Brute Force is an old and popular technique for attackers to gain unauthorized access to an account or resource.
Its popularity is not going down any time soon.
Of course not! 2020 security reports reveal that 80% of data breaches involved brute-forcing or the use of stolen credentials.
And brute force attacks are not something to take lightly.
A successful attack can give access to protected functionality, sensitive information, or a personal account. With these types of information, a hacker could commit fraud, steal personal belongings or even achieve the complete takeover of your server.
In a Brute force attack, the offender tries to access a secured service or resource by trial and error. For example, it may try all the possible user:password pairs till finding the correct combination to get access to your preferred chat service.
Other common targets include:
Trying all the combinations till guessing doesn’t sound like a tactic prone to succeed. The possibilities grow faster than exponentially with the length of the secret. By making a password just a few characters longer, we can arrive at an ENORMOUS number.
For example, a secret composed of numbers, symbols, upper and lower letters total 74 possible characters for the first digit. A ten digits secret has 4,923,990,397,355,877,376 possible combinations!
Attackers had refined their guesses and tools over time.
An average machine decades ago could only try a few thousand passwords per second. Nowadays, your daily-use laptop can test 1,000,000 combinations per second easily. Specialized hardware can perform a lot better.
How much time would an attacker need to crack a password having only lower-case letters and numbers?
As you can see, in these conditions, a hacker could get any secret of six digits length in less than one hour!
But attackers can still improve that performance A LOT MORE by using the fact that secrets are not usually random.
Users tend to create passwords easy to remember, and so, easy to predict. The path’s URL on a website also has names following a certain logic.
With that in mind, attackers may not try all possible combinations but only the most likely. Thereby, lowering the number of possibilities radically.
This type of Brute Force is called Dictionary Attack.
There exist plenty of lists with common user:password combinations for all the popular services, such as email and social media. And they are publicly available. For example, in the SecLists project. We will return to this topic in the next sections.
We can classify Brute Force attacks by the targets and methods used.
Exhaustive Search or Simple Brute Forcing
The attacker tries all the possible combinations of characters and lengths allowed. That is the case we analyzed with the numbers in previous sections.
The attacker uses a list of words with a high likelihood of being the secret. This attack is the reason you shouldn’t use human-generated passwords.
Dictionary files usually come from past breaches. Another common source is default credentials. You should always change the default credentials of all your devices!
BruteX is an open-source tool that automates this type of attack. It includes lists with default/usual credentials for different services.
The targets are the website’s sub-directories known for containing sensitive information.
For example, sometimes developers forget to delete backup files or leave them with open permissions. In that case, anyone browsing their correct path could find them. Backup files usually contain information that is not meant to be seen by anyone, such as financial balances.
All the most popular web pen-testing tools can perform this type of attack, and they even come with lists of common paths to check. An example is Nikto.
Here the attackers use our known credentials from past breaches to break into other services belonging to us.
This attack is highly successful in practice because we tend to repeat passwords over different accounts.
Even if your account credentials were not dumped in previous hacks, you could be at risk. Your password could appear in a common-passwords list. These are the dictionary files used by the attackers in their automated attacks.
Here you can check if your credentials were leaked in past breaches.
That is why you should not secure an account only with a password. Use multi-factor authentication instead. We will talk more about that in the next sections.
Here are some tips to better protect yourself!
The National Institute of Standards and Technology (NIST) last recommendations highlight the importance of using Password Managers.
A Password Manager is a software or hardware providing functionality to generate, store and manage secure passwords. Secure passwords are long and complex enough (they seem random).
Human-generated passwords are weak and predictable, or hard to remember. Avoid them!
If you need to create a password by yourself, these recommendations will protect you better against brute-forcing attacks:
Methods of authentication for login seek to identify:
Web Services usually offer using two of them. Two-Factor-Authentication (2FA) is exactly that.
According to Microsoft, multi-factor authentication can prevent 99.9% of account compromise attacks.
A brute-forcing attempt won’t succeed if it needs to provide your voice, hand, or iris fingerprint. As a plus, you won’t need to remember anything. Neither receive a code nor install an app on your phone (like when using authenticator apps).
With anti-automation defenses in place such as CAPTCHA, a brute force attack would run remarkably slower.
Even a dictionary attack would be harder to perform; the offender’s IP would be blocked after a few failed connection attempts.
We are never exempt from a zero-day vulnerability or human error. That’s why security should be applied in layers, protecting each part of your system.
A vital line in your defenses should have anti-automation capabilities. BitNinja offers that in a great way, and even more!
BitNinja AntiFlood and Captcha modules cover you against automation attacks by blacklisting IPs attempting recurrent connections.
Even if CAPTCHA gets bypassed somehow, the BitNinja SenseLog module will detect and ban malicious IPs and brute force attempts.
BitNinja counts with features backed by state-of-art technology in different areas:
We will use the open-source tool Nikto to brute force directories and files in a website. We will look for sensitive information left publicly accessible.
The target will be a web app specially designed for these kinds of demonstrations.
We finally found an accessible file, which Nikto parsed and marked as possibly containing interesting data.
The code in the discovered file indicates too open permissions. That is an open door for everyone to read the data in the web app –also the sensitive one.
We can see three vulnerabilities in this example: crossdomain.xml file was left available to the public, to open permissions to read the data in the web app, and the lack of anti-automation defenses.
With BitNinja in place, the attacker’s IP would have been blacklisted after the firsts failed brute force attempts. As a result, this sensitive file wouldn’t have been found.
Apache/Nginx access and error logs, system-wide logs, exim4 logs, postfix logs, and more. Here is the complete list.
You can specify custom log paths in the module’s configuration too.
Yes, the BitNinja Malware Detection module detects infected files and places them in quarantine to prevent further damage to your server.
This module has unique technology to be resource-friendly and for having a very low false-positive rate. Read more about it here.
Brute Force Attack could end up taking over your server. Cybersecurity is not optional anymore. It is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at [email protected], or you can even reach us on the Dashboard chat!
Let’s make the internet a safer place together!
Start the 7-day free trial with full functionality without spending a cent.
After the “Hello, Peppa!” zero-day botnet, our Attack Vector Miner detected another zero-day...
At the end of the last year, we made...