Study Guide: CompTIA Security+ Password Attacks - Zero-Fluff, Hands-On Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-password-attacks-zero-fluff-hands-on-guide


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CompTIA Security+ Password Attacks: Zero-Fluff, Hands-On Guide

(Brute Force, Dictionary, Rainbow Tables, Spraying)


1. What This Is & Why It Matters

Password attacks are the #1 initial access vector in real-world breaches. If you’re a SOC analyst, pentester, or sysadmin, you will see these attacks daily—whether in logs, SIEM alerts, or failed login attempts.

Why this matters in production:
  • Brute force attacks can lock out legitimate users (DoS) or crack weak passwords in minutes.
  • Dictionary attacks exploit human laziness (e.g., Password123, Winter2024).
  • Rainbow tables bypass hashing by precomputing password hashes—if you’re not using salts, you’re toast.
  • Password spraying evades lockout policies by trying one password across many accounts (e.g., Spring2024! on every user).

Real-world scenario: You’re a security engineer at a mid-sized company. Your SIEM flags 500 failed login attempts in 5 minutes from a single IP. Is this a brute force attack? A misconfigured script? Or a password spray trying Company123! on every account? You need to know how these attacks work to respond correctly.


2. Core Concepts & Components

Brute Force Attack

  • Definition: Trying every possible combination of characters until the password is cracked.
  • Production insight: Modern GPUs can crack an 8-character lowercase password in ~2 hours. A 12-character mixed-case + symbols password takes centuries.
  • Example: a, b, c, ..., aa, ab, ac, ..., 123456, ...

Dictionary Attack

  • Definition: Using a predefined list of common passwords (e.g., rockyou.txt, leaked password dumps).
  • Production insight: 80% of breaches involve weak or reused passwords. If your users pick Password123, a dictionary attack will crack it instantly.
  • Example wordlists:
    • rockyou.txt (14M passwords, leaked from a 2009 breach)
    • SecLists (GitHub repo with 100+ wordlists)

Rainbow Table Attack

  • Definition: A precomputed table of password hashes (e.g., MD5, SHA-1) to reverse-engineer passwords without brute-forcing.
  • Production insight: Rainbow tables fail against salted hashes (a random value added before hashing). If your database stores SHA256(password + salt), rainbow tables are useless.
  • Example:
    • Without salt: SHA256("password123") = ef92b778...
    • With salt: SHA256("password123" + "x7Fk9") = 3a1b5c... (unique per user)

Password Spraying

  • Definition: Trying one common password (e.g., Company2024!) across many accounts to avoid lockout policies.
  • Production insight: Most effective against SSO, VPNs, and email portals (e.g., OWA, Outlook Web Access). A single successful hit gives attackers a foothold.
  • Example:
    • Attacker tries Spring2024! on [email protected], [email protected], [email protected]...
    • If bob reused Spring2024! from a breached site, the attacker gets in.

Account Lockout Policy

  • Definition: A security control that locks an account after X failed attempts.
  • Production insight: Password spraying bypasses this by trying one password per account. Brute force is stopped by lockout, but spraying isn’t.
  • Example:
    • Lockout after 5 failed attempts → brute force fails.
    • Spraying 1 attempt per account → no lockout, but may trigger SIEM alerts.
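To make the lockout-versus-spraying distinction concrete, here is a small simulation added for this guide (it is not code from the Fatskills page). It models a per-account lockout counter next to a per-source-IP counter inside a sliding window; the thresholds (5 per account, 10 per source, 300-second window), the IP addresses and the account names are constructed for the example. A brute-force run trips the account lockout; a spray of one guess per account never does, and is only caught by the per-source counter.

```python
from collections import defaultdict, deque

# Constructed policy values for this example (not taken from the guide).
LOCKOUT_THRESHOLD = 5     # failed attempts on one account before it is locked
SOURCE_THRESHOLD = 10     # failed attempts from one source IP before it is flagged
WINDOW_SECONDS = 300      # sliding window applied to both counters


class AuthGuard:
    """Tracks failed logins per account and per source IP inside a sliding window."""

    def __init__(self):
        self.per_account = defaultdict(deque)   # user   -> timestamps of failures
        self.per_source = defaultdict(deque)    # src_ip -> timestamps of failures
        self.locked_accounts = set()
        self.flagged_sources = set()

    @staticmethod
    def _prune(window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def record_failure(self, user, src_ip, now):
        """Register one failed login and return the status the caller should act on."""
        if user in self.locked_accounts:
            return "rejected: account locked"
        acct = self.per_account[user]
        src = self.per_source[src_ip]
        self._prune(acct, now)
        self._prune(src, now)
        acct.append(now)
        src.append(now)
        if len(acct) >= LOCKOUT_THRESHOLD:
            self.locked_accounts.add(user)        # classic lockout policy
        if len(src) >= SOURCE_THRESHOLD:
            self.flagged_sources.add(src_ip)      # what actually catches a spray
        return "failed"


def run_brute_force_scenario():
    """Eight guesses against one account from one IP (constructed)."""
    guard = AuthGuard()
    statuses = [guard.record_failure("alice", "203.0.113.5", now=float(i)) for i in range(8)]
    return {
        "locked_accounts": sorted(guard.locked_accounts),
        "flagged_sources": sorted(guard.flagged_sources),
        "rejected_attempts": statuses.count("rejected: account locked"),
    }


def run_spray_scenario():
    """One guess per account across twelve accounts from one IP (constructed)."""
    guard = AuthGuard()
    statuses = [guard.record_failure(f"user{i:02d}", "198.51.100.7", now=float(i)) for i in range(12)]
    return {
        "locked_accounts": sorted(guard.locked_accounts),
        "flagged_sources": sorted(guard.flagged_sources),
        "rejected_attempts": statuses.count("rejected: account locked"),
    }


if __name__ == "__main__":
    print("brute force:", run_brute_force_scenario())
    print("spray:      ", run_spray_scenario())
```

Running it shows the brute-force run locking alice after the fifth failure (the last three attempts are rejected outright) while the source IP stays under its threshold, and the spray run locking nobody but flagging 198.51.100.7 once ten different accounts have failed from it.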

Salting (Password Hashing)

  • Definition: Adding a random value (salt) to a password before hashing to prevent rainbow table attacks.
  • Production insight: Always use bcrypt, Argon2, or PBKDF2 for passwords, never MD5 or SHA-1.
  • Example (Python):

```python
import bcrypt

password = b"SuperSecret123"
salt = bcrypt.gensalt()                 # random per-password salt, cost factor 12 by default
hashed = bcrypt.hashpw(password, salt)  # salt is embedded in the output string
print(hashed)                           # b'$2b$12$N9qo8uLOickgx2ZMRZoMy...'
```
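The bcrypt snippet above needs a third-party package; the following example, added for this guide and not part of the original page, shows the same salt-and-slow-hash idea with only the standard library (PBKDF2-HMAC-SHA256, 600,000 iterations as OWASP recommends). It stores two users who chose the same password both ways: an unsalted SHA-256 that a rainbow table hits once for both, and a salted PBKDF2 string whose salt and cost are embedded so it can be verified later with a constant-time comparison. The user names and the password are constructed test data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # OWASP-recommended cost for PBKDF2-HMAC-SHA256 (2023 cheat sheet)
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What a legacy system stores: identical passwords produce identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. The output embeds algorithm, cost and salt for later verification."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)     # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo():
    """Two users (constructed) pick the same password; compare unsalted and salted storage."""
    pw = "password123"
    legacy = {"alice": unsalted_sha256(pw), "bob": unsalted_sha256(pw)}
    salted = {"alice": hash_password(pw), "bob": hash_password(pw)}
    return {
        "legacy_hashes_identical": legacy["alice"] == legacy["bob"],  # one rainbow lookup cracks both
        "salted_hashes_identical": salted["alice"] == salted["bob"],  # a precomputed table is useless
        "verify_correct": verify_password(pw, salted["alice"]),
        "verify_wrong": verify_password("Password123", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted digest for password123 begins with ef92b778, the same prefix the guide quotes; the two salted strings differ in every run even though the password is the same, which is exactly why a rainbow table built against one user's hash tells the attacker nothing about the other's.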

Credential Stuffing

  • Definition: Using leaked username/password pairs from one breach to attack other services.
  • Production insight: Reused passwords = instant compromise. If a user’s LinkedIn password (Password123) is leaked, attackers will try it on your corporate VPN.
  • Example:
    • [email protected]:Password123 (leaked from a 2020 breach)
    • Attacker tries [email protected]:Password123 on your SSO portal.

3. Step-by-Step Hands-On: Simulating & Defending Against Password Attacks

Prerequisites

  • Kali Linux (or any Linux with hydra, hashcat, john)
  • Target system (e.g., a test SSH server, a local web app with login)
  • Wordlist (rockyou.txt or SecLists)


Task 1: Brute Force an SSH Password with Hydra

Goal: Crack a weak SSH password using brute force.

  1. Set up a test SSH server (or use a lab like Hack The Box).

```bash
sudo apt update && sudo apt install openssh-server -y
sudo systemctl start ssh
```

  2. Create a weak-password user (for testing only!):

```bash
sudo adduser testuser   # set the password to "password123" (weak, for demo)
```

  3. Run Hydra (brute force SSH):

```bash
hydra -l testuser -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1 -t 4 -vV
```

    • -l testuser → target username
    • -P rockyou.txt → password wordlist
    • ssh://127.0.0.1 → target service
    • -t 4 → 4 parallel threads
    • -vV → verbose mode

  4. Expected output:

```
[22][ssh] host: 127.0.0.1 login: testuser password: password123
```

  Lesson: Weak passwords fall in seconds.


Task 2: Crack a Windows NTLM Hash with Hashcat (Rainbow Table Alternative)

Goal: Crack a Windows password hash using a wordlist.

  1. Dump a Windows NTLM hash (from a test machine or lab):

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

  (This is a blank-password hash for demo purposes.)

  2. Save the hash to a file (hash.txt):

```bash
echo "31d6cfe0d16ae931b73c59d7e0c089c0" > hash.txt
```

  3. Run Hashcat:

```bash
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

    • -m 1000 → NTLM hash mode
    • -a 0 → straight (dictionary) attack
    • rockyou.txt → wordlist

  4. Expected output:

```
31d6cfe0d16ae931b73c59d7e0c089c0: (blank)
```

  Lesson: Unsalted hashes are trivial to crack. Always use bcrypt/Argon2 for passwords.


Task 3: Password Spraying with Burp Suite (Web App Attack)

Goal: Simulate a password spray against a web login.

  1. Set up a test web app (e.g., DVWA, OWASP Juice Shop).
  2. Intercept a login request with Burp Suite:
    • Configure the browser to use Burp as its proxy (127.0.0.1:8080).
    • Submit a login attempt.
  3. Send the request to Intruder (for spraying):
    • Right-click the request → Send to Intruder.
    • Set the attack type to "Pitchfork".
    • Payload 1 (username): admin, user1, user2, user3
    • Payload 2 (password): Spring2024! (same for all)
  4. Run the attack.
  5. If any account uses Spring2024!, Burp will show a 200 OK (success).

  Lesson: Password spraying works because users reuse passwords.

4. Production-Ready Best Practices

Security

  • Enforce strong passwords (12+ chars, mixed case, symbols).
    • Bad: Password123
    • Good: J7#kL9@mP2!qR4$
  • Use MFA everywhere (TOTP, FIDO2, SMS as last resort).
  • Rate-limit login attempts (e.g., 5 attempts per 15 minutes).
  • Monitor for brute force/spraying (SIEM alerts for failed logins from a single IP).
  • Salt & hash passwords properly (bcrypt, Argon2, PBKDF2—never MD5/SHA-1).

Cost Optimization

  • Block known malicious IPs (use threat intel feeds like AbuseIPDB).
  • Automate lockout after X failed attempts (but don’t lock out admins!).
  • Use CAPTCHA after 3 failed attempts (annoying but effective).

Reliability & Maintainability

  • Log all failed login attempts (store for 90+ days for forensics).
  • Rotate passwords every 90 days (but not too frequently—users will write them down).
  • Use a password manager (Bitwarden, 1Password) to prevent reuse.

Observability

  • Alert on:
    • 5+ failed logins in 1 minute (brute force).
    • 1 failed login across 10+ accounts in 5 minutes (spraying).
    • Logins from unusual locations (e.g., Tor exit nodes).
  • SIEM rules (Splunk example):

```spl
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 5 | sort -count
```
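The Splunk rule above counts failures per (src_ip, user) pair, so it fires on brute force but stays silent on a spray that sends one guess per account. The following detection, added for this guide and not part of the original page, runs the two alert rules listed above over a constructed slice of sshd-style log lines: it parses "Failed password for ..." entries (including the "invalid user" variant), aggregates per source IP, and labels each source as brute force (5+ failures on one account), password spraying (10+ distinct accounts, at most two tries each) or below threshold. The host name, IP addresses, account names and the two thresholds are constructed; the log slice is assumed to cover a single alert window.

```python
import re
from collections import defaultdict

BRUTE_FORCE_MIN = 5       # failures on one account from one IP   (guide: 5+ failed logins)
SPRAY_MIN_ACCOUNTS = 10   # distinct accounts hit from one IP     (guide: 10+ accounts)
SPRAY_MAX_PER_ACCOUNT = 2 # a spray touches each account only once or twice

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def _failed(sec, user, ip, invalid=False):
    """Build one constructed sshd failure line (not real log data)."""
    who = f"invalid user {user}" if invalid else user
    return f"Jan 10 09:00:{sec:02d} bastion sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


# Constructed log slice for one alert window: three source IPs with three different patterns.
SAMPLE_LOG = (
    [_failed(s, "alice", "203.0.113.5") for s in range(7)]                              # 7 hits on one account
    + [_failed(10 + i, f"user{i:02d}", "198.51.100.7", invalid=(i % 4 == 0)) for i in range(12)]  # 12 accounts, 1 each
    + [_failed(30, "carol", "192.0.2.9"), _failed(31, "carol", "192.0.2.9")]            # a human mistyping twice
    + ["Jan 10 09:00:32 bastion sshd[4242]: Accepted publickey for carol from 192.0.2.9 port 51000 ssh2"]
)


def parse_failures(lines):
    """Return (user, src_ip) for every failed-password line; other lines are ignored."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def classify(lines):
    """Per source IP, label the failure pattern: brute_force, password_spraying or below_threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    for user, ip in parse_failures(lines):
        per_ip[ip][user] += 1
    verdict = {}
    for ip, users in per_ip.items():
        busiest_account = max(users.values())
        if busiest_account >= BRUTE_FORCE_MIN:
            verdict[ip] = "brute_force"
        elif len(users) >= SPRAY_MIN_ACCOUNTS and busiest_account <= SPRAY_MAX_PER_ACCOUNT:
            verdict[ip] = "password_spraying"
        else:
            verdict[ip] = "below_threshold"
    return verdict


if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

In the SPL terms used above, the spraying branch corresponds to adding a second aggregation, something like stats dc(user) by src_ip with a threshold of 10, alongside the existing per-user count; the Python version simply computes both from the same pass over the lines.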

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
|---|---|---|
| Using unsalted hashes (MD5/SHA-1) | Passwords cracked in seconds with rainbow tables. | Always use bcrypt/Argon2. |
| No account lockout policy | Brute force attacks succeed. | Lock after 5 failed attempts. |
| Allowing weak passwords | Users pick Password123. | Enforce 12+ chars, complexity. |
| No MFA on admin accounts | Attackers spray Admin123! and get in. | Enforce MFA for all admins. |
| Logging failed attempts but not alerting | Attackers spray for days before being noticed. | Set up SIEM alerts for brute force/spraying. |

6. Exam/Certification Focus (CompTIA Security+)

Typical Question Patterns

  1. "Which attack tries one password across many accounts?"
    • Correct: Password spraying
    • Distractor: Brute force (tries many passwords on one account)

  2. "What prevents rainbow table attacks?"
    • Correct: Salting
    • Distractor: Encryption (doesn’t stop precomputed hashes)

  3. "Which hashing algorithm is best for passwords?"
    • Correct: bcrypt/Argon2
    • Distractor: MD5/SHA-1 (too fast, vulnerable to brute force)

  4. "How do you stop brute force attacks?"
    • Correct: Account lockout + rate limiting
    • Distractor: Strong passwords alone (still vulnerable to spraying)

Key Trap Distinctions

| Attack | How It Works | Defense |
|---|---|---|
| Brute Force | Tries all combinations on one account. | Lockout after X attempts. |
| Dictionary | Uses common passwords (e.g., rockyou.txt). | Ban weak passwords. |
| Rainbow Table | Uses precomputed hashes. | Salt + slow hashing (bcrypt). |
| Password Spraying | Tries one password on many accounts. | MFA + rate limiting. |

Scenario-Based Question

"A company’s VPN logs show 100 failed login attempts from a single IP in 5 minutes. What type of attack is this, and how should they respond?" --Brute force attack-Block the IP + lock the account. --Password spraying (would be one attempt per account).


7. Hands-On Challenge (With Solution)

Challenge:

You find a leaked database with unsalted SHA-1 password hashes. How do you crack them quickly?

Solution:

  1. Download a wordlist (rockyou.txt).
  2. Use Hashcat in dictionary mode:

```bash
hashcat -m 100 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
```

    • -m 100 → SHA-1 mode
    • -a 0 → dictionary attack

  3. Why it works: SHA-1 is fast to crack with a wordlist. Salting would have prevented this.

8. Rapid-Reference Crib Sheet

| Attack | Tool | Defense | Exam Trap |
|---|---|---|---|
| Brute Force | hydra, medusa | Lockout after 5 attempts | Spraying ≠ Brute Force |
| Dictionary | john, hashcat | Ban weak passwords | rockyou.txt is a real wordlist |
| Rainbow Table | rtgen, ophcrack | Salt + bcrypt | MD5/SHA-1 are not secure |
| Password Spraying | Burp Suite, SprayingToolkit | MFA + rate limiting | Lockout doesn’t stop spraying |
| Hashing | bcrypt, Argon2 | Always salt | SHA-256 alone is not enough |

Exam Alerts:
  • "Which attack bypasses lockout policies?" → Password spraying
  • "What prevents rainbow tables?" → Salting
  • "Best hashing algorithm for passwords?" → bcrypt/Argon2


9. Where to Go Next

  1. OWASP Password Storage Cheat Sheet (Best practices for hashing)
  2. Hashcat Wiki (How to crack hashes)
  3. SecLists GitHub (Wordlists for testing)
  4. Have I Been Pwned (Check if your password is leaked)

Final Takeaway

Password attacks are the #1 way attackers get in. If you only remember 3 things, make them:
1. Brute force = many passwords on one account → lockout policies stop this.
2. Password spraying = one password on many accounts → MFA stops this.
3. Rainbow tables = precomputed hashes → salting + bcrypt stops this.

Now go break (and then secure) something.