Brute Force Attack Prevention Techniques. There are many methods to stop or prevent brute force attacks. The most obvious is a strong password policy. Each web application or public server should enforce the use of strong passwords. Dealing with brute-force attacks. Below, you will find a list of quick actions you can take to protect your machine against brute-force attacks. Download Microsoft’s legacy patch. In May 2019, Microsoft released the CVE-2019-0708 patch to prevent remote code execution via RDP. For instance, a Brute Force attack could attempt to crack an eight-character password consisting of all 95 printable ASCII characters. This would mean that there would be 95 ^ 8 possible combinations (95x95x95x95x95x95x95x95), or 6,634,204,312,890,625 (6.6 quadrillion) passwords.
What is password cracking?Password cracking process involves recovering a password from storage locations or from data, transmitted by a computer system on network. Password cracking term refers to group of techniques used to get password from a data system.
Purpose and reason of password cracking includes gaining an unauthorized access to a computer system or it can be recovery of forgotten password. There might be another reason of using password cracking technique that is for testing password strength so hacker could not hack into system.
Password cracking is normally performed thought repetitive process in which computer applies different combinations of password till the exact match.
Brute Force Password Cracking:Term brute force password cracking may also be referred as brute force attack. Brute force password cracking is respective process of guessing password, in this process software or tool creates a large number of password combinations. Basically it’s a trail-and-error technique used by software to obtain password information from system.
A brute force attack are normally used by hackers when there is no chance of taking advantage of encrypted system weakness or by security analysis experts to test an organization’s network security .This method of password cracking is very fast for short length passwords but for long length passwords dictionary attack technique is normally used.
Time taken by brute force password cracking software to crack password is normally depend upon speed of system and internet connection.
GPU Password Cracking:GPU is graphics processing unit, sometimes also called visual processing unit. Before talking about GPU password cracking we must have some understanding about hashes. When user enter password the password information stored in form of computer hashes using the one-way hashing algorithm.
In this password cracking technique using GPU software take a password guess and look through hashing algorithm and compare it or match it with the existing hashes till the exact match.
GPU can perform mathematical functions in parallel as GPU have hundreds of core that gives massive advantage in cracking password. GPU is much faster than CPU so that’s the reason of using GPU instead of CPU.
CUDA Password Cracking:CUDA Compute Unified Device Architecture is a model for programming and a platform that perform computations in parallel, created by NVIDIA for graphic processing.
CUDA Password cracking includes cracking passwords using Graphics card which have GPU chip, GPU can perform mathematical functions in parallel so the speed of cracking password is faster than CPU.GPU have many 32bit chips on it that perform this operation very quickly.
We can easily access CUDA through libraries, directives and with the help of different programming languages that includes C, C++ and FORTRAN.
Password Cracking ToolsGiven below is the list of Top10 Password cracking tools.
1. Cain and Abel : Top password cracking tool for Windows
Cain & Abel is one of the top cracking tool for password cracking and password recovery for Windows OS.
Cain & Abel can use techniques of Dictionary Attack, Brute-Force and Cryptanalysis attacks to crack encrypted passwords. So it only uses the weakness of system to crack password. GUI Interface of software is very simple and easy to use. But have availability limitation, tool only available for window based systems .Cain & Abel tool have many good features some of the features of tool are discussed below:
Features of Cain & Abel:- Used for WEP (Wired Equivalent Privacy) cracking
- Have ability to record conversation over IP
- Cab be used as Network Password Sniffer
- Ability to resolve addresses IP to MAC.
- Can crack verity of hashes including LM and NT hashes, IOS and PIX hashes, RADIUS hashes, RDP passwords, and lots more than that.
2. John the Ripper : Multi-platform, Powerful, Flexible password cracking tool
John the Ripper is a free multi or cross platform password cracking software. Its called multi platform as it combines different password cracking features into one package.
It’s primarily used to crack weak UNIX passwords but also available for Linux, Mac, and Windows. We can run this software against different password encryptions including many password hashes normally found in different UNIX versions. These hashes are DES, LM hash of Windows NT/2000/XP/2003, MD5, and AFS.
