Unit 2: Password Cracking
2.1 Password Cracking: Brute Force Attacks

In a future unit, we'll learn how attackers can get possession
of a database containing hashed passwords.

For now, we'll just assume they haven't.

The first possible attack is a brute force attack which might be necessary
when dealing with complex passwords.

Complex passwords have some or all of the following characteristics:
they are changed at regular time intervals, like 180 days; they have a minimum length,
for instance, 10 characters; they use at least three of the following categories:
uppercase letters, lowercase letters, numbers, symbols; and they can't be reused,
at least going back in the history of a number of recent passwords.

This is why there's a minimum time frame for a password, in some cases,
to prevent users from entering 10 passwords so they can get back to their favorite one.

In May 2017, NIST, the National Institute of Standards and Technology, drafted guidelines
that dealt a big blow to complex passwords.

NIST recommended removing periodic password change requirements and removing the need
for required character groups of uppercase letters, lowercase letters, numbers and symbols.

NIST recommended adding the screening of possible passwords
against password lists and known compromised passwords.

The belief is that overly complex passwords and passwords
that change too frequently are too hard for users to remember
and these users will resort to writing them down.

Furthermore, keystroke logging, phishing, and social engineering attacks work just as well
on lengthy complex passwords as they do on simple ones.
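
The contrast between the older complexity rule and the screening approach NIST recommended can be seen side by side in the following added example, which is not part of the lecture. The word lists, the `MIN_LENGTH` value and all function names are assumptions constructed for illustration.

```python
import hashlib
import unicodedata

# Constructed sample data; real lists hold millions of entries.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou1"}
# SHA-1 is used here only as a lookup key into the list, not for storage.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("P@ssw0rd123", "Summer2017!!")
}
MIN_LENGTH = 8  # assumed policy value, not taken from the lecture


def legacy_complexity_ok(pw, min_length=10):
    """Old-style rule from the lecture: minimum length, 3 of 4 categories."""
    categories = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # symbols, including spaces
    ]
    return len(pw) >= min_length and sum(categories) >= 3


def screen_password(candidate):
    """Screening-based check: length plus list lookups, no category rules."""
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.casefold() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        return False, "known compromised"
    return True, "accepted"


def compare(candidates):
    """Return (password, legacy verdict, screening verdict) for each input."""
    return [(pw, legacy_complexity_ok(pw), screen_password(pw)[0])
            for pw in candidates]


if __name__ == "__main__":
    for row in compare(["P@ssw0rd123", "purple stapler river moon", "Password"]):
        print(row)
```

The first candidate satisfies every complexity category yet is rejected by screening, while the long lowercase passphrase fails the category rule and passes screening.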

So let's talk about doing this brute force attack.

One method involves iterating through all possible lowercase letters, uppercase letters,
numbers, and symbols for all lengths.

That could take forever.

To speed things up, you can restrict the iterations to a minimum length
and maximum length of characters.

Another restriction for speed involves the character sets, which could be just letters,
just lowercase letters, just uppercase letters, just numbers, just symbols,
or some combination of different character sets.

You could even use a program like Crunch which uses all the previously mentioned restrictions
but also gives you more control over specifics.

Examples include allowing just certain characters from a single character set
or multiple character sets as well as including a known string, like a birthdate.

Crunch's generated word list can be dynamically passed to a program
that attempts to crack the passwords.

The Crunch word list can also be saved to a file and later passed
to a password-cracking program, like "John the Ripper."

John the Ripper, though, can do a brute force attack on its own, without any input file.

For the actual cracking, the generated words are hashed and the hashes are compared
to the stolen password-hash database file.

If a generated hash matches a hash from the stolen database,
the attacker can simply associate the matching hash with its plain text input.

Remember, algorithms for hashing, like algorithms for encryption, are never secret.

Seeing a hashed password database is, in most cases, all you need to determine the algorithm
since the lengths of the hashes are fixed for each function,
like MD5, SHA-1, SHA-256, and SHA-512.
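
The fixed-length property described above is what lets anyone auditing a credential store recognise how its passwords are stored. The following is an added example, not part of the lecture; the records are constructed and the function names are assumptions.

```python
import hashlib
from collections import Counter

# The four functions named in the lecture; hex length is 2 x digest bytes.
NAMED = ("md5", "sha1", "sha256", "sha512")
HEX_LEN_TO_ALGO = {hashlib.new(name).digest_size * 2: name for name in NAMED}


def classify(digest):
    """Guess the hash function of a stored value from its hex length."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return "not-hex"          # e.g. a salted, self-describing format
    # Length only narrows the choice: other functions share these sizes.
    return HEX_LEN_TO_ALGO.get(len(d), "unknown-length")


def audit(lines):
    """Count candidate algorithms across 'user:hash' records."""
    counts = Counter()
    for line in lines:
        _user, _, digest = line.partition(":")
        counts[classify(digest)] += 1
    return dict(counts)


# Constructed records (hashes of made-up strings), not real credentials.
SAMPLE = [
    "alice:" + hashlib.md5(b"constructed-1").hexdigest(),
    "bob:" + hashlib.sha1(b"constructed-2").hexdigest(),
    "carol:" + hashlib.sha256(b"constructed-3").hexdigest(),
    "dave:" + hashlib.sha512(b"constructed-4").hexdigest(),
    "erin:" + hashlib.md5(b"constructed-5").hexdigest(),
    "frank:$placeholder$not-a-hex-digest",
    "grace:abc123",
]

if __name__ == "__main__":
    print(HEX_LEN_TO_ALGO)
    print(audit(SAMPLE))
```

Records that classify as one of these four bare digests are the ones to prioritise for migration, since the storage format reveals the function to anyone who reads the file.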

The pro to a brute force attack is that you are guaranteed
to find the matching hash by trying all possible characters.

The con is you might not be alive to see it.

The time needed to parse through tons and tons of permutations and combinations
of letters is a reason why you might decide to go the route
of a dictionary attack or a rainbow table attack.

Long and strong passwords render such an attack useless since hackers don't want to tie
up so many resources in cracking passwords for hours, days, weeks, months, and years.
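
To put numbers on why length defeats exhaustive search, the following added example (not part of the lecture) counts the candidates for a given choice of character sets and length range, the same restrictions discussed earlier, and converts that to worst-case time. The guess rate and the comparison cases are assumptions.

```python
import string

CHARSETS = {
    "lower": string.ascii_lowercase,    # 26 characters
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32 printable ASCII symbols
}
GUESSES_PER_SECOND = 10**10  # assumed attacker rate, not from the lecture


def keyspace(classes, min_len, max_len):
    """Number of candidate strings over the chosen sets and length range."""
    alphabet = len(set("".join(CHARSETS[c] for c in classes)))
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def worst_case(classes, min_len, max_len, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; the average hit comes at about half."""
    return humanize(keyspace(classes, min_len, max_len) / rate)


ALL = ["lower", "upper", "digits", "symbols"]
POLICIES = [  # constructed comparison cases
    ("4-digit PIN", ["digits"], 4, 4),
    ("8 lowercase", ["lower"], 8, 8),
    ("8 mixed, all sets", ALL, 8, 8),
    ("10 mixed, all sets", ALL, 10, 10),
    ("16 lowercase", ["lower"], 16, 16),
]

if __name__ == "__main__":
    for label, classes, lo, hi in POLICIES:
        print(f"{label:20} {keyspace(classes, lo, hi):.3e}  "
              f"{worst_case(classes, lo, hi)}")
```

Sixteen lowercase letters give a larger search space than ten characters drawn from all four sets, which is the arithmetic behind favouring length over required character groups.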

Reposted from: https://www.cnblogs.com/sec875/articles/10015910.html
