then hit “Start Attack”.


In the “result” window, you will notice that one word has different values for “length” and “status”. All others will have the same as the base request.



Dictionary Attack

Attack Result

How To Protect Yourself Against Dictionary Attack:

Dictionary or brute force attacks are not only limited to online attack, but also offline attacks. Some of the steps below are helpful for falling for these attacks:


Locking account after a maximum number of authentication attempts is reached.

Using multi-factor authentication to log in to your account.

Insert special characters in your passwords and an extra syllable to guard it against the Dictionary attack. (eg. P@$$$word).

Use a longer password with special characters and avoid reusing them. Use haveibeenpwned to look if your credentials have ever been leaked.

These are some of the steps, but not limited to these, which can strengthen the protection against these attacks.




Comments

Post a Comment

Popular posts from this blog

Brute force attack investigation

  Responsibility Index Phase Responsibility      Identification L1 Analyst:- GSOC Monitoring Team      Investigation  L2 Analyst:-This includes individuals from Network Team/GSOC Containment L2 Analyst: -  This includes individuals from Network Team/ Server team          Remediation L2 Analyst:-This includes Network Team/Server Team/GSOC Recovery L2 Analyst:-This includes Network Team/Server Team/GSOC Brute Force attack Procedure Identification Stage Stage Source Identification Brute Force incident is reported by  Network Team Incident/If the alert is raised by the SIEM Investigating Stage Stage Actions by Respective Team Investigation Security team checks If the Brute Force attack is identified and an alert generated via SIEM below parameters are considered for investigating: Source addresses of the attempts Firewall Action Investigating Destination on which brute force attem...
Read more

Which tools and software do we need?

 We will need some software when applying the dynamic analysis method. Let's take a look at these software categories. Virtualization Software We do not want to conduct dynamic analysis on our own system as we need to run the malware to be able to examine its activities. For this reason, we should make use of Virtualization Software that helps us work on some virtual systems. Thanks to these software, you can use a different operating system on your host operating system. If they are configured properly, you can perform your analysis safely, as malicious software cannot escape from this virtual operating system. It is useful to make a small note here on these virtualization software. Since these virtualization environments are essentially software, various vulnerabilities that allow malwares to escape out of these virtual environments and allow code executions on the host operating system may occur on these environments. For this reason, It is crucial to keep your virtualization so...
Read more

Packet drafting for IDS_IPS

 Table of contents Introduction Scapy-Overview Snort-Rule References Introduction In this article will demonstrate how we can generate packet that can test/trigger rule in Snort or Suricata using Scapy. Scapy is a packet manipulation tool for computer networks, originally written in Python by Philippe Biondi. It can forge or decode packets, send them on the wire, capture them, and match requests and replies. It can also handle tasks like scanning, tracerouting, probing, unit tests, attacks, and network discovery. Scapy Overview To run Scapy write scapy in your linux terminal as following: ┌──(kali㉿kali)-[~] └─$ sudo scapy [sudo] password for kali:                                                              aSPY//YASa                     apyyyyCY//////////YCa  ...
Read more