Features of John the Ripper- Supportive with Brute force password cracking and dictionary attacks
- Multi platform
- Available free for use
- Pro version is also available with additional features
3. Aircrack : Fast and effective WEP/WPA cracking tool
Aircrack is a combination different tools used for Wifi, WEP and WPA passwords cracking. With the help of these tools you can crack WEP/WPA passwords easily and effectively
Brute force, FMS attack, and dictionary attacks techniques can be used to crack WEP/WPA passwords. Basically it collects and analyzes encrypted packets then using its different tool crack password out of the packets. Although aircrack is available for Windows but there are different issues with this software if we use this in Windows environment, so it’s best when we use it in Linux environment.
Features of Aircrack- Supportive with both Brute force and dictionary attacks cracking techniques
- Available for Windows and Linux
- Available in live CD
4. THC Hydra : Multiple services supportive, Network authentication cracker
THC Hydra is a supper fast network password cracking tool. It uses network to crack remote systems passwords.
It can be used to crack passwords of different protocols including HTTPS, HTTP, FTP, SMTP, Cisco, CVS, SQL, SMTP etc. It will give you option that you may supply a dictionary file that contains list of possible passwords. It’s best when we use it in Linux environment.
Features of THC Hydra- Fast cracking speed
- Available for Windows, Linux ,Solaris and OS X
- New modules can be added easily to enhance features
- Supportive with Brute force and dictionary attacks
Site for Download:
https://www.thc.org/thc-hydra/5. RainbowCrack : New Innovation in Password Hash Cracker
RainbowCrack software uses rainbow tables to crack hashes, in other words we can say it uses process of a large-scale time-memory trade for effective and fast password cracking.
Large-scale-time-memory-trade-off is a process of computing all hashes and plain text using a selected hash algorithm. After calculations, obtained results are stored in the tables called rainbow table. Process of creating rainbow tables is very time consuming but when its done software works very fast.
Password cracking using rainbow table is faster than the normal brute force attack method. It’s available for Linux and Windows operating system.
Features of Rainbow Crack- Support verity of Rainbow tables
- Runs on Windows (XP/Vista/7/8) and Linux operating systems (x86 and x86_64)
- Simple in use
Site for Download:
6. OphCrack : Tool for Windows password cracking
OphCrack used to crack Windows user passwords with the help of rainbow tables that are available in a bootable CD.
Ophcrack is completely free to download, Windows based password cracker that uses rainbow tables to crack Windows user passwords. It normally cracks LM and NTLM hashes. Software has simple GUI and can runs on different platforms.
Features of OphCrack- Available for Windows but also available for Linux, Mac, Unix, and OS X
- Uses for LM hashes of Windows and NTLM hashes of Windows vista.
- Rainbow tables available free and easily for Windows
- To simplify the process of cracking Live CD is available
Site for Download:
http://ophcrack.sourceforge.net/7. Brutus : A brute force attack cracker for remote systems
Brutus is the fastest, most flexible, and most popular software used to crack remote system passwords. It guess password through applying different permutations or by using a dictionary.
It can be used for different network protocols including HTTP, FTP, IMAP, NNTP and other types such as SMB, Telnet etc. It also gives you facility of creating your own authentication type. It also includes extra options of load and resume, so process can be paused when required and you can resume process when you want.
It is only available for windows operation systems. Tool has a limitation that it has not been updated since 2000.
Features of Brutus
- Available for Windows
- Can be used with different network protocols
- Tool have many good extra features
- Support SOCK proxy for all types of authentications
- Capability of error handling and recovery
- Authentication engine is multi stage
Site for Download:
8. L0phtCrack : Smart tool for Windows password recovery
Just like OphCrack tool L0phtCrack is also a Windows passwords recovery tool uses hashes to crack passwords, with extra features of Brute force and dictionary attacks.
It normally gains access to these hashes from directories, network servers, or domain controllers. It is capable of doing hash extraction from 32 & 64 bit Windows systems, multiprocessor algorithms, scheduling, and can also perform decoding and monitoring networks. Yet it is still the easiest to use password auditing and recovery software available.
Features of L0phtCrack
- Available for Windows XP, NT, 2000, Server 2003,and Server 2008
- Can work in both 32- and 64-bit environments
- Extra feature of schedule routine auditing on daily, weekly, monthly bases
- After run it provide complete Audit Summary in report page
Site for Download:
9. Pwdump : Password recovery tool for Windows
Pwdump is actually different Windows programs that are used to provide LM and NTML hashes of system user accounts.
Pwdump password cracker is capable of extracting LM, NTLM and LanMan hashes from the target in Windows, in case if Syskey is disabled, software has the ability to extract in this condition.
