Online vs Offline Password Attacks
Online and offline password attacks are two fundamental categories of password cracking techniques covered in the GCIH certification.

**Online Password Attacks** involve actively interacting with a live authentication service in real time. The attacker sends login attempts directly to the target service (e.g., SSH, RDP, web login portals, FTP). Tools like Hydra, Medusa, and Ncrack are commonly used for these attacks. Online attacks are inherently slower because every guess costs a network round trip and a server response, and they are often limited by account lockout policies, rate limiting, CAPTCHA mechanisms, and intrusion detection systems (IDS). Techniques include brute force, dictionary attacks, password spraying, and credential stuffing. Password spraying is particularly effective online because it tries one password across many accounts, keeping every account below its lockout threshold.

**Offline Password Attacks** occur when an attacker has already obtained password hashes or encrypted password data (e.g., from a compromised database, the SAM file, /etc/shadow, or NTDS.dit) and cracks them locally without further interaction with the target system. Tools like Hashcat, John the Ripper, and rainbow table generators are used. Offline attacks are far faster because they use local CPU/GPU processing power with no network constraints or lockout policies. Techniques include brute force, dictionary attacks, rule-based attacks, rainbow table lookups, and hybrid attacks.

**Key Differences:**
- Speed: Offline attacks are orders of magnitude faster because every guess is local computation.
- Detection: Online attacks are readily detected through logging and monitoring; the cracking phase of an offline attack generates no events on the target, so only the preceding hash theft can be detected.
- Prerequisites: Online attacks require network access to the service; offline attacks require prior access to password hashes.
- Countermeasures: Online attacks are mitigated by lockout policies and MFA; offline attacks are countered by slow, salted hashing algorithms (bcrypt, scrypt, Argon2) and longer passwords.

Understanding both attack types is essential for incident handlers to implement appropriate defenses and recognize indicators of compromise during investigations.
Online vs Offline Password Attacks: A Comprehensive Guide for GIAC GCIH Certification
Introduction
Understanding the distinction between online and offline password attacks is a foundational concept for the GIAC Certified Incident Handler (GCIH) certification. This topic falls squarely within the Password Attacks and Exploitation Frameworks domain and is frequently tested because it demonstrates a candidate's understanding of how attackers compromise credentials and how defenders can mitigate these threats.
Why This Topic Is Important
Password attacks remain one of the most common and effective vectors used by adversaries to gain unauthorized access to systems, networks, and data. As an incident handler, you must be able to:
- Identify the type of password attack being used during an incident
- Understand the tools and techniques associated with each attack type
- Recommend appropriate countermeasures and detection strategies
- Differentiate between online and offline attacks in forensic analysis
The GCIH exam expects candidates to not only define these attack categories but also apply their knowledge to real-world scenarios involving tool selection, attack feasibility, and defensive measures.
What Are Online Password Attacks?
An online password attack occurs when an attacker attempts to authenticate against a live service or system by submitting password guesses directly to the target. The attacker interacts with the authentication mechanism in real time.
Key Characteristics of Online Attacks:
- The attacker sends credential guesses to a live, running service (e.g., SSH, RDP, HTTP login, FTP, SMB)
- Each guess requires a network request and a response from the target system
- The attack speed is limited by network latency, server response time, and account lockout policies
- These attacks are much slower than offline attacks because of the round-trip communication required
- They are more easily detected because they generate authentication logs, failed login events, and network traffic
- Account lockout policies, rate limiting, CAPTCHA, and multi-factor authentication (MFA) are effective countermeasures
Common Online Attack Tools:
- Hydra (THC-Hydra): A fast and flexible online password cracking tool supporting numerous protocols including SSH, FTP, HTTP, SMB, RDP, MySQL, and many more
- Medusa: A parallel, modular brute-force login tool similar to Hydra
- Ncrack: Developed by the Nmap team, designed for high-speed network authentication cracking
- Burp Suite: Can be used for brute-forcing web application login forms via the Intruder module
- Crowbar: Specializes in protocols and authentication methods that other tools handle poorly, such as RDP, VNC, OpenVPN, and SSH with private keys
Common Online Attack Techniques:
- Brute Force: Trying every possible combination of characters systematically
- Dictionary Attack: Using a pre-compiled list of common passwords or words
- Password Spraying: Trying one or a few commonly used passwords against many accounts, one password per round across all of them, so that no single account reaches its lockout threshold
- Credential Stuffing: Using previously breached username/password pairs against other services, exploiting password reuse
What Are Offline Password Attacks?
An offline password attack occurs when an attacker has already obtained a copy of the password data (typically password hashes or encrypted password files) and attempts to recover the plaintext passwords without interacting with the target system.
Key Characteristics of Offline Attacks:
- The attacker first exfiltrates or captures password hashes (e.g., from /etc/shadow, SAM database, NTDS.dit, captured network handshakes)
- Cracking occurs on the attacker's own hardware, with no network interaction with the target
- Attack speed is limited only by the attacker's computational resources (CPU, GPU power)
- These attacks are much faster than online attacks: against fast, unsalted hash types such as NTLM or MD5, modern GPUs test billions of guesses per second, while slow algorithms such as bcrypt or Argon2 cut that rate by several orders of magnitude
- The cracking phase is invisible to the target organization since no authentication attempts are made against the live system; the only detectable step is the earlier theft of the hashes
- Account lockout policies and rate limiting have no effect on offline attacks
- Strong, slow hashing algorithms (bcrypt, scrypt, Argon2) and salting are the primary defenses
Common Offline Attack Tools:
- John the Ripper: A versatile, open-source password cracker that supports numerous hash formats and cracking modes
- Hashcat: A GPU-accelerated password recovery tool (its project tagline is "the world's fastest") supporting hundreds of hash types and several attack modes (dictionary, rule-based, mask, hybrid)
- Ophcrack: Uses rainbow tables to crack Windows LM and NTLM hashes
- L0phtCrack: A Windows-focused password auditing and recovery tool
- Cain & Abel (legacy): A Windows tool that could perform various password recovery operations
Common Offline Attack Techniques:
- Brute Force: Exhaustively trying all possible character combinations against the hash
- Dictionary Attack: Hashing words from a wordlist and comparing them to the target hash
- Rainbow Table Attack: Using precomputed tables of hash-to-plaintext mappings for rapid lookups. Note: Salting defeats rainbow tables because each salt creates a unique hash even for the same password.
- Rule-Based/Hybrid Attacks: Applying transformation rules to dictionary words (e.g., appending numbers, replacing letters with symbols) to generate candidate passwords
- Mask Attacks: A targeted brute-force approach in Hashcat (attack mode -a 3) where the attacker defines the password's structure as a mask, e.g. ?u?l?l?l?l?d?d?d?d for one uppercase letter, four lowercase letters and four digits, which shrinks the keyspace dramatically compared with a blind brute force
How the Attack Process Works — Step by Step
Online Attack Flow:
1. Attacker identifies a target service (e.g., SSH on port 22)
2. Attacker selects a tool (e.g., Hydra) and a wordlist or brute-force parameters
3. The tool sends login attempts directly to the service over the network
4. The service responds with success or failure for each attempt
5. If successful, the attacker gains access with valid credentials
6. Detection: Failed login attempts appear in system logs (e.g., /var/log/auth.log or /var/log/secure for sshd, Windows Security Event Log Event ID 4625 "An account failed to log on")
Offline Attack Flow:
1. Attacker gains access to password hashes through exploitation, privilege escalation, or data breach (e.g., dumping SAM via mimikatz, extracting NTDS.dit, capturing a WPA2 handshake)
2. Attacker transfers the hashes to their own cracking rig
3. Attacker uses a tool like Hashcat or John the Ripper to compute hashes of candidate passwords and compare them to the stolen hashes
4. When a computed hash matches a stored hash, the plaintext password is recovered
5. The attacker can then use the recovered password to authenticate to the target system
6. Detection: The hash extraction phase may be detectable, but the cracking phase itself is invisible to the target
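The offline flow above (steps 3 and 4) and the offline technique list before it can be shown in a few dozen lines. The following is an added example written for this page, not code from any tool or from the original article: a miniature dictionary plus rule-based cracker run against a constructed "leak" of three accounts. The wordlist, the account names, the plaintexts used to build the sample, and the helper names (mangle, crack_unsalted, crack_salted) are all assumptions made for the example. It hashes with SHA-1 so it runs on a stock Python install, and it counts hash operations to show why one pass over the candidates cracks every unsalted hash at once (the same property rainbow tables exploit) while salting forces the work to be repeated per account.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample (not real leaked data). A real attacker only holds the
# hash side; the plaintexts exist here solely to build the sample leak.
WORDLIST = ["password", "summer", "welcome", "dragon", "letmein", "qwerty"]
SAMPLE_PLAINTEXTS = {"alice": "Summer2023!", "bob": "password123", "carol": "Dr4gon"}
LEET = str.maketrans("ae", "43")  # tiny leetspeak rule: a->4, e->3


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def mangle(word: str) -> set:
    """Rule-based (hybrid) candidates from one dictionary word: case changes,
    a leetspeak substitution and common suffixes. Hashcat/John rule files do
    the same thing at far larger scale."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.translate(LEET).capitalize()}
    candidates = set()
    for base in bases:
        candidates.add(base)
        for suffix in ("1", "123", "!", "2023", "2023!"):
            candidates.add(base + suffix)
    return candidates


def candidates_from(wordlist) -> list:
    return [cand for word in wordlist for cand in mangle(word)]


def build_sample_leak():
    """Two views of the same constructed account set: unsalted SHA-1 (common in
    older web applications) and SHA-1 with a random 8-byte salt per account."""
    unsalted = {u: sha1_hex(p.encode()) for u, p in SAMPLE_PLAINTEXTS.items()}
    salted = {}
    for user, pw in SAMPLE_PLAINTEXTS.items():
        salt = os.urandom(8)
        salted[user] = (salt, sha1_hex(salt + pw.encode()))
    return unsalted, salted


def crack_unsalted(target_hashes: dict, wordlist) -> tuple:
    """Unsalted: hash each candidate once and look it up against every target
    at the same time. This is also why one precomputed (rainbow) table serves
    every unsalted hash of a given type. Returns (cracked, hash_operations)."""
    by_hash = defaultdict(list)
    for user, h in target_hashes.items():
        by_hash[h].append(user)
    cracked, hash_ops = {}, 0
    for cand in candidates_from(wordlist):
        hash_ops += 1
        for user in by_hash.get(sha1_hex(cand.encode()), []):
            cracked[user] = cand
    return cracked, hash_ops


def crack_salted(target_records: dict, wordlist) -> tuple:
    """Salted: the salt is folded into every guess, so each candidate must be
    hashed once per account and nothing precomputed can be shared."""
    cracked, hash_ops = {}, 0
    cands = candidates_from(wordlist)
    for user, (salt, h) in target_records.items():
        for cand in cands:
            hash_ops += 1
            if sha1_hex(salt + cand.encode()) == h:
                cracked[user] = cand
    return cracked, hash_ops


if __name__ == "__main__":
    unsalted, salted = build_sample_leak()
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

All three sample passwords fall to the same small rule set in both cases; what changes is the cost. With N accounts the salted run performs N times as many hash operations, and if the hash were bcrypt or Argon2 instead of SHA-1 each of those operations would cost tens of milliseconds rather than microseconds, which is the combined effect the countermeasures section relies on.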
Key Differences at a Glance
| Aspect | Online attack | Offline attack |
|---|---|---|
| Speed | Slow; bounded by network round trips and service response time | Fast; bounded only by the attacker's hardware and the cost of the hash algorithm |
| Detection | Easily detected via authentication logs and monitoring | Undetectable during the cracking phase; only the earlier hash theft can be detected |
| Lockout policies | Effective | Completely ineffective |
| Prerequisites | Network access to the authentication service | Prior access to the password hashes |
| Tools | Hydra, Medusa, Ncrack | Hashcat, John the Ripper, Ophcrack |
| Countermeasures | Lockout policies, rate limiting, MFA, CAPTCHA, monitoring | Strong hashing algorithms, salting, encryption of hash stores, limiting hash exposure |
Defensive Countermeasures
Against Online Attacks:
- Implement account lockout policies (e.g., lock after 5 failed attempts); prefer a temporary lockout window over a permanent lock, since a hard lockout lets an attacker deliberately lock legitimate users out
- Use progressive delays or exponential backoff on failed logins
- Deploy multi-factor authentication (MFA)
- Use CAPTCHA on web login forms
- Monitor and alert on excessive failed authentication attempts
- Implement IP-based blocking or geo-fencing
- Correlate failed logins across accounts, not only per account: a spray shows up as one source (or one time window) touching many accounts with only a few failures each, a pattern that per-account lockout never triggers on
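The detection step of the online attack flow above and the last two countermeasures in this list (alerting on excessive failures and correlating failures across accounts) come down to the same log analysis. Below is an added example written for this page, not code from the original article or from any vendor tool: it parses a constructed OpenSSH auth.log excerpt and classifies each source address as a single-account brute force, a password spray, or normal activity. The log lines, addresses, account names, thresholds and function names (parse_failures, classify_sources) are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth.log excerpt (not real captured data). Three sources:
#   203.0.113.7    hammers one account past a 5-failure lockout  -> brute force
#   198.51.100.23  touches five accounts, at most twice each     -> password spray
#   192.0.2.10     one typo followed by a successful login        -> normal
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:01:03 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Mar  4 10:01:04 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar  4 10:01:05 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Mar  4 10:01:06 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Mar  4 10:01:07 bastion sshd[2311]: Failed password for admin from 203.0.113.7 port 51127 ssh2
Mar  4 10:05:10 bastion sshd[2390]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Mar  4 10:05:11 bastion sshd[2391]: Failed password for bob from 198.51.100.23 port 40002 ssh2
Mar  4 10:05:12 bastion sshd[2392]: Failed password for invalid user carol from 198.51.100.23 port 40003 ssh2
Mar  4 10:05:13 bastion sshd[2393]: Failed password for dave from 198.51.100.23 port 40004 ssh2
Mar  4 10:05:14 bastion sshd[2394]: Failed password for erin from 198.51.100.23 port 40005 ssh2
Mar  4 10:35:20 bastion sshd[2450]: Failed password for alice from 198.51.100.23 port 40006 ssh2
Mar  4 10:35:21 bastion sshd[2451]: Failed password for bob from 198.51.100.23 port 40007 ssh2
Mar  4 11:00:00 bastion sshd[2600]: Failed password for alice from 192.0.2.10 port 53000 ssh2
Mar  4 11:00:09 bastion sshd[2600]: Accepted password for alice from 192.0.2.10 port 53000 ssh2
"""

# Matches both "Failed password for bob from ..." and the "invalid user" variant
# sshd emits for accounts that do not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text: str) -> list:
    """Return one (user, source_ip) tuple per failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("src")))
    return events


def classify_sources(events, lockout_threshold=5, spray_min_accounts=4) -> dict:
    """Map each source IP to 'brute_force', 'password_spray' or 'normal'.

    brute_force:    some single account from this source has reached the
                    lockout threshold (what per-account lockout already catches)
    password_spray: many distinct accounts, each kept below the threshold
                    (invisible to per-account lockout; needs this correlation)
    """
    per_source = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for user, src in events:
        per_source[src][user] += 1

    verdicts = {}
    for src, users in per_source.items():
        max_per_user = max(users.values())
        if max_per_user >= lockout_threshold:
            verdicts[src] = "brute_force"
        elif len(users) >= spray_min_accounts:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{src:16} {verdict}")
```

The spray source never trips the lockout threshold on any one account, which is exactly why a rule keyed on failures per account misses it; keying on distinct accounts per source catches it. A real spray is often spread across many source addresses as well, so production detections usually correlate on a time window and the count of distinct target accounts regardless of source, with the same logic.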
Against Offline Attacks:
- Use strong, slow, adaptive hashing algorithms: bcrypt, scrypt, or Argon2 instead of fast algorithms like MD5 or SHA-1
- Always use unique, random salts for each password hash to defeat rainbow table attacks
- Protect hash stores with strict access controls (e.g., restrict access to /etc/shadow, protect SAM and NTDS.dit)
- Enforce strong password policies (length, complexity) to increase the keyspace attackers must search
- Regularly audit for compromised credentials using breach databases
- Use Windows Defender Credential Guard and LSA protection (RunAsPPL) together with other memory protections to make hash dumping from LSASS harder
Exam Tips: Answering Questions on Online vs Offline Password Attacks
1. Tool-to-Category Mapping: If the question mentions Hydra, Medusa, or Ncrack, it is almost certainly referring to an online attack. If it mentions Hashcat, John the Ripper, or rainbow tables, it is an offline attack. Memorize which tools belong to which category.
2. Scenario-Based Questions: Pay close attention to what the attacker already has. If the attacker has obtained password hashes and is cracking them on their own machine, it is an offline attack. If the attacker is sending login attempts to a live service, it is an online attack.
3. Countermeasure Questions: If a question asks which defense is effective, remember that account lockout policies stop online attacks but NOT offline attacks. Conversely, salting stops rainbow table attacks (offline) but has no relevance to online attacks. Match the countermeasure to the correct attack type.
4. Speed and Detection: Questions may describe an attack that is generating thousands of failed login entries in logs — this is an online attack. If the question states the attack leaves no trace on the target, think offline.
5. Password Spraying vs Brute Force: Know that password spraying is an online technique specifically designed to evade account lockout by trying only a few passwords per account across many accounts. This is a frequently tested distinction.
6. Credential Stuffing: This is an online attack that uses credentials from previous data breaches. It exploits password reuse and is different from traditional brute force or dictionary attacks.
7. Rainbow Tables vs Salting: A very commonly tested concept. Rainbow tables are precomputed lookup tables for offline cracking of unsalted hashes. Adding a salt (a random value combined with the password before hashing and stored alongside the hash) makes rainbow tables ineffective because the attacker would need a separate table for every possible salt value.
8. Hash Algorithm Matters: For offline attacks, the choice of hashing algorithm is critical. Fast algorithms (MD5, SHA-1, NTLM) are easily cracked with modern GPUs. Slow algorithms (bcrypt, scrypt, Argon2) dramatically increase the time required per guess, making large-scale offline cracking impractical.
9. Prerequisite Access: Offline attacks require a preliminary step — the attacker must first obtain the hashes. Questions may test whether you understand that hash extraction (e.g., using mimikatz, pwdump, or extracting NTDS.dit) is a separate step that precedes the offline cracking.
10. Read Carefully for Keywords: Words like "live service," "authentication attempts," "login page," and "failed logins" point to online attacks. Words like "hash dump," "cracking rig," "GPU," "precomputed tables," and "SAM database" point to offline attacks.
11. Understand Pass-the-Hash: This is not a password cracking attack at all. The attacker authenticates to a live service (NTLM authentication in Windows environments) by presenting a stolen NT hash directly, so no plaintext is ever recovered and no guessing takes place. It still produces logon events on the target, unlike offline cracking. Know this distinction, as the exam may use it as a distractor.
12. Practice with Tool Syntax: The GCIH exam may present command-line examples. Be familiar with basic Hydra syntax (e.g., hydra -l admin -P wordlist.txt ssh://target) and Hashcat syntax (e.g., hashcat -m 1000 -a 0 hashes.txt wordlist.txt) so you can identify the attack type from the command.
Summary
The distinction between online and offline password attacks is fundamental to incident handling. Online attacks target live services, are slower, and are detectable but can be mitigated with lockout policies and MFA. Offline attacks target stolen hashes, are faster, and are undetectable during cracking but can be mitigated with strong hashing algorithms and salting. For the GCIH exam, focus on mapping tools to attack types, matching countermeasures to the correct attack category, and carefully analyzing scenario-based questions for contextual clues about whether the attack is online or offline.