☑️Brute Force Attacks
To truly grasp the challenge of brute forcing, it's essential to understand the underlying mathematics. The following formula determines the total number of possible combinations for a password:
Possible Combinations = Character Set Size ^ Password Length

Let's consider a few scenarios to illustrate the impact of password length and character set on the search space:
| Scenario | Password Length | Character Set | Possible Combinations |
| --- | --- | --- | --- |
| Short and Simple | 6 | Lowercase letters (a-z) | 26^6 = 308,915,776 |
| Longer but Still Simple | 8 | Lowercase letters (a-z) | 26^8 = 208,827,064,576 |
| Adding Complexity | 8 | Lowercase and uppercase letters (a-z, A-Z) | 52^8 = 53,459,728,531,456 |
| Maximum Complexity | 12 | Lowercase and uppercase letters, numbers, and symbols (94 printable ASCII characters) | 94^12 = 475,920,314,814,253,376,475,136 (about 4.76 x 10^23) |
The more powerful the attacker's hardware (e.g., the number of GPUs, CPUs, or cloud-based computing resources they can utilize), the more password guesses they can make per second. While a complex password can take years to brute-force with a single machine, a sophisticated attacker using a distributed network of high-performance computing resources could reduce that time drastically.
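The following Python is an added illustration, not code from the original page: it carries the search-space formula above through to an expected cracking time, so the "years on one machine versus far less on a cluster" claim can be put in numbers. The guess rates are assumptions chosen for illustration only (roughly one billion guesses per second for a single GPU against a fast unsalted hash, and a thousand such GPUs for a rented cluster); real rates depend entirely on the hash algorithm and its work factor, and on whether the attack is online (rate-limited by the target) or offline against a dump.

```python
# Added example: keyspace formula from the table, carried through to cracking time.
# Not from the original page; guess rates below are illustrative assumptions.

# Character-set sizes used on the page: a-z, A-Z, 0-9, and the 32 printable ASCII symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def keyspace(charset_size: int, length: int) -> int:
    """Possible Combinations = Character Set Size ^ Password Length."""
    return charset_size ** length


def expected_seconds(combinations: int, guesses_per_second: int) -> float:
    """Worst case is the whole keyspace; on average the password is found about
    halfway through, so the expected cost is keyspace / 2 divided by the rate."""
    return combinations / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit (rough, for intuition only)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Assumed (hypothetical) guess rates: one GPU vs. a cluster of 1,000 of them.
SINGLE_GPU = 10**9
CLUSTER = 1000 * SINGLE_GPU

# The four scenarios from the table above.
SCENARIOS = [
    ("Short and Simple", LOWER, 6),
    ("Longer but Still Simple", LOWER, 8),
    ("Adding Complexity", LOWER + UPPER, 8),
    ("Maximum Complexity", LOWER + UPPER + DIGITS + SYMBOLS, 12),
]


def report() -> list[tuple[str, int, str, str]]:
    """One row per scenario: name, keyspace, expected time on one GPU, on the cluster."""
    rows = []
    for name, charset, length in SCENARIOS:
        space = keyspace(charset, length)
        rows.append((name, space,
                     humanize(expected_seconds(space, SINGLE_GPU)),
                     humanize(expected_seconds(space, CLUSTER))))
    return rows


if __name__ == "__main__":
    for name, space, single, cluster in report():
        print(f"{name:<24} {space:>33,}   1 GPU: {single:>16}   cluster: {cluster}")
```

Run as-is to see that the six-character lowercase case falls in well under a second even on one GPU, while the 94-character, 12-length case still takes thousands of years on the assumed cluster: length and alphabet dominate, and the thousandfold hardware increase only shifts the answer by three orders of magnitude.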

Dictionary Attacks
Wordlists can be obtained from various sources, including:
Publicly Available Lists: The internet hosts a plethora of freely accessible wordlists, encompassing collections of commonly used passwords, leaked credentials from data breaches, and other potentially valuable data. Repositories like SecLists offer wordlists catering to various attack scenarios.
Custom-Built Lists: Penetration testers can craft their own wordlists by leveraging information gleaned during the reconnaissance phase. This might include details about the target's interests, hobbies, personal information, or any other data likely to be used for password creation.
Specialized Lists: Wordlists can be further refined to target specific industries, applications, or even individual companies. These specialized lists increase the likelihood of success by focusing on passwords that are more likely to be used within a particular context.
Pre-existing Lists: Certain tools and frameworks come pre-packaged with commonly used wordlists. For instance, penetration testing distributions like ParrotSec often include wordlists like rockyou.txt, a massive collection of leaked passwords, readily available for use.
Here is a table of some of the more useful wordlists for login brute-forcing:
| Wordlist | Description | Typical Use |
| --- | --- | --- |
| rockyou.txt | A popular password wordlist containing millions of passwords leaked from the RockYou breach. | Commonly used for password brute force attacks. |
| top-usernames-shortlist.txt | A concise list of the most common usernames. | Suitable for quick brute force username attempts. |
| xato-net-10-million-usernames.txt | A more extensive list of 10 million usernames. | Used for thorough username brute forcing. |
| 2023-200_most_used_passwords.txt | A list of the 200 most commonly used passwords as of 2023. | Effective for targeting commonly reused passwords. |
| Default-Credentials/default-passwords.txt | A list of default usernames and passwords commonly used in routers, software, and other devices. | Ideal for trying default credentials. |
Interesting Python Script For Dictionary Attacks
Hybrid Attacks
Many organizations implement policies requiring users to change their passwords periodically to enhance security. However, these policies can inadvertently breed predictable password patterns if users are not adequately educated on proper password hygiene.

The attacker begins by launching a dictionary attack, using a wordlist curated with common passwords, industry-specific terms, and potentially personal information related to the organization or its employees. This phase attempts to quickly identify any low-hanging fruit - accounts protected by weak or easily guessable passwords.
However, if the dictionary attack proves unsuccessful, the hybrid attack seamlessly transitions into a brute-force mode. Instead of randomly generating password combinations, it strategically modifies the words from the original wordlist, appending numbers, special characters, or even incrementing years, as in our "Summer2023" example.
This targeted brute-force approach drastically reduces the search space compared to a traditional brute-force attack while covering many potential password variations that users might employ to comply with the password change policy.
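The two phases described above, as an added example written for this page rather than taken from it: a tiny constructed wordlist is tried verbatim first, then each word is mangled the way users do to satisfy a rotation policy (case change, an appended year, a trailing symbol or digit run). The target is a constructed, unsalted SHA-256 hash only so the script runs offline; the base words, year range and suffix list are assumptions, and a real engagement would take those from reconnaissance.

```python
# Added example: dictionary phase followed by a rule-based hybrid phase.
# Not from the original page. Wordlist, years, suffixes and target are constructed.
import hashlib
from typing import Iterable, Iterator, Optional

# Constructed stand-in for a curated wordlist (not a real list).
WORDLIST = ["password", "welcome", "summer", "winter", "acme"]

# Mangling rules: the years and suffixes a rotation policy tends to produce.
YEARS = [str(y) for y in range(2019, 2026)]
SUFFIXES = ["", "!", "@", "#", "1", "123", "!!"]


def capitalizations(word: str) -> list[str]:
    """Case variants users actually pick: as-is, Capitalized, UPPER (deduplicated)."""
    return list(dict.fromkeys([word, word.capitalize(), word.upper()]))


def mangle(word: str) -> Iterator[str]:
    """Yield hybrid candidates for one base word: case x year x suffix,
    e.g. summer -> Summer2023, Summer2024!, SUMMER2025# ..."""
    for base in capitalizations(word):
        for year in YEARS:
            for suffix in SUFFIXES:
                yield f"{base}{year}{suffix}"


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Phase 1: the wordlist as-is (low-hanging fruit). Phase 2: mangled variants."""
    words = list(wordlist)
    for word in words:
        yield word
    for word in words:
        yield from mangle(word)


def candidate_count(wordlist: Iterable[str]) -> int:
    """Total guesses the hybrid run will make; compare with 26^11 for the same length."""
    return sum(1 for _ in candidates(wordlist))


def sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist: Iterable[str]) -> Optional[tuple[str, int, str]]:
    """Return (password, attempts, phase) or None. The hash comparison stands in
    for whatever oracle the real target offers (login form, captured hash)."""
    words = list(wordlist)
    for attempts, guess in enumerate(candidates(words), 1):
        if sha256(guess) == target_hash:
            phase = "dictionary" if guess in words else "hybrid"
            return guess, attempts, phase
    return None


if __name__ == "__main__":
    # Constructed target: a user who rotated Summer2023 to Summer2024 and added a "!".
    target = sha256("Summer2024!")
    print(crack(target, WORDLIST))
    print(candidate_count(WORDLIST), "candidates in total")
```

The five-word list expands to only a few hundred guesses, yet it recovers the rotated password after a few hundred attempts; a pure brute force over 11-character mixed-case alphanumerics would face a keyspace in the 10^19 range. Real tooling (hashcat rules, John the Ripper's wordlist mode) applies the same idea with far larger rule sets.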

The Power Of Hybrid Attacks
Let's consider a scenario where you have access to a common passwords wordlist, and you're targeting an organization with the following password policy:
Minimum length: 8 characters
Must include:
At least one uppercase letter
At least one lowercase letter
At least one number
To extract only the passwords that adhere to this policy, we can leverage the command-line tools available on most Linux/Unix-based systems by default, specifically grep paired with regular expressions (the {8,} quantifier used below is extended-regex syntax, so invoke grep with -E; in basic mode a bare { is matched literally and nothing would pass). We are going to use the darkweb2017-top10000.txt password list from SecLists for this. First, download the wordlist.
Next, we need to start matching that wordlist against the password policy.
This initial grep command targets the core policy requirement of a minimum password length of 8 characters. The regular expression ^.{8,}$ acts as a filter, ensuring that only passwords containing at least 8 characters are passed through and saved in a temporary file named darkweb2017-minlength.txt.
Building upon the previous filter, this grep command enforces the policy's demand for at least one uppercase letter. The regular expression [A-Z] ensures that any password lacking an uppercase letter is discarded, further refining the list saved in darkweb2017-uppercase.txt.
Maintaining the filtering chain, this grep command ensures compliance with the policy's requirement for at least one lowercase letter. The regular expression [a-z] serves as the filter, keeping only passwords that include at least one lowercase letter and storing them in darkweb2017-lowercase.txt.
This last grep command tackles the policy's numerical requirement. The regular expression [0-9] acts as a filter, ensuring that passwords containing at least one numerical digit are preserved in darkweb2017-number.txt.
Meticulously filtering the extensive 10,000-password list against the password policy has dramatically narrowed down our potential passwords to 89.
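As an added example (not from the original page), the same four-stage filter chain in Python, with the policy expressed as the page's own regular expressions so that further rules can be appended without another temp file. The sample list is constructed for this example and stands in for darkweb2017-top10000.txt; point load_wordlist at the real file to reproduce the count above.

```python
# Added example: the grep filter chain from the text, reimplemented so the policy
# is a list of regexes applied in order. Not from the original page; SAMPLE is constructed.
import re
from typing import Iterable

# Same expressions the page feeds to grep, in the same order.
POLICY = [
    r"^.{8,}$",   # minimum length 8        (grep -E '^.{8,}$')
    r"[A-Z]",     # at least one uppercase  (grep '[A-Z]')
    r"[a-z]",     # at least one lowercase  (grep '[a-z]')
    r"[0-9]",     # at least one digit      (grep '[0-9]')
]


def load_wordlist(path: str) -> list[str]:
    """Read one candidate per line; strip the newline as grep does before matching.
    errors='ignore' skips bytes that are not valid UTF-8 in leaked lists."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh]


def filter_by_policy(words: Iterable[str], rules: list[str] = POLICY) -> list[str]:
    """Keep only entries matching every rule; equivalent to chaining the greps."""
    compiled = [re.compile(r) for r in rules]
    return [w for w in words if all(c.search(w) for c in compiled)]


def stage_counts(words: Iterable[str], rules: list[str] = POLICY) -> list[int]:
    """Size of the list after each successive filter, like the temp files on the page."""
    remaining = list(words)
    counts = []
    for r in rules:
        c = re.compile(r)
        remaining = [w for w in remaining if c.search(w)]
        counts.append(len(remaining))
    return counts


# Constructed sample standing in for darkweb2017-top10000.txt (not real breach data).
SAMPLE = ["123456", "password", "Password1", "qwerty123", "Welcome2017",
          "iloveyou", "Summer23", "LETMEIN99", "abc123", "Pa55word!"]


if __name__ == "__main__":
    print("after each stage:", stage_counts(SAMPLE))
    print("policy-compliant:", filter_by_policy(SAMPLE))
```

stage_counts makes the narrowing visible in one run (here 10 entries shrink to 8, 5, 4 and 4), and because the rules are plain regexes you can add a symbol requirement or a maximum length by appending one more entry to POLICY rather than another grep and temp file.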
Credential Stuffing
Credential stuffing attacks exploit the unfortunate reality that many users reuse passwords across multiple online accounts. This pervasive practice, often driven by the desire for convenience and the challenge of managing numerous unique credentials, creates a fertile ground for attackers to exploit.
It's a multi-stage process that begins with attackers acquiring lists of compromised usernames and passwords. These lists can stem from large-scale data breaches or be compiled through phishing scams and malware. Notably, publicly available wordlists like rockyou.txt or those found in SecLists can also serve as a starting point, offering attackers a trove of commonly used passwords.