Differences

This shows you the differences between two versions of the page.

--- tactics:brute-force [2024/10/03 06:20] – [Software] Humphrey Boa-Gart
+++ tactics:brute-force [2024/10/07 11:10] (current) – [Prevention] Humphrey Boa-Gart
@@ Line 1: / Line 1: @@
 ====== Brute Force Attacks ======
-**Brute forcing** is a method of cracking passwords. It involves rotating through a series of potential passwords //(or "strings")// until the correct one is discovered. Depending on the complexity of the password and the power of the computer involved, this can take no time at all, or it can take forever.
+**Brute forcing** is a method of cracking passwords. It involves guessing the password, over and over again, until the correct one is discovered. Depending on the length & complexity of the password, and the power of the computer involved, this can take no time at all, or it can take forever.
-There are two forms of brute force attacks: The first is dictionary style, in which many predefined strings from a wordlist //(or "dictionary")// are tried. In the second form, random strings are created from random numbers/integers. The former is faster, but does not always work, while the latter is slower but will eventually get it.
+This can be done manually, but it takes forever. Software tools can automate this process. Some software does **dictionary-style attacks**, where it references a wordlist //(or "dictionary")// of predefined passwords to try and log in with. Other tools generate passwords from random numbers/integers, and try to log in with those. The former is faster, but does not always work, while the latter is slower but will eventually get it.
 Brute force attacks can be done both **locally** and **remotely**. Local attacks are for times like, when you have physical access to someone's machine, or a copy of someone's password-protected file on your own computer. Remote attacks are, as the term implies, done remotely over a network or the internet, in situations like getting access to someone's web site or web server. Because many servers are designed to automatically ban the IP addresses of anyone performing multiple login attempts, remote attacks are harder and more time consuming to pull off than local attacks.
@@ Line 10: / Line 10: @@
 ===== Prevention =====
-{{ :tactics:xkcd_password_strength.png?400|}}
+[{{ :tactics:xkcd_password_strength.png?300|Popular webcomic **XKCD** lays out the 101 on password security. //(Click to enlarge)//}}]
-The most obvious recommendation people give to prevent //(or slow down)// brute force attacks is with decent passwords. The longer the password, the better. Don't leave default passwords set, either. Most routers are easily brute forced because they use factory passwords like "admin" or simple words that are easy to hit with a dictionary attack. Some people insist on inserting random symbols or using 1337-speak substitution, but that is not as surefire as prevention as many people assume.
+The most obvious recommendation to prevent brute force attacks is with decent passwords. The longer the password, the better. Don't leave default passwords set, either. Most routers are easily brute forced because they use factory passwords like "admin" or simple words that are easy to hit with a dictionary attack. Some people insist on inserting random symbols or using 1337-speak substitution, but that is not as surefire as prevention as many people assume. Don't use the same password across multiple sites, either. A [[security:password-managers|password manager]] will simplify the management of these things, and help you generate secure passwords as need be.
-Further roadblocks against brute force attacks depends on the type of system that is password protected. If you have a system that is accessed remotely over the internet, you want to make sure you have brute force detection software running, which automatically sets firewall rules to lock out intruders. There are many packages that do this on the server level, and you will have to search for one that matches your particular operating system. Content management systems like Wordpress have firewall plugins that detect brute force attacks as well.
+Further roadblocks depend on the type of thing that is password protected. If you have a system that is accessed remotely over the internet, you want to make sure you have brute force detection software running, which automatically sets firewall rules to lock out intruders. There are many packages that do this on the server level, and you will have to search for one that matches your particular operating system. Content management systems like Wordpress have firewall plugins that detect brute force attacks as well.
-If you run services like [[tools:ssh|SSH]], you can further lock things down by disabling password authentication altogether, and instead using public/private key authentication. This requires the intruder to have a much longer and complicated private key to log in, which is a lot harder to brute force than a standard password. Some services and websites you can also tie in [[security:2fa|Two-Factor Authentication]] to further roadblock brute force attacks.
+If you run services like [[tools:ssh|SSH]], you can further lock things down by disabling password authentication altogether, and instead using public/private key authentication. This requires the use of a long and complicated private key to log in with, which is a lot harder to brute force than a standard password. Some services and websites you can also tie in [[security:2fa|two-factor authentication]] to further hinder brute force attacks.
-However, these methods are not universally effective in all situations. If someone manages to steal your computer or image the data off your hard drive, they can crack the password leisurely from the privacy of their home without the risk of setting off firewalls. To impede those types of attacks, it helps to have [[gear:security-key|security keys]], such as a [[gear:yubi|YubiKey]], set up as a second layer of authentication on your operating system, applications, root commands, password manager, or hard drive encryption scheme. This way, even if they crack the password, they still cannot finish unlocking the device without your security key.
+However, these methods are not universally effective in all situations. If someone manages to steal your computer or image the data off your hard drive, they can crack the password leisurely from the privacy of their home without the risk of setting off firewalls. To impede those types of attacks, it helps to have [[gear:security-key|security keys]], such as a [[gear:yubi|YubiKey]], as a second layer of authentication on your operating system, applications, password manager, or hard drive encryption scheme. This way, even if they crack the password, they still cannot get in without your physical security key.
 ===== Software =====
+[{{ :tactics:brute_force_attack_protection_thumbnail.png|Kick it enough times and you might get through.}}]
 Simple brute force attacks can be done manually. However, it is very slow to do it that way, so hackers have created a litany of tools that will perform this type of attack automatically. Here are a few of them:
@@ Line 30: / Line 32: @@
   * [[arms:john-the-ripper|John the Ripper]] - Linux, Windows & Mac
   * [[arms:medusa|Medusa]]
-  * [[arms:rainbowcrack|RainbowCrack]]
+  * [[arms:sqldict|SQLdict]]
-There are also various software packages for generating wordlists and rainbow tables:
+There are also various software packages for generating wordlists:
+  * [[arms:cewl|CeWL]]
   * [[arms:crunch|Crunch]]
@@ Line 47: / Line 50: @@
   * [[http://www.outpost9.com/files/WordLists.html]]
   * [[http://packetstormsecurity.org/Crackers/wordlists/]]
+===== Rainbow Tables =====
+On most modern systems, passwords are stored as hashed values. These hashes are generated with one-way encryption techniques. When you try to log in to one of these types of systems, the password you enter is hashed by one of these one-way algorithms, and compared to the hashed value that is saved.
+A similar method to dictionary attacks involve the use of **rainbow tables**, which are basically dictionaries but of precomputed hash values and whatever password was used to create those hashes. Rather than brute forcing the login screen directly, one might simply make a copy of the hashed passwords on the target machine, and compare those hash values to the hashes in a rainbow table in order to find the password used to log in.
+One popular piece of software for rainbow-based cracking is [[arms:rainbowcrack|RainbowCrack]].
+The best defense against here is using large and unique [[security:cryptography#salting|salt values]], in addition to hashing. This technique //(which is also done by default in most modern systems)// necessitates the use of impractically large sets of rainbow tables to pull off this kind of attack.
 {{tag>Tactics}}

User Tools

Site Tools

Differences