What Is a Brute-Force Attack?

A brute-force attack is a trial-and-error method used to decode sensitive data like passwords, encryption keys, and login credentials by systematically trying every possible combination until the correct one is found. It is an exhaustive technique that relies on raw computing power rather than employing any intellectual strategy or exploiting specific vulnerabilities.

In a brute-force attack, the attacker submits numerous passwords, passphrases, or encryption keys to eventually guess correctly. This type of cyber-attack is akin to a thief attempting to crack a combination lock by trying every possible number sequence until the lock opens. The key advantage of brute-force attacks is their simplicity and guaranteed success, given enough time and computational resources to stumble upon the correct combination.

However, brute-force attacks are prolonged and inefficient—the time required for a successful breach increases exponentially with longer target strings (passwords or encryption keys). A brute-force attack is not feasible for sufficiently long and complex passwords or encryption keys, taking months or even years to complete on modern hardware.

Brute-force attacks can be launched against an application or on a hashed or encrypted password value. The methods and impacts of these attacks can vary widely based on the target and the attacker’s objectives. Here are the different ways brute-force attacks are used.

Attacking Applications

When targeting web applications, attackers often use automation software to run through a list of usernames and passwords until a match is found. This process is typically automated to increase efficiency and speed. However, many web applications deploy cybersecurity measures, such as rate limiting and account lockouts, to prevent automated brute-forcing. Despite these defences, attackers may still succeed, especially with applications that have weak security protocols.

Steps in Application Attacks:

1. Automation software: Attackers deploy software that systematically tries different username and password combinations.
2. Finding a match: Once a match is found, the attacker gains access to the user’s account.
3. Exploiting access: If no additional protections (like two-factor authentication) are in place, the attacker can exploit the account.

Cracking Stolen Passwords

More commonly, attackers focus on brute-forcing stolen password hashes. This method involves using powerful computing resources to decode hashed passwords. Once the passwords are cracked, attackers can use them to access user accounts across various platforms, especially if users re-use passwords.

Steps in Cracking Stolen Passwords:

1. Obtaining hashes: Attackers acquire hashed passwords from data breaches or other sources.
2. Decoding hashes: Using brute-force techniques, attackers decode the hashes to reveal the plaintext passwords.
3. Accessing accounts: With the decoded passwords, attackers can log into user accounts on different platforms.

Potential Actions Post-Attack

The damage from a successful brute-force attack can vary based on the compromised account’s authorisation level and the application type. Here are potential actions attackers might take:

• Sending phishing messages: Attackers can send messages to employees or other users to trick them into clicking phishing links or opening malware-laden attachments.
• Storing malware: Attackers can store malware on the system or internal infrastructure. If the malware runs on an administrator’s device, it could lead to the theft of higher-level credentials.
• Damaging reputation: Attackers can send malicious messages to customers, damaging the application owner’s reputation.
• Hijacking server processes: Attackers can inject malware into server processes, such as traffic eavesdropping applications.
• Injecting adware: Attackers can inject adware into the application to generate ad revenue.
• Redirecting traffic: Attackers can redirect user traffic to an attacker-controlled server, leading to further exploitation.

By understanding the various methods and motivations behind brute-force attacks, organisations can better prepare and implement effective security measures to protect against these pervasive threats.

A human can type a few passwords into an application per minute, but a computer can process hundreds or thousands of password guesses a minute (depending on connection speed). As a result, attackers use automation to deploy brute-force attacks. Sometimes, they use their own scripts created in their favourite language, such as Python.

