Cyber Attack Guide – Brute Force Attacks
Some people use the internet to watch cat videos and communicate with friends. Others depend on it for their livelihood.
Regardless of which group you fall into, you need to have a clear grasp of basic cybersecurity concepts.
For example, you have to be aware of what a brute force attack is, how dangerous it can be, and what you can do to protect yourself against it. Let’s make sure this is the case.
The State of Cybersecurity
Brute force attacks are among the oldest forms of cybercrime, but they continue to be extremely popular with hackers today. In fact, they are likely to become even more prevalent in the near future.
According to Panda Security, in 2020, there were on average 1 million brute force attempts against RDP connections every day.
Bear in mind these are only the attacks aimed at Microsoft’s Remote Desktop Protocol. The figure doesn’t cover brute force attempts against websites, SSH, mail servers, and other online services.
But why are they so common? And what do hackers stand to gain from them?
What is a Brute Force Attack?
The basic premise of a brute force attack is pretty simple – a hacker uses trial and error to guess the target’s password and gain unauthorized access to a computer-stored resource. A successful brute force attack opens a range of opportunities for all sorts of criminal activity.
If the attack targets your website, the hackers can deploy malicious ads, collect activity data, and redirect users to deceptive pages that collect login credentials and other sensitive information.
Suppose the attackers are trying to break into your home computer. In that case, they can deploy malware on it, steal your files, and hijack the system for further malicious activity (e.g., enrolling it into a botnet and using it for DDoS attacks).
If the attack infiltrates an entire network, the damages could be devastating for all users.
How do Brute Force Attacks Work?
A typical brute force attack makes many unsuccessful login attempts before it yields results. Usually, the hackers have a username and a list containing millions of passwords. They need to go through all these passwords one by one until they find the correct one.
It’s not something a human being can do manually, which is why there are plenty of tools that automate the process. Here are some of them:
- THC Hydra – Designed to work against a number of communication protocols like Telnet, FTP, HTTP, HTTPS, SMB, etc., THC Hydra is one of the most popular brute force tools for attacking remote authentication services.
- Ncrack – Ncrack is available for Linux, BSD, Windows, and macOS, and it works against RDP, SSH, HTTP, HTTPS, SMB, POP3, FTP, Telnet, and VNC.
- John the Ripper – One of the most popular password crackers. It is primarily an offline tool: given a file of password hashes (for example, from a stolen database or a Unix shadow file), it tries wordlist, rule-based, and exhaustive guesses until the hashes match.
- Aircrack-ng – Targets Wi-Fi. Available for Linux and Windows, it captures the WPA/WPA2 handshake of an in-range wireless network and then runs user-compiled dictionaries against it offline.
- L0phtCrack – A feature-packed tool designed to crack Windows password hashes.
It’s good to note that brute force attacks are not always ill-intentioned.
Most of the tools you see above were developed by security professionals for the purpose of penetration testing and educating users on the importance of password strength.
Still, as they are freely available, many cybercriminals use them to crack the passwords of unsuspecting users. You may think that in light of all this, launching a brute force attack is relatively easy.
That’s not exactly the case.
Making a large number of guesses in a short period of time takes real hardware. A general-purpose CPU computes one hash at a time per core and does not get far against long, complex passwords. To get around this, attackers run the hashing on their machines’ GPUs (Graphics Processing Units), which evaluate thousands of guesses in parallel, a practice cryptocurrency miners also rely on.
The gains depend on the hash function and the setup. For fast, unsalted hashes such as MD5, SHA-1, or NTLM, a modern GPU can raise the guess rate several hundred times over a CPU. Deliberately slow or memory-hard password hashes (bcrypt, scrypt, Argon2) are designed to shrink that advantage, which is why the choice of storage algorithm matters as much as the password itself.
Types of Brute Force Attacks
There are a few different ways to categorize brute force attacks. Depending on where the guessing actually happens, you have:
Online brute force attacks
This is the more straightforward approach to brute-forcing. Hackers interact directly with an online service’s login interface (it could be a web page or a command-line-based prompt) and try many different sets of credentials until they get lucky and guess the correct user/pass combo.
Offline brute force attacks
An offline brute force attack starts with a stolen database. Password storage best practice says service providers must never store user passwords in plain text. When you create an account, the host should run your password through a cryptographic hash function, ideally a deliberately slow one designed for passwords (bcrypt, scrypt, Argon2, or PBKDF2) combined with a unique random salt per user, and store only the result in a well-protected database.
Hashing is a bit like encryption in that it transforms your plaintext password into a fixed-length string of letters and digits that reveals nothing about the original. The difference is that hashing is a one-way function: there is no decryption key that turns the hash back into the plaintext password, so a login is verified by hashing what the user typed and comparing it with the stored value.
The idea is that if hackers steal the user database, they still won’t have the credentials needed to take over the accounts.
This is where offline brute force attacks come in handy for them.
Hackers can compute the hash of each candidate password and compare it with the stolen values. If a computed hash matches, they know the victim’s password. It is called “offline brute-forcing” because the criminals never interact with the service while cracking: there are no rate limits, lockouts, or logs to worry about, and the only limit is their hardware. If the database stores unsalted fast hashes, a single hash computation can be checked against every stolen account at once (and precomputed rainbow tables work too); per-user salts and slow hashing functions force the attacker to redo the work for every account and every guess.
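To make the offline case concrete, here is an added Python example (it is not from the original article or from any of the tools listed above) that runs a small dictionary attack against a constructed, hypothetical stolen user table. It shows why an unsalted fast hash lets one hash computation be checked against every account at once, while a per-user salt and a slow key-derivation function (PBKDF2 here, with an illustrative iteration count) force the attacker to pay the full cost for every user and every guess. The usernames, passwords, and wordlist are invented for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist (a real attacker would use millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2020", "correcthorse"]

# Constructed sample accounts: two weak passwords, one that is not in the wordlist.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "Summer2020",
    "carol": "T!g3r-Lily-9931",
}

# Illustrative iteration count; production code tunes this much higher
# or uses bcrypt/scrypt/Argon2 instead.
KDF_ITERATIONS = 50_000


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: what a poorly designed service might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus PBKDF2: every guess costs the attacker KDF_ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def build_unsalted_db(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Simulated stolen table: username -> unsalted hash."""
    return {user: fast_hash(pw) for user, pw in accounts.items()}


def build_salted_db(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Simulated stolen table: username -> (salt, slow hash)."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, slow_salted_hash(pw, salt))
    return db


def crack_unsalted(db: dict, wordlist) -> tuple:
    """Hash each guess once and look it up against all accounts.
    Cost: len(wordlist) hashes regardless of how many users were stolen."""
    lookup = {fast_hash(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in db.items() if h in lookup}
    return cracked, len(lookup)


def crack_salted(db: dict, wordlist) -> tuple:
    """With per-user salts nothing can be shared between accounts:
    the attacker recomputes the slow KDF for every (user, guess) pair."""
    cracked = {}
    kdf_calls = 0
    for user, (salt, stored) in db.items():
        for guess in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(slow_salted_hash(guess, salt), stored):
                cracked[user] = guess
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    found, work = crack_unsalted(build_unsalted_db(), WORDLIST)
    print("unsalted:", found, "hashes computed:", work)
    found, work = crack_salted(build_salted_db(), WORDLIST)
    print("salted + slow KDF:", found, "KDF calls:", work)
```

Both runs recover the same two weak passwords and leave carol’s alone, but the unsalted table costs six hashes in total while the salted one costs thirteen slow KDF calls for three accounts; against a real breach of millions of users, that difference is what turns “hours” into “not worth it”.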
In terms of the type of data used during login attempts, you can divide brute force attacks into several different types:
Simple brute force attacks
In this type of attack, the attacker picks a target username and tries every possible password in a fixed order (e.g., “aaa”, “aab”, “aac”, “aad”, etc.). Because the number of guesses grows exponentially with the password length, exhaustive guessing only works against tiny keyspaces such as PIN codes: a four-digit PIN has just 10,000 possibilities.
Dictionary attacks
In a dictionary attack, the attacker doesn’t generate password guesses on the spot.
Instead, they use a list of commonly used passwords and try them in combination with the targeted username. Dictionary attacks tend to be relatively successful because a large number of people use common passwords like “password,” “123456,” and “letmein.”
Hybrid brute force attacks
Hybrid attacks combine the types of brute-forcing we already described to create probable passwords.
For example, during a hybrid attack, hackers will first try “Password”. If it doesn’t work, they’ll attempt “Password123”, “Password!”, or “Password2024”. Hybrid attacks exploit people’s tendency to use close variations of the same passwords, especially when they face character requirements.
Reverse brute force attacks
In a reverse brute force attack (also referred to as password spraying), instead of trying millions of passwords against a single username, attackers try a small number of likely passwords against many different usernames. Because each account sees only a handful of failed logins, the attack stays under most per-account lockout thresholds, and it only takes one user in an organization who picked something like “Summer2024!” for it to succeed. Once again, it exploits people’s habit of protecting their accounts with the same memorable credentials.
This type of attack is becoming more popular by the day, a trend helped along by people’s tendency to reuse the same password across multiple accounts.
A closely related technique is credential stuffing. Online services of all shapes and sizes suffer data breaches, and vast databases of login details become freely available on underground forums and marketplaces all the time. Cybercriminals know how rampant password reuse is, and they try username and password pairs stolen from one online service against many others.
Because they have used the same credentials across multiple websites, victims often lose control over several accounts in a single breach.
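The attack types described above differ mainly in how the guesses are generated and ordered. The following added Python example (not from the original article) builds candidate generators for each of them: exhaustive enumeration for a simple attack, a plain wordlist for a dictionary attack, mangling rules for a hybrid attack, and the password-outer/user-inner loop of a reverse brute force (spraying) attack, together with a helper that shows what the defender sees per account. The wordlist and usernames are constructed sample data.

```python
import itertools

# Constructed sample data for the example.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome"]
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "erin"]


def simple_candidates(alphabet: str, length: int):
    """Simple brute force: enumerate every string of `length` symbols over `alphabet`
    in a fixed order ("0000", "0001", ...). Feasible only for tiny keyspaces such as PINs."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def dictionary_candidates(words):
    """Dictionary attack: try precollected common passwords verbatim."""
    yield from words


def hybrid_candidates(words, suffixes=("", "!", "1", "123"), years=("2023", "2024")):
    """Hybrid attack: dictionary words run through mangling rules
    (case changes, digit/symbol suffixes, appended years) to mimic how people
    satisfy complexity requirements. Duplicates are suppressed."""
    seen = set()
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for tail in suffixes + years:
                candidate = base + tail
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def spray_attempts(usernames, passwords):
    """Reverse brute force / password spraying: a handful of likely passwords
    against many accounts. The password is the OUTER loop, so each account
    sees at most len(passwords) failures and per-account lockouts never trigger."""
    for password in passwords:
        for user in usernames:
            yield (user, password)


def failures_per_account(attempts):
    """What a defender counting per-account failures sees for an attempt sequence."""
    counts = {}
    for user, _ in attempts:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    print(len(list(simple_candidates("0123456789", 4))), "four-digit PINs")
    print(list(hybrid_candidates(["password"]))[:8])
    attempts = list(spray_attempts(SAMPLE_USERS, ["Summer2024!", "Welcome1"]))
    print(failures_per_account(attempts))
```

Run it and note the last line: two sprayed passwords over five users produce ten login failures, yet no single account sees more than two, which is exactly why a per-account lockout alone does not catch this pattern.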
What To Do in Case of a Brute Force Attack?
Brute force attacks are rarely quiet.
How quickly a sysadmin can detect one depends on the individual setup, but a large number of failed login attempts is bound to show up in the logs sooner or later. But what should you do if you’re in charge of the attacked network and you see an attempted break-in?
Preparation is more important than reaction when it comes to fighting off brute force attacks, but there are a few things you can do to thwart hackers’ efforts if you see them trying to brute force their way into your network.
Cybercriminals aren’t renowned for their patience, and if they fail to compromise the targeted account quickly – they’ll just grow bored and move on to easier targets.
To slow attackers down, impose a limit on the number of unsuccessful login attempts. After several tries, users who can’t enter the correct login details are temporarily locked out of their accounts. It may frustrate people who struggle to remember their passwords, but ultimately it’s for everyone’s greater good. Keep the lockout short and automatic, though: an attacker who can lock any account at will by sending wrong passwords has an easy denial-of-service tool, and a per-account limit alone does nothing against password spraying, which stays below the threshold by design. Count failures per source IP and across all accounts as well.
You may consider a policy that involves a more permanent lockdown for accounts that accumulate a significantly larger number of failed logins. In such cases, the affected users should regain access only after they contact you directly and verify their identity.
If you see an obvious brute force attack aimed at one or several accounts, you could consider temporarily disabling the login functionality or at least resetting the affected users’ passwords to minimize the chances of credential stuffing succeeding.
Blocking IPs that generate far too many login attempts is worth doing too, bearing in mind that attackers rotate through proxies and botnet nodes, so IP blocking on its own will not stop a determined campaign.
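The following added Python example (not from the original article) shows how these controls fit together in a hypothetical LoginGuard class: a short temporary per-account lockout, a hard lock after many cumulative failures that needs an administrator to clear, and a per-IP block that still catches spraying when each account only sees one or two failures. Password verification uses a per-user salt and PBKDF2 with a constant-time comparison, and the hash is computed even for unknown usernames so response timing does not reveal which accounts exist. The thresholds, user store, and IP addresses are assumptions made for the example; the clock is injected so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict

KDF_ITERATIONS = 50_000  # illustrative; tune to your hardware, or use bcrypt/scrypt/Argon2


def make_user_store(creds: dict) -> dict:
    """Store per-user (salt, PBKDF2 digest); the plaintext is never kept.
    `creds` is constructed sample data for the example."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS))
    return store


def make_verifier(store: dict):
    dummy_salt, dummy_digest = os.urandom(16), bytes(32)

    def verify(user: str, password: str) -> bool:
        # Hash even for unknown users so timing does not reveal which usernames exist.
        salt, digest = store.get(user, (dummy_salt, dummy_digest))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
        return user in store and hmac.compare_digest(candidate, digest)

    return verify


class LoginGuard:
    """Failed-login throttling: temporary per-account lockout, hard lock after
    many cumulative failures, and a per-IP block so spraying is still caught."""

    def __init__(self, clock, max_account_fails=5, lock_seconds=900,
                 hard_lock_fails=20, max_ip_fails=50, ip_block_seconds=3600):
        self.clock = clock                      # injectable time source (returns seconds)
        self.max_account_fails = max_account_fails
        self.lock_seconds = lock_seconds
        self.hard_lock_fails = hard_lock_fails
        self.max_ip_fails = max_ip_fails
        self.ip_block_seconds = ip_block_seconds
        self.window_fails = defaultdict(int)    # failures since the last lock or success
        self.total_fails = defaultdict(int)     # failures since the last success or unlock
        self.locked_until = {}
        self.hard_locked = set()
        self.ip_fails = defaultdict(int)
        self.ip_blocked_until = {}

    def attempt(self, user: str, password: str, ip: str, verify) -> str:
        now = self.clock()
        if self.ip_blocked_until.get(ip, 0) > now:
            return "ip_blocked"
        if user in self.hard_locked:
            return "hard_locked"
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if verify(user, password):
            self.window_fails[user] = 0
            self.total_fails[user] = 0
            return "ok"
        self.window_fails[user] += 1
        self.total_fails[user] += 1
        self.ip_fails[ip] += 1
        if self.total_fails[user] >= self.hard_lock_fails:
            self.hard_locked.add(user)          # cleared only by admin_unlock()
        elif self.window_fails[user] >= self.max_account_fails:
            self.locked_until[user] = now + self.lock_seconds
            self.window_fails[user] = 0
        if self.ip_fails[ip] >= self.max_ip_fails:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
            self.ip_fails[ip] = 0
        return "denied"

    def admin_unlock(self, user: str) -> None:
        """Manual reset after the user has verified their identity out of band."""
        self.hard_locked.discard(user)
        self.locked_until.pop(user, None)
        self.window_fails[user] = 0
        self.total_fails[user] = 0
```

The per-IP counter is what makes the spraying case visible: five different users each failing once from one address is a normal day for the per-account counters and an obvious campaign for the per-IP one. In production the counters live in a shared store (for instance a cache with expiry) rather than in process memory, and the IP logic must be combined with a proxy-aware view of the client address.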
Some of the measures mentioned above can be applied beforehand, and you also need to ensure your password storage is in line with industry best practice: a unique salt per user and a slow, password-specific hash such as bcrypt, scrypt, or Argon2 rather than a plain MD5 or SHA-1 digest.
Offering two-factor authentication, setting up a CAPTCHA challenge on the login page, and imposing sensible rules for password length and complexity are all measures that effectively deter brute force attacks without causing users too much discomfort. Of these, two-factor authentication is the most powerful: a guessed password on its own is no longer enough to log in.
What Can Your Hosting Provider Do?
As a website owner, it is your responsibility to keep your users’ data safe. A good hosting provider will always help you with this.
Adequate password requirements, CAPTCHA challenges in the client area, and additional security features like two-factor authentication can discourage attackers right from the get-go. Built-in password generators on the account creation forms can also improve your project’s overall security posture.
There are now services that check whether an account password has been leaked during a previous data breach. The checks are pretty much instantaneous and can be implemented in the account creation form.
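The article does not name a particular service; one that works this way is Have I Been Pwned’s Pwned Passwords range API, which the following added Python example (not from the original article) implements as a registration-form check. The client sends only the first five hex characters of the password’s SHA-1 hash and compares the remaining 35 locally, so the service never learns the full hash (k-anonymity). The example runs offline against a constructed stand-in response: “5BAA6” is the real SHA-1 prefix of “password”, but the counts and the second suffix are invented; the live fetch function is included but not used by the offline demo.

```python
import hashlib
import urllib.request


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Body is one 'HASH_SUFFIX:COUNT' line per hash sharing the queried 5-char prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the machine;
    the 35-char suffix is matched locally against the returned range."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_accepted(password: str, fetch_range, min_length: int = 12) -> bool:
    """Registration-form policy: minimum length plus 'never seen in a breach'."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


# Constructed offline stand-in for the service. "5BAA6" is the real SHA-1 prefix of
# "password"; the counts and the second suffix are invented for the example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:2",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Offline stand-in: returns the constructed range for a prefix, or nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def hibp_fetch(prefix: str, timeout: float = 5.0) -> str:
    """Live version against the Pwned Passwords range endpoint (not called by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "T!g3r-Lily-9931"):
        print(pw, "seen", breach_count(pw, offline_fetch),
              "times; accepted:", password_accepted(pw, offline_fetch))
```

Swap `offline_fetch` for `hibp_fetch` to run the check for real. Because the comparison happens on the client, the check can be wired into the account creation form without ever sending the candidate password, or its full hash, to a third party.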
A lot of the protection is down to the complexity of user login credentials. By pushing them toward harder-to-crack, unique passwords, hosts can improve your chances of withstanding a brute force attack.
The setup itself can play a significant role as well.
A properly configured firewall is sometimes enough to discourage hackers. Additional anti-brute-force tools give hosting providers a simple, easy-to-implement solution for what continues to be one of the most pressing problems modern website owners face.
Unlike other aspects of our online lives, the username/password scheme for logging into accounts has remained pretty much unchanged over the decades. The same goes for brute force attacks, one of the oldest methods for compromising computer system integrity and stealing user data.
Because about 60% of the global population is now online, everything is on a massive scale. Luckily, decades of experience and innovation means that both users and hosting companies can be better prepared to defend themselves against brute force attempts.
What is a brute force attack?
During a brute force attack, hackers use trial and error to guess the target’s password. Automated tools fire off login attempts (or, in the offline case, hash computations) far faster than any human could until they hit the correct username/password pair and gain access to the victim’s account. Usually, the hackers use lists of commonly used passwords, systematic enumeration of short ones, or login data leaked in unrelated security incidents.
Is brute-forcing illegal?
Brute force attacks have an application in penetration testing. For example, a website owner can commission a brute force attack against their server to see how well their security measures are holding up.
However, if a hacker attacks and gains access to the server without the owner’s consent, the brute force attempt is considered a form of cybercrime and is therefore illegal.
How long does it take to crack a password?
According to Varonis, an eight-character password containing letters, numbers, and special characters can be cracked by a modern computer in as little as two hours.
That said, take this estimate with a pinch of salt. The time required to crack a password depends on many factors: the password’s length and character set, the attacking computer’s hardware, whether the attack is online (throttled by the service) or offline (limited only by hardware), and, for offline attacks, which hash algorithm protects the stored password. The same eight-character password that falls in hours as an unsalted MD5 hash can take orders of magnitude longer as a bcrypt or Argon2 hash.