Thursday, September 1, 2011

The Art of Brute Forcing

Introduction
If you are new to brute forcing, then this article is for you. Even if you already have a pretty good understanding of brute forcing, some of this may still be new to you. A couple of articles on brute forcing have been released before. One was extremely long, which would more than likely confuse the reader rather than help them. You will notice Global Brute Forcer and FTP Brute Forcer on my site and may have no idea what the names mean. You might know what they do, steal passwords, but not understand the whole theory and history of brute forcing, so let's get started.
Brute Forcing's Past
Now, I am no expert on the history of brute forcing, but I know what it has been used for, even before computers. People were guessing other people's information long ago, trying various pieces of information over and over again until they hit the mark, which is a brute force method in computer terms. Many government agencies whose main goal is to decrypt and decipher coded passwords use brute force as one of their approaches. Given that they probably have supercomputers, or at least very powerful machines, doing their dirty work, decrypting a password would not take long, depending on the strength of its encryption. Brute force is so powerful, yet people always say things like "brute force is weak," as if you are some computer god who can snap your fingers and it's done. Well, I hate to break it to you, but brute forcing is one of the first methods used for getting passwords, whether for Windows or Unix/Linux accounts or for a service that requires authentication such as FTP, SMB, SMTP, etc., and often the best approach is a brute force attack.
Methods of Brute Force
There are various methods of brute forcing out there. It is not limited to trying all possible character combinations. A lot of people think that dictionary attacks are not brute forcing. They are wrong; dictionary attacks are not categorized as a separate attack. The whole idea came from brute force, therefore it belongs in that category. Think about it: you are loading a list of words and attempting each word as the password to the user account. You would be doing the same thing with all possible character combinations, just taking a faster approach by trying the commonly known passwords before really going all out. The method is a time-consuming process, depending on how strong the password you are trying to steal is. If you are really set on getting a password, chances are you could be waiting years to get it. The account would obviously have changed somehow over time, if you are ever successful in getting it, which I will not say you ever will be.
Attacking with the brute force method over the internet really takes some skill. No, it does not take skill if the password was just something like 1234; it must go beyond this. You must analyze your target and do some research on them. Sometimes you end up being able to guess their passwords, or you make up your own custom dictionary lists from what you learned about the person and run those. In some cases, the password has to do with their username, family, or even pieces from their web site. In other cases the password requires trying all possible character combinations. Doing this type of attack online is not really a good idea, considering that it would take years to complete, and with so many requests the server would eventually kick you off.
Brute forcing can go beyond just password guessing. You can use brute force for many other goodies. For instance, you want some valid accounts on a server? Simple: use brute force methods to try various usernames over and over again, looking for the strings the server sends back to determine whether the username is valid. I added this option to Global Brute Force; if you know how to write a definition file, adding the information needed to use Account Scanner should not be hard. Maybe you want to discover the various folders on people's web sites, as Discover does? Use the brute force attack method. Load a dictionary list, start scanning the domains, and all sorts of goodies you never knew about could be popping up all over the place. So, brute forcing is a great method in the security world and is a must to understand.
I will now provide you with some examples of the brute force process; maybe it will help you understand better, maybe not. The format used is like connecting to FTP through the URL bar (ftp://username:password@server.com), so it goes Username:Password.
These examples show the way it works against a server, whether it is HTTP, FTP, or even SMB. The same principle can be used against whatever you are targeting, not just servers.
Dictionary Attacks
The passwords are read from the file C:\WordList.txt, as shown in the brackets.
Connection to Server => Authentication Login => Sends Required Strings => Username:Sackface(C:\WordList.txt)
Connection to Server => Authentication Login => Sends Required Strings => Username:Sammy(C:\WordList.txt)
Connection to Server => Authentication Login => Sends Required Strings => Username:Susan(C:\WordList.txt)
Connection to Server => Authentication Login => Sends Required Strings => Username:Suicide(C:\WordList.txt)
Server's Response => If Invalid Password => Brute Force loops to next password
Server's Response => If Valid Password => Brute Force method stops, and logs found passwords.
All Possible Character Combinations
This method works about the same, but uses all possible character combinations.
Connection to Server => Authentication Login => Sends Required Strings => Username:aaaa
Connection to Server => Authentication Login => Sends Required Strings => Username:aaab
Connection to Server => Authentication Login => Sends Required Strings => Username:aaac
Connection to Server => Authentication Login => Sends Required Strings => Username:aaad
Server's Response => If Invalid Password => Brute Force loops to next password
Server's Response => If Valid Password => Brute Force method stops, and logs found passwords.
It will continuously try all possible character combinations for the password, as seen above, starting from aaaa. Generating all of them would take quite a long time, considering every possible character, including all ASCII characters.
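To put numbers on "quite a long time", here is an added example in Python; it is not code from the article or from the Global Brute Forcer tools. It walks candidates in the same aaaa, aaab, aaac order shown in the trace (using itertools.product), counts how many candidates each password policy allows, and works out the worst-case time to exhaust them. The guess rates (10 per second against a live login over the network, a billion per second for offline cracking) are assumptions chosen for illustration.

```python
"""Added example: how fast the search space grows for exhaustive
(all-character-combination) password guessing. Not code from the article."""
from itertools import islice, product
from string import ascii_letters, ascii_lowercase, digits, punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabets a brute forcer might walk. PRINTABLE is the 95 printable
# ASCII characters (letters, digits, punctuation and space).
LOWER = ascii_lowercase                                 # 26 characters
ALNUM = ascii_letters + digits                          # 62 characters
PRINTABLE = ascii_letters + digits + punctuation + " "  # 95 characters


def candidates(alphabet, length):
    """Yield every string of exactly `length` characters over `alphabet`,
    in the order the article's trace shows (aaaa, aaab, aaac, ...)."""
    for combo in product(alphabet, repeat=length):
        yield "".join(combo)


def first_candidates(alphabet, length, n):
    """The first n candidates, as a list (handy for checking the order)."""
    return list(islice(candidates(alphabet, length), n))


def keyspace(alphabet_size, length):
    """Number of candidates of exactly this length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length):
    """Number of candidates of every length from 1 to max_length, which is
    what a brute forcer that starts short and grows has to get through."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(alphabet_size, max_length, guesses_per_second):
    """Worst-case years to try every candidate up to max_length at the
    given guess rate."""
    seconds = keyspace_up_to(alphabet_size, max_length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare_policies(guesses_per_second):
    """Return (label, candidates, years) for several password policies so
    the article's advice (length in the teens or twenties, mixed characters)
    can be weighed against short lowercase passwords."""
    policies = [
        ("4 lowercase", len(LOWER), 4),
        ("8 lowercase", len(LOWER), 8),
        ("8 letters+digits", len(ALNUM), 8),
        ("12 printable ASCII", len(PRINTABLE), 12),
        ("20 printable ASCII", len(PRINTABLE), 20),
    ]
    return [
        (label, keyspace_up_to(size, n), years_to_exhaust(size, n, guesses_per_second))
        for label, size, n in policies
    ]


if __name__ == "__main__":
    print(first_candidates(LOWER, 4, 4))
    # Assumed rates: 10/s for guessing against a live login over the
    # network, 10**9/s for offline cracking of a captured hash.
    for rate in (10, 10**9):
        print(f"at {rate:,} guesses/second:")
        for label, size, years in compare_policies(rate):
            print(f"  {label:<20} {size:.3e} candidates  {years:.3e} years worst case")
```

The table makes the article's point concrete: four lowercase characters fall in hours even at ten guesses a second, while twenty printable-ASCII characters stay out of reach by a factor of many orders of magnitude even at a billion guesses a second.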
How Can I protect myself or my servers from this?
There are a few methods you can use to protect yourself and your servers. Use long passwords, in the teens or twenties, containing no words, just numbers, letters and ASCII characters. This will be one of the hardest passwords to guess, considering it would take years to reach such a lengthy password and generate all of those characters. Also, never publish on your site the real e-mail address that you register accounts with; it could prove useful to others trying to enumerate information about you. Now, if you are hosting a server and are afraid of brute force attacks being used against it, there are some things you can do to stop them. I would recommend an account-block method: if someone is guessing the password over and over, simply have the account disable itself, so that no matter which IP address hits the account, it will be locked for your protection. If you are experiencing brute force attacks from one particular IP address, then create a banning system. If a user from a specific IP address is attempting hundreds or even thousands of passwords against a certain account, have it completely ban their IP address. You can either ban them for good, or just for a day or two. A good way to stop brute forcers is to use some type of encrypted login, such as HTTPS, which shows only encrypted text to anyone sniffing the login traffic to build a brute force attack from. Sometimes using a person's e-mail address as the login can prove more effective, since it is so much harder to "guess" than a simple username such as Administrator or anything of that nature. I have seen logins that, even once you have the password to the account, require further steps before actually entering, such as asking for your secret questions or even a social security number. This proves to be very effective also. NEVER use passwords that relate to your phone number, credit card number, SSN, or anything of that type.
That should help you prevent most brute forcers from being successful.
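As an added example, not code from the article or from the Global Brute Forcer tools, here is the account-lock and IP-ban scheme described above written in Python for a login endpoint. The thresholds (five failures lock an account, fifty failures ban an address), the ten-minute sliding window, the lock and ban durations, and the `verify` hook standing in for the application's real credential check are all assumptions chosen for illustration.

```python
"""Added example: account lockout plus per-IP banning for a login
endpoint, as the article recommends. Not code from the article; the
thresholds and durations are assumptions chosen for illustration."""
from collections import defaultdict, deque


class LoginGuard:
    """Failure counters per account and per source IP.

    - An account locks for `lock_seconds` once it has seen
      `max_account_failures` failures within `window` seconds, no matter
      which IP addresses produced them.
    - An IP is banned for `ban_seconds` once it has produced
      `max_ip_failures` failures within `window` seconds, no matter which
      accounts it tried.
    Time is passed in explicitly (seconds since the epoch) so the logic is
    deterministic and testable."""

    def __init__(self, max_account_failures=5, max_ip_failures=50,
                 window=600, lock_seconds=900, ban_seconds=2 * 86400):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.ban_seconds = ban_seconds
        self._account_failures = defaultdict(deque)  # user -> failure times
        self._ip_failures = defaultdict(deque)       # ip -> failure times
        self._locked_until = {}                      # user -> unlock time
        self._banned_until = {}                      # ip -> unban time

    def _recent(self, queue, now):
        """Drop failures older than the sliding window and return the queue."""
        while queue and queue[0] <= now - self.window:
            queue.popleft()
        return queue

    def check(self, ip, user, now):
        """Call before verifying the password. Returns (allowed, reason)."""
        if self._banned_until.get(ip, 0) > now:
            return False, "ip banned"
        if self._locked_until.get(user, 0) > now:
            return False, "account locked"
        return True, "ok"

    def record_failure(self, ip, user, now):
        """Count a failed attempt; apply the lock or ban if a threshold is hit."""
        acct = self._recent(self._account_failures[user], now)
        acct.append(now)
        if len(acct) >= self.max_account_failures:
            self._locked_until[user] = now + self.lock_seconds
            acct.clear()
        src = self._recent(self._ip_failures[ip], now)
        src.append(now)
        if len(src) >= self.max_ip_failures:
            self._banned_until[ip] = now + self.ban_seconds
            src.clear()

    def record_success(self, user):
        """A correct password clears the account's failure history."""
        self._account_failures.pop(user, None)


def login(guard, ip, user, password, now, verify):
    """Wrap a credential check with the guard. `verify(user, password)` is a
    placeholder for the application's own password check. The caller gets
    the same plain False whether the account is locked, the IP is banned,
    or the password is wrong, so the lockout itself does not become the
    kind of response difference an account scanner keys on."""
    allowed, _reason = guard.check(ip, user, now)
    if not allowed:
        return False
    if verify(user, password):
        guard.record_success(user)
        return True
    guard.record_failure(ip, user, now)
    return False


if __name__ == "__main__":
    # Constructed demo: one attacker hammering "admin" from many addresses.
    guard = LoginGuard()
    creds = {"admin": "correct-horse-battery-staple"}  # constructed
    verify = lambda u, p: creds.get(u) == p
    for t in range(6):
        print(t, login(guard, f"10.0.0.{t}", "admin", "guess", t, verify))
    print("locked?", guard.check("10.0.0.99", "admin", 7))
```

The `_reason` from `check` is meant for the server's own log, not the client; logging it alongside the source address is what lets you spot the single-IP pattern the article describes and decide whether a day's ban or a permanent one is warranted.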
Conclusion
This may have been a shorter article, but it gets to the point of brute forcing. You should now have a solid understanding of how it works, what it is used for, and more. If anyone asked me for suggestions on brute forcing, I would simply tell them to know their target. At least take the time to enumerate information and do some social engineering that could possibly lead to the password. If you wish, you can jump right in and start attacking with brute force methods. Just remember that it could be time consuming, but then again, either way could leave you in the dumps! Just please, before you go dissing brute force, realize how important it is for security assessment scanning. If you could not have figured out for yourself how important it is, I really hope you are a newbie or just learning.