Software is update with extra feature of password histories display if history is available. Extracted data will be available in form that is compatible with L0phtcrack.
Recently software is updated to new version called Fgdump as Pwdump not work fine when any antivirus program is running.
Features of Pwdump
- Available for Windows XP, 2000
- Powerful extra feature are available in new version of Pwdump
- Ability to run multithreaded
- It can perform cachedump (Crashed credentials dump) and pstgdump (Protected storage dump)
Site for Download:
10. Medusa : Speedy network password cracking tool
Medusa is remote systems password cracking tool just like THC Hydra but its stability, and fast login ability prefer him over THC Hydra.
It is speedy brute force, parallel and modular tool. Software can perform Brute force attack against multiple users, hosts, and passwords. It supports many protocols including AFP, HTTP, CVS, IMAP, FTP, SSH, SQL, POP3, Telnet and VNC etc.
Medusa is pthread-based tool, this feature prevent unnecessarily duplicate of information. All modules available as an independent .mod file, so no modification is required to extend the list that supports services for brute forcing attack.
Features of Medusa
- Available for Windows, SunOS, BSD, and Mac OS X
- Capable of performing Thread based parallel testing
- Good feature of Flexible user input
- Due to parallel processing speed of cracking is very fast
Site for Download:
While the growing complexity and sophistication of cyber attacks is a very real and dangerous threat to organizations, requiring advanced security defences, cyber attacks that use simple (and sometimes even outdated) methods still prove useful to attackers.
Some old and nearly forgotten types of cyber attacks are re-entering the cyber landscape. A recent report indicates a 400% increase in brute force attacks on remote desktop protocols (RDPs) following the worldwide increase in remote workers. And while brute force attacks are a familiar topic and the epitome of “old school”, they are still effective and popular with cyber criminals.
That’s why we’re taking a deep dive into this type of attack, one that’s making a big comeback. We’ll define, explore and share how to protect against brute force attacks—so you don’t have to fall victim to an attacker’s “simple solution”.
What are brute force attacks?
“Brute force attack” refers to a method used to obtain private information such as usernames, passwords, passphrases, and similar. By repeatedly submitting different combinations of credentials, attackers can ultimately guess them correctly, and gain access to the data those credentials protect. Brute force attacks are often referred to as “brute force cracking” as well, as they fundamentally use brute force—in this case, computational power—to try and crack something—in this case, the credentials that guard sensitive data (or any data valuable to attackers). Common targets for brute force attacks are cracking passwords and encryption keys as well as API keys and SSH logins.
To imagine this scenario outside of the cyber realm and in the real world, try picturing a brute force attack like a thief trying to break into a safe by attempting every possible combination of numbers. That just wouldn’t be effective if done manually, on the spot.
More often than not, attackers carry out brute force attacks using an automated tool, script or bot to run through every possible combination of information needed until they can guess the one that grants them access. For example, by using a list of commonly used credentials, and even real user credentials obtained through security breaches and data leaks from breaches on the dark web, bots can systematically attack the target and do the attackers’ work for them.
The success of a brute force attack is measured in the time it takes to successfully crack a password/credential, which can be anywhere from a few seconds to a few years. Modern computers and technology allow attackers to crack an 8-character alphanumeric password in a few hours, and weak encryption in a few months which isn’t that rare to see in cases of advanced persistent threats.
As password length increases, the time it takes to brute force it increases as well. The same goes for the encryption key: a key with 128-bit encryption will have 2128 combinations and 256-bit encryption will have 2256 combinations. Even with current technology, that amount of combinations for 256-bit encryption would take attackers several years to guess them all.
How brute force attacks are used
While not the most sophisticated of cyber attacks, brute force attacks are both reliable and simple to perform, as all attackers have to do is to let their machines do the work. Given the frequent lack of protection and mitigation strategy on the target’s end, this often proves quite effective. But even the simplest of defences, such as a long and complex password, can make for a timely process and could deter attackers.
When targets employ such seemingly basic strategies for protection, they increase the difficulty with which attackers might succeed in gaining unauthorized access. In fact, the time it takes to brute force a system and gain access is a valuable metric that security teams can use to test their network and system security.
The goal of a brute force attack can be anything including the theft of personal information that can be used to access accounts and different resources, credential harvesting for sale to third parties or on the dark web, identity theft to commit fraud, misappropriation of goods, launching of further attacks, redirection of domains to websites containing malware, and much, much more.
