Introducing Brute Force Attack

Back to Blog
26Aug

Introducing Brute Force Attack

By Testing , , , Comments Off on Introducing Brute Force Attack

What is Brute Force Attack?

A brute force attack or brute force cracking is the cyber attack equivalent of trying every key on your key ring, and unfortunately finding the right one.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force cracking in progress is the best counter: once attackers have access to the network, they are much harder to catch.

Types of Brute Force Attacks

The most common brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries to crack them using them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These types of attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers prepared within the last few years can brute force crack an 8-character alphanumeric password – capitals and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute-force decrypt a weak encryption hash in a month. Such types of brute force attacks are known as an exhaustive key search, where the computer system tries every possible combination of every possible character to find the right combination of passwords.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data violations to try to break into different systems.

The reverse brute-force attack uses a general password like “password,” and subsequently tries to brute-force a username to go with that password. Since “password” is one of the most common passwords in 2017, this technique is more successful than you might think.

Motives Behind Attacks

Brute force attacks occur in the very early stages of the cyber kill chain, mostly during the reconnaissance and infiltration stages. Hackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entered the network, hackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Hackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but these are not linked to other pages. A brute force attack tests different addresses to see if they return a valid web page, and will find out a page they can exploit. Things like a software vulnerability in the code they could use for infiltration – like the vulnerability used to infiltrate Equifax or a web page that contains a list of usernames and passwords exposed to the world.

There is small finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for the – result.

How to Defend Against Brute Force Attacks?

Brute force attacks take time to run. Some attacks can take weeks or a few months to provide anything useful. Most of the stand against these attacks involves increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: Many more characters equal more time to brute force crack.
  • Increase password complexity: Many more options for each character also increase the time to brute force crack.
  • Limit login attempts: Brute force attacks increment a counter of multiple failed login attempts on most directory services – a good security against brute force attacks is to lock out users after some failed attempts, thus nullifying a brute force attack in progress.
  • Implement Captcha: Captcha is one of the common systems to verify a human is a human on websites and can stop brute force attacks in progress.
  • Use multi-factor authentication: Multiple-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success.

The proactive way to stop brute force attacks starts with monitoring the systems. Various monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We have got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack underway), threat models that detect potential credential stuffing, and more – all designed to find and prevent brute force attacks before the attack explodes.

Conclusion

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are uncrackable. Once you find and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Share this post

Author

Vishnu Yash Tripathi

Vishnu Yash Tripathi is a module lead engineer at Devstringx Technologies for the last 6 years. He has 09 years of experience in manual, security, automation, and software testing. Based on his in-depth experience in the IT industry, he creates informative and engaging content. He has worked on the OWASP guideline for security testing using various security testing tools. His visionary leadership and flamboyant management style have produced fruitful results for the company.

Back to Blog

Related Posts

protractor
31May

Getting Started With Protractor A Test Automation Framework

About Protractor It is a test automation framework that is used for automating web application testing. It combines technologies such as...

Read More
Feature image for cucumber testing blog
06Jan

What Is Cucumber? A Detail Guide On Cucumber Testing Tool – Devstringx

To Understand what is Cucumber, we must first understand What Is Behaviour Driver Development (BDD)? What Is BDD? BDD is one of...

Read More
Contract Testing
15Mar

How to Start Writing the Contract Testing for Consumer? – Devstringx

What Is Contract Testing? The contract is a common term used to describe the document which share by 2 parties i.e....

Read More
image of Write excel in cypress
13Jan

How to Read & Write Excel Data in Cypress? – Guide By Experts

File conversion is one method we could use to read data from excel files. Due to Cypress's lack of support.xlsx...

Read More
Feature image for software testing blog
21Feb

Tips to Enhance the Efficiency of the Software Testing Process – Devstringx

Software testing is about much more than simply locating and fixing errors. It's a strategic measure to ensure quality software,...

Read More
Feature image for top Manual testing blog
30Jan

Top 10 Manual Testing Tools for QA – Devstringx

Manual Testing Tools  Are you looking for a reliable way to test products and services? Manual software testing tools provide an...

Read More
Banner for Smoke Testing
11Oct

What Is Smoke Testing? – Devstringx

What Is Smoke Testing? Smoke testing is also known as build verification testing. Smoke testing is a high-level test performed on an...

Read More
ETL Testing
12Oct

What is ETL Testing: Importance, Process, and Types | Devstringx

What Is ETL Testing? ETL Stands for Extraction, Transformation, and Load. So Basically ETL is a process of how data is...

Read More
Feature image for QA Team management blog
23Feb

Tips on Effective Offshore QA Team Management – Devstringx

Nowadays, an increasing number of companies are enlisting offshore QA teams to support their product development process. Organizations such as...

Read More
Feature image for Reading Email Using Java POP3 blog
19Apr

How to Read Email Using Java POP3? – Devstringx

In today's world, email is one of the most widely used means of communication. Many applications and websites rely on...

Read More