Brute-force attacks are simple enough to understand but difficult to counter. Even a complex cryptographic system can now be cracked by a brute-force (or brute-force) attack carried out by a series of fast computers. These attacks can be launched against any type of encryption or security system with access credentials (from a simple password for logging into a site or service to the encrypted compressed file), and become faster and more effective every time. as more and more powerful computers are produced.
For small businesses and e-commerce sites, the user registration functionality is a common need. What happens is that users share sensitive data when they register on a site or when they open an account. This data may include their address, their e-mail or even their credit card details. It is a necessity, since it gives users a better experience on the site itself, but it can also happen that the information released is vulnerable in case you were the victim of a brute force attack on your site.
Small business owners and their employees have so much to do every day, so website security tends not to be a priority. As a result, 43% of cyber-attacks are targeted at small businesses.
When it comes to online security vulnerabilities, brute force attacks (or brute force attacks) are one of the most popular methods used by hackers.
Definition
Brute Force Attack is a method used by cyber-criminals to crack account passwords and discover login credentials. This type of attack relies on a dictionary of common words and passwords which is used to attempt to discover the victim’s password. After exhausting all the terms in the dictionary, cyber-criminals move on to more sophisticated techniques, using combinations of characters, until a match is found. It can take thousands of attempts to crack a password; this is why automatic tools are used during a brute force attack that allow a large number of attempts to be made in a short time.
Brute force attacks are on the rise
If malware attacks are becoming more and more invasive, we are seeing a spike in every type of attack, from phishing to ransomware to one of the most common cyber-attacks: the brute force attack. The problem with this type of attack is that it is facilitated by the victims, as many of them reuse passwords, do not resort to a password manager, or generally do not give enough importance to passwords in cyber security.
Passwords make up the “backbone” of basic cybersecurity. In many cases, passwords can be the best or worst security measure for a person or organization. A strong password can prevent brute force attacks and other malware, while a weak password can compromise an entire system.
But brute force attacks don’t just target passwords. In this guide we will cover the basic characteristics of a brute force attack, as well as how to prevent them, the various types of attack and will provide tips on password security to users with experience of different levels.
How does a brute force attack work?
Understanding how a brute force attack works and how it develops isn’t complicated – it’s a way to protect yourself and make life more difficult for hackers.
When a hacker wants to gain access to your site, a user’s account or other encrypted info, he must necessarily do something to decrypt or unblock this information. The process begins by trying different combinations of passwords. This goes on until he can actually successfully decrypt the desired information.
There are thousands of possible password combinations for a single account. The shortest standard length of a password is eight characters. Many websites impose additional security measures, adding complexity to user passwords (for example, the use of upper and lower case letters, alphanumeric combinations and special characters).
These simple tricks can transform a simple password with thousands of combinations to another that includes millions of millions. If you have a simple password, we suggest you read our guide to creating secure passwords. Obviously, for an experienced hacker, this is only a bit lengthy because, with the right tools and the right knowledge, he can still penetrate the site. In fact, there are many tools that are able to generate thousands of possible passwords, proving their effectiveness within a few seconds.
How are brute force attacks used?
Brute force attacks can be launched against an application or against the encrypted value or hash of a password. Web applications are usually equipped with security mechanisms that block the automatic login attempts typical of brute force attacks, so cyber-criminals are much more likely to use this type of attack directly with stolen passwords.
If the attack is launched against an application, automated software will be used which will try a list of usernames and passwords until a match is found. When this happens, the cyber-criminals have access to the user’s account, unless additional security measures have been put in place.
A more common type of brute force attack is to guess the user’s password from the encrypted value or the password hash. A private key is required to decrypt an encrypted password. If an attacker got hold of such a private key, she would be able to crack the password, or she could always use automated tools to try to crack the key’s value.
Passwords are normally saved in a hashed, one-way version and without the possibility of decryption. So cyber-criminals use a dictionary of potential passwords, hash them, and if the value matches the hash of the stolen password, that’s it: the password has been cracked.
Purpose of a brute force attack
Now the bad guys have access to the target’s account, and there are many reasons why this is so appealing to cyber-criminals. They could use it to access the victim’s bank accounts, or steal personally identifiable information (PII).
They could install malware on the victim’s system, or send malicious files to other users on the same network. For example, if an attacker steals the login credentials of an administrator account, she can hijack network traffic, steal confidential data from internal databases, or install malware on critical infrastructures.
The damage resulting from a brute force attack depends on the privilege level of the hacked account, and the type of application to which that account is related.
The 2013 brute force attack on GitHub is considered the largest brute force attack ever recorded in recent history. A large number of accounts were compromised: there were 40,000 IP addresses of hackers involved in the attack, who first operated on those with weak passwords. After the attack, GigHub set up two-factor authentication for its users’ accounts.
In April of the same year, Cloudflare, a well-known web security and performance service, blocked about 60 million brute force requests on WordPress within an hour. Despite this, tens of thousands of websites have been successfully attacked. Following these attacks, WordPress also used two-factor authentication.
