
What defensive measures will you take to protect from password brute-force attacks?

starriol

Member
I was asked this on a test for the CEH. What would you answer? My own answer is at the bottom.

What defensive measures will you take to protect your network from password brute-force attacks? (Choose all that apply.)

A) Never leave a default password.

B) Never use a password that can be found in a dictionary.

C) Never use a password related to the hostname, domain name, or anything else that can be found with Whois.

D) Never use a password related to your hobbies, pets, relatives, or date of birth.

E) Use a word that has more than 21 characters from a dictionary as the password.

What do you say? For me, if you are strict, the first 4 cannot be true since they would protect specifically from dictionary attacks, not brute force. The last one would surely protect you from a brute force attack, because even when using only lower case letters for the password, it would take TRILLIONS of years to compute all the combinations.

But, guess what? The correct answer is to select all the first 4!!! WTF???
The justification is: "A dictionary word can always be broken using brute force"

What do you think?
 
That's a cheesy question designed to trip you up. I hate shit like that. You get so used to being screwed through school by the clever wording of questions, that you read between the lines to figure out what they REALLY mean :^S

I would have answered A-D. I don't go to school, and I haven't studied password cracking at all, but here are my reasons...

A) "password" or "admin" or whatever would go down fast in a brute force attack

B) I would expect an algorithm that uses a dictionary to brute force first, before going to random characters. More likely to see results quicker.

C) Same as above. A clever cracker should be able to weight certain words or combinations thereof. If /I/ were to write a brute force cracker, I'd allow the entry of preferential words to check in combination with other words to hopefully speed up the process.

D) See C above

E) See B above
 
Be aware that you probably agreed to not discuss any of the content on the exam when you took it. I haven't done CEH, but it's pretty standard for cert exams to have that kind of clause.

Anyway - the test answer (A - D) looks like the best answer to me. A and B are obvious. C and D contain information that Pen Testers are taught to gather while performing reconnaissance (D is usually easily retrieved from Social Networking sites).

E can't be true, because a word from a dictionary is not complex and is limited to the 26 characters in the alphabet (52 if you count upper and lower case).
 
If you have true security measures on a particular system, it should be able to detect brute force attacks. This could be done a number of ways, but the easiest are:

Enabling user account lockouts after 3-5 unsuccessful login attempts for a number of minutes/hours....or until an administrator intervenes.
Logging source IPs and blacklisting when intrusions are detected.
Disabling root/admin logins via ssh or web guis.
Using OSSEC for LIDS/HIDS.
Using IPTABLES to log attempts to ports that are not explicitly open.
 
On my very trusted machines that only I have physical access to but are network reachable I set 12+ character random passwords for all administrator accounts, and only use locked down accounts for my daily work.

On top of that, SSH (non-default port) is blocked by default with iptables and only through some port knocking will it open up long enough to establish a session.

If you happen to get the SSH port open long enough to try brute forcing the passwords iptables will drop the traffic from that IP permanently.

As far as answering the question in the OP, it doesn't matter what your password is set to, a brute force attack will eventually find the password.

If you are serious about stopping a brute force attack you'll look into a multiple factor authentication scheme, such as needing an RSA key + password to login. Port knocking, which I use, could be considered a form of two-factor authentication if I keep the port knocking algorithm secret (which ports I'm connecting to and during what time frames).
 
As far as answering the question in the OP, it doesn't matter what your password is set to, a brute force attack will eventually find the password.

I agree with all this but I would comment specifically here, brute force estimated times often assume that your system is replying as fast as it can take brute requests. This works on hashes (i.e. you're already compromised) but for external attacks you can cause a 'world of hurt' by simply throttling the login process.

Windows / Linux does this already. Setting it to 3 login attempts with 3 seconds delay and then all beyond 30 seconds+ will greatly slow down a brute force.
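The two controls discussed in this thread, the lockout/blacklist list a few posts up and the login throttling described just above, can be put together in a small model so the effect on an online attacker is visible in numbers rather than estimates. The following is an added example, not code from any of the posters: it applies escalating delays, a per-account lockout and a per-source blacklist to a constructed stream of login attempts, then computes the guess rate the policy leaves an attacker and how long exhausting a keyspace would take at that rate versus an offline hash rate. Every threshold, the IPs, the usernames, the 200k-word dictionary size and the 1e12/s offline rate are assumptions chosen for illustration.

```python
"""Login throttling / lockout model.

Added example for this thread, not code from any of the posts. It models the
controls described above (escalating delays, per-account lockout, dropping a
source after too many failures) and shows what the policy does to an online
attacker's sustained guess rate. All thresholds, addresses, usernames and the
offline hash rate are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class Policy:
    free_attempts: int = 3        # consecutive failures answered with no added delay
    short_delay_s: float = 3.0    # delay for the failures after that ...
    long_after: int = 6           # ... until this count, from which the long delay applies
    long_delay_s: float = 30.0
    lockout_failures: int = 6     # consecutive failures that lock the account
    lockout_s: float = 900.0      # lockout duration (15 min)
    blacklist_failures: int = 20  # failed/locked attempts from one source before it is dropped


def delay_for(p: Policy, n_failures: int) -> float:
    """Delay (seconds) the server imposes on the n-th consecutive failure."""
    if n_failures <= p.free_attempts:
        return 0.0
    if n_failures < p.long_after:
        return p.short_delay_s
    return p.long_delay_s


@dataclass
class Throttle:
    policy: Policy = field(default_factory=Policy)
    fail: dict = field(default_factory=lambda: defaultdict(int))      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)                  # user -> unlock timestamp
    src_fail: dict = field(default_factory=lambda: defaultdict(int))  # source -> total failures
    blacklist: set = field(default_factory=set)

    def _note_source_failure(self, src: str) -> None:
        self.src_fail[src] += 1
        if self.src_fail[src] >= self.policy.blacklist_failures:
            self.blacklist.add(src)  # the "log source IPs and blacklist" step

    def attempt(self, ts: float, src: str, user: str, password_ok: bool):
        """Return (verdict, imposed_delay_seconds) for one login attempt at time ts."""
        p = self.policy
        if src in self.blacklist:
            return "dropped", 0.0             # like an iptables DROP: no reply at all
        if ts < self.locked_until.get(user, 0.0):
            self._note_source_failure(src)    # hammering a locked account still counts
            return "locked", 0.0
        if user in self.locked_until:         # lock expired: start counting afresh
            del self.locked_until[user]
            self.fail[user] = 0
        if password_ok:
            self.fail[user] = 0
            return "accepted", 0.0
        self.fail[user] += 1
        self._note_source_failure(src)
        n = self.fail[user]
        if n >= p.lockout_failures:
            self.locked_until[user] = ts + p.lockout_s
            return "rejected+locked", delay_for(p, n)
        return "rejected", delay_for(p, n)


def max_online_guess_rate(p: Policy) -> float:
    """Upper bound on guesses/second against ONE account: per lockout cycle the
    attacker gets lockout_failures guesses, pays each delay, then waits lockout_s.
    Assumes the attacker rotates sources so the blacklist never applies."""
    cycle = p.lockout_s + sum(delay_for(p, n) for n in range(1, p.lockout_failures + 1))
    return p.lockout_failures / cycle


def years_to_exhaust(keyspace: int, guesses_per_s: float) -> float:
    """Time to try every candidate (the worst case for the attacker)."""
    return keyspace / guesses_per_s / SECONDS_PER_YEAR


# Constructed attempt stream (not captured traffic): one source guesses "admin"
# once a second for 21 s, a legitimate user logs in in the middle, the attacker
# then tries a correct password for another account, and admin returns after the lock.
ATTACKER, LEGIT = "203.0.113.7", "198.51.100.20"
SAMPLE_ATTEMPTS = sorted(
    [(float(t), ATTACKER, "admin", False) for t in range(21)]
    + [(6.5, LEGIT, "alice", True), (22.0, ATTACKER, "alice", True), (910.0, LEGIT, "admin", True)]
)


def run(attempts=SAMPLE_ATTEMPTS, policy=None):
    """Feed attempts through a fresh Throttle; return (results, throttle)."""
    th = Throttle(policy or Policy())
    results = [(ts, src, user) + th.attempt(ts, src, user, ok) for ts, src, user, ok in attempts]
    return results, th


if __name__ == "__main__":
    results, th = run()
    for ts, src, user, verdict, delay in results:
        print(f"t={ts:6.1f} {src:14} {user:6} {verdict:16} delay={delay:4.1f}s")
    print("blacklisted:", sorted(th.blacklist))
    rate = max_online_guess_rate(Policy())
    print(f"online guess rate under policy: {rate:.4f}/s")
    print(f"26^21 lowercase, offline at 1e12/s:     {years_to_exhaust(26**21, 1e12):.3g} years")
    print(f"26^21 lowercase, online throttled:      {years_to_exhaust(26**21, rate):.3g} years")
    print(f"200k-word dictionary, online throttled: {years_to_exhaust(200_000, rate):.3g} years")
```

Running it shows the attacker's sixth guess locking the account, the source being dropped once it has racked up 20 failures (correct passwords from that address are then dropped too), and the legitimate admin login succeeding after the lock expires. The rate figures make the thread's point concrete: the same policy that turns 26^21 lowercase into an astronomically long online search also stretches a 200k-word dictionary to roughly a year of continuous guessing, while against a stolen hash neither the delay nor the lockout exists and only the keyspace matters.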
 
I agree with all this but I would comment specifically here, brute force estimated times often assume that your system is replying as fast as it can take brute requests.
Yeah. Any kind of forced login delay or lockout pretty much kills brute force attacks on "long" (say 20-character or more) passwords
 
Actually, as phrased, none of the above. Every single one can be brute forced (some are easier with dictionaries, some with algorithms.) To protect the network, you have to use mitigation strategies to prevent anyone from being a man in the middle or access to the authentication or requesting box. And E), wow... that would be an easier dictionary attack. The number of 21+ letter dictionary words will cut down on the choices (what would that be? 1 word?). Impractical, but still.

Oh, and their justification that a dictionary word can always be broken with brute force would be false. You have to guess what the encryption scheme is, how to attack it, etc (which is common for most systems, but other factors can be used in some cases). Any system that allowed multiple attempts or off-line cracking is already at risk, use 2 factor. If someone were using a large encryption key as part of the auth scheme, the info would be useless by the time you cracked it.
 
You guys don't get it. It's a multiple choice test question, so the answer has to be there. The question does not say "What are the first, last, and only things you will do to protect your network from a brute-force attack?". The question says "What defensive measures will you take to protect your network from password brute-force attacks?" A, B, C and D are absolutely some of the defensive measures you would take to protect from brute-force...E is not.

If you get this question wrong, you either don't understand the info sec concepts that are being presented, or you don't know how to take a multiple choice test.
 