Bruteforce is ... Description of the program, installation procedure, protection

In the world of cybercrime, brute force means making repeated, consecutive attempts at various password combinations in order to break into a website or unlock a device. Hackers carry out these attempts using bots that they maliciously install on other computers, which gives them the additional computing power needed to launch this type of attack.

So what is a brute-force attack?

Brute force is the easiest way to gain access to a site, device, or server (or anything else that is password protected). The attacker tries various combinations of usernames and passwords again and again until a login succeeds. This repeated action is like an army attacking a fort.

To some, such a description of the brute-force attack suggests that anyone can do it. The actions really are simple, but they do not always succeed.

Typically, each common identifier (e.g. admin) has a password. All you have to do is try to guess it. For example, if it is a two-digit combination, you have 10 digits from 0 to 9. This means that there are 100 possibilities. You can try them manually, entering them one by one.





But the truth is that not a single password in the world consists of two characters. Even the PIN codes used on mobile phones or at the bank consist of at least 4 characters.

On the Internet, 8 characters is usually the standard for the shortest password. In addition, passwords include letters to make them more secure. Letters can be used in both upper and lower case, which makes the password case-sensitive.

So, if there is an alphanumeric 8-character password, how many possible combinations will you have to try? There are 26 letters in the English alphabet. If you count them in both upper and lower case, you get 26 + 26 = 52. Then you need to add the digits: 52 + 10 = 62.

So, there are a total of 62 characters. For an 8-character password, this will be 62^8, which makes 2.1834011 × 10^14 possible combinations.

If you try the 218 trillion combinations at one attempt per second, it will take 218 trillion seconds, or 3.6 trillion minutes. Simply put, it will take about 7 million years to crack the password if it is the final combination tried. Of course, the process may take less time, but this is the maximum time for finding the value. It is clear that manual brute force is impossible.





Then how can this happen?

If you are interested in breaking passwords, you will have to use computers. This takes only a few simple lines of code. Such programming skills are basic for any programmer.

Now suppose you have developed a password unlock program that tries 1000 combinations per second. The time is reduced to 7 thousand years. That is still not feasible, so a supercomputer is needed.

If the machine can make 1 × 10^9 attempts per second, then in just 22 seconds all 218 trillion attempts will be tested. Computing resources of this kind are not available to ordinary people. However, hackers are not regular users. They can gather computing resources in various ways, for example, by developing a powerful computing mechanism using software and the like.

In addition, the above calculation covers all possible combinations of an 8-character password. But what if its length is 10 or 100 characters? That is why it is very important to have additional security levels to detect and reject hacking attempts.

Why are they doing that?

With brute force, a hacker's motive is to gain illegal access to a targeted website and use it to perform another type of attack or steal valuable data. It is also possible that an attacker infects a resource with malicious scripts for long-term goals, without even touching a single thing and leaving no traces. Therefore, it is recommended to scan the site frequently and follow the recommendations for protecting it.

What to do?

There are many tools for protecting various applications that take away the ability to keep attacking after a certain number of attempts.

For example, for SSH, you can use Fail2ban or DenyHosts. These programs block an IP address after several incorrect attempts. These tools do a good job. However, they cannot always protect you.

Recently, there has been an exponential increase in brute-force attacks. They come from around the world and become more sophisticated every day. Therefore, all users should try to be vigilant. So, how do you protect yourself from brute force?

Password length

The first step to preventing an attack should be a longer password. Currently, many websites and platforms force their users to create an access code of a certain length (8-16 characters).

Password Complexity

Another important thing is to create a complex password. Passwords such as iloveyou or password123456 are not recommended. The password must consist of uppercase and lowercase letters, as well as numbers and special characters. Complexity slows down the cracking process.

Limit Login Attempts

A simple but very powerful measure is to limit attempts to log into your account, whether on a site or a server. For example, if a site receives five failed login attempts, it must block this IP for a certain period of time to stop further attempts.
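A minimal sketch of that rule, which is also what tools such as Fail2ban apply to SSH. This is an added example, not code from any of the tools named in the article; the 10-minute counting window, the 15-minute block and all names in it are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # the article's example: five failed attempts
WINDOW_SECONDS = 600  # assumed: failures are counted over the last 10 minutes
BLOCK_SECONDS = 900   # assumed length of "a certain period of time"


class LoginThrottle:
    """Counts failed logins per source IP and blocks an IP that fails too often."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block ends

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now >= until:
            del self._blocked_until[ip]      # block expired
            until = None
        return until is not None

    def record(self, ip, success, now):
        """Register one attempt; return False if it must be rejected outright."""
        if self.is_blocked(ip, now):
            return False                     # refuse before checking the password
        if success:
            self._failures.pop(ip, None)     # a valid login resets the counter
            return True
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            recent.clear()
        return True


def replay(events):
    """Run (time, ip, success) tuples through a fresh throttle; return decisions."""
    throttle = LoginThrottle()
    return [throttle.record(ip, ok, t) for t, ip, ok in events]


# Constructed sample: one address fails six times in a minute, then returns later.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 60, 10)]
    + [(100, "198.51.100.4", True), (50 + BLOCK_SECONDS, "203.0.113.7", False)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The sixth attempt from the failing address is refused, the unrelated address is unaffected, and the blocked address is admitted again once the block has expired.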

Modifying the .htaccess File

Adding a few rules to your .htaccess file can further enhance the security of your site. The goal is to allow access to wp-admin only to the specific IP addresses listed in it.

Using captcha

Captcha is now widely used on many sites. It stops bots from running the automated scripts that brute-force attacks mainly rely on. Installing captcha on a website or blog is quite simple.

Install the Google invisible reCaptcha plugin and go to your Google account. Now go back to the plugin settings page and choose the places where the user must solve the captcha before performing the actual task.

Two-factor authentication

Two-factor authentication is an additional line of defense that can protect your account from brute force. The chances of a successful attack on sites protected by 2FA are very small. There are various ways to implement it on a site. The easiest is to use any of the two-factor authentication plugins.

If we are talking not about our own site but about other resources (for example, preventing brute force against a router), the methods can be as follows:

  1. Create a unique password for each account.
  2. Make frequent password changes.
  3. Avoid sharing credentials through insecure channels.

Reverse brute force

A reverse brute-force attack is another term associated with breaking a password. In this case, the attacker tries the same password against multiple usernames. The hacker knows the password but has no idea about the usernames, so he tries the same password with different logins until he finds a working combination. This usually happens when brute-forcing WiFi and other connections.

The attack is commonly used to crack passwords. Hackers can use brute force against any software, website or protocol that does not block requests after several invalid attempts.

Many password cracking tools are known for various protocols. Some of them are worth considering in detail. In order to use such applications, just download and start attacking. Since some of them use several mechanisms at the same time, you should study them in detail. This will help you protect against attacks, as well as check all of your own systems for vulnerabilities.
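The two patterns look different in authentication logs: ordinary brute force hammers one account, while the one-password-many-usernames variant touches each account only once or twice and so slips under a per-account failure counter. The added example below (not part of the original article) separates them per source address; the sshd-style log lines are constructed, the thresholds are assumptions, and because logs do not record the password, "same password" is inferred from the low number of tries per username.

```python
import re
from collections import Counter, defaultdict

# Matches sshd-style failure lines, with or without the "invalid user" prefix.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def classify_sources(lines, min_tries=5, min_users=4, max_tries_per_user=2):
    """Return {source_ip: verdict} for sources whose failures fit either pattern.

    The caller is assumed to pass lines from one time window only.
    """
    tries = defaultdict(Counter)                 # ip -> username -> failed attempts
    for line in lines:
        match = FAILED.search(line)
        if match:
            user, ip = match.groups()
            tries[ip][user] += 1
    verdicts = {}
    for ip, per_user in tries.items():
        most = max(per_user.values())
        if len(per_user) >= min_users and most <= max_tries_per_user:
            # Many accounts, few guesses each: one password tried across usernames.
            verdicts[ip] = "reverse brute force"
        elif most >= min_tries:
            # Many guesses against a single account.
            verdicts[ip] = "brute force"
    return verdicts


# Constructed sample log: three sources with different behaviour.
SAMPLE_LOG = (
    [f"Mar 10 08:00:{i:02d} host sshd[811]: Failed password for root "
     f"from 203.0.113.7 port {40000 + i} ssh2" for i in range(6)]
    + [f"Mar 10 08:01:{i:02d} host sshd[812]: Failed password for invalid user {u} "
       f"from 198.51.100.9 port {41000 + i} ssh2"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["Mar 10 08:05:09 host sshd[901]: Failed password for frank "
       "from 192.0.2.10 port 50000 ssh2"]
)

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

A single mistyped password, like the one from 192.0.2.10 in the sample, matches neither pattern and is not flagged.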

Aircrack-ng

This is a popular wireless password cracking tool available for free. It comes with a WEP / WPA / WPA2-PSK cracker and analysis tools for carrying out an attack on 802.11 Wi-Fi. Aircrack-ng can be used with any network adapter that supports raw monitoring.

It mainly performs dictionary attacks against the wireless network to guess the password. As you already know, the success of such an attack depends on the complexity of the passwords. The better and more effective the combination, the less likely it is that a hack will occur.

The application is available for Windows and Linux. In addition, it has been ported to the iOS and Android platforms.

John the Ripper

This is another amazing tool that needs no introduction. It is often used to brute-force long passwords. This free software was originally developed for Unix systems. Later, the authors released it for other platforms. Now the program supports 15 different systems, including Unix, Windows, DOS, BeOS and OpenVMS. It can be used either to identify vulnerabilities or to crack passwords and break authentication.

This tool is very popular and combines various functions. It can automatically detect the type of hash used for the password. Thus, it can be run against an encrypted password store.

In principle, a brute-force program can perform a brute-force attack with all possible passwords, combining text and numbers. However, it can also be used with a dictionary.

RainbowCrack

This software is also a popular password brute-force tool. It generates tables for use during an attack. In this respect it differs from other traditional brute-forcing tools. Rainbow tables are pre-computed. This helps reduce attack time.

Fortunately, various organizations have already published pre-computed tables for this software for all Internet users. This tool is still under active development. It is available for both Windows and Linux and supports all the latest versions of these platforms.

L0phtCrack

The program is known for its ability to crack Windows passwords. It uses dictionaries, brute force, hybrid attacks and rainbow tables. The most notable features of L0phtCrack are scheduling, extracting hashes from 64-bit versions of Windows, multiprocessor algorithms, and network monitoring and decoding.

Ophcrack

Another brute force tool that is used to crack Windows passwords. It breaks the password using LM hashes through tables. This is a free open source program. In most cases, it can crack a Windows password in a few minutes.

Crack

This is one of the oldest password cracking tools. It can be used on UNIX systems, including brute-forcing on Android. It is used to check for weak passwords by performing dictionary attacks.

Hashcat

Some argue that this is the fastest CPU-based password cracking tool. It is free and is available for the Linux, Windows, and Mac OS platforms. Hashcat supports various hashing algorithms, including LM hashes, MD4, MD5, the SHA families, Unix crypt formats, MySQL, and Cisco PIX. The program supports various attacks, including Brute-Force, Combinator, dictionary, fingerprint attack, and many more.



