What is a brute force attack?
Compared to other techniques used by threat actors, brute force attacks do not need a vulnerability on a website to work. Instead, they depend on users having weak credentials. The ease and simplicity of the tactic are why it remains popular among enterprising cybercriminals.
A brute force attack is a hacking method in which attackers use trial and error to guess passwords, login credentials, or encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations' systems and networks. The attacker tries many usernames and passwords, usually with a computer testing combinations until the correct login is found. Other common targets are API keys and SSH logins. Brute force password attacks against websites are carried out by scripts or bots that target the login page.
The name "brute force" comes from the repetitive, forceful attempts used to gain access to user accounts. Despite being an old method, brute force attacks are tried and tested and remain popular with attackers. Though surprisingly simple, they have a high success rate against weak credentials. Depending on the length and complexity of the password, cracking it may take anywhere from a few seconds to many years.
What are the strengths and weaknesses of brute force attacks?
The advantage of brute force attacks is that they are simple to perform and, given enough time and no mitigation on the target side, they always work: every password-based system and every encryption key out there can in principle be found by exhaustive search. The time it would take to brute force a system is therefore a useful metric for gauging its level of security.
On the other hand, brute force attacks are slow, because they may have to run through every possible combination of characters before succeeding. The slowdown compounds as the number of characters in the target string grows (a string is just a sequence of characters): each additional character multiplies the number of candidates by the size of the character set. A four-character password therefore takes many times longer to brute force than a three-character one, a five-character password many times longer than a four-character one, and beyond a certain length brute-forcing a properly randomized password becomes unrealistic.
If the target string is sufficiently long, it could take a brute force attacker days, months, or even years to recover a properly randomized password. The current trend of requiring longer passwords and encryption keys makes brute force attacks considerably harder. When strong passwords and encryption are used, attackers typically turn to other methods, such as social engineering or on-path attacks.
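To make the "each extra character multiplies the work" point concrete, here is an added example (not code from the original page) that computes keyspace size, entropy and worst-case exhaustion time for several character sets and lengths. The two guessing rates are assumptions chosen to contrast a throttled online login with an offline GPU attack on a fast hash, not measurements.

```python
import math
import string

# Character sets an attacker might assume for the target string (sizes in comments).
CHARSETS = {
    "digits": string.digits,                                                 # 10
    "lowercase": string.ascii_lowercase,                                     # 26
    "alphanumeric": string.ascii_letters + string.digits,                    # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Assumed guessing rates (illustrative, not measured): a rate-limited web login
# versus an offline GPU rig attacking a fast, unsalted hash.
ONLINE_RATE = 10
OFFLINE_RATE = 10_000_000_000


def keyspace(charset_size, length):
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """Strings of length 1..max_length: what an exhaustive attack must cover."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random string, in bits (one extra char adds log2(size) bits)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every string of the given length (expected time is half)."""
    return keyspace(charset_size, length) / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    print(f"{'charset':<13}{'len':>4}{'bits':>7}{'online (10/s)':>26}{'offline (1e10/s)':>28}")
    for name, chars in CHARSETS.items():
        size = len(chars)
        for length in (4, 6, 8, 12, 16):
            print(f"{name:<13}{length:>4}{entropy_bits(size, length):>7.1f}"
                  f"{human_time(seconds_to_exhaust(size, length, ONLINE_RATE)):>26}"
                  f"{human_time(seconds_to_exhaust(size, length, OFFLINE_RATE)):>28}")
```

Reading the table shows why both length and the guessing rate matter: a six-character lowercase password is trivial offline but survives for years behind a ten-guesses-per-second throttle, while sixteen printable characters are out of reach even at ten billion guesses per second. The worst-case figures assume a uniformly random string; human-chosen passwords are far weaker than their length suggests, which is what the dictionary and hybrid attacks described later exploit.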
Goals of brute force attacks
Brute force hacking requires plenty of patience; an attacker may take months or even years to crack a password or encryption key. Cybercriminals have several motivations for mounting brute force attacks, with personal profit or gain the primary one. The potential rewards include:
Exploiting advertisements and data: A hacker may launch a brute force attack on one or more websites to earn advertising commission. Common methods include:
- By placing spam advertisements on the websites, the attacker can get money every time an advertisement gets clicked or viewed by a visitor.
- Rerouting traffic from a legitimate website to illicit commissioned ad sites.
- Infecting a website and its visitors with malware, such as spyware that tracks activity. The collected data is then sold to advertisers without the user's consent.
Personal data theft: Hacking into a user's personal accounts can expose everything from bank account details to tax records and confidential medical information. Access to an account enables an attacker to spoof a person's identity, steal their money, sell their credentials to third parties, or use the information to launch further attacks. Personal data and login credentials can also be stolen through corporate data breaches in which attackers gain access to an organization's sensitive databases.
Spreading malware: Hackers may place malicious software on compromised sites that spreads to visitors' computers. Once downloaded, malware can collect even more private data, hold files for ransom, hijack internet sessions, impersonate users through IP spoofing, or otherwise wreak havoc on victims.
Ruining a website's reputation: Brute force attacks launched to steal data from an organization cost it financially and cause reputational damage. Websites can also be defaced with obscene or offensive text and images, damaging their reputation and potentially getting them taken down.
Types of Brute Force Attacks
Here are six common ways attackers harness brute force methods.
- Simple Brute Force Attack: The attacker attempts to guess a password by hand, without scripts or automation, typically trying defaults and obvious choices. Weak passwords and short PINs can fall to this in a handful of guesses.
- Dictionary Attack: The attacker picks a target and tries candidate passwords from a prepared list (the "dictionary") against the target's username: common passwords, words from the dictionary, and those words augmented with numerals and special characters. It is far faster than an exhaustive search because most users pick passwords from a small, predictable set.
- Hybrid Attack: People often combine a word with numbers that mean something to them, such as a birthday or anniversary. A hybrid attack combines a dictionary attack with simple brute force to guess such mixed passwords: it starts from external logic (likely words) and then systematically appends or substitutes digits and symbols to try as many variations as possible.
- Credential Stuffing: Stolen credentials are sold and exchanged between cybercriminals on the dark web. Credential stuffing exploits the fact that users reuse the same username and password across many systems: threat actors replay previously leaked username-password pairs against many websites until one works.
- Reverse Brute Force Attack: A reverse brute force attack starts from a publicly known or leaked password; the attacker then uses automation to search for a matching username, account number, or key.
- Password Spraying: Traditional brute force attacks guess many passwords for a single account. Password spraying takes the opposite approach and tries one password (or a short list of common ones) against many accounts, keeping the number of failures per account below the lockout threshold so that account lockout policies are not triggered. Password spraying frequently targets single sign-on (SSO) and cloud-based applications that rely on federated logins, because one compromised credential then unlocks many systems. SSO lets a single credential access multiple systems within one organization, while federated login lets a single authentication token grant access to systems across different enterprises.
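The six types above differ mainly in how the stream of guesses is generated and how it interacts with account lockout. The following added example (not part of the original page) expresses each as a Python generator of (username, password) guesses and replays it against a constructed set of accounts with deliberately weak passwords, counting how many guesses each strategy needs and which accounts a per-account lockout protects. The account list, wordlist, leaked pairs and sprayed passwords are all made up for the demonstration.

```python
import itertools
import string

# Constructed demo target. Plaintext is kept only so the simulation can check guesses;
# a real system stores salted hashes, never the passwords themselves.
ACCOUNTS = {
    "alice": "Summer2023!",
    "bob": "1984",
    "carol": "dragon",
    "dave": "Winter2023!",
}
WORDLIST = ["password", "123456", "qwerty", "dragon", "letmein", "1984"]         # dictionary
LEAKED_CREDENTIALS = [("alice", "hunter2"), ("carol", "dragon"), ("erin", "x")]  # from a "breach"
COMMON_PASSWORDS = ["Summer2023!", "Winter2023!", "Password1"]                   # sprayed list


def simple_brute_force(user, charset=string.digits, max_len=4):
    """Exhaustive search: every string of length 1..max_len over the charset."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield user, "".join(combo)


def dictionary_attack(user, words=WORDLIST):
    """Try each entry of a prepared wordlist against one account."""
    yield from ((user, w) for w in words)


def hybrid_attack(user, words=("summer", "winter"), years=range(2020, 2025), suffixes=("", "!")):
    """Dictionary words mutated with capitalisation, a year and a trailing symbol."""
    for word in words:
        for base in (word, word.capitalize()):
            for year in years:
                for suffix in suffixes:
                    yield user, f"{base}{year}{suffix}"


def credential_stuffing(leaked=LEAKED_CREDENTIALS):
    """Replay username/password pairs leaked from another site."""
    yield from leaked


def reverse_brute_force(password, users):
    """Start from one known password and look for any account that uses it."""
    yield from ((user, password) for user in users)


def password_spraying(users, passwords=COMMON_PASSWORDS):
    """One password per round across *all* users, so each account sees few failures."""
    for pw in passwords:
        for user in users:
            yield user, pw


def run_attack(guesses, lockout_threshold=None):
    """Simulate a login endpoint with optional per-account lockout.

    Returns the number of guesses sent, the accounts compromised and the accounts locked.
    lockout_threshold=None models an unthrottled endpoint or offline hash cracking.
    """
    failures, locked, compromised, sent = {}, set(), {}, 0
    for user, pw in guesses:
        if user in compromised:
            continue  # a real attacker stops guessing an account once it is cracked
        sent += 1
        if user in locked or ACCOUNTS.get(user) != pw:
            failures[user] = failures.get(user, 0) + 1
            if lockout_threshold and failures[user] >= lockout_threshold:
                locked.add(user)
            continue
        compromised[user] = pw
    return {"guesses": sent, "compromised": compromised, "locked": locked}


if __name__ == "__main__":
    users = list(ACCOUNTS)
    print("simple brute force, no lockout:", run_attack(simple_brute_force("bob")))
    print("dictionary, lockout=5         :", run_attack(dictionary_attack("bob"), 5))
    print("hybrid, no lockout            :", run_attack(hybrid_attack("alice")))
    print("credential stuffing, lockout=5:", run_attack(credential_stuffing(), 5))
    print("reverse brute force, lockout=5:", run_attack(reverse_brute_force("dragon", users), 5))
    print("password spraying, lockout=5  :", run_attack(password_spraying(users), 5))
```

Two results are worth noting. The dictionary attack on bob is stopped by a five-failure lockout even though his password is in the list, because the lockout fires before the sixth guess; the spray, by contrast, compromises two accounts in nine guesses while no account ever accumulates more than three failures, which is exactly why lockout alone is not a defence against spraying.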
Brute force attack tools
- Aircrack-ng: A free Wi-Fi password cracking suite. It includes a WEP/WPA/WPA2-PSK cracker and analysis tools for 802.11 networks and works with any NIC that supports raw monitor mode.
- DaveGrohl: A brute forcing tool for macOS that supports dictionary attacks. It has a distributed mode that lets an attacker run the attack from multiple computers against the same password hash.
- Hashcat: A free, GPU-accelerated password cracking tool (it can also run on CPUs). It works on Windows, macOS, and Linux and supports many attack modes, including simple brute force (mask), dictionary, and hybrid attacks.
- THC Hydra: An online cracker for network authentication. It performs dictionary attacks against more than 30 protocols, including HTTPS, FTP, and Telnet.
- John the Ripper: A free password cracking tool originally developed for Unix systems. It now runs on 15 other platforms, including Windows, OpenVMS, and DOS. It auto-detects the hash type of a password and can be run against stored password hashes.
- L0phtCrack: L0phtCrack can be used in simple brute force, dictionary, hybrid, and rainbow table attacks to crack Windows passwords.
- NL Brute: An RDP brute-forcing tool that has been available on the dark web since at least 2016.
- Ophcrack: A free, open-source Windows password cracker that recovers LM and NTLM hashes using rainbow tables.
- RainbowCrack: Generates rainbow tables and uses them to crack hashes. Because the tables are precomputed, they trade disk space for a much faster attack; per-user salts defeat them, since a salted hash cannot be looked up in a table computed without the salt.
How to Protect Against Brute Force Attacks
Organizations can strengthen cybersecurity against brute-force attacks by using a combination of strategies, including the following:
Increase password length and complexity. This extends the time required to crack a password. Enforce password policy rules such as a minimum passphrase length and, where appropriate, a mix of character classes. Follow these guidelines when creating a password:
- Do not use your personal information for your passwords. Avoid using your birthday, name, or email address for your passwords.
- Never recycle passwords for your accounts. Use unique password combinations for each of your online accounts.
- Roughly 30% of recycled or slightly modified passwords can be cracked within 10 guesses. Use long passphrases that contain spaces and unusual characters, and include numbers, symbols, and uppercase and lowercase letters.
- Create a password longer than six characters; ideally, passwords should be at least 15 characters long.
- Do not use dictionary words from any language. Random character strings, or passphrases built from several randomly chosen words, are better.
Limit failed login attempts. Protect systems and networks by locking an account, or throttling the requesting source, for a set period after repeated failed login attempts. Per-account lockout alone does not stop password spraying, which spreads its guesses across many accounts, so failures should also be counted per source across distinct accounts.
Encrypt and hash. Strong encryption (for example, 256-bit keys) and proper password hashing exponentially increase the time and computing power a brute force attack requires. Passwords should never be stored in plaintext: store a salted hash computed with a deliberately slow algorithm such as bcrypt, scrypt, Argon2, or PBKDF2. The per-user random salt ensures that two users with the same password get different hash values, which also defeats precomputed rainbow tables.
Implement CAPTCHA. This hinders automated online guessing tools, such as Hydra, while keeping networks, systems, and websites accessible to humans. It does nothing against offline cracking of stolen hashes with tools like John the Ripper, which never touch the login page.
Enable two-factor authentication. This is a form of multifactor authentication that adds a layer of login security by requiring two forms of authentication. For example, to sign in on a new Apple device, users enter their Apple ID password along with a six-digit code displayed on another of their devices previously marked as trusted.
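The lockout and hashing advice above is easy to get subtly wrong, so here is an added example (not code from the original page) of a minimal login guard that combines per-account lockout with per-source detection of password spraying, replayed over a constructed sequence of authentication attempts. The thresholds, IP addresses and account names are assumptions made up for the demonstration. The guard only decides whether an attempt may proceed; the password check itself is represented by the `credentials_ok` flag and, in a real system, would happen only after the guard allows the attempt.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-account lockout plus per-source throttling for a login endpoint.

    Lockout alone does not stop password spraying (one guess per account across
    many accounts), so failures are also counted per source IP over *distinct* accounts.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, window_seconds=600, spray_accounts=10):
        self.max_failures = max_failures        # failures per account before lockout
        self.lockout_seconds = lockout_seconds  # how long an account or source stays blocked
        self.window_seconds = window_seconds    # sliding window for counting failures
        self.spray_accounts = spray_accounts    # distinct accounts failing from one source
        self.account_failures = defaultdict(deque)  # user -> failure timestamps
        self.account_locked_until = {}
        self.source_failures = defaultdict(deque)   # ip -> (timestamp, user)
        self.source_blocked_until = {}

    def _prune(self, dq, now, ts=lambda item: item):
        cutoff = now - self.window_seconds
        while dq and ts(dq[0]) < cutoff:
            dq.popleft()

    def process_attempt(self, user, ip, credentials_ok, now):
        """Return 'success', 'failure', 'locked' or 'source_blocked' for one attempt."""
        if self.account_locked_until.get(user, 0) > now:
            return "locked"
        if self.source_blocked_until.get(ip, 0) > now:
            return "source_blocked"
        if credentials_ok:
            self.account_failures.pop(user, None)  # a good login resets the counter
            return "success"

        # Count the failure against the account (classic single-account brute force).
        acct = self.account_failures[user]
        self._prune(acct, now)
        acct.append(now)
        if len(acct) >= self.max_failures:
            self.account_locked_until[user] = now + self.lockout_seconds
            acct.clear()

        # Count the failure against the source over distinct accounts (password spraying).
        src = self.source_failures[ip]
        self._prune(src, now, ts=lambda item: item[0])
        src.append((now, user))
        if len({u for _, u in src}) >= self.spray_accounts:
            self.source_blocked_until[ip] = now + self.lockout_seconds
        return "failure"


# Constructed sample of attempts: (seconds, user, source_ip, credentials_ok).
SAMPLE_EVENTS = (
    # a legitimate user mistypes twice, then gets in
    [(0, "alice", "198.51.100.7", False), (5, "alice", "198.51.100.7", False), (9, "alice", "198.51.100.7", True)]
    # single-account brute force: bob hammered from one host
    + [(10 + i, "bob", "203.0.113.10", False) for i in range(7)]
    # password spray: one guess each against twelve accounts from one host
    + [(100 + i, f"user{i:02d}", "203.0.113.9", False) for i in range(12)]
)


def replay(events, guard=None):
    """Feed events through a guard and return the decision for each attempt."""
    guard = guard or LoginGuard()
    return [guard.process_attempt(user, ip, ok, t) for t, user, ip, ok in events]


if __name__ == "__main__":
    for (t, user, ip, _), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>4} {user:<8} {ip:<14} {outcome}")
```

In the replay, bob's attacker is locked out after the fifth failure, while the sprayer never trips any account counter yet is blocked once ten distinct accounts have failed from the same address inside the window. The sample uses a single source address per attacker; distributed sprays from many addresses need the same distinct-account counting keyed on other signals (ASN, user agent, the password hash of the failed guess) rather than the IP alone.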
A good way to secure against brute-force attacks is to use all or a combination of the above strategies.
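The hashing recommendation above deserves its own worked example. The following code is added here (it is not from the original page) and shows salted, deliberately slow password hashing with PBKDF2-HMAC-SHA256 from Python's standard library beside the unsalted fast hash it replaces. The iteration count, salt length and record format are assumptions chosen for the example; bcrypt, scrypt or Argon2 would be used the same way.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a per-user 16-byte random salt and a
# work factor high enough that each guess costs the attacker real CPU time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and work factor alongside the hash lets the work factor be
    raised later without breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def unsalted_fast_hash(password: str) -> str:
    """The anti-pattern: one fast, unsalted SHA-1. Identical passwords collide and
    precomputed tables or a GPU can test billions of guesses per second."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("same password, two users, salted:", rec_a != rec_b)
    print("same password, two users, unsalted:", unsalted_fast_hash(pw) == unsalted_fast_hash(pw))
    print("verify correct:", verify_password(pw, rec_a))
    print("verify wrong  :", verify_password("Correct horse battery staple", rec_a))
```

The contrast is the point: with the unsalted fast hash, an attacker who steals the database sees at a glance which users share a password and can run a dictionary against all of them at once; with per-user salts and 210,000 iterations, every guess must be hashed separately for every user and costs as much as a legitimate login. Keep the work factor tuned so that one verification takes on the order of a hundred milliseconds on your servers.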
What are examples of brute force attacks?
- In 2009, attackers targeted Yahoo accounts using automated password cracking scripts against a Yahoo web services-based authentication application thought to be used by internet service providers and third-party web applications.
- In 2015, threat actors breached nearly 20,000 accounts by making millions of automated brute force attempts to access the Dunkin mobile app rewards program for DD Perks.
- In 2017, cybercriminals used brute force attacks to access the U.K. and Scottish Parliament internal networks.
- In 2018, brute-force attackers cracked passwords and sensitive information of millions of Cathay Pacific airline passengers.
- In 2018, it became known that a Firefox bug had exposed the browser's master password to brute force attacks: the master password was protected by weak SHA-1 hashing, and the bug was left unfixed for almost nine years.
- In 2021, the National Security Agency warned of brute force password attacks being launched from a specially crafted Kubernetes cluster by a unit of Russia's military intelligence service (GRU).
- In 2021, hackers gained access to T-Mobile testing environments and then used brute-force attacks and other means to hack into other IT servers, including those that contained customer data.
Authsafe can help mitigate brute force attacks.