User Tools

Site Tools

tactics:brute-force

Brute Force Attacks

Brute forcing is a method of cracking passwords. It involves guessing the password, over and over again, until the correct one is discovered. Depending on the length & complexity of the password, and the power of the computer involved, this can take no time at all, or it can take forever.

This can be done manually, but it takes forever. Software tools can automate this process. Some software does dictionary-style attacks, where it references a wordlist (or “dictionary”) of predefined passwords to try and log in with. Other tools generate passwords from random numbers/integers, and try to log in with those. The former is faster, but does not always work, while the latter is slower but will eventually get it.

Brute force attacks can be done both locally and remotely. Local attacks are for times like, when you have physical access to someone's machine, or a copy of someone's password-protected file on your own computer. Remote attacks are, as the term implies, done remotely over a network or the internet, in situations like getting access to someone's web site or web server. Because many servers are designed to automatically ban the IP addresses of anyone performing multiple login attempts, remote attacks are harder and more time consuming to pull off than local attacks.

Prevention

Popular webcomic XKCD lays out the 101 on password security. (Click to enlarge)

The most obvious recommendation to prevent brute force attacks is with decent passwords. The longer the password, the better. Don't leave default passwords set, either. Most routers are easily brute forced because they use factory passwords like “admin” or simple words that are easy to hit with a dictionary attack. Some people insist on inserting random symbols or using 1337-speak substitution, but that is not as surefire as prevention as many people assume. Don't use the same password across multiple sites, either. A password manager will simplify the management of these things, and help you generate secure passwords as need be.

Further roadblocks depend on the type of thing that is password protected. If you have a system that is accessed remotely over the internet, you want to make sure you have brute force detection software running, which automatically sets firewall rules to lock out intruders. There are many packages that do this on the server level, and you will have to search for one that matches your particular operating system. Content management systems like Wordpress have firewall plugins that detect brute force attacks as well.

If you run services like SSH, you can further lock things down by disabling password authentication altogether, and instead using public/private key authentication. This requires the use of a long and complicated private key to log in with, which is a lot harder to brute force than a standard password. Some services and websites you can also tie in two-factor authentication to further hinder brute force attacks.

However, these methods are not universally effective in all situations. If someone manages to steal your computer or image the data off your hard drive, they can crack the password leisurely from the privacy of their home without the risk of setting off firewalls. To impede those types of attacks, it helps to have security keys, such as a YubiKey, as a second layer of authentication on your operating system, applications, password manager, or hard drive encryption scheme. This way, even if they crack the password, they still cannot get in without your physical security key.

Software

Kick it enough times and you might get through.

Simple brute force attacks can be done manually. However, it is very slow to do it that way, so hackers have created a litany of tools that will perform this type of attack automatically. Here are a few of them:

There are also various software packages for generating wordlists:

Wordlists/Dictionaries

A file that contains a large number of words, used for dictionary style attacks. Normally in a .txt format or some other easily readable and editable format.

Note: These links are from the old Insurgency Wiki page, and still need to be gone through and updated. — Humphrey Boa-Gart 2024/10/02 07:17

Rainbow Tables

On most modern systems, passwords are stored as hashed values. These hashes are generated with one-way encryption techniques. When you try to log in to one of these types of systems, the password you enter is hashed by one of these one-way algorithms, and compared to the hashed value that is saved.

A similar method to dictionary attacks involve the use of rainbow tables, which are basically dictionaries but of precomputed hash values and whatever password was used to create those hashes. Rather than brute forcing the login screen directly, one might simply make a copy of the hashed passwords on the target machine, and compare those hash values to the hashes in a rainbow table in order to find the password used to log in.

One popular piece of software for rainbow-based cracking is RainbowCrack.

The best defense against here is using large and unique salt values, in addition to hashing. This technique (which is also done by default in most modern systems) necessitates the use of impractically large sets of rainbow tables to pull off this kind of attack.

tactics/brute-force.txt · Last modified: 2024/10/07 07:10 by Humphrey Boa-Gart

Find this page online at: https://bestpoint.institute/tactics/brute-force