Brute Force Attack
June 22, 2023
A brute force attack attempts to break the code (password, passphrase, encryption key, etc.) by consecutively trying all possible character combinations until the right one is found. Such an attack can be characterized as systematic guessing. In cryptography, the “brute force” term reflects virtually unlimited time or computing power the hacker needs to perform the attack effectively, not the nature of the code breaker’s interaction with the targeted system.
An exhaustive search method, brute force plays a symbolic role in cryptography. Although it is the slowest code-breaking method, it is also the purest in its artless efficiency. Thus, the capacity of a cryptographic protection method (or a particular password or key) against the brute force attack can serve as a criterion of its effectiveness.
Strengths and Weaknesses of Brute Force
As noted above, brute force attacks are virtually impossible to repel. Breaking the password may take years for the offenders. However, they will eventually succeed. Therefore, all protective measures against disputed attacks (except for highly impractical implementations of unconditional security) can be reduced to making brute force useless. And that is relatively easy to do.
Imagine a four-digit code. It will take a human a lot of time to test ten thousand variants to see which one is correct. However, a computer will find the needed combination in less than a second. Regardless of such evident computational dominance of a machine over a human, a strong password will make this advantage irrelevant. An 18-character password featuring lower and upper case letters, digits, and special symbols will keep even the most powerful computer busy for millions of years.
This table shows the difference in the time it takes to hack passwords differing in strength.
Encryption keys used for secure communications can be targeted for hacking attacks as well as passwords, but they are, in the same way, unreachable for brute force attacks nowadays. Bit strings for scrambling transmitted data and unscrambling it upon reception, encryption keys can be pretty long, and breaking them is also a difficult task. For example, AES (advanced encryption standard) featuring 256-bit encryption keys makes reaching the encoded traffic in a reasonable time impossible.
It is a state of affairs for modern broad-market machines. The progress won't cease, though. Quantum computers brought to the world will jeopardize today's best classical encryption methods. IBM's already existing 100+ qubit quantum computer and its successors are impending rivals for 256-bit encryption schemes, most likely to render them obsolete. Ciphering the "classic" machine will take ages to decrypt, but it will be a piece of cake for the powerful quantum computer. Fortunately, such computers will likely be too expensive to be available for everyone.
Modern Technical Issues
Besides strong passwords and long encryption keys, various technical solutions oppose brute force attacks. The programs that receive and check passwords, online or offline, have security measures against brute force. These are CAPTCHA (a well-known quick anti-robot test,) a programmed delay between allowed attempts to enter a password, IP/account blocking if password-guessing becomes evident, etc.
Another brute force countermeasure is data obfuscation which applies to encrypted data. It is an additional technique wherein data is altered by certain algorithms that obscure information for the human eye. Obfuscation has nothing to do with the encryption itself. However, it might save data from being recognized as correctly decrypted or prevent the decrypted information from timely usage by hackers.
What Is Brute Force Good For Then?
What's the point of such an attack if there are so many things that make it useless? - you might ask. That's a reasonable question. The answer is that, although surrounded by outstanding technical protection measures, the human user provides the most critical vulnerability. Few people follow password-related safety rules unless the technology doesn't make them obey prescribed security regulations, of course. Large tech companies, like Apple or Microsoft, takes care of that, but not all companies do so. Passwords like "123" or featuring pet names are still very widespread. Why is it dangerous and hands-untying to brute force attackers is coming up further.
Tools for Brute Force
The Brute Force Attackers use various tools to access your systems. You can use these brute-force attacking tools themselves for penetration.
The penetration test is the practice of trying to check your computers using the same ways hackers do. These tools can help you to make you able to identify low-security holes.
