Cetas Blog Post

Defending Against Brute Force Attacks

September 1, 2022

Over the past few years, there have been several attempts of brute force attacks against many organizations. For every successful event of an attack, there is a huge loss of personal data and distrust of the client. In 2016 Alibaba became a victim of a brute-force attack, around 21 million accounts were compromised. Then after a few years in 2018 another victim Magento got hit with a brute-force attack. Through research, they found thousands of compromised user credentials on the dark web.

What is Brute Force?

Brute force is a technique in which a hacker tries to crack the credentials. Brute-force is a trial-and-error method in which the attacker tries to guess the combinations of username and password to gain unauthorized access. As the passwords get more complicated, the time require to crack them increases exponentially. It's a simple yet exhausting process, as it required a lot of free time and computing power. For better understanding let's take a simple 8-character password, which can give billions of combinations. As the length and complexity of a password increase, the time required to crack it doubles. Attackers use different tools and scripts to perform a brute-force. These tools try different possibilities to get access.

Types of Brute Force Attacks

There are different type of brute-force attack techniques used by attackers:

Simple Brute Force Attack

As the name says a simple brute force attack is a technique in which an attacker tries to guess the user name and password. Many people still use default passwords or easy passwords, like "qwerty" or "0123456" which don't add special characters, and so on. These passwords can be easily guessed and require less amount time for it.

Dictionary Attack

A dictionary attack is a technique in which an attacker tries a combination of phases and words, plus leaked passwords that can be bought from the dark web. This is an old fashion way but still very effective, mostly people create passwords that can be remembered easily, like common phases, pin-code, location, etc. The attacker has this stored list(dictionary), from this list different combinations are tried to gain unauthorized access.

Credential Stuffing

When the account is compromised the leaked data is put on sale on the dark web. The hackers try to get their hands on those leaked credentials. In a credential stuffing attack, the attacker uses those leaked credentials and try different combination across multiple websites to gain access to it. Most people tend to use the same username and passwords across multiple platforms, which makes it easier to gain control over the account, this can sometimes provide access to people’s bank accounts and services.

Hybrid Brute Force Attack

A hybrid Brute Force Attack is a combination of different brute-force techniques. In this, the attacker combines a dictionary attack and a simple brute force attack. The attacker already knows the account he wants to crack, to guess the missing segments the attacker automates a dictionary attack to gain access to the account.

Reverse Brute Force Attack

A reverse Brute Force Attack is a technique in which attackers already know the common password/key, which is used to log in or unlock files. The attacker tries this password on millions of users or different networks to find the matching credentials to exploit the account.

Rainbow Table Attack

The Rainbow table attack is a very unique way to perform brute force. In the Rainbow Table Attack, the attacker targets the hash function instead of passwords. When a user tries to log in to any platform their credentials are first converted into a hash and then sent forward. The attacker intercepts these hash values and then performs a rainbow table attack to convert those hash values into characters.

Tools Used in Brute Force Attacks

There are many free tools available on the internet, such as:

Image

Aircrack-ng

Aircrack-ng is network software that is used to perform brute-force attacks. The suite consists of a detector, packet sniffer, WEP/WPA/WPA2-PSK cracker, and analysis tool for 802.11 Wifi. It works with any wireless network interface which supports raw monitoring mode and can sniff 802.11a/802.11b/802.11g.

Hashcat

Hashcat is another type of free tool available on Windows, Mac OS, and Linux platforms. It has different core attack modes and can also perform rule-based attacks and toggle-case attacks.

John the Ripper

John the Ripper is another tool for password cracking. It's an open-source password cracking tool developed for Unix systems. It can auto-detect password hash types and use them most frequently for password testing and cracking purpose.

L0phtCrack

L0phtCrack is a password auditing tool. It can perform dictionary, brute-force, hybrid attacks, and rainbow table attacks.

How to Defend Against Brute Force Attacks

As now we are in Information Age, most of the manual labor can be achieved via different network services e.g.: banking, shopping, etc. Every individual now has multiple accounts on a different platform, to make it easy to remember the password/username they chose day-to-day words or easily guessable passwords.

People should be made aware to increase the complexity of passwords, for example, if people use "good morning" as their password, they need to add a special character, lower case, upper case, and numeric "G0oDm0rN!nG" after making those changes the complexity of new password requires more time and computing power to crack. Same way different policies should be made for the security of their clients.

People should make use of Multi-factor Authentication (MFA), which requires the user to pass two or more verification phases to gain access. OTP is a great example of Multi-factor Authentication, it's valid for little time depending on the industry which provides better security against brute-force attacks.

As brute force is a trial-and-error method to gain access to the resources, after setting a certain baseline account can be locked after severe login failed attempts and can only be unlocked after proper verification from an administrator.

Adding a CAPTCHA box is another best way to limit the attempts of brute force attacks performed by bots. There are different types of captcha options text images, identifying and checking different boxes which limit the hacker’s chances of getting a successful result.

Brute-force attacks can be easily identified, industries should provide real monitoring services for their networks, and check for unusual behavior such as the increase in the volume of login failed or rare location login activity. Increase the awareness of employees about security protocols and policies. disable any ex-employee or unused account, as they may provide back door entry to the network.