Brute Force Attack using Kali Linux Completed

Brute Force Attack using Kali Linux Completed

What's a Brute Force Attack?

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.

These attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try and ‘force’ their way into your private account(s).

This is an old attack method, but it's still effective and popular with hackers. Because depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years.

What do hackers gain from Brute Force Attacks?

Brute force attackers have to put in a bit of effort to make these schemes pay off. While technology does make it easier, you might still question: why would someone do this?

Here’s how hackers benefit from brute force attacks:

Profiting from ads or collecting activity data

Stealing personal data and valuables

Spreading malware to cause disruptions

Hijacking your system for malicious activity

Ruining a website’s reputation

Profiting from ads or collecting activity data.

Hackers can exploit a website alongside others to earn advertising commissions. Popular ways to do this include:

Putting spam ads on a well-traveled site to make money each time an ad is clicked or viewed by visitors.

Rerouting a website’s traffic to commissioned ad sites.

Infecting a site or its visitors with activity-tracking malware — commonly spyware. Data is sold to advertisers without your consent to help them improve their marketing.

Stealing personal data and valuables.

Breaking into online accounts can be like cracking open a bank vault: everything from bank accounts to tax information can be found online. All it takes is the right break-in for a criminal to steal your identity, money, or sell your private credentials for profit. Sometimes, sensitive databases from entire organizations can be exposed in corporate-level data breaches.

Spreading malware to cause disruptions for the sake of it.

If a hacker wants to cause trouble or practice their skills, they might redirect a website’s traffic to malicious sites. Alternatively, they may directly infect a site with concealed malware to be installed on visitor’s computers.

Hijacking your system for malicious activity.

When one machine isn’t enough, hackers enlist an army of unsuspecting devices called a botnet to speed up their efforts. Malware can infiltrate your computer, mobile device, or online accounts for spam phishing, enhanced brute force attacks and more. If you don’t have an antivirus system, you may be more at risk of infection.

Ruining a website’s reputation.

If you run a website and become a target of vandalism, a cybercriminal might decide to infest your site with obscene content. This might include text, images, and audio of a violent, pornographic, or racially offensive nature.

Types of Brute Force Attacks

Each brute force attack can use different methods to uncover your sensitive data. You might be exposed to any of the following popular brute force methods:

Simple Brute Force Attacks

Dictionary Attacks

Hybrid Brute Force Attacks

Reverse Brute Force Attacks

Credential Stuffing

Simple brute force attacks: hackers attempt to logically guess your credentials — completely unassisted from software tools or other means. These can reveal extremely simple passwords and PINs. For example, a password that is set as “guest12345”.

Dictionary attacks: in a standard attack, a hacker chooses a target and runs possible passwords against that username. These are known as dictionary attacks. Dictionary attacks are the most basic tool in brute force attacks. While not necessarily being brute force attacks in themselves, these are often used as an important component for password cracking. Some hackers run through unabridged dictionaries and augment words with special characters and numerals or use special dictionaries of words, but this type of sequential attack is cumbersome.

Hybrid brute force attacks: these hackers blend outside means with their logical guesses to attempt a break-in. A hybrid attack usually mixes dictionary and brute force attacks. These attacks are used to figure out combo passwords that mix common words with random characters. A brute force attack example of this nature would include passwords such as NewYork1993 or Spike1234.

Reverse brute force attacks: just as the name implies, a reverse brute force attack reverses the attack strategy by starting with a known password. Then hackers search millions of usernames until they find a match. Many of these criminals start with leaked passwords that are available online from existing data breaches.

Credential stuffing: if a hacker has a username-password combo that works for one website, they’ll try it in tons of others as well. Since users have been known to reuse login info across many websites, they are the exclusive targets of an attack like this.

Tools Aid Brute Force Attempts

Guessing a password for a particular user or site can take a long time, so hackers have developed tools to do the job faster.

Automated tools help with brute force attacks. These use rapid-fire guessing that is built to create every possible password and attempt to use them. Brute force hacking software can find a single dictionary word password within one second.