Name | Description | Language | Price |
---|---|---|---|
Hydra | Brute Force tools for login cracking used either on Linux or Windows/Cygwin. In addition: Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10), and macOS. Hydra supports many protocols such as AFP, HTTP-FORM-GET, HTTP-GET, HTTP-FORM-POST, HTTP-HEAD, HTTP-PROXY, and more. | C | 🆓 |
Gobuster | Gobuster used to brute-force:
|
Go | 🆓 |
BruteX | Brute force all services running on a target:
|
Bash | 🆓 |
Dirsearch | An advanced command-line tool designed to brute force directories and files in webservers (web path scanner). | Python | 🆓 |
Patator | Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors. | Phyton | 🆓 |
Pydictor | Pydictor is a dictionary builder for a brute-force attack. | Phyton | 🆓 |
Types of Brute Force Attacks
The hackers have developed tools to use the computational powers of the brute force method but avoid its disadvantages. A simple brute force attack uses no outside logic. Since it is not supposed to be successful at hacking strong passwords, hackers should narrow the application area of the brute force method. And they did it. The brute force mechanism spends time and resources on myriads of variants irrelevant to what it can be successful against. However, the method’s variations listed further can be successful against weak or lexeme-based passwords.
Hybrid Brute Force Attack
This type of attack uses a previously gathered set of words and digit combinations, candidates for password bases. It works as a usual brute force attack but concentrates efforts only on variations of the words in the list. The addition to the simple brute force hacking program, in this case, is software that produces the mentioned variations. Hybrid attacks are effective against weak passwords (“111,” “123456”) or name-based passwords combined with numbers (“Richard2000”).
Dictionary Attack
A dictionary attack is an older version of a brute force hybrid attack, or, better to say, what a brute force attack must be combined with to become a hybrid attack. Dictionary attacks are machine-quick trying of different words. It might either be scrolling through a dictionary or using pre-gathered word lists.
Rainbow Table Attack
It is a special variant of lookup tables for reversing cryptographic hash functions. It uses the mechanism of a reasonable compromise between the time of the search (by the table) and the memory it takes to do it. Rainbow tables are used to crack passwords that underwent hashing and attack open-text-based symmetric ciphers. The method is based on the fact that different passwords can produce the same hash. If the malefactors know the hash value, they can use the tables to find the password relatively quickly.
Reverse Brute Force Attack
If criminals lay hands-on leaked passwords but don't know for which login are these passwords, they begin login picking. It is executed the same way as usual brute force attacks on passwords, but it targets the login field. That's where the name of the method comes from. Hackers may also try to check whether any of the clients of a certain service or network uses widespread passwords like "qwertyuiop". However, that is not so effective when there is a possibility to find the login with the use of OSINT - just by searching the email address or username related to the place you're trying to get in via brute force. Another way to get this kind of information is social engineering - and that is exactly what people do.
Credential Stuffing
Since people often use the same passwords and even login-password pairs on different websites, as soon as any of these pairs get in possession of malefactors, the latter can use credential stuffing to test whether these hacked credentials work for any other websites. This process is automated, and hackers can surely add word variation production.
Motivation for Brute Force Attacks
As you have probably noticed, sometimes malefactors attack precise users and their particular accounts, but sometimes they attempt to hack something randomly. Although codebreakers might seem uncertain about their goals, the cybercriminal world is diverse. Thus, crooks will use any hacked account, mailbox, or device. If it is a spear attack, and offenders get what they hunted for exactly, - that's a big win. The victim should be ready to suffer reputational, financial, or political losses. However, if hackers manage to hack at least something, they will know what to do. Gathering information, identity theft, or malware installation (coin miners, ransomware, botnet software, etc.) is very likely to happen. Hackers can monetize any of the named activities on respective black markets.
How to Prevent Brute Force Attacks?
The following security measures will effectively make brute force attacks pointless:- Use strong passwords. A lot of services offer you the recomendation on the strong passwords - do not neglect them;
- Change passwords regularly. It can be leaked regardless of your password strength. To avoid account hijack, it is better to change the passwords at least twice a year. That's especially needed when you use the same or similar password for multiple services;
- Use 2-factor authentication. This option will require confirmation of your identity via your another device after you (or an attacker) enter a correct password;
- Progressive delays in case of wrong password input, CAPTCHA procedures, and account lockouts (when the wrong password is tried over a certain number of times) are also good security features. You can activate them if you administer a workgroup.