Essential facts of Brute Force Attacks (2)

In this article, we will talk about another important fact of brute force attacks.

Topics covered in this article

  • How is a brute force attack performed?
  • Brute Force attack tools and software
  • Ways to Protect against brute force attacks

How is a brute force attack performed?

The phrase “brute force attack” may bring to mind the highly professional hacker image of Elliot Alderson, sitting with pen and paper and using his vast intelligence to guess different password combinations. The reality is duller than this picture: cyber-attackers are just as busy as other people, and a lifetime is not enough to guess all the possible combinations of an 8-character password by hand. Instead, these attackers use various scripts, bots, or software to try passwords against the login page of a website or application in a much shorter time.

Discovering the password and matching it to the user name is only the first step in a brute force attack. The main purpose of hackers in a brute force attack is to gain access to the user’s personal and sensitive data, which can then be used to infiltrate the network of the organization of which the user is a member.

How easy or almost impossible a brute force attack is depends on the strength of the passwords. The reason that no password, not even a bank card PIN, is two digits long is that there are only four possible combinations for the two digits and the hacker can guess the password in one second. By contrast, if a password of, for example, 8 characters consists of a combination of lowercase and uppercase English letters and numbers (a total of 62 characters), the number of possible combinations becomes 62 to the power of 8, which is about 218 trillion!

Brute Force attack tools and software

A cyber-attacker uses software to carry out a brute force attack. The software systematically checks all possible password combinations, using the computer's processing power, until it identifies the correct password. Because it would take far too long for a human to try all possible combinations by hand (millions of years for a password of 8 characters or more!), it is not possible to perform brute force attacks without cracking software. Here are some of the most popular tools used in brute force attacks:

  • Aircrack-ng software
  • John the Ripper software
  • Rainbow Crack software
  • L0phtCrack software
  • Ophcrack software

Aircrack-ng software

Aircrack-ng is one of the most popular tools for brute force attacks. This free software is used to crack Wi-Fi passwords. It works by running a dictionary attack against a Wi-Fi network that uses the IEEE 802.11 standard in order to guess its password. The success rate of this tool depends on whether the dictionary contains the password. The better and more up-to-date a dictionary is, the more likely it is to succeed in cracking the password.

Aircrack-ng software is used to determine the security of wireless connections. This software is available for Windows and Linux platforms and can run on iOS and Android.

John the Ripper software

Another popular tool for brute force attacks is John the Ripper. This free tool was first developed for Unix systems, but later versions were released for other platforms such as Windows, DOS, BeOS, and OpenVMS.

With the help of this tool, weak passwords can be identified or cracked. This tool supports several password-cracking modes, can automatically detect the type of hash used for the password, and then tries to break it. Thus, even some encrypted or hashed passwords are not secure against this software, and it can be used to measure the security of encrypted keys.

John the Ripper software can perform simple brute force attacks by trying out all possible combinations of letters and numbers. If you have access to a list of passwords, you can use this software to perform dictionary brute force attacks.

Rainbow Crack software

This software performs brute force attacks by generating rainbow tables, which are used to break hashes. The difference between this tool and other brute force software is that the rainbow tables are pre-calculated, which reduces the attack time. Various organizations have published rainbow tables that any Internet user can use with this software.

Rainbow Crack supports all new versions of Windows and Linux.

L0phtCrack software

This software is known for its ability to crack Windows passwords. L0phtCrack uses simple brute force, dictionary, hybrid, and rainbow table attacks. The most important features of this software include scheduling, hash extraction from 64-bit versions of Windows, multiprocessor algorithms, and network monitoring and decryption.

Ophcrack software

Ophcrack software is also used specifically to crack Windows passwords. The Windows operating system hashes its users’ passwords with the LM algorithm and stores them in a file called SAM. The SAM file is encrypted in such a way that the user cannot normally read or copy it, but the Ophcrack tool can break the LM hash and extract the password with the help of rainbow tables.

By default, the software includes rainbow tables that can crack passwords of less than 14 characters (consisting of letters and numbers) in minutes. Of course, you can also download other rainbow tables to crack longer passwords.

Using these tools locally or to identify vulnerabilities in organizational systems is not a problem and is not illegal, but using them to hack other users’ passwords can have serious consequences.

Ways to Protect against brute force attacks

There are several ways to protect passwords against brute force attacks, some of which must be followed by the user and some by the website owner. Here are some of the most important ones:

  • Limit the number of incorrect password attempts
  • Use strong passwords
  • Alternatives to traditional passwords
  • Multi-factor authentication
  • Captcha

Limit the number of incorrect password attempts

One effective way to prevent brute force attacks is to limit the number of times an attacker has the opportunity to try different combinations to find the correct password.

On some websites and services, if the wrong password is entered too many times, the user’s account is blocked and cannot be accessed for a certain period of time. Although this method does not prevent the attack, it interrupts the attacker’s work.

Use strong passwords

One of the best and most effective ways to prevent dictionary brute force attacks is to avoid using words that can be found in the dictionary. Users should also refrain from using their personal information, including bank account numbers, to choose passwords for web services that do not use strong cryptographic keys.

Alternatives to traditional passwords

Another way to reduce brute force attacks is to avoid using traditional passwords. You can use one-time tokens or passwords instead. This creates a unique password each time you access the website, preventing brute force attacks.

Multi-factor authentication

The use of tokens is a kind of two-factor authentication, or 2FA. This security measure is commonly used in banking transactions. In this method, in addition to the usual login methods, another level of security is added during the transaction. For example, a code is sent via SMS to the user’s smartphone, or two-factor authentication applications such as Google Authenticator automatically generate one-time passwords. Thus, even if the hacker has access to the user’s password, he will need to enter a code to log in, which fortunately he does not have access to.

Show Captcha

Also, after several unsuccessful login attempts, authentication systems can show a captcha to prevent brute force attacks by bots. There are different types of captcha, including typing the text displayed in an image, checking the “I’m not a robot” option, or recognizing objects in images. Captcha can be enabled for the first login attempt or after the first failed attempt.
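The attempt limit from the section on incorrect passwords and the captcha-after-failures rule above can share one per-account failure counter. The following Python code is an added example, not part of the original article; the class names, thresholds, lockout period and in-memory storage are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3     # assumed: recent failures before a captcha is required
LOCK_AFTER = 5        # assumed: recent failures before the account is locked
LOCK_SECONDS = 900    # assumed: lockout period (15 minutes)
WINDOW_SECONDS = 600  # assumed: failures older than this are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failures
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failed logins per account (in-memory, single process)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the logic can be tested
        self._accounts = {}

    def _state(self, user):
        st = self._accounts.setdefault(user, AccountState())
        cutoff = self._clock() - WINDOW_SECONDS
        st.failures = [t for t in st.failures if t > cutoff]
        return st

    def check(self, user):
        """Call before verifying a password: 'locked', 'captcha' or 'allow'."""
        st = self._state(user)
        if self._clock() < st.locked_until:
            return "locked"
        if len(st.failures) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, user, success):
        """Call after a password check that was allowed to run."""
        st = self._state(user)
        if success:
            st.failures.clear()      # a good login resets the counter
            return
        st.failures.append(self._clock())
        if len(st.failures) >= LOCK_AFTER:
            st.locked_until = self._clock() + LOCK_SECONDS
            st.failures.clear()      # start counting afresh after the lock
```

The counter is keyed by account name, so it also applies to names that do not exist; keeping the response identical for unknown accounts avoids revealing which user names are valid.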

Conclusion

In this article, we talked about the essential facts of brute force attacks, and we hope you enjoyed reading it.