A brute force attack is one of those cyberattacks that even a novice hacker can handle, but the consequences for victims can be catastrophic. Read this article to learn more about this attack, the tools used for it, and ways to protect against it.
“It’s really exciting. It’s kind of like hunting, but not hunting animals, but hunting hashes. The best form of vertical missile game!”
This is how a cybersecurity expert describes his profession: he checks the security of passwords and uses brute force attacks to do so. Of course, he warns that if you use this type of attack for illegal purposes, you should also expect the consequences.
A brute force attack can be one of the simplest password-cracking methods with a high success rate, or a relatively complex method with a low success rate. This article introduces this type of cyberattack, the tools used for it, and the methods of protection against it.
The topics covered in this article:
- What is a brute force attack?
- Types of brute force attacks
- Hackers' goals in brute force attacks
- Weaknesses and strengths of brute force attacks
- How is a brute force attack performed?
- Brute Force attack tools
- Ways to Protect against brute force attacks
- Ways to create a strong password
- Check the security level of the password
- Has my password been revealed?
What is a brute force attack?

A brute force attack, also known as an Exhaustive Search attack, is one of the most common cyberattacks to find users’ passwords or hidden pages on websites.
This type of cyberattack is the equivalent of a familiar scene in the movies: the door is locked and the thief has a bunch of keys, but he does not know which key unlocks the door. Time is very tight and the landlord may arrive at any moment. That’s why the character in the movie starts trying all the keys until one of them finally unlocks the door.
The same is true of the brute force attack, except that the attacker, instead of forcing himself into the house, intends to enter other users’ online accounts without permission. Through this attack, the hacker guesses all the possible combinations of the desired password until he finally gets the correct answer.
A brute force attack, although it seems so simple that even very novice hackers can handle it, can be very time consuming. For example, if the attacked website uses encryption keys to hide its passwords, that is, stores them as so-called hashed passwords, it may be almost impossible to discover the passwords through this attack, depending on the type of encryption key. However, if the password is weak, a simple brute force attack can guess it correctly in a matter of seconds.
It is true that brute force attacks are based on speculation and are even referred to as unconscious attacks, but they are very common because in many cases they succeed. According to Verizon, in a massive breach of data, 80 percent of password disclosures were carried out through brute force attacks.
Types of brute force attacks

Simple brute force attacks: In this attack model, hackers use software tools to guess and discover users’ passwords. This attack only works if the password is weak and easily guessed.
Dictionary attacks: In this type of attack, the hacker targets a specific username and, with the help of a dictionary or a list of common passwords that have been exposed in data breaches, tries each of these passwords until he finds the one that belongs to the targeted username. For example, if your chosen password is 12345, this password has been detected in 2,493,390 data breaches so far and you can be sure that it exists in all dictionaries used in brute force attacks.
Reverse brute force attacks: This model of attack, as its name implies, is the opposite of a simple brute force attack. The hacker does not target a specific username, but takes a list of common passwords and tries them against millions of usernames until a password matches one of them.
Disclosed passwords can be easily found on the Dark Web. Hackers attack various websites, steal the list of passwords stored on their servers, and then publish it on the Dark Web. Other groups of hackers then use these passwords to launch reverse brute force attacks to find the username associated with each password and gain access to the user account.
Hybrid brute force attacks: In this type of attack, attackers resort to advanced tools that use the power of computer processors to try, in a shorter time, several possible combinations of complex passwords made of letters, numbers, and symbols simultaneously until they get the correct password.
While weak and common passwords can be easily guessed by hackers or scripts and bots, strong and complex passwords can only be detected with the help of special tools. In other words, even strong passwords are not safe from brute force attacks.
Credential Stuffing: If a hacker finds the right combination of username and password for an account on one website in a brute force attack, he will then try this combination on several other websites. Because many users are accustomed to using the same combination of username and password to log in to different websites, they become easy prey for this model of attack.
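From the defender's side, the attack types above leave different traces in authentication logs: guessing against one account produces many failures for a single username, while reverse brute force and credential stuffing spread a few failures over many usernames. The following added example (not part of the original article) classifies source addresses on that basis; the log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log format used only for this example.
LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) src=(\S+) user=(\S+)$")


def build_sample_log():
    """Constructed sample lines in a made-up log format (not real data)."""
    lines = []
    # One source hammering a single account: simple or dictionary brute force.
    for i in range(8):
        lines.append(f"2024-05-01T10:00:{i:02d}Z login FAIL src=203.0.113.7 user=alice")
    # One source trying each account once: reverse brute force or credential stuffing.
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2024-05-01T10:01:{i:02d}Z login FAIL src=198.51.100.9 user={user}")
    # A legitimate user who mistypes twice and then logs in.
    lines.append("2024-05-01T10:02:00Z login FAIL src=192.0.2.44 user=heidi")
    lines.append("2024-05-01T10:02:05Z login FAIL src=192.0.2.44 user=heidi")
    lines.append("2024-05-01T10:02:09Z login OK src=192.0.2.44 user=heidi")
    return lines


def classify_sources(lines, min_failures=5, many_users=5, per_user_max=2):
    """Map each noisy source address to the attack pattern its failures resemble."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines in other formats
        _, result, src, user = match.groups()
        if result == "FAIL":
            failures[src][user] += 1

    findings = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < min_failures:
            continue  # too few failures to call it an attack
        worst = max(per_user.values())
        if len(per_user) >= many_users and worst <= per_user_max:
            findings[src] = "many-accounts"   # reverse brute force / stuffing
        elif worst >= min_failures:
            findings[src] = "single-account"  # simple / dictionary brute force
        else:
            findings[src] = "mixed"
    return findings


if __name__ == "__main__":
    for src, kind in sorted(classify_sources(build_sample_log()).items()):
        print(src, kind)
```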
Hackers' goals in brute force attacks

Brute force attacks are usually used to gain access to users’ personal information, including passwords, usernames, and PINs, and hackers use scripts, bots, or special software for these attacks. The goals that hackers pursue with a brute force attack include the following:
- Stealing personal information such as a password or username to access online accounts and network resources
- Collecting users’ personal information for sale to third parties
- Impersonating the user to send phishing links and fake content
- Damaging the reputation of an organization by disclosing the information of its users
- Redirecting domains to websites that have malicious content
Of course, brute force attacks are also carried out for useful purposes. Many IT professionals use this attack model to test network security, and in particular, the strength of the encryption method used on the network to prevent possible future hacker attacks.
Weaknesses and strengths of brute force attacks

The biggest advantage of a brute force attack (from a hacker’s point of view, of course!) is its simplicity, and it will always succeed given enough time and no risk reduction strategy on the part of the user. Any system based on passwords and encryption keys can be hacked with a brute force attack. In fact, how long it takes to break into a system with a brute force attack is a practical measure of that system’s level of security.
However, brute force attacks are very slow, as they must try every possible combination of characters to reach their goal. This slowness increases as the number of password characters increases. In other words, hacking a four-character password through brute force will take longer than hacking a three-character password, and hacking a five-character password will in turn be more difficult than hacking a four-character password. When the number of characters in the password exceeds a certain limit, it becomes almost unrealistic to discover it with a brute force attack.
If the string of password characters is long enough, it may take days, months, or even years to brute-force it. This is why most websites ask you to choose a password of at least eight characters to increase the cracking time.
Choosing strong passwords and using cryptographic keys to hide passwords from hackers have made it more difficult to carry out brute force attacks. However, in such cases, hackers resort to other methods to achieve their goals, such as social engineering, in which the user’s behavior and habits are used against him, or on-path attacks, in which the hacker tracks or manipulates the exchanged information by sitting in the path of the exchange (e.g. between browser and web server).
How is a brute force attack performed?
The concept of a “brute force attack” may evoke the image of a highly professional hacker of the caliber of Elliot Alderson who, with paper and pen and using his vast intelligence, is guessing different combinations of passwords. But the reality is duller than this picture, because cyber-attackers are just as busy as other people, and their lifetimes are not long enough to guess all the possible combinations of an 8-character password. Instead, these attackers use various scripts, bots, or software that attack the login page of a website or application and crack passwords in a much shorter time.
But discovering the password and matching it to the username is the first step in a brute force attack. The main purpose of hackers in a brute force attack is to gain access to the user’s personal and sensitive data, which can be used to infiltrate the network of the organization of which the user is a member.
How easy or nearly impossible a brute force attack is depends on the difficulty of the passwords. The reason that no password, not even a bank card PIN, is two digits long is that there are only four possible combinations for the two digits and the hacker can guess the password in one second. By contrast, if a password of, for example, 8 characters is made up of a combination of uppercase and lowercase English letters and numbers (62 characters in total), the number of possibilities becomes 62 to the power of 8, which is 218 trillion possible combinations!
Hackers increase password cracking speed by combining CPU and GPU processing power
For this reason, it would be unrealistic to assume that brute force attacks are carried out by individuals by hand. A human lifetime is not enough to try 218 trillion possible combinations, so tools do the work. If you have a bot that checks one combination every second, it would take 218 trillion seconds, or 7 million years, to crack an 8-character password (assuming the correct answer is the last guess). With the help of special software, the supercomputer can check 9 possible states of 9 per second, which means that all possible combinations are tested in just 22 seconds!
Running brute force software requires a lot of computing power, and hackers have found ways to get it. Combining CPU processing power with a computer's graphics processing unit can speed up the password recovery process by up to 250 times compared with the CPU alone. For example, for a six-character password that includes numbers, there are about 2 billion possible combinations. It will take more than two years to crack this password with a powerful processor that tests 30 different passwords every second, but by adding the processing power of a powerful graphics card to the brute force process, the same computer can test 7,100 passwords per second, and the whole process will take only 3.5 days.
Brute Force attack tools and software

To carry out a brute force attack, a cyber attacker uses software that systematically checks all possible password combinations using the computer's computing power until it finally identifies the correct password. Because it takes a long time for humans to try all possible combinations to get the correct password (millions of years for a password of 8 characters or more!), it is not possible to carry out brute force attacks without using cracking software. Here are some of the most popular tools used in brute force attacks:
Aircrack-ng software
Aircrack-ng is one of the most popular tools for brute force attacks. This free software is used to crack Wi-Fi passwords. It works by running a dictionary attack against a Wi-Fi network based on the IEEE 802.11 standard to guess its password. The success rate of this tool depends on whether the dictionary contains the password. The better and more up-to-date a dictionary is, the more likely it is to succeed in cracking the password.
Aircrack-ng software is used to determine the security of wireless connections. This software is available for Windows and Linux platforms and can run on iOS and Android.
John the Ripper software
Another popular tool for brute force attacks is John the Ripper. This free tool was first developed for Unix systems, but later versions were released for other platforms such as Windows, DOS, BeOS, and OpenVMS.
With the help of this tool, weak passwords can be detected or cracked. The tool supports several password-cracking modes and can automatically detect the type of hash used for the password and try to break it. Thus, even some encrypted or hashed passwords are not secure against this software, and it can be used to measure the security of cryptographic keys.
John the Ripper software can perform simple brute force attacks by testing all possible combinations of letters and numbers. If you have access to a list of passwords, you can use this software to perform dictionary brute force attacks.
Rainbow Crack software
This software performs brute force attacks by generating rainbow tables, which are used to break hashes. The difference between this tool and other brute force software is that the rainbow tables are pre-calculated, which reduces the attack time. Various organizations have published rainbow tables for all Internet users that can be used with this software.
Rainbow Crack supports all new versions of Windows and Linux.
L0phtCrack software
This software is known for its ability to crack Windows passwords. L0phtCrack uses simple brute force attacks, dictionaries, hybrids, and rainbow tables. The most important features of this software include scheduling, hash extraction from 64-bit versions of Windows, multiprocessor algorithms, and network monitoring and decryption.
Ophcrack software
Ophcrack software is also used specifically to crack Windows passwords. The Windows operating system hashes the passwords of its users with the LM algorithm and stores them in a file called SAM. The SAM file is encrypted in such a way that the user cannot normally read or copy it, but the Ophcrack tool can use rainbow tables to break the LM hash and extract the password.
By default, the software includes rainbow tables that can crack passwords of less than 14 characters (consisting of letters and numbers) in minutes. Of course, you can also download other rainbow tables to crack longer passwords.
Ophcrack is open source and free for Windows and Linux operating systems.
Hashcat software
Hashcat software claims to be the fastest CPU-based password cracking tool. It supports a variety of hash algorithms, including LM, MD4, and MD5, and is capable of simple brute force, hybrid, dictionary, and several other attack models.
Using these tools locally or to detect vulnerabilities in organizational systems is not a problem and is not illegal, but using them to hack other users’ passwords can have serious consequences.
Ways to protect against brute force attacks

There are several ways to protect passwords against brute force attacks, some of which must be followed by the user and some by the website owner. Here are some of the most important ones:
1. Limit the number of incorrect password attempts
One effective way to prevent brute force attacks is to limit the number of times an attacker has the opportunity to try different combinations to find the correct password.
On some websites and services, if too many incorrect passwords are entered, the user account is blocked and cannot be accessed for a certain period of time. This method does not prevent the attack, however, but it does interrupt the attacker’s work.
On the other hand, if limiting login attempts to an online account is done without careful thought and planning, it may impose additional costs on the organization. For this reason, it is necessary to first examine whether this method is suitable for protecting the company’s infrastructure.
2. Use strong passwords
One of the best and most effective ways to prevent dictionary brute force attacks is to avoid using words that can be found in the dictionary. Users should also refrain from using their personal information, including bank account numbers, to choose passwords for web services that do not use strong encryption keys.
The world of technology is moving toward passwordless systems, but there is still a long way to go until that day. Therefore, it is good to get acquainted with the methods of choosing a strong password that is not easily discovered in brute force attacks, which we will examine below.
3. Alternatives to traditional passwords
Another way to reduce brute force attacks is to avoid using traditional passwords. You can use one-time tokens or passwords instead. This will give you a unique password each time you access the website and prevent brute force attacks.
4. Multi-factor authentication
The use of tokens is a type of two-factor authentication or 2FA. This security measure is commonly used in banking transactions. In this method, in addition to the usual login methods, another level of security is added during the transaction. For example, a code is sent via SMS to the user’s smartphone, or two-factor authentication applications such as Google Authenticator automatically generate one-time passwords. Thus, even if the hacker has access to the user’s password, he will need to enter a code to log in, which fortunately he does not have access to.
5. Show Captcha
After several unsuccessful login attempts, authentication systems show a captcha to prevent brute force attacks. There are different types of captcha, including typing the text displayed in an image, checking the "I’m not a robot" option, or recognizing objects in images. The captcha feature can be enabled for the first login attempt or after the first failed attempt.
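Measures 1 and 5 above can be combined in one per-account counter: a captcha is required after a few failures and the account is temporarily blocked after a few more. The sketch below is an added example, not code from the original article; the class name, the thresholds (3 and 5 failures, 15 minutes) and the in-memory storage are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-account failure counter: CAPTCHA first, temporary lockout later."""

    def __init__(self, captcha_after=3, lock_after=5, lock_seconds=900,
                 clock=time.monotonic):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._state = {}  # username -> (consecutive failures, locked_until)

    def check(self, username):
        """Call before verifying the password: 'allow', 'captcha' or 'locked'."""
        failures, locked_until = self._state.get(username, (0, 0.0))
        if self.clock() < locked_until:
            return "locked"
        if failures >= self.captcha_after:
            return "captcha"
        return "allow"

    def record(self, username, success):
        """Call after the password check with its outcome."""
        if success:
            self._state.pop(username, None)  # a good login clears the history
            return
        failures, locked_until = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= self.lock_after:
            # Lock the account, and keep the CAPTCHA requirement once it reopens.
            self._state[username] = (self.captcha_after,
                                     self.clock() + self.lock_seconds)
        else:
            self._state[username] = (failures, locked_until)


def demo():
    """Five wrong guesses against one account, then a retry after the lock expires."""
    now = [0.0]  # fake clock so the example runs instantly
    throttle = LoginThrottle(clock=lambda: now[0])
    seen = []
    for _ in range(5):
        seen.append(throttle.check("alice"))
        throttle.record("alice", success=False)
    seen.append(throttle.check("alice"))  # right after the fifth failure
    now[0] += 901                         # lock period has passed
    seen.append(throttle.check("alice"))
    return seen


if __name__ == "__main__":
    print(demo())
```

Because the counter is kept per account, it does not slow down a reverse brute force attack that tries one password against each account; that case needs a counter per source address as well.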
Ways to create a strong password

Perhaps the most effective factor in protecting against brute force attacks is choosing a strong password. But what features should a password have to reduce the possibility of it being discovered by brute force attacks? Here are some tips for creating a strong password:
Long passwords with a variety of characters: If possible, choose 10-character passwords that include symbols or numbers. Such passwords generate 171.3 quintillion or 1.71 × 10^20 possible combinations. Using a GPU that tests 10.3 billion hashes per second, it takes approximately 526 years to crack this password. Of course, a supercomputer can crack this password in a matter of weeks; for this reason, adding more characters makes it harder to discover your password.
Use complex passphrases: Because not all websites support very long passwords, and because such passwords are difficult to remember, you can use passphrases instead of long one-word passwords. Dictionary attacks are specifically designed to detect one-word passwords, and they crack such passwords with almost no hassle. For this reason, to increase cybersecurity, it is necessary to use passphrases that consist of several words combined with additional characters and symbols.
It is better not to rely on your own mind to choose the passphrase, because the human mind is not able to think of words that do not follow the natural pattern of language, and brute force tools can easily guess such words. For this reason, the use of the Diceware method is recommended. Diceware is a list of 7,776 English words, with a 5-digit number made of digits from one to six next to each word. Roll a die five times, write down the number combination that is obtained, and select the word for it from the Diceware list. Repeat this for as many words as you want in your phrase until you come up with a phrase that is completely random and has high entropy.
If your chosen phrase consists of five words, there are 7,765 possible combinations for it, and it takes 14 quintillion (14 followed by 18 zeros) attempts to guess. According to a 2013 Edward Snowden warning, it would take 27 million years to guess a seven-word passphrase with the help of a tool capable of one trillion guesses per second.
It is good to use a passphrase instead of a long one-word password to make it easy to remember. For example, it is easier to remember “bolt vat frisky fob land hazy rigid” than “d07; oj7MgLz ‘% 8”, but cracking it through a brute force attack is extremely difficult and time-consuming.
Set password rules: The best passwords are the ones you can easily remember but that are completely meaningless to someone who reads them. When creating a passphrase, you can delete the vowels of a word or use only the first two letters of the word; for example, use wd instead of wood.
Avoid using common passwords: Brute force attacks are based on a list of common passwords leaked in data breach attacks. If your chosen password is common, even if it consists of 8 characters, it is very likely to be on this list and can be cracked in a matter of seconds.
Use unique passwords for each website: In order not to fall victim to Credential Stuffing attacks, you need to be careful not to use one password more than once. To increase security, it is even better to change your username for each website. That way, if one of your accounts is hacked, the other accounts will be safe.
Use password management: Password management applications automatically generate complex passwords and store user login information on various websites. This way, you can access all your online accounts by logging in to the password management application. These applications allow you to create long and very complex passwords without having to worry about remembering them.
In general, the strongest password against brute force attacks is one that, while long and unique, is as random as possible and does not follow the predictable patterns of natural language. For this reason, it is recommended to use password management applications to increase cyber security.
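The Diceware procedure described above can also be carried out in software, with a cryptographically secure random generator in place of physical dice. This is an added example, not part of the original article; it assumes the word list is ordered by its dice keys from 11111 to 66666, and it uses a constructed placeholder list instead of the real Diceware words.

```python
import math
import secrets

LIST_SIZE = 6 ** 5  # 7,776 entries: one per possible five-roll sequence

# Constructed placeholder list; a real run would load the Diceware words,
# ordered by their keys 11111, 11112, ..., 66666 (an assumption of this sketch).
PLACEHOLDER_LIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_key(rolls=5):
    """Simulate five die rolls with a CSPRNG and return a key such as '35216'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key):
    """Convert a dice key to a list position: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError("dice digits must be between 1 and 6")
        index = index * 6 + (digit - 1)
    return index


def passphrase(wordlist, words=7):
    """Pick `words` independent random entries from a 7,776-word list."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("expected a list with exactly 7,776 words")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(words))


def entropy_bits(words, list_size=LIST_SIZE):
    """Entropy of a phrase whose words are chosen uniformly and independently."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(PLACEHOLDER_LIST))
    print(f"{entropy_bits(7):.1f} bits for seven words")
```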
Check the security level of the password

If you want to know how strong your chosen password is and how long it takes for the brute force tool to crack it, you can use the Kaspersky password check site. For example, the website calculates that an eight-character password with a combination of uppercase and lowercase letters, numbers, and symbols takes 12 days to be cracked by a regular computer.
However, keep in mind that many services are not really able to judge the degree of difficulty of a password. For example, a website that Intel launched a few years ago to check the security of users’ passwords (and which is no longer available) estimated that it would take six years to crack the BandGeek 2014 password, when in fact hackers were able to crack it in the first few seconds. Similarly, Kaspersky’s website estimates that the password will take three months to crack.
Has my password been revealed?
One of the most recommended methods when setting a password is to use unique passwords for each website. For example, if your password has been leaked in a data breach attack and made available to hackers on the Dark Web, the password is no longer secure and will be cracked in a matter of seconds by brute force software.

One way you can check if your chosen password has been leaked in data breach attacks is to use the Have I Been Pwned website. For example, this website reviews 123456 and tells you that this password has been leaked 24,230,577 times in data breaches and is not secure at all. If one of your passwords is revealed, change it as soon as possible.
Wironal users, how confident are you in your passwords? Have your online accounts ever been attacked by brute force?