Database Crime Scene Prevention

Imperva's Amichai Shulman looks at database attack and defense.

Brute Force and Exhaustive Search

This method involves guessing a large number of user/password combinations until one succeeds. In theory the search space is far too large for this to be feasible; in practice there are techniques that sharply reduce the number of guesses needed to find a valid combination.

There are many techniques (usually exploiting minor vulnerabilities in the database server) that let an attacker confirm which account names exist and then search for the corresponding passwords. Finding valid account names can be easy, especially when they are assigned systematically within the organization, e.g. john.smith or JohnDoe.

There are numerous optimizations that can be applied to the "guessing" of passwords. These optimizations rely on what are known as "password rules," a compilation of social observations about the way people choose passwords. For instance, the account "John" is likely to have a password such as JohnJohn, nhoJ, John1234 and so on. Across a large user base, password rules greatly reduce the number of guesses needed before some account/password pair matches.
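The following Python script is an added illustration of the "password rules" idea and is not code from the article or from Imperva. It derives candidate passwords from an account name (case variants, reversal, doubling, common suffixes) and tests them against a constructed table of unsalted SHA-256 hashes standing in for a dumped credential store; the account names, passwords and suffix list are assumptions made for the example.

```python
import hashlib

# Constructed sample: account names and unsalted SHA-256 password hashes, standing
# in for a dumped credential table.  (Real servers should use salted, slow hashes;
# that raises the cost per guess but does not change how many guesses the rules need.)
def _sha256(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

SAMPLE_ACCOUNTS = {
    "john":     _sha256("JohnJohn"),     # name doubled
    "jane.doe": _sha256("Jane1234"),     # first name plus digits
    "dba":      _sha256("Xk9!vQ2#rTz"),  # random; should survive the rules
}

# Suffixes people commonly append to a name-based password (assumed list).
SUFFIXES = ["", "1", "12", "123", "1234", "2024", "!"]

def rule_candidates(account: str):
    """Yield password guesses derived from the account name by common rules:
    case variants, reversal, doubling, and a short list of suffixes."""
    base = account.split(".")[0]          # "john.smith" -> "john"
    stems = [base.lower(), base.capitalize(), base.upper(),
             base.lower()[::-1], base.lower() * 2, base.capitalize() * 2]
    seen = set()
    for stem in stems:
        for suffix in SUFFIXES:
            guess = stem + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess

def crack_with_rules(accounts: dict) -> dict:
    """Return {account: password} for every account whose hash matches a rule guess."""
    found = {}
    for account, digest in accounts.items():
        for guess in rule_candidates(account):
            if _sha256(guess) == digest:
                found[account] = guess
                break
    return found

def search_space_reduction(account: str, alphabet: int = 62, length: int = 8) -> float:
    """How many times smaller the rule-based list is than the exhaustive
    alphanumeric space of the given length (default: 62^8)."""
    return alphabet ** length / len(list(rule_candidates(account)))

if __name__ == "__main__":
    print(crack_with_rules(SAMPLE_ACCOUNTS))
    print(f"{search_space_reduction('john'):.2e}x fewer guesses than exhaustive search")
```

The rule list here is tiny (42 guesses per account) and already recovers two of the three passwords; real cracking tools ship with thousands of such rules and large dictionaries, which is why a lockout policy and a password policy that rejects name-derived passwords matter more than raw password length.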

Default Accounts and Passwords

Many database servers, and the applications deployed over them, come bundled with default accounts configured with default passwords. Unless the administrator changes every one of these defaults at installation, the accounts provide an easy entry point for uninvited guests. Poor installation and configuration may also leave anonymous database access enabled. Even if the privileges granted to anonymous users are minimal, this is a foothold an attacker can build on.

Thick-Client Applications

A thick-client application installed on a workstation communicates directly with the database server. To do so it must hold a set of valid credentials. These are either supplied by the end user when the software runs or, more commonly, embedded in the application code or stored in a local configuration file. In either case an attacker can recover them with little effort: a text editor for a configuration file, or a strings dump for a compiled executable.
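The script below is an added example, not code from the article, showing how little effort recovering embedded credentials takes. It mimics strings(1) over a constructed byte blob that stands in for a thick-client executable, then matches two common connection-string layouts (ADO.NET/ODBC "User Id=...;Password=...;" and JDBC "user/password@host"). The blob, host names, account names and passwords are all made up for the example.

```python
import re

# Constructed stand-in for a thick-client executable (or its config file) with
# credentials embedded among binary noise.  Nothing here is a real system.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 13
    + b"Server=db01.corp.example;Database=Orders;"
    + b"User Id=app_orders;Password=S3cretPass!;"
    + b"\xff\xfe\x00\x00"
    + b"jdbc:oracle:thin:report_ro/Rep0rt123@db02.corp.example:1521/ORCL\x00"
    + b"\x90" * 8
)

def printable_strings(blob: bytes, min_len: int = 8):
    """Mimic strings(1): yield runs of printable ASCII at least min_len long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")

# ADO.NET/ODBC style:  User Id=...;Password=...;   (also Uid= / Pwd=)
ADO_RE = re.compile(
    r"(?:User\s*Id|Uid)\s*=\s*([^;]+);\s*(?:Password|Pwd)\s*=\s*([^;]+);", re.I)
# JDBC thin style:     jdbc:vendor:driver:user/password@host
JDBC_RE = re.compile(r"jdbc:\w+:(?:\w+:)*(\w+)/([^@\s]+)@")

def find_embedded_credentials(blob: bytes):
    """Return [(user, password), ...] for every credential pattern found in the blob."""
    creds = []
    for s in printable_strings(blob):
        creds += ADO_RE.findall(s)
        creds += JDBC_RE.findall(s)
    return creds

if __name__ == "__main__":
    for user, password in find_embedded_credentials(SAMPLE_BINARY):
        print(f"{user}: {password}")
```

Obfuscating or encrypting the embedded string only moves the problem, since the client must still be able to decrypt it. The fix is to remove the shared secret altogether: have each user authenticate to the database with their own credentials, or route the client through a middle tier that holds the database credentials server-side.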

Social Engineering

This term describes a set of techniques, including email messages and phone calls, by which a would-be attacker tricks an individual into disclosing a set of credentials. Perpetrators using social engineering have been known to trick administrators into issuing them a freshly assigned set of credentials.
