What Is A Brute Force Attack?

    Brute force attacks, a growing problem, attempt to gain access to user accounts by trying many possible username and password combinations until one works.
    Brute Force Attack Introduction

    While it may sound crude and unsophisticated, brute force hacking is among the most common types of cybersecurity breaches, and cybercriminals employ this simple attack on a regular basis. At its core, a brute force attack involves “guessing” the username and password of a user to access sensitive accounts and networks. However, its high success rate is attributed less to human guesswork and more to automated bots that can try large numbers of combinations quickly until the right one is found.

    But how do brute force attacks work, and how can you and your organization recognize and prevent them? Here, we explore those questions and more.


    Brute Force Attack Definition

    As one of the earliest hacking methods, brute force cyberattacks have always targeted individuals with weak username and password combinations. In the earliest examples, this was achieved with simple human guesswork and deduction, often leveraging personal information already known about the target to gain access to accounts and networks.

    For example, cybercriminals often prey upon weak passwords (1234, password, etc.) and common usernames that can readily be associated with publicly available information about the user (pet name, mother’s name, birthdays, etc.). Once one account is compromised, cybercriminals also exploit the lazy security habit of using the same password across multiple sites or accounts.

    Today, however, cybercriminals using brute force techniques have access to increasingly sophisticated bots, readily available lists of commonly used credentials, and even real user credentials gathered in previous breaches. These brute force attack tools and resources let cybercriminals test many combinations until the correct login information is found, or give them instant access to accounts whose passwords and usernames were not changed after a security breach.

    In all of the above cases, cybercriminals will attempt to steal more information, infect sites and networks with malware, and/or disrupt business. In some cases, a brute force attack is almost instant; in others, the attack may extend over many days as a bot tries to crack the code. Either way, a successful attack means the same thing: unauthorized access to sensitive data and networks.

    Different Types of Brute Force Attacks

    A wide range of brute force attack variants is well known to cybersecurity professionals. Because this attack is less labor-intensive than other types, new methods are constantly evolving. Some of the most common brute force attack examples include:

    Simple Brute Force Attack

    The simplest type of brute force attack is where cybercriminals attempt to guess a user’s login credentials manually. While this may sound next to impossible, the fact that many users still rely on weak passwords and common usernames means cybercriminals can still find success, with minimal research required to gain access to personal accounts and organizational networks.

    Dictionary Attack

    Another simple brute force method is the dictionary attack. Cybercriminals run through dictionaries, modifying the words as they go, to find the correct password tied to a targeted username. These techniques are not strictly unique to brute force attacks but form part of the toolset cybercriminals use to crack weak passwords.

    Credential Stuffing

    Sticking with the theme of weak username and password combinations, credential stuffing preys upon users who reuse the same credentials across multiple sites or apps. Having already stolen credentials from other breaches, cybercriminals test the same combinations on various accounts. It succeeds when users rely on identical or similar passwords for many or all of their logins.

    Hybrid Brute Force Attack

    Combining simple brute force attacks with the dictionary attack, hybrid brute force hacks usually begin with cybercriminals already knowing a specific username. They then use both guesswork and dictionary techniques to discover a password that may be a combination of known words plus characters, letters, and numbers.

    Reverse Brute Force Attack

    Beginning this time with a known or common password, reverse brute force attacks see cybercriminals attempt to tie that password to specific usernames by searching large databases. For example, a weak password may easily be tied to many known usernames, giving the attacker plenty of options to work with.
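    The variants above leave different footprints in an authentication log, and the following Python sketch, added here as an example rather than code from the original article or from Mimecast, shows how a defender can tell them apart: one source hammering a single username looks like a simple or dictionary attack, while one source cycling through many usernames (especially with a success at the end) looks like credential stuffing or a reverse brute force attack. The log format, addresses, window, and threshold are constructed assumptions.

```python
# Added example (not Mimecast code); log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:02 203.0.113.5 alice FAIL
2024-01-01T10:00:03 203.0.113.5 alice FAIL
2024-01-01T10:00:04 203.0.113.5 alice FAIL
2024-01-01T10:00:05 203.0.113.5 alice FAIL
2024-01-01T10:01:00 198.51.100.9 bob FAIL
2024-01-01T10:01:01 198.51.100.9 carol FAIL
2024-01-01T10:01:02 198.51.100.9 dave FAIL
2024-01-01T10:01:03 198.51.100.9 erin FAIL
2024-01-01T10:01:04 198.51.100.9 frank FAIL
2024-01-01T10:01:05 198.51.100.9 grace OK
2024-01-01T10:05:00 192.0.2.77 alice OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def classify_sources(log, window=timedelta(minutes=5), threshold=5):
    """Map source IP -> label for every source with >= threshold failures
    inside one sliding window; sources below the threshold are not reported."""
    per_ip = defaultdict(list)                # ip -> [(ts, user, result)]
    for ts, ip, user, result in parse(log):
        per_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in per_ip.items():
        fails = [(ts, user) for ts, user, r in events if r == "FAIL"]
        for start, _ in fails:
            burst = [u for ts, u in fails if start <= ts <= start + window]
            if len(burst) < threshold:
                continue
            users = set(burst)
            if len(users) == 1:               # one account, many passwords
                label = f"brute force against {users.pop()}"
            else:                             # one source, many accounts
                label = f"credential stuffing across {len(users)} accounts"
            if any(r == "OK" for ts, _, r in events if ts > start):
                label += " (followed by successful login)"
            findings[ip] = label
            break
    return findings
```

    A success that follows a burst of failures from the same source is the case worth alerting on first, since it means a guessed or stuffed credential actually worked.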

    Different Types of Brute Force Attack Tools

    Known brute force attack tools include:

    • THC-Hydra – An open-source tool, THC-Hydra runs through numerous password combinations using either simple brute force or dictionary techniques. In constant development, it can attack multiple operating systems and more than 50 protocols.
    • Aircrack-ng – This suite of tools assesses the security of Wi-Fi networks and exports captured data, which can then be used to create fake access points where credentials are gathered.
    • John the Ripper – Another open-source brute force tool, John the Ripper is a password recovery tool that supports cracking hundreds of password types. It typically targets user passwords for macOS, Unix, and Windows, with generic support for encrypted private keys and document files, database servers, web applications, and network traffic.

    Brute Force Attack Examples

    Many high-profile brute force examples have made the news, and many more have likely been covered up by large organizations. Some of the most well-known attacks include:

    • 2009 — Cybercriminals used automated password-cracking scripts on Yahoo accounts.
    • 2015 — Brute force attackers breached almost 20,000 Dunkin Donuts accounts.
    • 2017 — Cybercriminals used brute force to access the internal networks of the UK and Scottish Parliaments.
    • 2018 — A Firefox bug exposed master passwords to brute force attacks.
    • 2021 — Cybercriminals gained access to T-Mobile testing networks and used brute force techniques to access other IT servers.

    How to Prevent Brute Force Attacks

    Preventing brute force attacks within an organization is largely the responsibility of individual users. However, cybersecurity teams can also define best practices that help. From both perspectives, the following tips can prevent or slow down brute force attacks so that cybersecurity teams have time to identify and remedy any issues.

    For Users:

    • Never derive passwords or usernames from information that is publicly available online.
    • Make passwords as long as possible, using as many different characters as you can.
    • Use a combination of letters (caps and lower case), numbers, and symbols for passwords.
    • Use different credentials for each account login.
    • Don’t use common patterns or popular combinations.

    For Admins:

    • Ensure users on the network follow the above advice to create strong passwords.
    • Implement lockout policies that lock accounts after several failed login attempts.
    • Implement progressive delays on logins that lock accounts for short periods after each failed attempt. This helps slow down mass brute force attacks.
    • Use CAPTCHA tools to stop bots from mounting mass brute force attacks.
    • Implement two-factor authentication on accounts that are particularly vulnerable to cybercriminals.
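    The lockout and progressive-delay policies above, implemented as an added example (not Mimecast’s code): each failed attempt doubles the wait before the next one is accepted, and the fifth failure locks the account for 15 minutes, during which even the correct password is refused. The threshold values and the sample account are assumptions.

```python
# Added example for this article (not Mimecast code): progressive delay plus
# lockout for a login endpoint. Thresholds and the sample account are assumptions.
LOCKOUT_AFTER = 5          # failures before the account locks
LOCKOUT_SECONDS = 900      # 15-minute lockout
BASE_DELAY = 2             # wait doubles after each failure: 2, 4, 8, 16 s
MAX_DELAY = 60

class LoginThrottle:
    def __init__(self, check_password):
        self.check_password = check_password   # callable(user, pw) -> bool
        self.state = {}                        # user -> (failures, next_allowed)

    def attempt(self, user, password, now):
        """Return (status, wait_seconds); status is ok, denied, wait or locked."""
        failures, next_allowed = self.state.get(user, (0, 0.0))
        if now < next_allowed:                 # still inside a delay or lockout
            status = "locked" if failures >= LOCKOUT_AFTER else "wait"
            return status, next_allowed - now
        if self.check_password(user, password):
            self.state.pop(user, None)         # success clears the counter
            return "ok", 0
        failures += 1
        if failures >= LOCKOUT_AFTER:
            wait, status = LOCKOUT_SECONDS, "locked"
        else:
            wait, status = min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY), "denied"
        self.state[user] = (failures, now + wait)
        return status, wait

def simulate():
    """Constructed guessing sequence against one account; returns the statuses."""
    users = {"alice": "correct horse battery staple"}
    throttle = LoginThrottle(lambda u, p: users.get(u) == p)
    statuses, now = [], 0.0
    for guess in ["123456", "password", "qwerty", "letmein", "admin"]:
        status, wait = throttle.attempt("alice", guess, now)
        statuses.append(status)
        if status != "locked":
            now += wait + 1                    # guesser waits out the delay
    # the right password is refused while the lockout is active ...
    statuses.append(throttle.attempt("alice", users["alice"], now + 1)[0])
    # ... and accepted once it has expired
    statuses.append(throttle.attempt("alice", users["alice"], now + LOCKOUT_SECONDS + 1)[0])
    return statuses
```

    A real deployment would keep the counter in shared storage rather than process memory and pair this per-account throttle with per-source limits, since a lockout policy alone can be turned into a denial of service against legitimate users.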

    Additionally, cybersecurity teams may wish to implement encryption measures on the most sensitive data, making it significantly more difficult for cybercriminals to access, even if they manage to breach the network.

    Conclusion: Brute Force Attack

    Prevention is always the best defense, so take steps now to secure your systems against brute force attack techniques.

    Learn more about Mimecast’s solutions for brute force attack detection and prevention.
