Network Security Essentials. Fifth Edition by William Stallings. Chapter 11. Intruders.
by William Stallings
They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern’s code. If he had the ‘in’ at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt.
—Talking to Strange Men, Ruth Rendell
1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords (those of one to three characters).
3. Try words in the system’s online dictionary or a list of likely passwords.
Examples of the latter are readily available on hacker bulletin boards.
4. Collect information about users, such as their full names, the names of their
spouse and children, pictures in their office, and books in their office that are
related to hobbies.
5. Try users’ phone numbers, Social Security numbers, and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse (described in Chapter 10) to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
(This table can be found on page 348 in the textbook.)
USTAT Actions versus SunOS Event Types
Observed Password Lengths [SPAF92a]
Passwords Cracked from a Sample Set of 13,797 Accounts [KLEI90]
(This table can be found on page 364 in the textbook.)
* Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.