Ruslan Rakhmetov, Security Vision
In this review we look at attacks on authentication systems and encryption that work by exhaustively trying all possible combinations. Brute force takes its name from the raw computing power it relies on. Instead of exploiting a logical or cryptographic flaw, the attacker simply tries every possible password or key until the correct one turns up.
Brute force is a trial-and-error method that occurs in everyday life too. Imagine you have a ring of 1000 keys but can't remember which one opens the door: you can simply try them one by one. In the digital world, the lock is an authentication system and the keys are candidate passwords.
Brute forcing a simple password doesn't take long. For example, if you forget the four-digit PIN of your bank card, you can start trying every variant: 0000, 0001, 0002... A PIN of five or twenty digits would be more secure, but banks usually limit the number of attempts instead (typically 3 per day): get it wrong three times and the card is blocked. So, to protect yourself, you can install a stronger lock (a complex password), use an electronic fingerprint lock (2FA), or simply limit the number of entry attempts, stretching the attack out as much as possible.
The idea is simple: if the password or key is short enough, the attacker can try every possible variant until the correct one is entered. The search strategy and the ways of speeding it up differ, however, so we distinguish several types of brute force attack:
Classic (brute force): an exhaustive search over all possible character combinations without taking context into account. Short and weak passwords fall easily to this method: a six-character password of letters and digits requires two to six billion variants (36⁶ = 2,176,782,336 with Latin letters and digits, 43⁶ = 6,321,363,049 with Russian letters instead). Longer and more complex passwords take far more variants, and therefore far longer, to find this way.
Dictionary attack: the attacker uses a ready-made list of passwords instead of a full search (e.g. rockyou.txt and the weakpass collections of leaked passwords). Although this is on average much faster than the classic method, it fails against unique passwords.
Hybrid attack: the most sophisticated variant, which takes dictionary words and adds digits, special characters and capital letters to them, mutating password into P@ssword1 or Pa$$w0rd!.
Precomputed hash attack (rainbow tables): uses tables of precomputed hashes to find passwords almost instantly. It recovers a password from its hash far faster than hashing candidates on the fly (e.g. the MD5 hash 5f4dcc3b5aa765d61d8327deb882cf99 corresponds to password), but it requires large storage and is only suitable against obsolete hashing schemes (MD5, SHA1). We have already covered hashes and encryption earlier.
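The following example, added here and not part of the original article, shows why a precomputed table works against an unsalted MD5 hash and why a per-user random salt combined with a slow key-derivation function defeats it. The five-word list, the 600,000 PBKDF2 iterations and all function names are constructed assumptions; the MD5 digest is the one quoted above.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed five-word list standing in for rockyou.txt or a weakpass dump.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

# Assumed PBKDF2 work factor: a common recommendation is in the hundreds of
# thousands of iterations for PBKDF2-HMAC-SHA256 (assumption; tune to hardware).
ITERATIONS = 600_000


def build_md5_lookup(words):
    """Precompute hash -> password once. A rainbow table is a space-optimised
    form of this same idea; the plain dictionary shows why it works at all:
    the unsalted hash of a given password is identical in every system."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


MD5_TABLE = build_md5_lookup(WORDLIST)


def lookup_unsalted(md5_hex: str, table=MD5_TABLE) -> Optional[str]:
    """Recover a leaked unsalted MD5 hash instantly, or None if it is not in the table."""
    return table.get(md5_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS):
    """Defender side: random per-user salt plus a slow KDF. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def salted_lookup_cost(num_users: int, wordlist_len: int = len(WORDLIST),
                       iterations: int = ITERATIONS) -> int:
    """KDF iterations needed to cover the wordlist for every user. With unique
    salts no table can be shared, so the work multiplies by the number of users."""
    return num_users * wordlist_len * iterations


def demo_salt_defeats_table(iterations: int = ITERATIONS) -> bool:
    """True when two users with the same password get different digests and
    verification with the stored salt still succeeds."""
    s1, d1 = hash_password("password", iterations=iterations)
    s2, d2 = hash_password("password", iterations=iterations)
    return (d1 != d2
            and verify_password("password", s1, d1, iterations)
            and not verify_password("Password", s1, d1, iterations))


if __name__ == "__main__":
    leaked = "5f4dcc3b5aa765d61d8327deb882cf99"   # MD5 digest quoted in the article
    print("unsalted MD5 ->", lookup_unsalted(leaked))
    print("salt + PBKDF2 defeats a shared table:", demo_salt_defeats_table())
    print("KDF work to cover the list for 1e6 users:", salted_lookup_cost(1_000_000))
```

The table costs one MD5 per word and then answers every query for free, which is exactly the trade the article describes; with salting, the attacker must redo the wordlist per user, and the slow KDF makes each guess cost hundreds of thousands of iterations instead of one MD5.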
At the very beginning of this review we noted that brute force attacks usually do not exploit vulnerabilities in the target system directly; an attacker may, however, exploit vulnerabilities in other devices to infect them and make them "work" for him. A traditional attack runs from a single device with limited processing power, whereas distributed brute force uses hundreds or thousands of computers (e.g. a botnet) in order to:
- check multiple passwords in parallel;
- avoid IP blocking;
- distribute the load across different machines.
Such an attack is more elaborate. It starts with building a network of attacking machines under a single control centre (much as SOAR orchestrates the tasks and systems of a SOC, the attacker manages a network of infected PCs and IoT devices); powerful GPU farms or cloud servers also serve the purpose. The work is split into parts: one group of computers tests passwords from aaaaaaaa to ffffffff, another from gggggggg to mmmmmmmm, and so on. The attack thus runs in parallel rather than sequentially and is therefore faster. If one of the machines finds the correct password, it reports it to the botnet operator. The method also sidesteps blocking, because attempts arrive from different locations (different IP addresses).
Modern graphics cards (NVIDIA RTX 4090 and the 50 series) can check millions of passwords per second; below is a rough estimate of classic brute force for several passwords:
The password 123456 (10⁶, a million variants) falls instantly; password123 (10¹²) takes about 2 seconds; p@ssW0rD!2024 (10²⁰) takes about 5 years (although it looks like something that could already be in a ready-made dictionary); but a truly unique password like u6$F1g!rL$93*k (10³²) would take millions or billions of years to crack (it's hard to say precisely, as progress may speed up brute forcing over that time).
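The estimates above are rough powers of ten. The calculator below, an added example that is not part of the original article, makes the classic-search arithmetic explicit: it sizes the alphabet from the character classes actually present in a password, computes the keyspace as alphabet^length, and converts it to time at an assumed guess rate. The rate of 10⁹ guesses per second and the function names are assumptions; the Russian alphabet is the 33 letters behind the article's 43-symbol figure.

```python
import math
import string

# Assumed guess rate (not a measurement): the article says a modern GPU checks
# "millions of passwords per second"; 1e9 guesses/s is a round figure for a
# fast unsalted hash and is easy to adjust.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Character classes an exhaustive search must cover. Russian is limited to the
# 33 lower-case letters implied by the article's 43-symbol alphabet (33 + 10).
CHAR_CLASSES = {
    "latin_lower": set(string.ascii_lowercase),                    # 26
    "latin_upper": set(string.ascii_uppercase),                    # 26
    "digits": set(string.digits),                                  # 10
    "symbols": set(string.punctuation),                            # 32
    "russian_lower": set("абвгдеёжзийклмнопрстуфхцчшщъыьэюя"),    # 33
}


def alphabet_size(password: str) -> int:
    """Smallest union of standard character classes containing every character
    of the password. A classic search that knows nothing about the password
    must cover at least this alphabet."""
    used = set(password)
    size = sum(len(chars) for chars in CHAR_CLASSES.values() if used & chars)
    # Characters outside every known class each add one symbol to the alphabet.
    known = set().union(*CHAR_CLASSES.values())
    return size + len(used - known)


def keyspace(password: str) -> int:
    """Number of candidates in a classic search: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual 'bits of strength' figure."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate; on average
    the correct one turns up after half of them."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Summary a defender can show next to a password policy."""
    return {
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case": human_time(seconds_to_exhaust(password)),
    }


if __name__ == "__main__":
    # The article's four passwords; the keyspaces here come from the character
    # classes present, so they differ from the article's rounded powers of ten.
    for pw in ["123456", "password123", "p@ssW0rD!2024", "u6$F1g!rL$93*k"]:
        print(pw, report(pw))
```

Changing ASSUMED_GUESSES_PER_SECOND (for a botnet, multiply by the number of machines) shows how distributed brute force shifts the worst-case column while the keyspace itself stays fixed; only a longer password or a larger alphabet moves the keyspace.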
In 2016 the Mirai botnet infected millions of devices (IP cameras, routers) and used them to brute force SSH passwords on servers. Over the past five years there have been cases of attackers renting capacity in AWS, Google Cloud, Azure and other clouds to launch attacks from there. Any password, even the most complex, can in principle be guessed, but if it costs too much or takes too long, the attacker may lose interest (for example, guessing a Bitcoin private key is practically impossible, although the attack is theoretically possible).
Sometimes, instead of searching for the password of one login, the attacker tries one password against many logins (reverse brute force): having password123, he checks it against millions of e-mail accounts. In general, the applications are many, e.g.:
- Account hacking (guessing passwords for social networks, e-mail, online banking);
- Theft of cryptocurrency (brute forcing the passwords that protect Bitcoin and Ethereum private keys);
- Server hacking (guessing passwords for SSH, RDP, FTP, VPN);
- Wi-Fi hacking (WPA2/WPA3 password brute force);
- Cracking encrypted files (brute forcing the passwords of ZIP, RAR, PDF files);
- Cracking hashes (recovering the original password from its hash).
Brute force is used both by attackers and by cybersecurity professionals testing the resilience of systems, which is why we have covered this attack today. To conclude, let's look at the most effective ways to protect against brute force:
1) Use long and complex passwords (14+ characters is best);
2) Use a password manager to generate and store passwords instead of saving them in the browser (if the browser does not support a master password);
3) Use unique passwords (so one "leaked" account won't affect dozens or even hundreds of others);
4) Enable basic two-factor authentication (2FA): even if the password is compromised, a second factor is needed to log in;
5) Access to the most critical data can be protected with hardware-key authentication (FIDO2, YubiKey as a second or third factor), ruling out guessing over the network;
6) Limit login attempts where possible (temporary lockout after 3-5 errors);
7) Enable IP blocking after several failed attempts (fail2ban, CSF) to hold off a lone attacker for a while and buy time to change the password;
8) Ensure log monitoring (tracking failed login attempts, e.g. with SIEM solutions);
9) Protect web forms and sites with CAPTCHA and reCAPTCHA;
10) Protect connections from unsecured Wi-Fi networks with a VPN.
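Points 6 to 8 above, and the reverse brute force pattern described earlier, come down to one question for the monitoring side: which source is producing failures faster than a person could? The detector below is an added example, not code from the article or from any SIEM or fail2ban. It parses constructed OpenSSH-style "Failed password" lines (documentation IP ranges, no real logs), keeps a sliding window per source address, and raises two kinds of alert: many failures from one address (classic brute force) and many distinct usernames from one address (reverse brute force). The thresholds, window, year and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH / syslog format; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 10 12:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
Mar 10 12:00:02 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51423 ssh2
Mar 10 12:00:02 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51424 ssh2
Mar 10 12:00:03 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51425 ssh2
Mar 10 12:00:04 srv sshd[1209]: Failed password for root from 203.0.113.7 port 51426 ssh2
Mar 10 12:00:05 srv sshd[1211]: Failed password for root from 203.0.113.7 port 51427 ssh2
Mar 10 12:01:10 srv sshd[1250]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Mar 10 12:01:15 srv sshd[1252]: Failed password for bob from 198.51.100.23 port 40002 ssh2
Mar 10 12:01:21 srv sshd[1254]: Failed password for invalid user carol from 198.51.100.23 port 40003 ssh2
Mar 10 12:01:30 srv sshd[1256]: Failed password for dave from 198.51.100.23 port 40004 ssh2
Mar 10 12:05:00 srv sshd[1300]: Failed password for erin from 192.0.2.9 port 38000 ssh2
Mar 10 12:15:00 srv sshd[1310]: Failed password for erin from 192.0.2.9 port 38001 ssh2
Mar 10 12:15:08 srv sshd[1310]: Accepted password for erin from 192.0.2.9 port 38001 ssh2
"""

# Matches the sshd failure message; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ASSUMED_YEAR = 2025   # syslog timestamps carry no year (assumption for parsing)


def parse_failed_logins(text: str):
    """Return (timestamp, source_ip, username) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue   # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect(text: str, window_seconds: int = 60,
           fail_threshold: int = 5, user_threshold: int = 3):
    """Sliding-window detection per source address.

    brute_force:         >= fail_threshold failures within the window
    reverse_brute_force: >= user_threshold distinct usernames within the window
    Returns a sorted list of (ip, alert_kind) with one entry per pair.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) inside the window
    alerts = set()
    for ts, ip, user in sorted(parse_failed_logins(text)):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= fail_threshold:
            alerts.add((ip, "brute_force"))
        if len({u for _, u in q}) >= user_threshold:
            alerts.add((ip, "reverse_brute_force"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"{ip:16} {kind}")
```

With the defaults, 203.0.113.7 trips the failure threshold (six attempts on root in four seconds) and 198.51.100.23 trips the distinct-user threshold (four usernames, one attempt each, which a per-account lockout would never see), while 192.0.2.9, two failures ten minutes apart followed by a success, stays quiet. The alert list is what you would forward to a SIEM rule or turn into a temporary fail2ban-style block.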