CAPEC-16: Dictionary-based Password Attack

Description

<p>An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.<p><p>Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.<p>

Extended Description

For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

Severity :

High

Possibility :

Medium

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-49: Password Brute Forcing Password Brute Forcing CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-560: Use of Known Domain Credentials Use of Known Domain Credentials CAPEC-561: Windows Admin Shares with Stolen Credentials Windows Admin Shares with Stolen Credentials CAPEC-600: Credential Stuffing Credential Stuffing CAPEC-653: Use of Known Operating System Credentials Use of Known Operating System Credentials

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The system uses one factor password based authentication.
The system does not have a sound password policy that is being enforced.
The system does not implement an effective password throttling mechanism.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low A variety of password cracking tools and dictionaries are available to launch this type of an attack.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-262: Not Using Password Aging

CWE-263: Password Aging with Long Expiration

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-308: Use of Single-factor Authentication

CWE-309: Use of Password System for Primary Authentication

CWE-521: Weak Password Requirements

CWE-654: Reliance on a Single Factor in a Security Decision

Visit http://capec.mitre.org/ for more details.