Performing a dictionary attack on my own site
I would like to perform a dictionary attack or, if it is easier, an attack directly in the database with my hashed passwords in order to find out which users of my site are using simple passwords.
I will be implementing some complexity rules when creating passwords but I would love to be able to contact the users who have simple dictionary words and ask them to change their passwords.
The database is MySQL with MD5 hashed passwords. The rest of the site is written in PHP.
My assumption is I need a dictionary file and then an automated way to test each word against each user, but I have over 1000 users to look through and I am sure there are well over 10,000 potential words to test so I have no idea of the best way to automate that type of thing.
Any help or guidance would be extremely appreciated.
The database is MySQL with MD5 encrypted passwords.
... with MD5 hashed passwords. Hashing != Encryption
The most straightforward way to carry out the attack is to get your dictionary words in a list, say $dict, and:

    foreach ($dict as $word) {
        $hash = md5($word);
        $db->query("SELECT username FROM users WHERE password='$hash'");
        // and see if any rows are returned
    }

That being said, you should:
- Use SHA1 as your hashing algorithm since MD5 is broken.
- Use salts. Recommended read: Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks
- Get a dictionary
- Encode the dictionary words into MD5. Take into account the uppercase and lowercase variations.
- Select useremail from the database where password in the set of encoded words.
- Send emails to those emails.
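
The steps listed above, done in memory with a single pass over the user rows instead of one query per word. This is an added example, not code from any of the original answers; the sample words and rows are constructed, the `useremail` and `password` column names follow the page, and the function names are hypothetical. It returns only the addresses to notify and never outputs the matched word.

```php
<?php
// Added example: offline audit of unsalted MD5 hashes against a word list.
// In practice, load $words from a dictionary file and $users from the users table.

/** Return the case variations to test for one dictionary word. */
function caseVariants(string $word): array
{
    $lower = strtolower($word);
    return array_unique([$word, $lower, strtoupper($lower), ucfirst($lower)]);
}

/** Build a lookup set (md5 hex => true) covering every variant of every word. */
function buildWeakHashSet(array $words): array
{
    $set = [];
    foreach ($words as $word) {
        $word = trim($word);
        if ($word === '') {
            continue; // skip blank lines in the dictionary
        }
        foreach (caseVariants($word) as $variant) {
            $set[md5($variant)] = true;
        }
    }
    return $set;
}

/** Return the e-mail addresses whose stored hash is in the weak set. */
function findWeakAccounts(array $users, array $weakSet): array
{
    $flagged = [];
    foreach ($users as $user) {
        // Stored hashes may be upper- or lower-case hex; md5() returns lower-case.
        if (isset($weakSet[strtolower($user['password'])])) {
            $flagged[] = $user['useremail'];
        }
    }
    return $flagged;
}

// Constructed sample data.
$words = ['password', 'Dragon', 'sunshine', ''];
$users = [
    ['useremail' => 'alice@example.com', 'password' => md5('PASSWORD')],
    ['useremail' => 'bob@example.com',   'password' => md5('k7#Vq9!zLw2p')],
    ['useremail' => 'carol@example.com', 'password' => strtoupper(md5('dragon'))],
];

print_r(findWeakAccounts($users, buildWeakHashSet($words)));
```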
If the MD5 hashes are unsalted, then you will likely be able to read the weak or only moderately strong user passwords in plaintext by entering the hashes into an online rainbow table, for example: http://gdataonline.com/seekhash.php
A dictionary attack is not needed then.
If you are using unsalted MD5 passwords in your application, then you should be beaten up with a rusty iron rod of course.
10,000 words and 1,000 users doesn't sound too bad. Start with something like this:
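    <?php
    // Load the dictionary file into an array, one word per line
    // ('dictionary.txt' is a placeholder file name).
    $words = file('dictionary.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

    // $db is assumed to be an open PDO connection to the MySQL database.
    // Binding the word as a parameter quotes it correctly inside MD5().
    $stmt = $db->prepare('SELECT name FROM users WHERE password = MD5(?)');

    foreach ($words as $word) {
        $stmt->execute([$word]);
        while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            print($row['name'] . "\n");
            // send an email, save to a file, etc.
        }
    }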
Build an index on password beforehand and you should be good to go.
There's shareware and freeware out on the Internet that claims to perform brute force or dictionary attacks on websites.
I hesitate to recommend any, or even suggest that these programs do what they say they do.
If you're going to download one, test it out on an isolated computer.
Force all users to change their passwords with the new policy. This way is a lot easier.
Check their passwords when they log in next time. If any password is weak, redirect the user to the change password page, and force him/her/it to change it.