Brute Force Attack

The Brute Force Attack seeks to determine an unknown value – such as a username, password, or key – by using an automated process to try many possible values. This type of attack takes advantage of the fact that the number of actual values is typically smaller than perceived; for example, while an 8-character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms. 

How to prevent Brute Force Attacks? 

There are many methods to stop or prevent brute force attacks. 

The most obvious is a strong password policy. Each web application or public server should enforce the use of strong passwords. For example, standard user accounts should have at least eight letters, a number, uppercase and lowercase letters, and a special character. Moreover, servers should require frequent password changes. 

The key indication a bad actor is trying to brute force their way into your system is to monitor unsuccessful login attempts. If you see there have been many repeated failed login attempts, be suspicious. Watch for signs related to multiple failed login attempts from the same IP address and the use of multiple usernames from the same IP address. 

Other signs can include a variety of unrecognized IP addresses unsuccessfully attempting to login to a single account, an unusual numerical or alphabetical pattern of failed logins, and multiple login attempts in a short time period. 

How Attackers use Brute Force Attacks?

Brute-force attacks take advantage of automation to try many more passwords than a human could, breaking into a system through trial and error. More targeted brute-force attacks use a list of common passwords to speed this up, called dictionary attacks, and using this technique to check for weak passwords is often the first attack a hacker will try against a system. 

What are Brute Force Attack Tools?

Tools exist for every possible brute force attack scenario. Popular examples include Aircrack-ng for cracking wireless passwords and John the Ripper for general brute force and dictionary attacks. 

In a brute-forcing attack against a service like SSH, it can be done from the command line easily by tools like Sshtrix. In a single line in a terminal, it's easy to launch a dictionary attack against a discovered SSH server using the built-in password list, making services with bad passwords extremely likely to be broken in to. 

Types of Brute Force Attacks 

• Dictionary – A dictionary attack uses a dictionary of possible passwords, often compiled from stolen passwords from previous data breaches.
• Simple Brute Force - Mostly used against local files such as stolen user data, this,iterates through all possible password combinations.
• Hybrid – This is a combination of a dictionary attack and simple brute force. It begins with a dictionary of valid passwords and applies small variations to them, such as changing case or incrementing numbers.
• Reverse – This attack instead  uses a common or generic password and tries to brute force usernames against it.
• Credential Recycling – This is the practice of reusing username and password combinations gathered in previous brute force attacks.
• Rainbow Table Attacks – These attacks don’t target passwords. They target the hash function used to encrypt the credentials using a precomputed dictionary of plain text passwords with a specific hash and comparing the hashed result to the stored hash value.

How Common are Brute Force Attacks? 

Brute Force an extremely common attack method. The tools required to mount an attack are plentiful and easily available and require very little technical skill to use. Large data dumps from previous breaches are easily available on the ‘dark web’. 

According to research from Kaspersky there has been a huge increase in brute force attacks targeting RDP endpoints since the onset of the CoVID-19 pandemic. RDP is the protocol used by Microsoft Windows remote desktop client, which has seen an increase in usage as more people begin working from home.