Examples of cyber attacker tools used to brute-force passwords:

• Aircrack-ng: A comprehensive suite of tools for auditing and securing Wi-Fi networks by cracking WEP and WPA/WPA2 encryption keys, creating fake access points, and capturing and analysing network traffic.
• John the Ripper: An open-source password cracking tool that supports a wide range of cipher and hash types, including Unix, macOS, and Windows user passwords, web applications, and database servers.
• L0phtCrack: A Windows password auditing and recovery tool that uses dictionary, brute-force, and hybrid attacks to recover passwords from password hashes.
• Hashcat: The world’s fastest and most advanced password recovery tool, capable of leveraging GPU power to crack a wide range of hashed passwords using various attack modes such as dictionary, combination, mask, and hybrid attacks.
• DaveGrohl: A tool designed for brute-forcing web applications, particularly useful for testing the security of web forms and login pages (not covered in the provided sources).
• Ncrack: A high-speed network authentication cracking tool designed for testing network services like SSH, RDP, and FTP by performing brute-force attacks (not covered in the provided sources).
• OphCrack: A Windows password cracker based on rainbow tables, known for its speed and efficiency in cracking Windows passwords.
• RainbowCrack: A tool that uses rainbow tables to crack password hashes by reversing cryptographic hash functions, significantly speeding up the cracking process.
• Cain and Abel: A multi-purpose password recovery tool for Windows that can perform various functions, including packet analysis, VoIP recording, and wireless network scanning, as well as dictionary and brute-force attacks on password hashes.
• Medusa: A parallel, modular, and login brute-forcer that supports many protocols, including HTTP, FTP, and SMB, designed to be fast and efficient for penetration testing.

In addition to password-cracking tools, attackers will run system vulnerability scanners to identify outdated software and discover information about the target application. Administrators should always keep public-facing servers updated and patched and use monitoring software to identify scans on the system.

“Brute force attack” is an umbrella term covering various password-cracking methods that rely on trial and error.

These are some brute-forcing techniques:

• Simple brute-force attack. Bad actors use automated scripts to try out possible passwords until the correct one works. Simple brute-force attacks can be very time-consuming because they systematically try all possible permutations of characters in a sequence. The longer the password, the longer it takes.
• Dictionary attack. These attacks are less about quantity and more about quality. Instead of trying every possible combination of legal characters, bad actors start with the assumption that users are likely to follow certain patterns when they create a password. So, they will hone in on the most probable words rather than trying everything.
• Hybrid attack. These attacks are a mix of dictionary and simple brute force attacks. In this situation, a hacker obtains a user’s stolen password for one site. After learning about the breach, the user changes that compromised password. The user learns it has been compromised and changes it. The attacker will now try out variations of the old password using a brute force method that automates adding numbers, letters, and more.
• Reverse brute-force attack. Reverse brute-force password methods take a list of known passwords and automatically submit them to an application until a username is found. Attackers who use this method often download a list of stolen passwords from darknet markets and apply them to user accounts to find a credential match.
• Credential stuffing. With credential stuffing, users typically use the same passwords across several sites. An attacker who gains access to user passwords on one site will try the same ones on others. Here’s how it works: Pairs of compromised usernames and passwords are added to a botnet that simultaneously automates the process of trying stolen credentials on multiple sites. These attacks aim to identify account combinations that work and can be re-used across multiple sites.

Several strategies are available to administrators to help them prevent and detect brute-force attacks. The first step is to create better password rules so that users cannot create weak passwords. For non-critical systems, passwords should be at least ten characters long and include uppercase letters, special characters, and numbers. For critical systems, passwords should be at least twelve characters long. With strong password encryption, a computer would take several decades to finally brute-force a password.

