Brute Force Attacks

Brute forcing is a method of cracking passwords. It involves rotating through a series of potential passwords (or “strings”) until the correct one is discovered. Depending on the complexity of the password and the power of the computer involved, this can take no time at all, or it can take forever.

There are two forms of brute force attacks: The first is dictionary style, in which many predefined strings from a wordlist (or “dictionary”) are tried. In the second form, random strings are created from random numbers/integers. The former is faster, but does not always work, while the latter is slower but will eventually get it.

Brute force attacks can be done both locally and remotely. Local attacks are for times like, when you have physical access to someone's machine, or a copy of someone's password-protected file on your own computer. Remote attacks are, as the term implies, done remotely over a network or the internet, in situations like getting access to someone's web site or web server. Because many servers are designed to automatically ban the IP addresses of anyone performing multiple login attempts, remote attacks are harder and more time consuming to pull off than local attacks.

The most obvious recommendation people give to prevent (or slow down) brute force attacks is with decent passwords. The longer the password, the better. Don't leave default passwords set, either. Most routers are easily brute forced because they use factory passwords like “admin” or simple words that are easy to hit with a dictionary attack. Some people insist on inserting random symbols or using 1337-speak substitution, but that is not as surefire as prevention as many people assume.

Further roadblocks against brute force attacks depends on the type of system that is password protected. If you have a system that is accessed remotely over the internet, you want to make sure you have brute force detection software running, which automatically sets firewall rules to lock out intruders. There are many packages that do this on the server level, and you will have to search for one that matches your particular operating system. Content management systems like Wordpress have firewall plugins that detect brute force attacks as well.

If you run services like SSH, you can further lock things down by disabling password authentication altogether, and instead using public/private key authentication. This requires the intruder to have a much longer and complicated private key to log in, which is a lot harder to brute force than a standard password. Some services and websites you can also tie in Two-Factor Authentication to further roadblock brute force attacks.

However, these methods are not universally effective in all situations. If someone manages to steal your computer or image the data off your hard drive, they can crack the password leisurely from the privacy of their home without the risk of setting off firewalls. To impede those types of attacks, it helps to have security keys, such as a YubiKey, set up as a second layer of authentication on your operating system, applications, root commands, password manager, or hard drive encryption scheme. This way, even if they crack the password, they still cannot finish unlocking the device without your security key.

Simple brute force attacks can be done manually. However, it is very slow to do it that way, so hackers have created a litany of tools that will perform this type of attack automatically. Here are a few of them:

• Cain & Abel - Windows
• Hashcat - Linux, Windows & Mac
• Hydra - Linux
• John the Ripper - Linux, Windows & Mac
• Medusa
• RainbowCrack

There are also various software packages for generating wordlists and rainbow tables:

• CeWL
• Crunch

A file that contains a large number of words, used for dictionary style attacks. Normally in a .txt format or some other easily readable and editable format.

Note: These links are from the old Insurgency Wiki page, and still need to be gone through and updated. — Humphrey Boa-Gart 2024/10/02 07:17

• ftp://ftp.ox.ac.uk/pub/wordlists/
• ftp://ftp.cerias.purdue.edu/pub/dict/wordlists
• http://www.outpost9.com/files/WordLists.html
• http://packetstormsecurity.org/Crackers/wordlists/