Tools like these have workarounds programmed in them to:

Work against many computer protocols (like FTP, MySQL, SMPT, and Telnet)

Allow hackers to crack wireless modems.

Identify weak passwords

Decrypt passwords in encrypted storage.

Translate words into leetspeak — "don'thackme" becomes "d0n7H4cKm3," for example.

Run all possible combinations of characters.

Operate dictionary attacks.

Some tools scan pre-compute rainbow tables for the inputs and outputs of known hash functions. These “hash functions” are the algorithm-based encryption methods used to translate passwords into long, fixed-length series of letters and numerals. In other words, rainbow tables remove the hardest part of brute force attacking to speed up the process.

GPU Speeds Brute Force Attempts

Tons of computer brainpower is needed to run brute force password software. Unfortunately, hackers have worked out hardware solutions to make this part of the job a lot easier.

Combining the CPU and graphics processing unit (GPU) accelerates computing power. By adding the thousands of computing cores in the GPU for processing, this enables the system to handle multiple tasks at once. GPU processing is used for analytics, engineering, and other computing-intensive applications. Hackers using this method can crack passwords about 250 times faster than a CPU alone.

So, how long would it take to crack a password? To put it in perspective, a six-character password that includes numbers has approximately 2 billion possible combinations. Cracking it with a powerful CPU that tries 30 passwords per second takes more than two years. Adding a single, powerful GPU card lets the same computer test 7,100 passwords per second and crack the password in 3.5 days.

Steps to Protect Passwords for Professionals

To keep yourself and your network safe, you'll want to take your precautions and help others do so as well. User behavior and network security systems will both need reinforcement.

For IT specialists and users alike, you’ll want to take a few general pieces of advice to heart:

Use an advanced username and password. Protect yourself with credentials that are stronger than admin and password1234 to keep out these attackers. The stronger this combination is, the harder it will be for anyone to penetrate it.

Remove any unused accounts with high-level permissions. These are the cyber equivalent of doors with weak locks that make breaking in easy. Unmaintained accounts are a vulnerability you can’t risk. Throw them away as soon as possible.

Once you’ve got the basics down, you’ll want to bolster your security and get users on board.

We’ll begin with what you can do on the backend, then give tips to support safe habits.

Passive Backend Protections for Passwords

High encryption rates: to make it harder for brute force attacks to succeed, system administrators should ensure that passwords for their systems are encrypted with the highest encryption rates possible, such as 256-bit encryption. The more bits in the encryption scheme, the harder the password is to crack.

Salt the hash: administrators should also randomize password hashes by adding a random string of letters and numbers (called salt) to the password itself. This string should be stored in a separate database and retrieved and added to the password before it's hashed. By salting the hash, users with the same password have different hashes.

Two-factor authentication (2FA): additionally, administrators can require two-step authentication and install an intrusion detection system that detects brute force attacks. This requires users to follow-up a login attempt with a second factor, like a physical USB key or fingerprint biometrics scan.

Limit number of login re-tries: limiting the number of attempts also reduces susceptibility to brute-force attacks. For example, allowing three attempts to enter the correct password before locking out the user for several minutes can cause significant delays and cause hackers to move on to easier targets.

Account lockdown after excessive login attempts: if a hacker can endlessly keep retrying passwords even after a temporary lockout, they can return to try again. Locking the account and requiring the user to contact IT for an unlock will deter this activity. Short lockout timers are more convenient for users, but convenience can be a vulnerability. To balance this, you might consider using the long-term lockdown if there are excessive failed logins after the short one.

Throttle rate of repeated logins: you can further slow an attacker’s efforts by creating space between each single login attempt. Once a login fails, a timer can deny login until a short amount of time has passed. This will leave lag-time for your real-time monitoring team to spot and work on stopping this threat. Some hackers might stop trying if the wait is not worth it.

Required Captcha after repeated login attempts: manual verification does stop robots from brute-forcing their way into your data. Captcha comes in many types, including retyping the text in an image, checking a checkbox, or identifying objects in pictures. Regardless of what you use, you can use this before the first login and after each failed attempt to protect further.

Use an IP blacklist to block known attackers. Be sure that this list is constantly updated by those who manage it.

