Channel: Malicious Code

The Dictionary Attack – A Summary with Social Context Analysis


As the title suggests, in this post I will summarize the dictionary attack based on the lecture notes “Password Protected Systems and the Annoying Dictionary Attack” by Avinash Kak. This post is a follow-up to the last one, since it discusses one of the many methods computer worms use to spread: the dictionary attack. At the end of the post I will discuss the social context of Kak’s lecture notes.

In these notes Kak starts out by briefly describing how worms often scan for open ports on the computers in a network in order to find a way to break in. He then narrows the notes down to port 22, the port used by the SSH service (commonly used for remote logins and other applications), and to the common attack used to break in through it, the dictionary attack. Kak describes the dictionary attack as the process in which a computer worm or a hacker tries a very large number of common account names; if one of those account names works, the worm or hacker then tries a very large number of common passwords in order to gain access to the account. Kak goes on to give an example of an actual dictionary attack carried out against moonshine.ecn.purdue.edu from the IP address 61.163.228.117, located in Henan, China (the location of an IP address can be looked up with tools such as http://geoiptool.com, as mentioned in the notes). The example shows the target computer’s logs of the attack, both the guessing of usernames (using common ones such as root, webmaster, webadmin, admin, guest, etc.) and the guessing of passwords (particularly for the root account).

The next section of Kak’s notes discusses the password file contained in the Conficker worm, which allows it to mount a dictionary attack on systems. This expands on his earlier discussion of the worm in his malware notes (mentioned in the previous post). The main part of this section is a partial list of the common passwords that the Conficker worm uses to attempt to break into machines.

At this point I will stray from summarizing the lecture notes to say a few words on passwords and what makes a good one. First, if you see any of your passwords in the partial list of Conficker’s dictionary, I strongly recommend that you change it. A good password should include lowercase and uppercase letters, numbers, and special characters (such as %, #, *, etc.). A good password should also be fairly long (I would recommend at least 8 characters). Other things to consider are making sure your password is not found in a physical dictionary and is not a name (of a person or of a user account). As a final recommendation, it is good to change your passwords regularly.
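To make the recommendations above concrete, here is an added example (my own code, not from Kak’s notes) that checks a candidate password against each rule in the paragraph: length, the four character classes, membership in a worm-style password list, and whether it is just a name. The word list and name list are small constructed stand-ins, not Conficker’s actual dictionary, and the `MIN_LENGTH` value of 8 is taken from the recommendation above.

```python
import re
import string

# Constructed stand-in for a worm's password list (NOT Conficker's real dictionary);
# a real check would load a full published wordlist instead.
SAMPLE_WORDLIST = {"password", "123456", "admin", "letmein", "qwerty", "secret"}

# Constructed account names and personal names that a password must not equal.
SAMPLE_NAMES = {"root", "admin", "guest", "webmaster", "alice", "bob"}

MIN_LENGTH = 8  # the post's recommended minimum length


def check_password(pw, wordlist=SAMPLE_WORDLIST, names=SAMPLE_NAMES):
    """Return the list of rule names the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.islower() for c in pw):
        failures.append("no_lowercase")
    if not any(c.isupper() for c in pw):
        failures.append("no_uppercase")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no_special")
    # Strip digits and punctuation and lowercase before the lookups, so a password
    # such as "Password1!" is still recognised as the dictionary word "password".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in wordlist or pw.lower() in wordlist:
        failures.append("in_wordlist")
    if core in names or pw.lower() in names:
        failures.append("is_name")
    return failures


def is_strong(pw):
    """True only when every rule from the post passes."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("admin", "Password1!", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the wordlist check deliberately looks at the password with its decorations removed: appending a digit and a symbol to a dictionary word satisfies the character-class rules but does little against an attacker whose list already contains such variants.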

Going back to the lecture notes, the final section discusses using methods such as log scanning or an outside tool called DenyHosts, by Phil Schwartz, to help prevent unauthorized access to a machine by a worm (or person) attempting a dictionary attack. Kak then describes how the DenyHosts tool works: it looks at the number of failed attempts an IP address makes and blocks that IP address if the attempts exceed a certain number. Kak also points out that if an attacker (be it worm or hacker) knows that a tool such as DenyHosts is running on the machine, it could limit the number of passwords tried for each username to one less than the limit (Kak shows this with another set of logs of the attack). This shows that while a tool such as DenyHosts is helpful, it does not guarantee complete protection against the dictionary attack.
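The following is an added example (my own code, not DenyHosts and not from Kak’s notes) that ties the two log-based points together: it parses failed-login lines of the kind shown in Kak’s first example and then applies two blocking policies, one that counts failures per username (which the “one less than the limit” trick in Kak’s second set of logs slips past) and one that counts all failures from an IP address together (which still catches it). The log lines are constructed in the style of an OpenSSH auth log with documentation-range IP addresses; they are not the logs from the notes, and the threshold of 3 is an arbitrary choice for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (not Kak's logs).
# 198.51.100.7 hammers the root account; 203.0.113.9 spreads its guesses so that
# no single username sees more than 2 failures.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Invalid user webmaster from 198.51.100.7 port 51022
Jan 10 03:12:03 host sshd[2101]: Failed password for invalid user webmaster from 198.51.100.7 port 51022 ssh2
Jan 10 03:12:05 host sshd[2103]: Invalid user webadmin from 198.51.100.7 port 51030
Jan 10 03:12:06 host sshd[2103]: Failed password for invalid user webadmin from 198.51.100.7 port 51030 ssh2
Jan 10 03:12:08 host sshd[2105]: Failed password for root from 198.51.100.7 port 51044 ssh2
Jan 10 03:12:10 host sshd[2105]: Failed password for root from 198.51.100.7 port 51044 ssh2
Jan 10 03:12:12 host sshd[2105]: Failed password for root from 198.51.100.7 port 51044 ssh2
Jan 10 03:12:14 host sshd[2109]: Failed password for admin from 203.0.113.9 port 40012 ssh2
Jan 10 03:12:16 host sshd[2109]: Failed password for admin from 203.0.113.9 port 40012 ssh2
Jan 10 03:12:18 host sshd[2110]: Failed password for invalid user guest from 203.0.113.9 port 40020 ssh2
Jan 10 03:12:19 host sshd[2110]: Failed password for invalid user guest from 203.0.113.9 port 40020 ssh2
Jan 10 03:12:20 host sshd[2111]: Accepted publickey for alice from 192.0.2.44 port 50200 ssh2
"""

# Matches both "Failed password for root from X" and
# "Failed password for invalid user guest from X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def failed_attempts(log_text):
    """Return {ip: {username: failure_count}} built from 'Failed password' lines only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts


def block_per_user(counts, limit):
    """Naive policy: block an IP only when it fails `limit` times against ONE username.
    An attacker who stops at limit-1 guesses per account never trips this."""
    return sorted(ip for ip, users in counts.items()
                  if any(n >= limit for n in users.values()))


def block_per_ip(counts, limit):
    """Stricter policy: every failure from the IP counts toward the limit regardless
    of username, so spreading guesses across accounts is still caught."""
    return sorted(ip for ip, users in counts.items()
                  if sum(users.values()) >= limit)


if __name__ == "__main__":
    counts = failed_attempts(SAMPLE_LOG)
    print("per-username blocking:", block_per_user(counts, 3))
    print("per-address blocking: ", block_per_ip(counts, 3))
```

Even the per-address policy has a limit of its own that the example does not address: an attacker with many source addresses can keep each one under the threshold, which is why Kak's conclusion that such tools help but do not guarantee protection still holds.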

As for the social context, the notes were written by a teacher (Kak) for a class on Computer and Network Security. This means that the intended audience was undergraduate students studying computer science (who probably already have a background in network programming), and the notes are written at a level suited to an undergraduate computer science major. However, since the notes have been posted on the internet, they have probably gained a much wider audience consisting of people who do not necessarily study computer science (for example, a couple of searches on passwords could lead a person to these notes, which contain a partial list of common passwords: Conficker’s dictionary). The notes are not useless to these people; in fact, one piece of information that nearly anyone can take away from them is that a strong password is extremely important for keeping an account secure. Also, a person who found these notes and is concerned about the security of their computer may find the tools Kak explains useful.