What is a Brute Force Attack?

A brute force attack is a method in IT security where all possible combinations are systematically tried to crack login credentials such as passwords, or to recover encryption keys. The name "brute force" refers to the simple but effective approach of repeatedly trying every possibility.

How does a brute force attack work?

In a brute force attack, all conceivable combinations of characters are tried automatically until the correct one is found. This is usually done with special software and powerful hardware. The longer and more complex the password, the more time and computing power are needed. Large server farms or even GPU clusters are often used to accelerate the calculations; the latter is primarily the case when trying to crack the encryption of a file or a stored password hash.

Sequence of a typical brute force attack

  1. Identify target:
    The attacker selects a target, e.g., a login area or an encrypted file.
  2. Deploy attack software:
    Special tools like Hydra or John the Ripper are started.
  3. Generate combinations:
    The tool systematically generates all possible character combinations.
  4. Automated testing:
    Each combination is tried on the target system until a hit is achieved.

What types of brute force attacks exist?

There are different variants of brute force attacks that differ in their approach and efficiency. The choice of method often depends on the target and available information.

Common variants

  1. Simple brute force attack:
    All possible combinations are tried without prior knowledge.
  2. Dictionary attack:
    Uses a list of common passwords instead of random combinations.
  3. Hybrid attack:
    Combines dictionary attack with random characters.
  4. Rainbow table attack:
    Uses pre-calculated tables of password hashes.

Specifically in the context of web and API security, we want to add two further types that are rarely mentioned. Both can be well automated and carried out on a large scale. The Argos Security Platform offers this possibility as part of monitoring the external attack surface, for example.

  1. Credential Stuffing:
    Uses a list of usernames and passwords from other data leaks to gain access to accounts.
  2. Dynamic attacks:
    Uses a list of passwords generated per target and known usernames to gain access to accounts. Background knowledge about the target is needed here.

Can you protect against brute force attacks?

You can't prevent them completely, but you can make it difficult for attackers by taking certain measures.

Protection measures for users

  1. Complex passwords:
    Use long passwords with upper/lowercase letters, numbers, and special characters.
  2. Unique passwords:
    Use a different password for each service.
  3. Two-factor authentication:
    Activate an additional security layer through a second factor.
  4. Multi-factor authentication:
    Or even better - switch directly to MFA instead of 2FA!
  5. Password manager:
    Secure management of complex passwords with special software.

Measures for system operators

  1. Access restrictions:
    Limiting login attempts and temporary blocking after failed attempts.
  2. CAPTCHA:
    Use of CAPTCHAs to distinguish between human and machine.
  3. Delays:
    Artificial slowing down of login processes after failed attempts.
  4. Secure hashing methods:
    Use of modern algorithms for password storage.
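The following Python example, added here and not part of the original article, shows how the operator measures above fit together: passwords stored with a memory-hard KDF (scrypt from the standard library), an artificial delay that doubles after every consecutive failure, and a temporary lockout once the failure limit is reached. The names LoginGuard, hash_password, verify_password and the constants MAX_FAILURES, BASE_DELAY and LOCKOUT_SECONDS are assumptions chosen for the example; the clock is injectable so the logic can be exercised without real waiting.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # assumed policy: temporary lockout after this many consecutive failures
BASE_DELAY = 1.0          # assumed policy: seconds of delay after the first failure, doubled per failure
LOCKOUT_SECONDS = 900     # assumed policy: length of the temporary block once MAX_FAILURES is reached

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store passwords with a memory-hard KDF (scrypt), never a bare fast hash such as MD5 or SHA-1."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class LoginGuard:
    """Per-account failure counter: growing delay after each failure, lockout after MAX_FAILURES."""
    def __init__(self, clock):
        self.clock = clock        # time source in seconds, e.g. time.monotonic (injected for testing)
        self.state = {}           # username -> (consecutive failures, time of last failure)

    def wait_seconds(self, username: str) -> float:
        """Seconds the caller must still wait before the next attempt on this account (0 = allowed)."""
        failures, last = self.state.get(username, (0, 0.0))
        if failures == 0:
            return 0.0
        if failures >= MAX_FAILURES:
            penalty = LOCKOUT_SECONDS
        else:
            penalty = BASE_DELAY * 2 ** (failures - 1)
        return max(0.0, last + penalty - self.clock())

    def attempt(self, username: str, password: str, salt: bytes, digest: bytes) -> str:
        """Returns 'throttled', 'ok' or 'failed'. The counter only resets on a successful login."""
        if self.wait_seconds(username) > 0:
            return "throttled"    # rejected before the password is even checked
        if verify_password(password, salt, digest):
            self.state.pop(username, None)
            return "ok"
        failures, _ = self.state.get(username, (0, 0.0))
        self.state[username] = (failures + 1, self.clock())
        return "failed"
```

In production the counter would live in shared storage (database or cache) rather than a process-local dict, and a second counter keyed on source IP complements the per-account one against credential stuffing that spreads attempts over many accounts.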

Brute force attacks continue to pose a serious threat. However, with the right protective measures, the risk can be significantly reduced. Regular training and updates of security systems are essential.

What are typical targets for brute force attacks?

It's common to see black hat hackers and APT groups trying to brute-force login credentials for portals and logins. Websites, APIs, and remote desktops are particularly popular targets. Server administrators are also very familiar with the problem - Port 22 (SSH) or Port 21 (FTP) are popular targets for brute force attacks as they provide direct system access when successful. Remote desktops on Port 3389 (RDP) are also popular targets. For websites, Port 80 or 443 (HTTP/HTTPS) are interesting when the HTTP status code 401 (Unauthorized) is returned. Here, attempts are often made to guess the credentials of an area protected via an htaccess file. The interesting thing is that there are often no protection mechanisms at this point, which is why hackers can try many combinations.
