Module 5 – System hacking, Section 5.8 – Brute-force attack
• A brute-force attack is a cryptanalytic attack that tries many passwords or passphrases in order to guess the right one. The attacker checks all possible passwords and passphrases until the correct one is found.
• An attacker resorts to brute force when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier.
Brute-force attack tools
Software that performs brute-force attacks
• Aircrack-ng
• Cain and Abel
• Crack
• DaveGrohl
• Hashcat
• John the Ripper
• L0phtCrack
• Ophcrack
• RainbowCrack
• etc.
Attack preference
• Password guessing - for short and weak passwords
• Dictionary attack - for longer and complex passwords
• Brute force - comes last, for complex, longer passwords/passphrases/keys, which have more possible values, making them exponentially more difficult to crack than shorter ones.
Brute-force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password.
• AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more effort than breaking a 128-bit key. In theory it requires about 3×10^51 years to exhaust the 256-bit key space.
Countermeasures
• Brute-force attacks can be defeated by complicating the data to be encoded, making it more difficult for an attacker.
• Brute-force attacks are an application of brute-force search also known as exhaustive search, the general problem-solving technique of enumerating all candidates and checking each one.
Online attacks: database, web and directory admins can take countermeasures:
– Limiting the number of attempts
– Introduce time delays between successive attempts
– Add CAPTCHA answering requirement
– Add MFA by sending verification code to a mobile phone
– Locking accounts out after unsuccessful logon attempts
– Prevent a particular IP address from making more than a set number of password attempts
Reverse brute-force attack
• In a reverse brute-force attack, a single password is tested against multiple usernames or encrypted files.
• The process is repeated for a select few passwords.
• Mitigation: Reverse brute-force attacks can be mitigated by establishing a password policy that disallows common passwords.
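The online countermeasures listed above (attempt limits, time delays, account lockout and a per-IP cap) can be combined in one login throttle. The following is an added example, not part of the original module; the class name, thresholds and sample attempts are assumptions constructed for illustration. It also shows why a per-account counter alone never trips on a reverse brute-force attack, while the per-IP counter does.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Tracks failed logins per account and per source IP in a sliding window."""
    def __init__(self, max_per_account=5, max_per_ip=10, window=300, base_delay=1.0):
        self.max_per_account = max_per_account  # lockout threshold (assumed value)
        self.max_per_ip = max_per_ip            # per-IP cap across all accounts (assumed)
        self.window = window                    # seconds a failure is remembered
        self.base_delay = base_delay            # first delay; doubles with each failure
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def _recent(self, q, now):
        # Drop failures older than the window, then return how many remain.
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, account, ip, now=None):
        """Call before verifying the password: (allowed, reason, delay_seconds)."""
        now = time.time() if now is None else now
        if self._recent(self.by_ip[ip], now) >= self.max_per_ip:
            return False, "ip_blocked", 0.0
        fails = self._recent(self.by_account[account], now)
        if fails >= self.max_per_account:
            return False, "account_locked", 0.0
        # Time delay between successive attempts: 0, 1, 2, 4, 8 ... seconds.
        delay = self.base_delay * 2 ** (fails - 1) if fails else 0.0
        return True, "ok", delay

    def record_failure(self, account, ip, now=None):
        now = time.time() if now is None else now
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)

    def record_success(self, account):
        self.by_account.pop(account, None)  # reset the account counter only

def replay(throttle, attempts):
    """Feed constructed (time, account, ip) failed attempts; return each decision."""
    out = []
    for t, account, ip in attempts:
        allowed, reason, _ = throttle.check(account, ip, now=t)
        out.append(reason)
        if allowed:
            throttle.record_failure(account, ip, now=t)
    return out
```

A successful login deliberately leaves the per-IP counter untouched, so one valid account cannot be used to reset the cap for a source that is failing against many others.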