Brute force attacks are usually part of a bigger cyber attack, serving as the first step when attempting to breach a system and gain unauthorized access to sensitive data. And when it comes to the cyber attack life cycle, brute force attacks are usually used in the initial reconnaissance phase—to carry out a cyber attack cyber criminals need entry points to their targets and brute force attacks are a perfect hands-off solution to obtain those entry points.
Attackers use automated brute force attacks and run them parallel while trying to crack credentials, and even after gaining access to a network they can run further brute force attacks to perform privilege escalation.
Types of brute force attacks
While brute force attacks boil down to inputting every possible combination of desired information until access is granted, there are different methods in which cybercriminals can carry out these attacks. We’ve already mentioned some common examples but there are others, both simple and advanced.
Brute Force Attack Tool For Android
Dictionary attacks
The most basic, and somewhat outdated, type of brute force attack is the dictionary attack. Using this method, an attacker starts with assumptions of common passwords and builds a dictionary of possible passwords (some of the most popular and still widely used passwords are “password1234”, “123456” and “admin”). They then go through their dictionary and input each entry until hitting on the correct password. Dictionary attacks are often used against multiple targets, requiring a large number of attempts due to their simplicity and frequent lack of effectiveness against more advanced targets.
Credential stuffing
In credential stuffing, already breached and known username and password pairs are used in the attempt to gain access to multiple services, applications and sites. This type of attack exploits the fact that many users reuse passwords across different accounts.
Simple brute force attacks
Trying every possible combination must yield results at least once, right? That’s the logic in place here: a simple brute force attacks can use different methods, such as inputting all possible passwords one at a time and using a systematic approach to guess them, without any outside logic. This type of brute force attack is commonly used to gain access to local files, as there’s no limit to the number of attempts possible.
Hybrid brute force attacks
Hybrid brute force attacks can be seen as the combination of dictionary and simple brute force attacks. Starting with a predetermined list of passwords (such as in the dictionary attack), hybrid brute attacks use external logic to determine which password will be the most likely to succeed (instead of inputting every password). Password variations can include adding numbers or changing letter cases, providing more possibilities to enter.
Reverse brute force attacks
A reverse brute force attacks involves using a small number of common passwords and repeatedly testing them against multiple accounts. What’s “reverse’’ in this type of attack is the fact that it doesn’t try to guess a password, but rather uses generic passwords and brute forces the username. This type of brute force attack is usually used to carry out more targeted attacks against a particular network.
Rainbow table attacks
Rainbow table attacks differ from other types of brute force attacks as they don’t target passwords, but hash functions that are used to encrypt credentials. Once a user enters a password, it is converted to a hash value. Then, if the hash value of that password matches the stored hash value, the user is authenticated and can log in. Attackers have found a way to exploit this process—by using a precomputed dictionary of plaintext passwords and their hash values, or “rainbow table”, attackers can determine passwords by reversing the hashing function.
Well-known cases of brute force attacks
Brute force attacks are widespread and frequent; it’s safe to say that almost every organization, almost every individual even, has experienced at least one such attempt. However, there have been a few notable cases throughout the years, with targeted organizations suffering massive losses.
Here are a few well-known cases of brute force attacks:
GitHub
In 2013, GitHub was the victim of a successful brute force attack which compromised several of their accounts. Cybercriminals executed brute force login attempts from 40,000 unique IP addresses, in order to access several accounts using weak passwords. It remains unclear how many accounts were actually affected, and GitHub is taking steps to ban weak passwords in the aftermath of this brute force attack.
Firefox
In 2018, Firefox’s “master password” protection was discovered to be using a weak mechanism dependent on the deprecated SHA-1 hashing algorithm. The algorithm was meant to protect access to users’ stored passwords, but was easily cracked with a brute force attack. This bug remained unfixed for nine years, with Firefox finally deploying a fix in 2019 to resolve the issue.
Alibaba
In 2015, Alibaba’s popular e-commerce platform Taobao was affected by a large-scale brute force attack, with about 21 million accounts affected in the breach. A database containing 99 million usernames and passwords was used to brute force Taobao accounts; one in five of those attempts was successful due to the bad practice of users reusing passwords.
Northern Irish Parliament
2018 saw another notable brute force attack. In March, Stormont, the email service at the Northern Ireland Parliament, was hit with a brute force attack that allowed attackers access to the email accounts of several Parliament members.
