A brute force attack is a method of guessing passwords, login credentials, encryption keys, or hidden web pages and content in order to gain unauthorized access to data, systems, or networks. It is a trial-and-error approach that seeks to exhaust all possible combinations to arrive at the correct password.
To learn more about brute force attacks, how they are performed, what kinds of attacks exist, and how to prevent them, keep reading.
Brute force attack meaning
The name of this attack is derived from its method – there is no complex strategy behind it. Instead, it is a forceful attempt at arriving at the correct result, which may utilize millions of combinations.
Though it is an old attack type and can take a long time to yield results, it is still popular. Brute force can be used in preparation for a deeper attack, when other vulnerabilities cannot be exploited, or as part of a larger attack scenario, such as in the DROWN attack or during the surveillance and infiltration phases.
A successful brute force attack can result in attackers hijacking an account or system, injecting malware, stealing or corrupting data, redirecting traffic from a website, etc.
Brute force attacks typically seek to exploit identification and authentication failures, one of the categories listed in the OWASP Top 10 2021 edition.
When used to guess passwords, a brute force attack can be very efficient against short or commonly used passwords, but it will slow down and run into difficulties when dealing with longer ones. The longer a password is, the greater the resources and time required to guess it.
How is a brute force attack performed?
The convenience of a brute force attack is its “set it and forget it” approach, which requires minimal attention. Since a tool is usually used, the attack runs automatically once launched and either works or doesn’t.
In particular, if no account lockout policy locks login attempts after a certain number of unsuccessful tries, this creates the necessary conditions for the attack to run. The primary way this attack is executed is via GET or POST requests.
In its simplest form, when trying to crack credentials, an application or script (bot) is launched that attempts every possible combination of numbers, letters, and characters to guess a password. In some instances, lists of commonly used credentials or leaked credentials may be used to increase the chance of success since a lot of passwords are weak and similar.
One way that attackers equip themselves to perform such an attack is via the dark web. Brute force malware kits are frequently sold on the dark web and include the tools required to launch an attack and lists of leaked credentials. In addition, bot kits can also be purchased on the dark web. These provide access to botnets – hijacked computers whose processing power is used to launch a brute force attack.
Examples of brute force attacks
Following are the main types of brute force attacks, based on their attack vector and method.
Other types of attacks not listed here include mask attacks, permutation attacks, rule-based attacks, etc.
Simple brute force attack
This is the most straightforward type of brute force method. It is also known as an exhaustive key search attack. It utilizes tools or scripts that automate the process of guessing a password and makes many consecutive guesses until it arrives at the correct answer.
Depending on the computing power of the attacker, they may be able to make thousands of guesses or more per second. This approach pretty easily cracks simple passwords that lack differences in letter cases and symbols.
A dictionary attack attempts to crack user passwords by utilizing common phrases or words. This may include using words from a dictionary and number combinations, but it frequently also uses lists of leaked credentials (known as credential recycling).
This approach may be developed further to check for variations of words that use different lowercase or uppercase letters or that substitute letters with special characters, also known as leetspeak. The dictionary attack is more specific and relies on certain phrases being more commonly used as passwords, but it is limited by the logic it is provided with – i.e., it will not attempt unlikely or random combinations.
Hybrid brute force attack
A hybrid attack utilizes the simple and dictionary attacks together. The initial approach may be based on some external logic, such as the dictionary attack. The possible suggestions will then be modified as is done in the simple attack – all sorts of variations will be tested.
For example, it is common for people to use strings of numbers at the end of their passwords – such as “1234”, the year of their birth, etc. In this case, using a dictionary approach, a common password will be tested, and many combinations of numbers will be attached at the end and exhausted in all possible ways.
Credential stuffing tests a known (stolen or leaked) combination of username and password from one website in many other websites. It is based on the logic that people sometimes reuse their usernames and passwords.
Reverse brute force attack
Typically attackers start by knowing usernames and trying to guess passwords. In a reverse brute force attack, attackers know passwords and try out different combinations of usernames or account numbers.
Password spraying attack
This approach is utilized when account lockout policies are in place and attackers are limited in the number of attempts they can make. For example, instead of trying out many different combinations of passwords, they will take one password known to be commonly used and try it out on many other accounts.
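The difference between spraying and a simple brute force attack shows up in authentication logs. The following detection sketch is an added example, not part of the original article; the log format, thresholds, and function names are assumptions, and the events are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp source_ip username result".
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:0{i}:00 203.0.113.7 user{i} FAIL" for i in range(6)]
    + [f"2024-05-01T09:10:{i:02d} 198.51.100.9 bob FAIL" for i in range(6)]
    + ["2024-05-01T09:20:00 192.0.2.4 carol FAIL",
       "2024-05-01T09:20:30 192.0.2.4 carol OK"]
)

def parse(log):
    """Yield (timestamp, ip, username, result) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def classify_sources(log, window=timedelta(minutes=10),
                     spray_users=5, brute_attempts=5):
    """Map each noisy source IP to 'password-spraying' or 'brute-force'."""
    failures = defaultdict(list)
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans no more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if max(per_user.values()) >= brute_attempts:
                findings[ip] = "brute-force"        # many guesses, one account
                break
            if len(per_user) >= spray_users and max(per_user.values()) <= 2:
                findings[ip] = "password-spraying"  # few guesses, many accounts
                break
    return findings

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

The spraying source never exceeds one failure per account, so a per-account lockout counter alone would not flag it; grouping failures by source is what exposes it.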
Rainbow table attack
This attack relies on reversing cryptographic hash functions. To crack credentials, attackers use a pre-computed table or dictionary of plaintext passwords and the hash values that correspond to them. However, the approach is limited as it can only be used to guess hashes of a certain length.
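Why pre-computation works against unsalted hashes, and why a per-password salt defeats it, can be seen in a few lines. This is an added example, not part of the original article: the table is simplified to a plain hash-to-plaintext lookup rather than real rainbow-table chains, and the password list, function names, and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty1234"]  # constructed sample list

def unsalted_hash(password):
    """Fast, unsalted digest: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(words):
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed work factor."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print("unsalted hit:", table.get(unsalted_hash("password")))
    salt_a, hash_a = hash_password("password")
    salt_b, hash_b = hash_password("password")
    print("same password, different stored hashes:", hash_a != hash_b)
    print("salted hash in table:", hash_a.hex() in table)
    print("login still verifies:", verify_password("password", salt_a, hash_a))
```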
A botnet attack relies on harnessing the power of many machines at once to perform a brute force attack of any kind. By infiltrating and hijacking whole networks of computers, attackers solve the issue of lacking computing power to execute brute force attacks quickly. Moreover, using a botnet helps to hide the attackers further.
Brute force attack tools
There are many different brute-force tools that attackers utilize. Some of these tools are designed to perform attacks only against specific systems, whereas others can be used to target a variety of systems. Here are some of the most popular tools.
A suite of tools used to assess the security of wireless networks and crack their passwords. It includes a detector, a packet sniffer, and a WEP/WPA/WPA2-PSK cracker and analysis tool for 802.11 Wi-Fi. It works with network interface controllers (NICs) that support raw monitoring mode.
John the Ripper
One of the most popular tools, John the Ripper, runs on 15 different platforms and combines a variety of tools in one. It can detect hundreds of cipher and hash types and features a customizable cracker. Among others, it supports a dictionary and a simple brute force approach.
This tool is mainly used to crack Windows passwords via simple brute force, dictionary, hybrid, and rainbow table attacks. It is also utilized to audit passwords.
Ophcrack is another tool utilized to crack Windows login passwords. Its attack method uses LAN Manager (LM) hashes via rainbow tables.
As its name suggests, this tool uses rainbow tables to crack passwords. In addition, it is faster than other tools due to its tables being pre-computed.
Hydra is a parallelized network login cracker specifically used to crack network protocol passwords. Penetration testers commonly use it.
Hashcat is known for its support of many different hashing algorithms and attack types. In addition, it is arguably the fastest cracking tool because it can run on the graphics processing unit (GPU) as well as the CPU.
This is an open-source tool for Mac OS X. It utilizes dictionary and increment attacks and features a distributed mode, allowing attackers to use several computers simultaneously.
Ncrack is another popular network authentication cracking tool. It supports a variety of network protocols and attack types.
Brute force attack prevention
To protect against brute force attacks, organizations can implement some or all of the following measures:
- Institute a lockout policy – limit the number of login attempts and lock accounts after several failed attempts.
- Implement progressive delays – slow down attacks significantly by introducing delays between each failed login attempt.
- Use CAPTCHA – brute force tools cannot perform CAPTCHA tasks, which creates a hurdle for the automated nature of this attack.
- Institute a strong password policy – reject weak passwords as a principle and require robust and complex passwords and periodic password change.
- Close down unused accounts – remove unused accounts with high-level permissions as they constitute a severe risk.
- Use multi-factor authentication – MFA provides an additional security layer that requires a greater degree of security compromise to be successful.
- Provide strong encryption – the higher the encryption strength, such as 256-bit encryption, the more difficult it is to brute force a password.
- Randomize password hashes – hash salting adds a random string of characters to each password before hashing, so the resulting hash is randomized.
- Hunt threats – proactive threat hunting can spot attempted and successful brute force attacks.
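The lockout and progressive-delay measures above can be combined in one per-account throttle. The sketch below is an added example, not part of the original article; the class name, thresholds, and in-memory storage are assumptions, and a production system would persist the state and share it across servers.

```python
import time

class LoginThrottle:
    """Per-account tracking: doubling delays first, then a temporary lockout."""

    def __init__(self, max_failures=5, base_delay=1.0, max_delay=60.0,
                 lockout_seconds=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the logic can be tested
        self._state = {}              # username -> (failures, not_before)

    def retry_after(self, username):
        """Seconds until the next attempt is accepted (0.0 means now)."""
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username):
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            wait = self.lockout_seconds            # temporary lockout
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, self.clock() + wait)
        return wait

    def attempt(self, username, credentials_valid):
        """Gate one login attempt; returns 'throttled', 'ok', or 'failed'."""
        if self.retry_after(username) > 0:
            # Reject without evaluating credentials, so guesses made during
            # the delay reveal nothing, even if one of them is correct.
            return "throttled"
        if credentials_valid:
            self._state.pop(username, None)        # success resets the counter
            return "ok"
        self.record_failure(username)
        return "failed"
```

The lockout here is temporary so that an attacker cannot permanently lock legitimate users out by failing on purpose. Per-account counters also do not see password spraying, where each account receives only one or two guesses, so pair this with per-source monitoring.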
How do brute force attacks work?
In their most straightforward form, brute force attacks seek to crack a password by exhausting all possible combinations through trial and error. For example, an attacker may attempt millions of combinations to guess a password.
How to protect against a brute force attack?
One of the best ways to protect against a brute force attack is to have a non-predictable, long, and complex password and to avoid reusing it. Using a password manager can help with securely keeping track of passwords.
Are brute force attacks dangerous?
If successful, a brute force attack could lead to unauthorized access, leaked credentials, data theft, hijacked accounts or systems, malware spreading, and more.