Video Screencast Help
Cyber Security Group

Horizontal Password Guessing Attacks Part II

Created: 15 Nov 2013 • Updated: 18 Nov 2013
Vince Kornacki's picture
+6 6 Votes
Login to vote

Welcome back! In our last installment we started planning our horizontal password guessing attack by identifying the ten most common passwords. Hopefully none of those terrible passwords are scrawled on little sticky notes anywhere in the vicinity of your cubicle! But what about usernames?  What usernames should we guess? If the target application employs an established username format, you can easily predict common usernames. For example, consider an application that constructs the username by combining the user's first initial and last name. For example, the username for John Doe would be "jdoe". According to the United States Social Security, these are the top ten male names issued during the 1980's:

      1. Michael
      2. Christopher
      3. Matthew
      4. Joshua
      5. David
      6. James
      7. Daniel
      8. Robert
      9. John
    10. Joseph

 And these are the top ten female names issued during the 1980's:
 
      1. Jessica
      2. Jennifer
      3. Amanda
      4. Ashley
      5. Sarah
      6. Stephanie
      7. Melissa
      8. Nicole
      9. Elizabeth
    10. Heather

Why the 1980's, you ask? We'll guess that our median user is in their 30's. But more importantly, the 1980's featured unbelievable songs like "Come On Eileen" and "Total Eclipse Of The Heart". In any case, we can deduce that the most common male and female first names start with the following letters:

      1. A
      2. C
      3. D
      4. E
      5. H
      6. J
      7. M
      8. N
      9. R
    10. S
 
So the ten most common male and female first names condense into a list of exactly ten first initials? Well isn't that convenient! But what about last names? According to the United States Census Bureau, these are the ten most common last names:

      1. Smith
      2. Johnson
      3. Williams
      4. Brown
      5. Jones
      6. Miller
      7. Davis
      8. Garcia
      9. Rodriguez
    10. Wilson

I bet poor Tom Hanks still misses #10. In any case, we now have all the right ingredients to brew our secret sauce. We can write a script to enumerate the most common 100 usernames by sequentially combining the ten most common first initials with the each of the ten most common last names. For example:

      1.  asmith
      2.  csmith
      3.  dsmith
      4.  esmith
      5.  hsmith
           . . .
    96.  jwilson
    97.  mwilson
    98.  nwilson
    99.  rwilson
  100.  swilson
 
That's our list of 100 target usernames! Finally each of the 100 target usernames can be combined with each of the ten most common passwords from our last installment:

      1.  asmith/password
      2.  asmith/123456
      3.  asmith/12345678
      4.  asmith/abc123
      5.  asmith/qwerty
            . . .
   996.  swilson/monkey
   997.  swilson/ letmein
   998.  swilson/dragon
   999.  swilson/111111
 1000.  swilson/baseball

Voilà! We now have an optimized list of 1,000 usernames and passwords to feed into our password guessing tool. But I know what you're thinking. Does it really work? The answer is a definitive YES! I have personally implemented this technique with excellent results while conducting penetration tests for Symantec clients. Just modify the username format to fit your needs (for example "first.last" or "first_last") and let your password guessing tool rip!

So what's the moral of the story? Reinforce password defenses whenever possible. Remember those three example applications that we mentioned in our last installment? The SSH server, the banking web application, and the webmail application? Here are suggestions for each:
  • SSH Server – Avoid passwords whenever possible. For example, implement SSH public key authentication.
  • Financial web application – Supplement passwords with two factor authentication. For example, deploy VeriSign VIP tokens.
  • Webmail application – Ensure passwords adhere to stringent password length and complexity requirements. For example, require passwords to be eight characters in length and include uppercase letters, lowercase letters, numbers, and special characters. In addition, implement account lockout. Furthermore, educate user about password management tools such as Bruce Schneier's outstanding Password Safe.
Well I hope you've enjoyed our examination of horizontal password guessing attacks. Hopefully after reading these blog posts, stronger passwords and more secure applications will be on your horizon! (Sorry, I just couldn't resist.)
Blog Entry Filed Under: