CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
Last updated
Overview
CAPEC-16 (Dictionary-based Password Attack) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine application's/system's password policy] Determine the password policies of the target application/system.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
- Step 2Explore
[Select dictionaries] Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)
- Select dictionary based on particular users' preferred languages.
- Select dictionary based on the application/system's supported languages.
- Step 3Explore
[Determine username(s) to target] Determine username(s) whose passwords to crack.
- Obtain username(s) by sniffing network packets.
- Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)
- Obtain usernames from filesystem (e.g. list of directories in C:\Documents and Settings\ in Windows, and list in /etc/passwd in UNIX-like systems)
- Step 4Exploit
[Use dictionary to crack passwords.] Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.
- Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
- Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).
What the attacker needs
Prerequisites
- The system uses one factor password based authentication.
- The system does not have a sound password policy that is being enforced.
- The system does not implement an effective password throttling mechanism.
Skills required
- Low skill: A variety of password cracking tools and dictionaries are available to launch this type of an attack.
Resources required
- A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.
Consequences
What a successful CAPEC-16 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authentication
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-16.
- Create a strong password policy and ensure that your system enforces this policy.
- Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.
- Leverage multi-factor authentication for all authentication services.
How to detect it
Indicators that this attack may be underway.
- Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.
Examples
A system user selects the word "treacherous" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.
The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server. Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques. See also: CVE-2003-1096
Frequently asked questions
Common questions about CAPEC-16.
- What is CAPEC-16?
- An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
- How does a Dictionary-based Password Attack attack work?
- It typically unfolds over 4 phases. It begins with: [Determine application's/system's password policy] Determine the password policies of the target application/system.
- How do you prevent CAPEC-16?
- Create a strong password policy and ensure that your system enforces this policy.
- What weaknesses does CAPEC-16 target?
- CAPEC-16 exploits 7 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-308 (Use of Single-factor Authentication).
- How severe is CAPEC-16?
- MITRE rates CAPEC-16 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-16
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.