Some additional actions cyber-criminals can take following a successful brute force attack include:
- Send messages to the victim’s colleagues or other users to get them to click on phishing links or open malicious attachments.
- Install malware on the system or network infrastructure. If an administrator device is infected, the attacker can steal high-level credentials.
- Message customers in an attempt to damage the victim’s reputation.
- Hijack server processes to install malicious applications used to intercept outbound and inbound traffic.
- Redirect user traffic to a server controlled by criminals.
- Install adware on systems and applications to earn advertising revenue.
Is a brute force attack legal?
The only time a brute force attack can be considered legal is if you are ethically testing the security of a system with the written consent of the owner.
In most cases, a brute force attack is used to steal user credentials, giving unauthorized access to bank accounts, subscriptions, sensitive files, and so on. All of this obviously makes it illegal.
How to perform a Brute Force attack
This operation is performed by software and is closely related to the computing speed of the computer available.
The login page of a website is identified and – via script or bot – an attempt is made to identify its password.
You do not follow any kind of logical strategy and no previous knowledge or information is used to guess the characters used: you simply try all the possible combinations and wait until you find the right one.
A Brute Force attack, therefore, works thanks to algorithms and if the target string is particularly long and complex, it can take days or months – in some cases even years – to be able to decipher it.
For this reason, it is sometimes preferred to resort to other techniques such as social engineering or Directory Traversal attacks.
The advantage of this method is that it is practically always applicable and there are no encryption keys or password-based systems that cannot be decrypted. The times can be very long, but sooner or later it works.
In addition to being essentially foolproof, a Brute Force is also very easy to cast.
Popular attack tools
Brute force attacks are usually automatic. A real person can only test a few passwords per minute, while a computer can test hundreds or thousands of combinations per minute, also depending on the connection speed. Cyber-criminals use automation to launch their own brute force attacks. It is not uncommon to see them use their own custom scripts, developed in their favorite programming languages, such as Python for example.
Examples of brute force password attack programs:
- Aircrack-ng
- John the Ripper
- L0phtCrack
- Hashcat
- DaveGrohl
- Ncrack
In addition to password cracking tools, criminals also use tools to scan for vulnerabilities, to identify out-of-date software and discover information about the targeted application. Network administrators should always keep public servers up to date, and apply the latest security patches, as well as use specific software to identify system scans.
Recovery Software Tools
To perform an effective Brute Force, it is essential to have tools that guarantee power and reliability.
Let’s see which are the most effective and used software.
Hydra: it is perhaps the most valid and known tool for unleashing Brute Force attacks. It is very powerful and is mainly used to decrypt remote authentication services. It can support more than fifty protocols, including http, https, telnet, ftp and smb.
Hashcat: is one of the fastest tools ever to crack and recover passwords. It’s free and available for Linux, OS X, and Windows. Its strong point is the ability to harness the computing power not only of the CPU, but also of the graphics processors (GPU).
JTR: is an open source software that can perform classic Brute Force attacks or dictionary attacks. In addition to identifying passwords and data, it can also automatically identify the type of encryption used, called hash. It is available for every operating system – Windows, Linux and Mac OS – and can be downloaded for free or in a paid pro version.
Types of brute force attacks
The essence of brute force attacks is to “guess” the victim’s credentials, trying every possible combination, until a match is found. However, criminals use a multitude of strategies to get the best results. It is essential for organizations to know each type of brute force attack to implement the appropriate defense strategies.
Some types of brute force attacks include:
Simple brute force attack
The simple brute force attack, as the name suggests, is the most basic of all types. During such attack, the attacker tries to guess the user’s password manually, without the use of software tools.
Cyber-criminals guess the user’s password by trying a combination of values based on known information about the victim. This can, for example, be information found online or obtained through social engineering attacks.
The attacker bases his tactic on trying commonly used weak passwords such as 123456, qwerty, password, and password123. Unfortunately, even the simple brute force attack can be quite effective, as we have repeatedly seen that many people continue to use weak or poor passwords to protect their online accounts.
Dictionary Attack
While a dictionary attack does not strictly meet the criteria for qualifying as a brute force attack, the two are closely related. Simply put, a dictionary attack is a method of trying to crack the password by trying a large number of common words and their variants. To do this, hackers use software that can make thousands of hypotheses every second using dictionary databases, hence the name of the attack. Over the years, dictionary attacks have declined in popularity as new types of attacks have risen to prominence.
Hybrid Brute Force Attack
As the name suggests, a hybrid brute-force attack combines a dictionary attack with a brute-force attack for a better chance of success. Often the hybrid attack is used when the attacker already knows the username of his prey.
A hybrid attack is designed to try a variety of uncommon password combinations such as MonkeyBig123. In most cases, the attacker starts with a list of words and then tries to change characters and add special symbols or numbers to get as many variations on the starting words as possible.
Reverse brute force attack
Think of a reverse brute force attack as something totally opposite to a hybrid attack. A reverse brute force attack requires the attacker to know the password in advance and then try to guess the username.
In attacks of this type, criminals take a list of known passwords, often from dark web marketplaces, and try it on a list of possible usernames, until one is found that works with and allows so. to access an application.