How to spot a brute force attack
During the initial phases of a cyber attack, detecting brute force attacks as they happen, and before they’re successful, can mean the difference between suffering a hazardous data breach and getting out unscathed. There are key indicators of attack to watch out for that can tell you if your site is under a brute force attack, and most of them are concerned with monitoring login activity.
If your network administrators notice many repeated failed logins coming from the same IP address, the same IP address used to access multiple usernames, or different IP addresses attempting to access the same username, that can mean a brute force attack is taking place. Furthermore, an unusual pattern of failed login attempts, such as a sequential alphabetical or numerical pattern, multiple logins at odd hours or even a successful login event that was followed by the use of an untypical amount of bandwidth, can indicate not only that a brute force attack is occurring, but that attackers might have already breached the network and are exfiltrating data.
How to protect against brute force attacks
While brute force attacks might be simple and sometimes ineffective, it’s still a risk not to take them seriously. They rely on two very common and very bad cybersecurity habits—weak passwords and inefficient network administration. Fortunately, there are many easy-to-implement protection methods and techniques that will cost attackers more time and resources to carry out a successful brute force attack—making your organization a less attractive target.
Here are some of the best practices and protection measures against brute force attacks available:
Enforce strong password policies
A strong password policy, and strong passwords themselves, form the first line of defense in protecting confidential information. A password policy is a set of rules used to improve the security of a system by motivating users to create and maintain secure passwords and store them properly. The first part of this means using a strong password mandated for every account on a network. Criteria for strong passwords include:
- At least 8 characters
- Not containing any personal information, especially a real name, username or company name
- Passwords must be different across all accounts
- No repetition of previously used passwords
- Avoiding the complete spelling of any words
- No numbers following a numerical sequence (such as “1234…”)
- A combination of uppercase letters, lowercase letters, numbers and special characters
Also critical to strong password policy is enforcing rules about how often passwords need to be changed, and notifying users when that time comes. A good password policy will also be communicated to all users and explored with security awareness training.
Use a password manager
With all of the criteria that goes into having secure and complex passwords in mind, and knowing that a strong password policy requires having all different passwords for all accounts, remembering and storing all of them can be a hassle. This is why using a password manager is a great way to enforce and maintain a secure password policy that will be easy to implement for all users on a network.
Not only are password managers useful for storing and automatically filling out complex passwords, they can also help create more secure passwords and provide notification regarding any unsafe credential practices. To learn more about some of the best solutions out there, refer to our list of top 5 secure password managers.
Use MFA
As even complex passwords don’t guarantee safety from brute force attacks, adding an additional layer of security to all of the accounts on your network is crucial. And for this purpose we have MFA, or multi-factor authentication.
Multi-factor authentication considers the use of two or more methods of authentication in order to access an account. Those authentication factors are: knowledge (something only the user knows, such as a password, username, the answer to a security question, etc.), possession (something a user possesses, such as a one-time SMS password or security token), inherence (something a user “is”, as in biometrics), and finally, location.
The use of MFA is often cited as the first and possibly most important step in creating barriers that will keep attackers from gaining unauthorized access to accounts. It’s absolutely crucial for protecting against brute force attacks; even if attackers can guess a user’s password, they’ll be faced with yet another layer of protection to break through.
Limit login attempts
As indicators of brute force attacks, login activity and attempts are among the clearest, and improving the monitoring and rules around login activity is an important protection method against brute force attacks. A surefire method of prevention is to lock out users from logging into their accounts after a set number of attempts, and unlocking them after a period of time or manually, by an administrator. Another method is to implement time delays between login attempts, as some brute force attacks are based on a large number of attempts in a short amount of time.
Brute Force Attack Software For Windows 10
Implement CAPTCHA
The CAPTCHA system is commonly used on many websites and services, to verify whether a user is human and to stop active brute force attacks as they occur. Tools like these, with the most famous being reCAPTCHA, require users to complete a task that’s simple for a human, but not for a brute force tool. Such a task might be having to identify images containing a certain element, or a pattern of letters and numbers, in order to complete a successful login.
Summary
Never underestimate the power of a simple cyber attack method in the hands of malicious actors. When we see that even large organizations with advanced security defenses fall victim to seemingly simple brute force attacks, who’s to say that we won’t?
Fortunately, simple attacks like brute force attacks require simple solutions: basic and fundamental practices that maintain a strong general security posture go far in defending against these types of attacks.
Brute Force Attack Software For Android
Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.