Active IT Support Protections for Passwords

Password education: user behavior is essential to password security. Educate users on safe practices and tools to help them keep track of their passwords. Services like Kaspersky Password Manager allow users to save their complex, hard-to-remember passwords in an encrypted “vault” instead of unsafely writing them down on sticky notes. Since users tend to compromise their safety for the sake of convenience, be sure to help them put convenient tools in their hands that will keep them safe.

Watch accounts in real-time for strange activity: Odd login locations, excessive login attempts etc. Work to find trends in unusual activity and take measures to block any potential attackers in real-time. Look out for IP address blocks, account lockdown, and contact users to determine if account activity is legitimate (if it looks suspicious).

How Users Can Strengthen Passwords Against Brute Force Attacks

As a user, you can do a lot to support your protection in the digital world. The best defense against password attacks is ensuring that your passwords are as strong as they can be.

Brute force attacks rely on time to crack your password. So, your goal is to make sure your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile… most hackers will give up and move on.

Here are a few ways you can strength passwords against brute attacks:

Longer passwords with varied character types. When possible, users should choose 10-character passwords that include symbols or numerals. Doing so creates 171.3 quintillion (1.71 x 1020) possibilities. Using a GPU processor that tries 10.3 billion hashes per second, cracking the password would take approximately 526 years. Although, a supercomputer could crack it within a few weeks. By this logic, including more characters makes your password even harder to solve.

Elaborate passphrases. Not all sites accept such long passwords, which means you should choose complex passphrases rather than single words. Dictionary attacks are built specifically for single word phrases and make a breach nearly effortless. Passphrases — passwords composed of multiple words or segments — should be sprinkled with extra characters and special character types.

Create rules for building your passwords. The best passwords are those you can remember but won’t make sense to anyone else reading them. When taking the passphrase route, consider using truncated words, like replacing “wood” with “wd” to create a string that makes sense only to you. Other examples might include dropping vowels or using only the first two letters of each word.

Stay away from frequently used passwords. It's important to avoid the most common passwords and to change them frequently.

Use unique passwords for every site you use. To avoid being a victim of credential stuffing, you should never reuse a password. If you want to take your security up a notch, use a different username for every site as well. You can keep other accounts from getting compromised if one of yours is breached.

Use a password manager. Installing a password manager automates creating and keeping track of your online login info. These allow you to access all your accounts by first logging into the password manager. You can then create extremely long and complex passwords for all the sites you visit, store them safely, and you only have to remember the one master password.

 DIRB

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response. DIRB main purpose is to help in professional web application auditing.

The tool “Dirb” is in built in kali Linux therefore Open the terminal and type following command to start brute force directory attack.

Dirb http://192.168.1.5/dvwa

DirBuster

 DirBuster is a multi-threaded java application designed to brute force directories and files names on web/application servers. DirBuster comes with total of 9 different lists; this makes DirBuster extremely effective at finding those hidden files and directories.

Similarly open the terminal and type Dirbuster, then enter the target URL as shown in below image and browse /usr/share/dirbuster/wordlis/ directory-list-2-3-medium.txtfor brute force attack.

Select option dir to start with /dvwa, once you have configured the tool for attack click onstart.

Wfuzz

 Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

 wfuzz -c -W /usr/share/wfuzz/wordlist/dir/common.txt –hc 400,404,403http://192.168.1.5/dvwa/FUZZ

 Here option –c is use for output with color; -W for wordlist; –hc for hide responses with the specified code/lines/words/chars. It is also in-built in your kali Linux.

Metasploit

 HTTP Directory Scanner

This module identifies the existence of interesting directories in a given directory path.

use auxiliary/scanner/http/dir_scanner   

 msf auxiliary(dir_scanner) >set  /usr/share/wfuzz/wordlist/dirb/common.txt

msf auxiliary(dir_scanner) >set rhosts 192.168.1.5

msf auxiliary(dir_scanner) > set path /dvwa

msf auxiliary(dir_scanner) >exploit

Dirsearch

 Dirsearch is a simple command line tool designed to brute force directories and files in websites. This tool is available at github you can download it from here and after installation in your kali Linux type following to start dirsearch. 