Attackers in possession of a password – which they most likely obtain from hacked databases – use it to trace usernames associated with it.
Credential stuffing
Users often have a nasty habit of using the same passwords for different accounts and websites.
This means that if cyber-criminals come into possession of the victim’s credentials on one website, they would test the same credentials on other websites as well to see if they can access additional victim accounts.
So simply, Credential stuffing is the type of attack attackers carry out when they already have a set of usernames and passwords at their disposal. Hackers can obtain entire databases of stolen login credentials and then try to apply them to the account they are trying to access. This type of attack can be particularly devastating if the attacked user reuses the same passwords on multiple accounts.
Rainbow Table Attack
A rainbow table attack is a password cracking method that uses rainbow tables to break password hashes in a database. Websites or apps don’t store passwords in plain text; instead, they encrypt hashed passwords. Once the password is used to log in, it is immediately converted into a hash. The time after the user logs in using their passwords, the server checks if the password matches the hash created earlier. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.
In most cases, the hacker who launches a rainbow table attack should have the rainbow table at their disposal. They can often be bought on the dark web or stolen. During the attack, attackers use the table to decrypt password hashes and then gain access to a password in clear text.
The Speed of a Brute-Force attack
Regarding the speed with which a brute force attack can be conducted, it all depends on the hardware used. Intelligence agencies (but also hackers on paper) can build huge servers specialized in shared computing, weighed only to find encryption keys or to break them.
The method often exploits the potential of modern GPUs, the same used for games and cryptocurrencies, capable of working at absurd speeds on billions of data in a second and cracking any simple password or standard protocol (at the cost of electricity and very high management costs).
How to prevent brute force attacks
Network administrators have several strategies available to prevent brute force attacks. The first step is to establish password creation rules, which prevent users from setting insecure passwords. For non-critical systems, passwords should be at least 10 characters long, and include uppercase, lowercase, special characters, and numbers. For critical systems, passwords should be no less than 12 characters. With today’s computers, it would take decades to decrypt an encrypted password with a brute force attack.
Password security tips for users
Password security is also important for normal users. You may not be able to check back-end security, but just follow these simple tips to create more complex passwords:
Don’t reuse passwords: Never reuse a password for more than one account. Each account should have only one strong password.
Don’t use commonly used words or phrases: Commonly used phrases and words are very easy for cyber-criminals to guess. Use only unique letter combinations and avoid saying them explicitly.
Use a password generator: A password generator creates a random password based on certain personal parameters. You can decide the number of characters, the combination of letters, symbols and numbers and much more.
Don’t use personal information: Most of us use personal information to make it easier for us to remember our passwords, but this is a quick way to fall victim to breaches. Never use dates of birth, addresses, or other personal or business information in passwords.
Use a password manager – Perhaps the best thing to do is use a password manager. These versatile and secure cybersecurity tools allow you to create, store and manage passwords for multiple accounts. Your passwords will be organized neatly and you won’t have to use personal information to remember them.
Hashing: is one of the most used methods to make life difficult for hackers, using strong hashing algorithms can slow down brute force attacks. These hash algorithms like SHA1 and MD5 do extra mathematical work on a password before storing it.
Obviously, a good way to slow down brute force attacks requires using the latest and most up-to-date security protocols. For example, for Wi-Fi we must refer to WPA3 (still not very widespread), while for the other types of encryption the AES-256 protocol (often combined with Hash) has become a standard secure enough to protect against an attack. conducted without the necessary resources (nothing is inviolable, only it takes too long and must really be worth it).
Additional defense strategies against brute force attacks include:
Using salts: A salt is a set of random bits used in password hashing. Using a salt reduces the chances of success of brute force attacks, because cyber-criminals should know the password and the value of the salt.
Limited Authentication Attempts: The application can limit the number of login attempts before locking an account or showing a CAPTCHA in case too many attempts are made. This system blocks automatic brute force attacks or slows them down to the point that they are no longer sustainable.
Blocking accounts after too many login attempts: This will stop the brute force attack.
Block suspicious IP addresses: If too many login attempts are made from the same IP address, the system can automatically block the IP for a certain period, or the administrator can manually add the IP address to a block list.
Two-factor authentication (2FA): In the event that the attacker manages to find the victim’s password with a brute force attack, he would then have to pass the additional authentication in order to access the account.
Configure the MFA whenever possible: Multi-factor authentication is an additional layer of security that requires additional steps to verify the user’s identity. Today, most online services provide users with a way to set up MFA. In most cases, MFA works via authentication apps or text messages. With MFA enabled on your accounts, even if they manage to obtain your username and password, attackers will have no way to bypass an additional authentication step without direct access to your devices.
Conclusions
A brute force attack is not a walk in the park and we will hardly become a victim of this type of attack: obviously we always try to use up-to-date encryption protocols, we use complex passwords that are difficult to find in a dictionary and we activate all the security systems offered by a site (such as two-factor authentication), so as to give any Sunday hacker a hard time and prevent access to our services.