The following strategies can also be used to stop brute-force attacks:

• Rate limit password attempts: The application can limit the number of password attempts before locking the account and display a CAPTCHA when too many attempts are made. Limiting the attempts prevents automated brute-force attacks and makes running through hundreds of potential passwords infeasible.
• Lock accounts after too many login attempts: This will disrupt the attacker’s continued brute-force attacks by temporarily locking the account after a set number of failed login attempts. Implementing progressive delays is also effective by locking the account for increasing periods after each failed attempt.
• Block suspicious IP addresses: If an IP address sends too many login attempts, the system could either block the IP automatically for a short while, or an administrator can manually add it to a “blacklist”. This helps prevent repeated attacks from the same source.
• Use two-factor authentication: This type of multi-factor authentication requires users to enter two forms of identification to sign in. The process uses knowledge, location, possession, and time factors to confirm a user’s identity, making it much harder for attackers to gain access even if they have the password.
• Employ strong password policies: Enforce strong, unique passwords that are difficult to guess. Passwords should be long (at least 10-12 characters) and include a mix of uppercase and lowercase letters, numbers, and special characters. Regularly update and change passwords to reduce the risk of compromise.
• Use CAPTCHA: Adding a CAPTCHA box to the login process can prevent automated scripts from attempting to brute-force passwords. CAPTCHA options include typing images of text on the screen, checking more than one image box, and naming objects.
• Monitor server logs: Regularly monitor server logs for unusual login attempts and patterns that may indicate a brute-force attack. Set up alerts to notify administrators of suspicious activity in real-time.
• Use a “Blacklist” of IP addresses: Maintain a blacklist of IP addresses known to be used in attacks. Regularly update this list to protect against new threats.
• Get rid of old accounts: Remove or disable old and unused accounts to reduce the number of potential entry points for brute-force attacks.
• Salting password hashes: Use “salting” in cryptographic hashing to strengthen passwords. Adding random letters and numbers (salt) to passwords before hashing them makes it significantly harder for attackers to use precomputed tables (rainbow tables) to crack the hashes.
• Encrypt passwords with high encryption rates: Use the highest available encryption rates, such as 256-bit, to protect system passwords. Robust encryption makes it much more difficult for brute-force attacks to succeed.

By implementing these strategies, organisations can significantly reduce the risk of successful brute-force attacks and protect their systems and data from unauthorised access. Monitoring software detects brute-force attacks and alerts administrators of suspicious behaviour. When brute-force attacks are detected, the application could be under an account takeover attempt. These attacks could merit additional network reviews to determine if a data breach has occurred.

Proofpoint offers a comprehensive suite of cybersecurity solutions designed to protect organisations from various threats, including brute-force attacks. By leveraging Proofpoint’s advanced technologies and expertise, businesses can significantly enhance their defences against these relentless attacks.

Proofpoint’s Business Email Compromise (BEC) and Email Account Compromise (EAC) Protection solutions are specifically tailored to safeguard organisations against brute-force attacks targeting email accounts. These solutions employ a multi-layered approach to detect and prevent unauthorised access attempts, ensuring the integrity and confidentiality of email communications.

• Advanced threat detection: Proofpoint’s solutions leverage sophisticated algorithms and machine learning models to identify and block brute-force attacks in real-time. By analysing login patterns, IP addresses, and other behavioural indicators, Proofpoint can accurately distinguish legitimate access attempts from malicious ones.
• Adaptive access controls: Proofpoint’s adaptive access controls dynamically adjust security measures based on the risk level associated with each login attempt. This includes implementing rate-limiting, CAPTCHA challenges, and account lockouts to disrupt and prevent successful brute-force attacks.
• Comprehensive reporting and alerting: Proofpoint’s solutions provide detailed reports and real-time alerts, enabling security teams to monitor and respond promptly to potential brute-force attack attempts. This visibility empowers organisations to take proactive measures and mitigate risks effectively.
• Automated incident response: In the event of a successful brute-force attack, Proofpoint’s solutions can automatically initiate incident response actions, such as account lockouts, password resets, and notifications to affected users and administrators. This streamlined response minimises the potential impact and ensures swift remediation.

With Proofpoint’s protection, organisations can significantly enhance their defences against brute-force attacks, safeguarding their email accounts and sensitive data from unauthorised access. Proofpoint’s advanced technologies and cybersecurity expertise provide a comprehensive and proactive approach to mitigating the risks associated with these persistent threats. To learn more, contact Proofpoint.