Brute forcing is a technique characterized by the attitude “try and try till you succeed”. It is one of the oldest methods of breaking into something. The technique can be used to attack web server login pages and web applications, to crack passwords, and so on. Brute force attacks have been fine-tuned to bypass various security controls and evade detection, and given unlimited time and computing power this attack is one of the surest ways of breaking into something. The hacking community has developed various tools and techniques to perform brute force attacks, and security products regularly update their mechanisms to detect and throttle them. The attacks can be performed against both offline and online targets, depending on the expected outcome.
The baseline strategy is straightforward. Take a simple example: you have a number lock with a 3-digit PIN. You don’t know the PIN, so you try different values until you discover the right match and the lock opens. Below are the basic steps of brute forcing:
Identify the target: This can be a Windows password to be cracked.
Identify the set of values that you will use to brute force: The set of passwords to be tried to find the correct one.
Try the combinations: Run the combinations against the login screen.
Analyse the result: A failed attempt will give an error (bad password), while a successful attempt will log in (welcome message).
Identify the target: Sometimes the sources from which a target can be reached are restricted; e.g. for the login pages of network devices, the source IPs from which attempts may take place need to be configured in the device. If the IP is not listed, the page will not be displayed.
Identify the value set: The list can be generated using a strategy, a tool, or manually. Dictionary lists, general password lists and default password lists are a few options; tools or scripts can also be used to generate custom lists.
Try the combinations: You could sit and try them manually, but that would be too time-consuming and inefficient. You need a tool to fire the values.
Analyse the result: A script or tool is used to differentiate between failed and successful attempts.
Finding hidden web pages: Consider a website that has some web pages which are not linked from the UI of the application. They were created for troubleshooting and management purposes, but can still be accessed by typing their links directly into the browser. An attacker can obtain a list of web pages, or create a list of URLs that may work based on some analysis. The list is then tried and the responses are analysed in the form of HTTP response codes: a response code of 200 signifies that the web page exists, otherwise it does not.
Breaking Windows passwords: A Windows password can be broken using a tool that takes a password list and tries the passwords one after the other until the authentication breaks open. The attack is performed on the files that store the system passwords, which are usually inaccessible to users while Windows is running.
Breaking web page authentication: Firing a set of usernames and passwords at the authentication page of the web application. Simple, right?
One variant of this attack is the reverse brute force attack. In this case the attacker knows the password but not the associated username, and tries the same password against different usernames until the correct combination is identified.
A successful attack gives the attacker unauthorised access to the web application, network device or system. This can then be used to create an unauthorised account for persistence and to perform other illegal activities. Attackers can also change the configuration of the compromised system so that it no longer works as expected; deleting logs, disabling alarms and alerts, or shutting down the system can each be among the attacker’s purposes.
John the Ripper is a free tool used to crack system passwords. It can crack passwords that are stored in encrypted or hashed form. It works in two modes: dictionary mode and brute force mode. In dictionary mode the user provides a dictionary of passwords, and John encrypts or hashes each word in the same format as the password to be matched; if the two match, the password has been cracked. In brute force mode the software tests all possible plaintext combinations. This takes more time but is effective. The tool is command-line based but has a GUI version as well, which goes by the name of Johnny.
Aircrack-ng is a freely available Wi-Fi cracking command line tool. It can help with monitoring, attacking, testing and cracking various Wi-Fi targets. Wireless packets can be captured and monitored by its various tools, which can launch deauthentication attacks, inject packets, and crack the WEP or WPA1 protocols. Aircrack-ng is a software suite and contains various other modules that can be used to launch fine-tuned attacks. It basically launches a dictionary attack on the Wi-Fi; if the password matches a word from the dictionary, the attack is successful.
Download link: https://www.aircrack-ng.org/doku.php
Hashcat is a free and fast password cracking tool. It supports a lot of algorithms (50+) and has various attack modes: brute force attacks, dictionary attacks, hybrid attacks, etc. In brute force mode, the input is the character set, and the length of the password is also known. Hashcat automatically generates the password list, and the number of passwords generated and tested will be (size of character set) ^ length.
Download link: https://hashcat.net/hashcat/
L0phtCrack can be used to perform ultrafast password cracking. It uses various attack methods: dictionary, brute force, hybrid and rainbow table attacks. It is fully customisable and has a scheduler for automated tasks. It also supports GPUs, which can help build a powerful and fast password cracking machine.
A trial version of the tool can be downloaded from: http://www.l0phtcrack.com/
Hydra can be used to perform brute force attacks on remote authentication protocols like HTTPS, FTP, Telnet, etc. It supports more than 50 protocols and can perform dictionary attacks as well. The tool is available for both Windows and Linux and comes pre-installed in the Kali Linux distro. It does not ship with a prebuilt password list for dictionary attacks. The official page for the tool is dead, but the tool can be downloaded from GitHub. Hunt it yourself and enjoy!
Cain is a free tool that, according to its developer, is used to perform password recovery. It can sniff passwords and crack them using brute force, dictionary and rainbow table attacks. It can also sniff LAN switches and various encrypted protocols, including HTTPS. It can perform cryptanalysis attacks using rainbow tables, which can be generated easily, attack VoIP networks, launch Wi-Fi attacks, and find cached passwords. The tool is detected as malicious software by most anti-virus solutions; to use it without interruption, add an exception for it in the anti-virus.
Download Cain and Abel from this link: http://www.oxid.it/cain.html
Now that we have discussed the tools, we are aware of the damage that can be inflicted. We will now discuss a few techniques that can be used to ensure that our resources do not end up compromised by such attacks. The attack should be detected and remediated in time, before an event turns into an incident.
The number of invalid attempts can be restricted, and after that no further request is entertained. This is harsh, but an effective way to stop attackers from randomly guessing credentials.
The account is locked after a fixed number of invalid authentication attempts. This is mostly done with banking accounts and even ATM PINs: the account gets locked after a certain number of invalid attempts and the user has to contact the admin to unlock it. The downside is that an attacker can deliberately lock out user accounts. To resolve this, there can be a process for users to unlock the account on their own using secondary media, such as a linked email or mobile phone.
After an invalid login attempt, the account is locked out for a fixed duration, and the duration increases with successive invalid attempts. This policy has been implemented by the iPhone: the phone keeps increasing the lockout duration, and it can reach years. “Your iPhone is locked out for 65 years”: silly but effective.
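The three controls above (attempt limit, account lockout, and lockout that grows with each further failure) combined in one throttle, as an added example that is not from the article. The thresholds (3 failures, 30 s base, doubling, one-day cap) and the injectable clock are assumptions; the unlock method models the self-service unlock mentioned for the lockout trade-off.

```python
import time
from dataclasses import dataclass

# Assumed policy values (not from the article): lock after 3 consecutive failures,
# first lockout 30 s, doubling on each further lockout, capped at one day.
MAX_FAILURES = 3
BASE_LOCKOUT_S = 30
MAX_LOCKOUT_S = 24 * 3600


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last lockout or success
    lockouts: int = 0          # lockouts so far; drives the doubling
    locked_until: float = 0.0  # clock value at which the lock expires (0 = not locked)


class LoginThrottle:
    """Per-account failure limit with progressive (doubling) lockout."""

    def __init__(self, now=time.monotonic):
        self.now = now        # injectable clock so the logic can be tested offline
        self.accounts = {}    # user -> AccountState

    def is_locked(self, user):
        st = self.accounts.get(user)
        return st is not None and self.now() < st.locked_until

    def unlock(self, user):
        """Self-service unlock (e.g. after an email/SMS challenge); keeps the lockout count."""
        self.accounts.setdefault(user, AccountState()).locked_until = 0.0

    def attempt(self, user, verify):
        """verify() checks the password and runs only when the account is not locked.

        Returns 'ok', 'denied' (wrong password) or 'locked' (request not evaluated)."""
        if self.is_locked(user):
            return "locked"
        st = self.accounts.setdefault(user, AccountState())
        if verify():
            st.failures = 0
            st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            duration = min(BASE_LOCKOUT_S * 2 ** st.lockouts, MAX_LOCKOUT_S)
            st.locked_until = self.now() + duration
            st.lockouts += 1
            st.failures = 0
        return "denied"
```

Because the password check is skipped entirely while an account is locked, a correct guess during the lockout window is not rewarded, which is what makes the throttle effective against scripted guessing.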
Notify the user or administrator in case of a failed or successful login attempt. Various banking websites have the practice of notifying the user that “your account has been accessed at such-and-such time; if this was not you, please change your password immediately”. The same can be done for administrative logins: the admin can then take action to secure the account and check the logs to see whether a login or any unintended activity has been performed.
Set up a monitoring system that can detect anomalies in behaviour. Suppose a user has been accessing the website for the last week between 9AM and 3PM; now the system sees various attempts at 3AM. Does this ring a bell? Someone is surely attempting a brute force attack. Or: one brute force attempt from America, and within a couple of minutes an attempt is made from Russia. How can the user travel from America to Russia within a few minutes? This is an anomaly, the impossible travel scenario, and a fine-tuned brute force attack.
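The two anomalies described above (off-hours attempts against the 9AM-3PM baseline, and impossible travel between consecutive attempts) as detection logic run over constructed authentication log lines. This is an added example, not from the article; the log format, the 1000 km/h travel threshold, and the fixed business-hours window are assumptions, and geolocation is embedded in the log instead of looked up.

```python
import math
from datetime import datetime

# Constructed auth log (not real data): time user src_ip country lat lon result.
LOG = """\
2024-03-04T09:15:02Z alice 203.0.113.5 US 40.71 -74.01 OK
2024-03-04T14:40:11Z alice 203.0.113.5 US 40.71 -74.01 OK
2024-03-05T03:02:40Z alice 198.51.100.9 US 40.71 -74.01 FAIL
2024-03-05T03:02:41Z alice 198.51.100.9 US 40.71 -74.01 FAIL
2024-03-05T03:04:10Z alice 192.0.2.77 RU 55.75 37.62 FAIL
"""

BUSINESS_HOURS = range(9, 15)  # the article's 9AM-3PM baseline: hours 9..14 inclusive
MAX_SPEED_KMH = 1000.0         # assumed: faster than this between attempts is "impossible travel"


def parse(log):
    """Turn each log line into a dict; the timestamps are UTC ISO-8601."""
    events = []
    for line in log.splitlines():
        ts, user, ip, cc, lat, lon, result = line.split()
        events.append(dict(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           user=user, ip=ip, cc=cc, lat=float(lat), lon=float(lon),
                           result=result))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events):
    """Return (kind, user, detail) alerts for off-hours and impossible-travel attempts."""
    alerts, last = [], {}   # last: user -> previous event, for the travel check
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", e["user"], e["ts"].isoformat()))
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                alerts.append(("impossible-travel", e["user"], f"{prev['cc']}->{e['cc']}"))
        last[e["user"]] = e
    return alerts
```

In practice the business-hours window would be learned per user from past successful logins rather than fixed, and the travel check would compare against the last successful login as well as the previous attempt.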
Whitelist the source so that only legitimate sources can access the target. This can be IP whitelisting or MAC binding; the best case is to bind the ID to a particular source IP and MAC address, so that the attacker needs the right combination of IP, MAC address, username and password.
Ensure that password complexity is enforced, so that it takes the attacker more time to break in. A complex password can have:
Length of more than 8 characters
Both upper case and lower case letters
No letter repeated more than 2 times
The more complex the password, the more time it takes the attacker to break it.
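An added example (not from the article) that turns the three complexity rules above into a checker and, using the (size of character set) ^ length relation given for hashcat's brute force mode, estimates how many candidates an exhaustive run must try. Reading the "repeated letters" rule case-insensitively, and the guess rate used in the estimate, are assumptions.

```python
from collections import Counter


def check_policy(pw):
    """Return the list of the article's complexity rules that `pw` violates (empty = OK)."""
    problems = []
    if len(pw) <= 8:
        problems.append("length must exceed 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    # Assumption: "no letter repeated more than 2 times" counts letters case-insensitively.
    letter_counts = Counter(c for c in pw.lower() if c.isalpha())
    if any(n > 2 for n in letter_counts.values()):
        problems.append("no letter may appear more than twice")
    return problems


def keyspace(charset_size, max_len, min_len=1):
    """Candidates a brute-force run must try for every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, max_len, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_second


if __name__ == "__main__":
    # Illustrative comparison: 8 lowercase letters vs. 9 mixed-case letters and digits,
    # at an assumed rate of 10^9 guesses per second.
    for name, size, length in (("8 lowercase", 26, 8), ("9 mixed+digits", 62, 9)):
        print(name, keyspace(size, length), seconds_to_exhaust(size, length, 1e9), "s")
```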
Do not use default credentials for any account or device. It is common practice for system admins to keep the system defaults, so that they do not need to remember complex passwords or maintain multiple accounts. This is low-hanging fruit for attackers: an attacker can get into such a system in no time.
Something you know and something you have: you know the password and you have the one-time password (OTP) sent by an authorised party. Only the correct combination of username, password and OTP allows access. This takes time, but is an effective method. Even if the attacker has access to the phone, it requires manual intervention each time an OTP is generated, as the OTP expires within a few minutes.
Brute force attempts are mostly performed using a tool or script; very rarely is there a human sitting and trying out the combinations. The system can ask the user to complete a simple challenge to ensure that there is a human at the other end. The challenge can be as simple as performing a single-digit addition or copying a word from a displayed picture.
In this article we have discussed the various tools and techniques that attackers use to perform brute force attacks. Organisations have taken measures to protect their systems and networks from being brute forced. Web applications are often monitored for load and traffic, and the traffic is then monitored for the response codes served. Any anomaly detected will alert the security monitoring team, which can then either block the target or implement immediate controls to throttle the attack. To reduce the risk, security experts in organisations should disable services that are not required. Hence, organisations should hire qualified security professionals who have in-depth awareness of hacking procedures and who regularly update their mechanisms to detect and thwart such attacks.
Bonus scenario: A web application does not show any response message when the user logs in. If the credentials are correct it logs in to the authorised account, otherwise it reloads the same page. In both cases the response code is 200. How will an attacker decide on the fail/pass criteria for the attack?
Answer: One possible answer is to analyse the response time. In one of the applications analysed, the response time to serve the page after successful authentication was noticeably longer than the time to serve a page with a failure error message.
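The defensive counterpart to the bonus scenario, as an added example that is not from the article: a login handler that removes the response-time signal by doing the same hashing work whether or not the user exists and padding every response to a fixed floor. The PBKDF2 user store, the shared salt (a simplification; real systems use a salt per user), and the 0.2 s floor are assumptions; the floor must sit above the slower path's normal service time for the padding to work.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000
_SALT = os.urandom(16)                      # simplification: one salt for the constructed store
RESPONSE_FLOOR_S = 0.2                      # assumed: every login response takes at least this long


def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITERATIONS)


# Constructed user store (not real credentials).
USERS = {"alice": _derive("correct horse battery")}
# Hash of a dummy password: unknown users are checked against this so the
# hashing cost is paid on every path, not only for users that exist.
DUMMY = _derive("dummy-password-never-valid")


def login(user, password):
    """Return (success, elapsed_seconds); elapsed is padded to RESPONSE_FLOOR_S."""
    start = time.monotonic()
    stored = USERS.get(user, DUMMY)
    candidate = _derive(password)
    # Constant-time comparison, and the user-existence check comes after it so that
    # "unknown user" and "wrong password" do the same amount of work.
    ok = hmac.compare_digest(candidate, stored) and user in USERS
    # Pad both the success and the failure path to the same floor so neither the
    # slow "render the authorised page" branch nor the fast reload branch is visible.
    remaining = RESPONSE_FLOOR_S - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok, time.monotonic() - start
```

Padding hides the branch only as long as every path finishes under the floor; a page that occasionally takes longer than the floor still leaks, so the floor should be chosen from measured worst-case timings.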