BRUTE FORCE ATTACK
by B.Vikas
WHAT IS BRUTE FORCE?
Brute force (also known as brute force cracking) is a trial-and-error method used to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than intellectual strategies. A brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered an infallible, although time-consuming, approach.
Determining the Difficulty of a Brute Force Attack
How long can the key be?
How many possible values can each component of the key have?
How long will it take to attempt each key?
Is there a mechanism which will lock the attacker out after a number of failed attempts?
Increasing Security Against a Brute Force Attack
Increasing the length of the PIN
Allowing the PIN to contain characters other than numbers, such as * or #
Imposing a 30 second delay between failed authentication attempts
Locking the account after 5 failed authentication attempts
A brute force attack will always succeed, eventually. However, brute force attacks against systems with sufficiently long key sizes may require billions of years to complete.
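The four defences above, as an added example that is not part of the slides: a keyspace estimate for the PIN variants and a per-account throttle enforcing the 30 second delay and the 5-attempt lockout. The Throttle class, its return codes and the account names are my own; the clock value `now` is passed in so the policy can be exercised without waiting.

```python
import hmac
from dataclasses import dataclass, field

DIGITS = "0123456789"
DIGITS_AND_SYMBOLS = DIGITS + "*#"   # the "* or #" variant from the slide

def keyspace(length: int, alphabet: str) -> int:
    """Number of distinct PINs of `length` drawn from `alphabet`."""
    return len(alphabet) ** length

def worst_case_seconds(length: int, alphabet: str, delay: float) -> float:
    """Time to exhaust every PIN when each failed attempt costs `delay` seconds.
    A 4-digit PIN with a 30 s delay is 10,000 * 30 s, roughly 3.5 days."""
    return keyspace(length, alphabet) * delay

@dataclass
class Throttle:
    """Per-account policy (constructed for this example): reject attempts made
    within `delay_seconds` of the last failure, lock after `max_failures`."""
    delay_seconds: float = 30.0
    max_failures: int = 5
    failures: dict = field(default_factory=dict)      # account -> failed attempts
    last_failure: dict = field(default_factory=dict)  # account -> time of last failure

    def attempt(self, account: str, pin: str, correct_pin: str, now: float) -> str:
        """Return 'locked', 'too_soon', 'ok' or 'bad_pin'. `now` is injected so
        the policy can be tested without a real clock."""
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"                       # lockout: the PIN is not even compared
        last = self.last_failure.get(account)
        if last is not None and now - last < self.delay_seconds:
            return "too_soon"                     # delay window still running (not counted)
        if hmac.compare_digest(pin, correct_pin):  # constant-time comparison
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        self.last_failure[account] = now
        return "bad_pin"
```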
Brute Forcing Log-in Credentials
The most common type of attack in web applications.
Default password databases or dictionaries: a "word list attack" or "dictionary attack".
Reverse brute force attack and its uses: an attacker may try to guess a password alone, or guess both the user name and the password. In the latter case the attacker might fix the user name and iterate through a list of possible passwords, or fix the password and iterate through a list of possible user names. The second variant is useful when the attacked system locks users after a number of failed log-in attempts.
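Detection logic for this section, as an added example that is not part of the slides; the log format and the three source addresses are constructed. A per-account lockout sees the classic pattern but is exactly what the reverse variant sidesteps, so the detector counts failures per source address and, separately, how many distinct user names that source has tried.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample (not real traffic): 203.0.113.5 hammers one account with
# many passwords; 198.51.100.7 tries a single guess against many accounts,
# staying under any per-account lockout; 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:02Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:05Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:06Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:07Z LOGIN_FAILED user=bob src=198.51.100.7
2024-05-01T10:00:08Z LOGIN_FAILED user=carol src=198.51.100.7
2024-05-01T10:00:09Z LOGIN_FAILED user=dave src=198.51.100.7
2024-05-01T10:00:10Z LOGIN_FAILED user=erin src=198.51.100.7
2024-05-01T10:00:11Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:00:12Z LOGIN_FAILED user=grace src=192.0.2.10
2024-05-01T10:00:13Z LOGIN_OK user=grace src=192.0.2.10
"""

def detect_brute_force(log_text: str, max_failures: int = 5, max_users: int = 3) -> dict:
    """Return {src: "classic" | "reverse"} for every source at or above the
    failure threshold. "reverse" means the failures were spread over at least
    `max_users` distinct accounts (one password, many user names)."""
    failures = defaultdict(int)   # src -> failed attempts, across all accounts
    users = defaultdict(set)      # src -> distinct user names tried
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "LOGIN_FAILED":
            continue              # skip unparseable lines and successes
        failures[m["src"]] += 1
        users[m["src"]].add(m["user"])
    verdicts = {}
    for src, count in failures.items():
        if count < max_failures:
            continue
        verdicts[src] = "reverse" if len(users[src]) >= max_users else "classic"
    return verdicts
```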
Brute Forcing Session Identifiers
Since HTTP is a stateless protocol, in order to maintain state web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.
Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information, the attack is referred to as a session prediction attack.
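A check for the "limited range" condition above, as an added example that is not part of the slides: it compares the nominal size of an identifier (length times alphabet) with the window a handful of freshly issued identifiers actually occupy, which is what a session prediction attack would have to search. The sample values are constructed, modelled on the greeting-card ID used later in the deck; `secure_session_id` shows the generator a defender would use instead.

```python
import math
import secrets

def nominal_bits(session_id: str) -> float:
    """Upper bound on the ID's entropy: every position assumed to range over
    the whole alphabet (decimal if all digits, otherwise hexadecimal)."""
    base = 10 if session_id.isdigit() else 16
    return len(session_id) * math.log2(base)

def observed_bits(sample) -> float:
    """log2 of the numeric window the sampled IDs actually occupy. When the
    generator hands out nearby values, this window, not the nominal keyspace,
    is what has to be searched."""
    base = 10 if all(s.isdigit() for s in sample) else 16
    values = sorted(int(s, base) for s in sample)
    return math.log2(values[-1] - values[0] + 1)

def assess(sample, min_bits: float = 64.0) -> dict:
    """Classify a handful of IDs issued close together in time."""
    nominal = nominal_bits(sample[0])
    observed = observed_bits(sample)
    return {
        "nominal_bits": round(nominal, 1),
        "observed_bits": round(observed, 1),
        "predictable": observed < min_bits,
    }

def secure_session_id() -> str:
    """128 bits from the OS CSPRNG: the range is too large to enumerate and
    consecutive IDs share no structure that could be extrapolated."""
    return secrets.token_hex(16)

# Constructed sample (not captured from any real site), modelled on the
# greeting-card ID in the slide: four cards created one after another.
SEQUENTIAL_SAMPLE = [
    "9BA54003218827622",
    "9BA54003218827623",
    "9BA54003218827625",
    "9BA54003218827631",
]

if __name__ == "__main__":
    print(assess(SEQUENTIAL_SAMPLE))                        # 68 nominal bits, only 4 observed
    print(assess([secure_session_id() for _ in range(4)]))  # both well above 64 bits
```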
Brute Forcing Directories and Files
When files reside in directories that are served by the web server but are not linked anywhere, accessing those files requires knowing their file name. In some cases those files have been left by mistake: for example a backup file automatically created when editing a file, or leftovers from an older version of the web application. In other cases files are intentionally left unlinked as a "security by obscurity" mechanism allowing only people who know the file names to access them.
A brute force attack tries to locate the unlinked file by trying to access a large number of files. The list of attempted file names might be taken from a list of known potential files or based on variants of the visible files on the web site. More information on brute forcing directories and files can be found in the associated vulnerability, predictable resource location.
Brute Forcing Credit Card Information
Shopping online with stolen credit cards usually requires information in addition to the credit card number, most often the CVV/CSC [6] and/or expiration date. A fraudster may hold a stolen credit card number without the additional information. For example, the CVV/CSC is not imprinted on the card or stored on the magnetic stripe, so it cannot be collected by mechanical or magnetic credit card swiping devices.
In order to fill in the missing information the hacker can guess it using a brute force technique, trying all possible values.
Guessing a CVV/CSC requires only 1000 or 10000 attempts, as the number is only 3 or 4 digits depending on the card type. Guessing an expiration date requires only several dozen attempts.
Password Retrieval Information Attack
Brute force attacks are by no means limited to the scenarios described above. For example, a password reminder feature may enable a user to retrieve a forgotten password by providing a personal detail known just to him. However, if the personal detail is "favorite color" then an attacker can use a brute force attack to retrieve the password, as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color, so even if the attacker is locked out after three attempts, that would still enable the attacker to retrieve a fair number of passwords.
Target of an Attack
The web service's catalogue (directory) structure, found by examining it.
Data in forms (GET/POST).
Users' session IDs.
Example (Session ID)
Consider the URL http://greetings.acme-hackme.com/view/9BA54003218827622
There is a unique session ID for each greeting card.
Using brute force applications, attackers may try thousands of session IDs embedded in a legitimate URL in an attempt to view greeting cards that they are not authorized to view.
Example (Object ID)
Consider the URL: http://www.acme-hackme.com/online/Displaymsg.asp?msgID=12345
In this example, the dynamic page requested by the browser is called Displaymsg.asp and the browser sends the Web server the parameter msgID with a value of 12345. An attacker may try brute force values for msgID to try and read other users' messages.
Advantages and Disadvantages
Advantages
The probability of finding the password is quite high, since the attack tries so many possible answers.
It is a fairly simple attack that doesn't require a lot of work to set up or initiate.
Disadvantages
Hardware intensive: consumes lots of processing power.
Extends the amount of time needed to crack the code by a huge margin.
Tools
Brutus
Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.
Platform: Windows
THC-Hydra
This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus.
Platform: UNIX
TSGrinder
TSGrinder is the first production Terminal Server brute force tool. Having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
Platform: Windows
Bibliography
[2] "Brute-Force Exploitation of Web Application Session ID's", David Endler - iDEFENSE Labs, http://www.cgisecurity.com/lib/SessionIDs.pdf
[3] "Brute force attack incidents", the Web Hacking Incidents Database, http://whid.webappsec.org/whid-list/Brute%20Force
[4] Credential/Session Prediction, http://projects.webappsec.org/Credential-and-Session-Prediction
[5] Predictable Resource Location, http://projects.webappsec.org/Predictable-Resource-Location
[6] "Card Security Code", Wikipedia, http://en.wikipedia.org/wiki/Card_Verification_Value
[7] "Color Assignment, Favorite Color", Joe Hallock, http://www.joehallock.com/edu/COM498/preferences.html