A brute force attack seeks to determine an unknown value, such as a username, password, or key, by using an automated process to try many possible values. This type of attack takes advantage of the fact that the number of values actually in use is typically far smaller than the theoretical space. For example, an 8-character password drawn from lowercase letters and digits has about 2.8 trillion (36^8) possible values, and one drawn from both cases and digits about 218 trillion (62^8), yet many people select their passwords from a much smaller subset consisting of common words and terms, which is the subset an attacker tries first.
There are many methods to stop or prevent brute force attacks.
The most obvious is a strong password policy. Each web application or public-facing server should enforce the use of strong passwords: for example, standard user accounts should have at least eight characters including a number, uppercase and lowercase letters, and a special character, and passwords that appear in common wordlists or known breach dumps should be rejected. Frequent forced password changes are often recommended, but current guidance (NIST SP 800-63B) advises against scheduled rotation and instead favours changing a password only when there is evidence it has been compromised. Password policy alone is not sufficient: rate limiting or account lockout after repeated failures, and multi-factor authentication, limit what an attacker gains from guessing correctly.
The key indication that a bad actor is trying to brute force their way into your system is a high rate of unsuccessful login attempts, so monitor failed logins. If you see many repeated failed login attempts, be suspicious. Watch for multiple failed login attempts from the same IP address and for the use of multiple usernames from the same IP address.
Other signs include a variety of unrecognized IP addresses unsuccessfully attempting to log in to a single account, an unusual numerical or alphabetical pattern in the usernames or passwords tried (a sign that a wordlist is being worked through in order), and many login attempts in a short time period.
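The indicators listed above can be turned into detection logic. The following is an added example, not code from the original page: it parses constructed OpenSSH `auth.log` style lines (the hostnames, addresses and timestamps are made up) and raises an alert for a burst of failures from one IP, many distinct usernames from one IP, and many distinct IPs failing against one account. The thresholds and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log format (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50110 ssh2
Mar 10 09:00:02 host sshd[102]: Failed password for root from 203.0.113.7 port 50111 ssh2
Mar 10 09:00:03 host sshd[103]: Failed password for invalid user oracle from 203.0.113.7 port 50112 ssh2
Mar 10 09:00:04 host sshd[104]: Failed password for invalid user test from 203.0.113.7 port 50113 ssh2
Mar 10 09:00:05 host sshd[105]: Failed password for invalid user guest from 203.0.113.7 port 50114 ssh2
Mar 10 09:00:06 host sshd[106]: Failed password for root from 203.0.113.7 port 50115 ssh2
Mar 10 09:05:00 host sshd[110]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Mar 10 09:05:30 host sshd[111]: Failed password for alice from 198.51.100.3 port 40002 ssh2
Mar 10 09:06:00 host sshd[112]: Failed password for alice from 198.51.100.4 port 40003 ssh2
Mar 10 09:06:30 host sshd[113]: Failed password for alice from 198.51.100.5 port 40004 ssh2
Mar 10 09:30:00 host sshd[120]: Failed password for bob from 192.0.2.10 port 30001 ssh2
Mar 10 09:30:20 host sshd[121]: Accepted password for bob from 192.0.2.10 port 30001 ssh2
"""

# Matches sshd password-auth results; "invalid user" is present when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Parse sshd password-auth lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # Syslog lines carry no year; strptime defaults to 1900, which is fine for ordering.
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "failed": m["result"] == "Failed",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any single window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, window=timedelta(minutes=5), burst_threshold=5,
           users_per_ip_threshold=3, ips_per_user_threshold=3):
    """Return a list of (indicator, key, count) tuples for the indicators described above.

    Thresholds are assumed starting points, not recommended values."""
    fails_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for e in events:
        if not e["failed"]:
            continue
        fails_by_ip[e["ip"]].append(e["time"])
        users_by_ip[e["ip"]].add(e["user"])
        ips_by_user[e["user"]].add(e["ip"])

    alerts = []
    for ip, times in fails_by_ip.items():
        n = max_in_window(times, window)
        if n >= burst_threshold:                       # many failures from one IP in a short time
            alerts.append(("many_failures_from_ip", ip, n))
        if len(users_by_ip[ip]) >= users_per_ip_threshold:   # one IP cycling through usernames
            alerts.append(("many_users_from_ip", ip, len(users_by_ip[ip])))
    for user, ips in ips_by_user.items():
        if len(ips) >= ips_per_user_threshold:         # many sources hammering one account
            alerts.append(("many_ips_on_user", user, len(ips)))
    return alerts


if __name__ == "__main__":
    for indicator, key, count in detect(parse_events(SAMPLE_LOG)):
        print(f"{indicator:24} {key:16} {count}")
```

On the sample data this reports 203.0.113.7 for both a burst of six failures and five distinct usernames, and the account alice for failures from four different addresses; bob's single failure followed by a success is left alone. A real deployment would read the journal or auth.log continuously and feed the alerts to a blocker such as fail2ban rather than printing them.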
Brute-force attacks take advantage of automation to try many more passwords than a human could, breaking into a system by trial and error. More targeted brute-force attacks, called dictionary attacks, speed this up by using a list of common passwords, usually combined with simple mangling rules such as capitalising the word or appending digits and symbols. Checking for weak passwords this way is often the first attack a hacker will try against a system.
Tools exist for every brute force attack scenario. Popular examples include Aircrack-ng for cracking wireless network keys and John the Ripper for general brute force and dictionary attacks against password hashes.
A brute force attack against a network service like SSH can be launched easily from the command line with tools like Sshtrix. With a single line in a terminal it is possible to run a dictionary attack against a discovered SSH server using the tool's built-in password list, which makes services protected by weak passwords extremely likely to be broken into.
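To make concrete why weak passwords fall so quickly, and to put the keyspace figures from the opening paragraph next to what a dictionary attack actually tries, here is an added example that is not code from the page or from any of the tools it names. It builds a constructed credential store of salted SHA-256 digests (a deliberately fast hash so the demo runs instantly), runs a small constructed wordlist with a few mangling rules against it, and reports which accounts fell. The account names, passwords and wordlist are all made up.

```python
import hashlib
import hmac
import os


def keyspace(alphabet_size, length):
    """Number of possible strings of the given length over an alphabet of that size."""
    return alphabet_size ** length


def hash_password(password, salt):
    # Salted SHA-256 is used only so the demo is instant; real systems should store
    # passwords with a slow, memory-hard hash such as Argon2, scrypt or bcrypt.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(credentials):
    """Build a constructed 'leaked' credential store: user -> (salt, digest)."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(8)
        store[user] = (salt, hash_password(password, salt))
    return store


# Constructed sample accounts. The third uses a random-looking password that no
# dictionary word or simple mangling rule will produce.
SAMPLE_CREDENTIALS = {"alice": "Password1", "bob": "letmein!", "carol": "x7#Qv9!pL2rT"}

# Constructed mini wordlist standing in for the multi-million-entry lists real tools ship with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "summer2020", "admin"]


def mangle(word):
    """Rule-based variations a cracker applies to each dictionary word (assumed rules)."""
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "!", "123"):
            yield base + suffix


def candidates(wordlist):
    """Every password guess the attack will make, in order."""
    for word in wordlist:
        yield from mangle(word)


def crack_one(salt, digest, wordlist):
    """Return the first candidate whose salted hash matches the digest, or None."""
    for candidate in candidates(wordlist):
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            return candidate
    return None


def dictionary_attack(store, wordlist):
    """Try the wordlist (with mangling rules) against every account in the store."""
    cracked = {}
    for user, (salt, digest) in store.items():
        found = crack_one(salt, digest, wordlist)
        if found is not None:
            cracked[user] = found
    return cracked


if __name__ == "__main__":
    tried = sum(1 for _ in candidates(WORDLIST))
    print(f"keyspace for 8 chars over [a-z0-9]:    {keyspace(36, 8):,}")
    print(f"keyspace for 8 chars over [A-Za-z0-9]: {keyspace(62, 8):,}")
    print(f"candidates actually tried:             {tried:,}")
    print("cracked:", dictionary_attack(make_store(SAMPLE_CREDENTIALS), WORDLIST))
```

With seven words and eight rules the attack makes 56 guesses, yet it recovers alice's "Password1" and bob's "letmein!" because both are a common word plus a predictable suffix; carol's password is never reached. A salt does not help here: it only stops precomputed tables, so each account still costs the attacker one pass over the wordlist. What does help is a slow hash, which multiplies the cost of every guess, and rejecting wordlist-derived passwords at registration.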
Types of Brute Force Attacks
Brute force is an extremely common attack method. The tools required to mount an attack are plentiful, easily available, and require very little technical skill to use, and large credential dumps from previous breaches are easily obtained on the 'dark web' to serve as wordlists.
According to research from Kaspersky, there has been a huge increase in brute force attacks targeting RDP endpoints since the onset of the COVID-19 pandemic. RDP (Remote Desktop Protocol) is the protocol used by the Microsoft Windows Remote Desktop client, and its exposure to the internet has grown as more people work from home.