./dirsearch.py –u http://192.18.1.5/dvwa -e php -f -x 400,403,404

 Here option –e is use for generating one entry for php extension; -x hide responses with the specified code/lines/words/chars.

12 password-cracking techniques used by hackers:

1. Phishing

Perhaps the most commonly-used hacking technique today, phishing is the practice of attempting to steal user information by disguising malicious content as a trustworthy communication. Although the term is generally associated with email, and there are terms to describe other mediums - such as ‘smishing’ (SMS phishing) - phishing can occur across any type of electronic communication.

The typical tactic is to trick a user into clicking on an embedded link or downloading an attachment. Instead of being directed to a helpful resource, a malicious file is downloaded and executed on the user’s machine. What happens next depends entirely on the malware being executed – some may encrypt files and prevent the user from accessing the machine, while others may attempt to stay hidden in order to act as a backdoor for other malware.

The best passwords are the ones you can't remember

If not passwords then what?

As computer literacy has improved over the years, and as users have grown accustomed to online threats, phishing techniques have had to become more sophisticated. Today’s phishing usually involves some form of social engineering, where the message will appear to have been sent from a legitimate, often well-known company, informing their customers that they need to take action of some kind. Netflix, Amazon, and Facebook are often used for this purpose, as it’s highly likely that the victim will have an account associated with these brands.

2. Social engineering

Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.

Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.

3. Malware

malware

Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialised malware families that target passwords specifically.

Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.

5. Dictionary attack

Sticky notes on a monitor displaying assorted passwords

The dictionary attack is a slightly more sophisticated example of a brute force attack.

This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.

This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.

6. Mask attack

Abstract image of glowing binary in red and blue

Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.

For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.

The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.

7. Rainbow table attack

Image of a rainbow arching across a blue sky

Whenever a password is stored on a system, it’s typically encrypted using a ‘hash’, or a cryptographic alias, making it impossible to determine the original password without the corresponding hash. In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system (used in brute force attacks).

8. Network analysers

Abstract image of a network of interconnected points on a black background

Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.

Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of the first phase of an attack, followed up with brute force attacks.

Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyser, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.

The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.

9. Spidering

Spidering deploys very similar techniques to those used in social engineering and phishing attacks. Generally, it requires far more leg work on the part of the hacker, but also significantly increases the likelihood that an attack will be successful.

Advertisement

Spidering describes the process of a hacker getting to know their target, to the extent that they’re able to get credentials based on their activity. For example, many organisations run internal services with passwords that relate to their business in some way, mainly because this makes it easier to remember for employees.

If a hacker knows their target works for a particular company, they may take steps to try and access internal Wi-Fi networks or employee handbooks to further their understanding. They may also study the products that business creates in order to build a list of possible word combinations, which can be used later in a brute force attack.

Like many entries on this list, this process is usually underpinned by automation.

10. Offline cracking

Ethernet cable disconnected from the back of a router

It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.

Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.

Of course, this can only be done once an initial attack has been successfully launched, whether that's a hacker gaining elevated privileges and accessing a database, by using a SQL injection attack, or by stumbling upon an unprotected server.

11. Shoulder surfing

You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2020.

Brazen examples of this include hackers disguising themselves in order to gain access to company sites and, quite literally, look over the shoulders of employees to grab sensitive documents and passwords. Smaller businesses are perhaps most at risk of this, given that they’re unable to police their sites as effectively as a larger organisation.

Security experts recently warned of a vulnerability in the authentication process used by WhatsApp. Users trying to use WhatsApp on a new device must first enter a unique code that's sent via a text message, which can be used to restore a user's account and chat history from a backup. It was found that if a hacker was able to obtain a user's phone number, they are able to download the app to a clean device and issue a prompt for a new code, which, if they are in spying distance, they could copy as it arrives on the user's own device.

12. Guess

Image of a man thinking in front of a board filled with abstract ideas

If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.

The best way to remove this as a potential avenue for criminals is to maintain password hygiene and make use of password managers, many of which are free.