
Brute force attacks

I have been running into the term “brute-force attacks” quite a lot during my journey into cybersecurity. Brute-force attacks are used when you want to crack someone’s password to obtain unauthorized access. I understand what they do but I never invested a lot of time in getting a full grasp of how brute-force attacks work. 

The basics of a brute-force attack

During a brute-force attack, you try every possible combination of characters that could make up a password and test each one until you hit the correct password. Every extra character multiplies the number of candidates by the size of the character set, so the time you have to spend grows exponentially with the password's length, and it grows further with every character class (capitals, digits, symbols) the password uses. Summarized, during a brute-force attack you are:

  • Guessing the credentials
  • by trial and error
  • using a username list and a password list
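To make the "every possible combination" part concrete, here is an added example (my own illustration, not code from the original post) of an exhaustive brute-force search against a password hash, together with the keyspace arithmetic behind the "grows exponentially" claim. It assumes the target is stored as an unsalted SHA-256 digest, which is a constructed assumption for the demo; the PIN being recovered is made up.

```python
"""Exhaustive brute force against a password hash (added example)."""
import hashlib
import itertools
import string
from typing import Optional


def sha256_hex(candidate: str) -> str:
    # Assumption for this demo: the target stores unsalted SHA-256 of the
    # password. A real system should use a slow, salted hash (bcrypt, Argon2).
    return hashlib.sha256(candidate.encode()).hexdigest()


def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a character set.

    Each extra position multiplies the work by charset_size, so the search
    grows exponentially with length; a bigger charset raises the base.
    """
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force(target_hash: str, charset: str, max_len: int) -> Optional[str]:
    """Try every string of length 1..max_len over charset, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None  # not in the keyspace we searched


if __name__ == "__main__":
    digits = string.digits
    alnum = string.ascii_letters + string.digits
    print("digits, length <= 4 :", keyspace_size(len(digits), 4))
    print("alnum,  length <= 8 :", keyspace_size(len(alnum), 8))
    # Constructed sample: a 4-digit PIN hashed with SHA-256.
    target = sha256_hex("7359")
    print("recovered:", brute_force(target, digits, 4))
```

A four-digit PIN falls in a fraction of a second; an eight-character alphanumeric password has over 2 x 10^14 candidates, which is why attackers prefer the dictionary and rule-based shortcuts described further down. Note that this kind of exhaustive search only pays off offline, against a stolen hash; against a live login form, rate limiting and account lockout cap the number of guesses long before the keyspace is exhausted.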

With the previous paragraph in mind, I don't have to tell you how important it is to have a long and complex password to withstand a brute-force attack. Time is money: if an attacker is confronted with a strong password that would take years to crack and you are an average Joe (with all respect), it's not worth the effort of spending that time on your password. Unfortunately, a lot of passwords are easy to guess, and most people are not even aware of this.

Dictionary attacks

Passwords seem to be an annoying thing for quite a lot of people: they are a hassle and not worth spending much time on. Passwords get forgotten, so many people want to keep them easy.

In 2012, LinkedIn lost 117 million (!) password hashes; the full scale of that breach only became public in 2016. A hash is the output of a one-way function applied to your readable password: the site stores the hash instead of the password and recomputes it at every login. It is not encryption, since there is no key and nothing to decrypt, but a fast, unsalted hash can still be attacked by guessing candidate passwords, hashing each one and comparing. LinkedIn used unsalted SHA-1, which is why the list was cracked so quickly. From this list it's very easy to obtain the top 10 most common passwords. Not only are the passwords themselves helpful for an attacker, the frequency with which each one is used tells you in which order to try them during a quick attack. The top 10 passwords people had when LinkedIn was hacked:

  1. 123456 (753K times)
  2. linkedin (172K times)
  3. password (144K times)
  4. 123456789 (94K times)
  5. 12345678 (64K times)
  6. 111111 (57K times)
  7. 1234567 (50K times)
  8. sunshine (39K times)
  9. qwerty (38K times)
  10. 654321 (33K times)

A pretty nice list to start your journey of brute-forcing into a system, I would say. You don't have to be tremendously creative to adapt it to other sites: number 2, "linkedin", is really the pattern "name of the site". So if you want to get into someone's Facebook account, you try "facebook" instead, and there is a fair chance you get in.

The example I used is a small instance of a dictionary attack. A dictionary attack uses a preselected (huge) library of words and phrases, a wordlist, to guess possible passwords. It operates from a list of common passwords like the ones mentioned above, and cracking tools then apply "mangling rules" to every entry: capitalize it, append a year, append a symbol, swap letters for digits. These rules capture predictable patterns that vary per region and country. If you live in the Netherlands in the year 2021, a password like welkom2021! will be in the attacker's list. And when a password has to be refreshed every 3 months (which happens a lot in corporations) you can puzzle with it: "Welcome2021!3" is a good try for a password set in Q3 2021. Attackers also add words related to sports teams, country-specific language, monuments, cities, addresses and other regionally specific items when building their dictionaries. Many of these wordlists (rockyou.txt being the best known) are shared freely, so they are very easy to acquire.

Trying all these options by hand is not practical, so attackers automate the process: a cracking tool takes a wordlist, applies mangling rules to it and tests the candidates against the captured hashes, or against the login form, at machine speed.
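As an added example (my own illustration, not code from the post), the following script shows what a dictionary attack with mangling rules looks like in miniature: a small constructed wordlist, a rule generator that produces the year, symbol, quarter and site-name variants described above, and a cracker that checks the candidates against a set of unsalted SHA-1 hashes (the scheme LinkedIn used). The "<site>" placeholder, the wordlist and the target hashes are all made up for the demo.

```python
"""Dictionary attack with mangling rules (added example)."""
import hashlib
from typing import Dict, Iterable, Iterator, List, Set

# Constructed wordlist: entries from the leaked top 10 plus regional words.
# "<site>" is a placeholder the rules replace with the name of the target site.
BASE_WORDS = ["123456", "password", "sunshine", "qwerty", "welkom", "welcome", "<site>"]


def sha1_hex(text: str) -> str:
    # Unsalted SHA-1: fast to compute, no per-user salt, exactly what makes
    # wordlist attacks on leaked hashes cheap.
    return hashlib.sha1(text.encode()).hexdigest()


def mangle(word: str, years: List[int], site: str) -> Iterator[str]:
    """Yield candidates for one wordlist entry.

    A small subset of what John the Ripper or hashcat rule files do:
    case variants, common suffixes, year suffixes and the "rotate every
    quarter" pattern that yields things like Welcome2021!3.
    """
    base = site if word == "<site>" else word
    for b in (base, base.capitalize(), base.upper()):
        yield b
        for suffix in ("!", "1", "123"):
            yield b + suffix
        for year in years:
            yield f"{b}{year}"
            yield f"{b}{year}!"
            for quarter in range(1, 5):
                yield f"{b}{year}!{quarter}"
                yield f"{b}{year}Q{quarter}"


def crack(targets: Set[str], words: Iterable[str], years: List[int], site: str) -> Dict[str, str]:
    """Return {hash: recovered password} for every target hash a rule hits."""
    found: Dict[str, str] = {}
    for word in words:
        for candidate in mangle(word, years, site):
            digest = sha1_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found  # everything cracked, stop early
    return found


if __name__ == "__main__":
    # Constructed "leaked" hashes for the demo.
    leaked = {sha1_hex(p) for p in ("welkom2021!", "Welcome2021!3", "facebook123", "sunshine")}
    for digest, password in crack(leaked, BASE_WORDS, [2020, 2021, 2022], site="facebook").items():
        print(digest, "->", password)
```

Seven base words expand to a few hundred candidates, and four out of four constructed hashes fall immediately; a password that no rule reaches (a long random one) is simply never tried, which is the whole point of using a password manager.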

Reversed brute force attacks

You can also reverse the process. This is called a reverse brute-force attack, nowadays better known as password spraying: instead of many passwords against one username, the attacker tries one password against many usernames. If you know a password but not the username, you try that password and guess different usernames until you find a working combination. As I discussed above, "facebook" and "123456" are pretty common passwords, so you only have to go through a list of login names to try to get in. Because each account sees just one or a few attempts, the attack stays below the account-lockout threshold that would stop a classic brute-force attack, which is exactly what makes it attractive against corporate logins.
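Because the two attacks leave different traces, it is worth seeing how a defender tells them apart. The following added example (my own code, not from the post) parses a few constructed authentication log lines in a made-up format and flags a username that collects many failures (classic brute force) separately from a source address that fails against many different usernames (spraying). The log format, thresholds and addresses are assumptions for the demo; adapt the regular expression to your own log source.

```python
"""Brute force vs. password spraying in auth logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format (assumption for the demo):
#   <timestamp> auth result=<ok|fail> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one account hammered from one host, then one host
# trying a single guess against several accounts, plus normal logins.
SAMPLE_LOG = """
2024-03-01T08:00:01Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:02Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:03Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:04Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:05Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:06Z auth result=fail user=alice src=10.0.0.5
2024-03-01T08:00:07Z auth result=ok user=alice src=10.0.0.5
2024-03-01T08:01:00Z auth result=fail user=bob src=10.0.0.9
2024-03-01T08:01:01Z auth result=fail user=carol src=10.0.0.9
2024-03-01T08:01:02Z auth result=fail user=dave src=10.0.0.9
2024-03-01T08:01:03Z auth result=fail user=erin src=10.0.0.9
2024-03-01T08:02:00Z auth result=ok user=bob src=192.168.1.2
this line is not an auth event and is skipped
""".strip().splitlines()


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Turn matching lines into dicts; silently drop lines that don't match."""
    events = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def classify(events: List[Dict[str, str]], fail_threshold: int = 5,
             spray_users: int = 3) -> Dict[str, List[str]]:
    """Return {'brute_force': [users], 'spraying': [source IPs]}.

    Brute force: one username accumulates many failures.
    Spraying: one source fails against many distinct usernames, while each
    username stays under the lockout threshold, so per-user counting alone
    would miss it. Both views are needed.
    """
    fails_per_user: Dict[str, int] = defaultdict(int)
    users_per_src: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails_per_user[e["user"]] += 1
            users_per_src[e["src"]].add(e["user"])
    brute = sorted(u for u, n in fails_per_user.items() if n >= fail_threshold)
    spray = sorted(s for s, users in users_per_src.items() if len(users) >= spray_users)
    return {"brute_force": brute, "spraying": spray}


def detect(lines: List[str]) -> Dict[str, List[str]]:
    return classify(parse(lines))


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Note that alice's account would have been locked out after the fifth failure in most corporate setups, while the sprayer at 10.0.0.9 never trips any per-account counter at all; only grouping failures by source (or by time window across the whole user base) exposes it.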

Brute force tools

Because of the increasing awareness of the importance of cybersecurity, passwords are becoming more complex in general and harder to acquire by a brute-force attack. Professional attackers don't waste their time guessing usernames and passwords with a "Hail Mary". They use tools to make acquiring login names and passwords easier.

So while passwords become more and more sophisticated, the tools are becoming more and more sophisticated as well and are continually improved. Below I will discuss the most common tools and methods.

John the Ripper

This is a great tool that is frequently used by attackers and has been a brute-force favorite for a long time. You can use John the Ripper to audit weak passwords or to crack passwords and obtain unauthorized access (breaking authentication). The tool combines several cracking modes: "single crack" (guesses derived from the username and other account data), wordlist mode with mangling rules, and incremental mode, which is the exhaustive brute force. It can automatically detect the type of hash in its input (as explained above, the one-way function that turned the readable password into a fixed-length digest), so you can point it straight at a password file such as a dumped /etc/shadow or a Windows SAM. Combined with a dictionary of passwords it performs the dictionary attacks described above.

Rainbow Crack

RainbowCrack is a hash-cracking tool built around rainbow tables. The tables are generated up front (with rtgen) and then used during the attack (with rcrack), so the expensive work is done once and reused. A rainbow table is a pre-computed structure that lets you find which plaintext produces a given hash. It does not store every password/hash pair; it stores only the start and end of long chains of alternating hash and "reduction" steps, and regenerates a chain when a lookup lands on one of the stored endpoints. This time-memory trade-off is what makes the tables small enough to share and fast to query. More than one text can produce the same hash, so it's not important to recover the original password: anything that produces the same hash lets you log in. The important caveat is that rainbow tables only work against unsalted hashes. A random per-user salt makes the same password hash to a different value for every user, so no table can be pre-computed for it.
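The chain mechanism is easier to understand in code than in prose, so here is an added example (my own toy implementation, not RainbowCrack's code) of a miniature rainbow table for 4-digit PINs hashed with unsalted SHA-256. The PIN space, chain length, hash choice and reduction function are all assumptions for the demo; real tables use much longer chains and a far larger space.

```python
"""A miniature rainbow table for 4-digit PINs (added example)."""
import hashlib
from typing import Dict, List, Optional

PIN_LEN = 4
SPACE = 10 ** PIN_LEN     # 0000..9999
CHAIN_LEN = 10            # hashes per chain; real tables use thousands


def H(pin: str) -> str:
    # Assumption: the target stores unsalted SHA-256 of the PIN.
    return hashlib.sha256(pin.encode()).hexdigest()


def R(digest: str, col: int) -> str:
    """Reduction function: map a digest back into the PIN space.

    Mixing the column index into the reduction is what makes this a
    *rainbow* table: chains that collide in different columns don't merge.
    """
    n = (int(digest[:16], 16) + col * 7919) % SPACE
    return f"{n:0{PIN_LEN}d}"


def chain(start: str) -> List[str]:
    """All PINs along one chain, start first, endpoint last."""
    pins = [start]
    for col in range(CHAIN_LEN):
        pins.append(R(H(pins[-1]), col))
    return pins


def build_table(starts: List[str]) -> Dict[str, List[str]]:
    """Store only endpoint -> start(s); the middle is recomputed on demand.

    Real tables keep one start per endpoint and accept the coverage loss
    from merged chains; this demo keeps all of them so lookups never miss
    a PIN that some chain actually covers.
    """
    table: Dict[str, List[str]] = {}
    for s in starts:
        table.setdefault(chain(s)[-1], []).append(s)
    return table


def lookup(table: Dict[str, List[str]], target: str) -> Optional[str]:
    """Find a PIN whose hash is target, or None if no stored chain covers it."""
    # Guess that target sits in column c, walk the rest of the chain to its
    # endpoint, and check whether any stored chain ends there.
    for c in range(CHAIN_LEN - 1, -1, -1):
        pin = R(target, c)
        for col in range(c + 1, CHAIN_LEN):
            pin = R(H(pin), col)
        for start in table.get(pin, []):
            # Regenerate the chain to find the real preimage; an endpoint hit
            # can be a false alarm, so verify the hash explicitly.
            for p in chain(start)[:-1]:
                if H(p) == target:
                    return p
    return None


if __name__ == "__main__":
    table = build_table([f"{i:04d}" for i in range(300)])
    stored = sum(len(v) for v in table.values())
    print(f"{stored} chains stored as {len(table)} endpoints")
    secret = chain("0042")[3]
    print("lookup of H(%s) -> %s" % (secret, lookup(table, H(secret))))
```

The table holds 300 starts yet can answer for up to 3,000 PINs, at the cost of recomputing a chain per lookup. Append a per-user salt before hashing and the whole table is worthless, because H(salt + pin) is a different function for every user.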

Ophcrack

Ophcrack is a password cracker engineered for Windows. It cracks the LM hashes (and, with the right tables, NT hashes) stored by Windows by using rainbow tables. It is completely free and open-source, so the source code is available to anyone who wants to improve or optimize the tool. Ophcrack comes with free rainbow tables that crack alphanumeric passwords of up to 14 characters (the letters of the alphabet, including capitals, plus the digits 0 to 9: 62 characters in total). This sounds limited, because symbols are not covered, but additional rainbow tables can be downloaded to extend its reach. The real weakness is the LM hash itself: it converts the password to upper case and splits it into two 7-character halves that are hashed independently, so each half is a tiny search space. Windows Vista and later no longer store LM hashes by default, which is why these tables are far less useful against modern systems.

L0phtCrack

This tool is well-known for its ability to crack Windows passwords (like Ophcrack). It uses dictionary attacks, brute force attacks, hybrid attacks, and rainbow tables. 

Crackstation

This is another helpful tool to crack password hashes. It is a web service that looks a hash up in a huge pre-computed lookup table; if the hash is present in the database, the password comes back in a few seconds. A nice fact to know is that the lookup tables were built from every word in the Wikipedia databases combined with every leaked password list the makers could find. Like rainbow tables, it is useless against salted hashes.

Hashcat

This tool claims to be the world's fastest password cracker, and it earns that claim by running on GPUs (CPUs are supported as well). It is a free tool for Windows, Linux and macOS. Hashcat supports dictionary (straight) attacks, combinator attacks, mask attacks (brute force over a character pattern), hybrid wordlist-plus-mask attacks and rule-based mangling, among others, for hundreds of hash types. It's a very extensive tool and it shows the rapid advancement of technology: not only for defenders but for attackers as well.

DaveGrohl

This tool is an open-source password cracker developed specifically for Mac OS X user password hashes. It supports dictionary and incremental (brute-force) attacks, and it has a distributed mode in which several machines work on the same password hash together. Being open-source, attackers can download and modify the source code as well.

Aircrack-ng

This is a very popular tool to crack WiFi passwords. It is completely free and easy to obtain. The suite comes with a WEP/WPA/WPA2-PSK cracker and analysis tools for attacks on 802.11 WiFi networks, and works with any network interface controller (NIC) whose driver supports raw monitor mode. Against WPA/WPA2, Aircrack-ng captures the four-way handshake between a client and the access point and then runs a dictionary attack against that capture offline, so the success of the attack depends entirely on the quality of your password dictionary: the better and more extensive it is, the more likely you can recover the pre-shared key. It is available for Linux, Windows and macOS and has been ported to other platforms as well.
This is another good reason to switch to WPA3 on WiFi. WPA3 stands for WiFi Protected Access, third version; it replaces the pre-shared-key handshake with SAE, in which every password guess requires a live exchange with the access point, which takes the offline dictionary attack off the table.

Honorable mentions to

Next to the tools described above, there are lots of other useful brute-force tools available. Below is a list:

  • Password Cracker
  • Brutus Password Cracker
  • THC Hydra
  • Cain and Abel

Final thoughts

I had no idea that there are so many tools available to support cracking passwords by brute force. Especially the fact that Windows passwords seem not too hard to crack confirms my conviction that your computer should always be protected by BitLocker as an extra safety measure.

This exercise/research also confirms the importance of MFA (multi-factor authentication). I think MFA is great to fight brute-force attacks. It is quickly gaining popularity (although it is not standardized by the big tech firms).

Additionally, a good password manager is a must to protect yourself against these kinds of attacks. My favorite password manager is KeePass. Check this post if you are interested in how to set up a KeePass database yourself. I also made a post about storing password entries in the KeePass database and working with KeePass; you can find that post over here. Feel free to ask me any questions or give me additional tips/advice by contacting me, and if you want to stay in the loop when I upload a new post, don't forget to subscribe to receive a notification by e-mail.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
