Brute-force attack

Spring Security Authentication Events

We will use the Spring security event publishing feature to build our brute force protection service. For each authentication that succeeds or fails, Spring security publish an AuthenticationSuccessEvent or AuthenticationFailureEvent. We will use this feature to build our spring security brute force protection. Here is a high level workflow for our strategy.

1. We will write a custom authentication failure event listener. This listener will work with the underlying services to keep trek of number of failed attempts and will lock the account if it exceeds.
2. A success authentication listener to reset any failed count (we will reset the failed counter to zero).

GPU Speeds Brute Force Attempts

Tons of computer brainpower is needed to run brute force password software. Unfortunately, hackers have worked out hardware solutions to make this part of the job a lot easier.

Combining the CPU and graphics processing unit (GPU) accelerates computing power. By adding the thousands of computing cores in the GPU for processing, this enables the system to handle multiple tasks at once. GPU processing is used for analytics, engineering, and other computing-intensive applications. Hackers using this method can crack passwords about 250 times faster than a CPU alone.

So, how long would it take to crack a password? To put it in perspective, a six-character password that includes numbers has approximately 2 billion possible combinations. Cracking it with a powerful CPU that tries 30 passwords per second takes more than two years. Adding a single, powerful GPU card lets the same computer test 7,100 passwords per second and crack the password in 3.5 days.

Types of Brute Force Attacks

• Simple brute force attack—uses a systematic approach to ‘guess’ that doesn’t rely on outside logic.
• Hybrid brute force attacks—starts from external logic to determine which password variation may be most likely to succeed, and then continues with the simple approach to try many possible variations.
• Dictionary attacks—guesses usernames or passwords using a dictionary of possible strings or phrases.
• Rainbow table attacks—a rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to guess a function up to a certain length consisting of a limited set of characters.
• Reverse brute force attack—uses a common password or collection of passwords against many possible usernames. Targets a network of users for which the attackers have previously obtained data.
• Credential stuffing—uses previously-known password-username pairs, trying them against multiple websites. Exploits the fact that many users have the same username and password across different systems.

Real-Life Examples of Brute Force Attacks

Over the years, there have been several brute force attacks against organizations. Users on these platforms lost personal information, and—in some cases—funds. In some cases, the organizations also suffered a lawsuit for their failure to prevent the attacks.

Let’s take a look at five real-life brute force attacks, and what their consequences were.

1. Dunkin’ Donuts (2015)

Coffee franchise Dunkin’ Donuts suffered a brute force attack that led to its users losing huge sums via the company’s mobile app and website. Cyberattackers used brute force to gain unauthorized access into the accounts of 19,715 users within five days, stealing their money.

The company was later slammed with a lawsuit for not informing its users about the compromise so they could take necessary measures to protect their accounts.

Although Dunkin’ Donuts initially denied playing a part in the attack, it later agreed to pay the sum of $650,000 in settlement of the lawsuit.

2. Alibaba (2016)

The popular eCommerce platform Alibaba was a victim of a brute force attack that compromised the accounts of around 21 million users in 2016. During the attack, which took place between October and November that year, the attackers gained unauthorized access to the usernames and passwords of 99 million users.

Leveraging the database at their disposal, they compromised 20.6 million user accounts.

Experts revealed that the primary cause of the attack was the overlapping of passwords by users. It was discovered that the majority of the users were using the same password for the platform for their other accounts. Another cause of the attack was weak passwords. Some of the users had weak passwords that were easy to figure out.

3. Magento (2018)

Magento is another popular eCommerce platform, and—like Alibaba—suffered a brute force attack that compromised its admin panels in 2018.

According to the researchers who discovered the attack, no fewer than 1,000 account credentials were found on the dark web. The attackers’ goal was to scrape the credit card numbers of account holders and infect their devices with malware for cryptocurrency mining.

Experts believed that the affected accounts were more than 1,000 reported. Found on the Magento open source, the company disclosed that the attackers leveraged the weak passwords of its users to initiate the brute force attack, and advised its users to create stronger passwords to avoid a recurrence.

4. Northern Irish Parliament (2018)

The Northern Irish Parliament was the target of a brute force attack that compromised the accounts of some of its members in 2018.

The affected accounts were deleted, and parliament members were advised to change their passwords to stronger ones. Instead of using single words, they were advised to use passphrases.

5. Canadian Revenue Agency (2020)

The Canadian Revenue Agency (CRA) was a victim of a brute force attack that compromised around 11,000 accounts belonging to the CRA and other government-related services in August 2020.

Perpetrators of the attack targeted the Canada Revenue Agency (CRA) and Government of Canada Key service (GCKey), agencies that enable Canadians to access various government programs and services in the country.

Experts revealed that the attackers used previously stolen login credentials, such as usernames and passwords, to hack the affected. The attack reiterated that it’s not advisable to use the same password on multiple websites or accounts. You can prevent brute force attacks by creating strong passwords for yourself.

How Users Can Strengthen Passwords Against Brute Force Attacks

As a user, you can do a lot to support your protection in the digital world. The best defense against password attacks is ensuring that your passwords are as strong as they can be.

Brute force attacks rely on time to crack your password. So, your goal is to make sure your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile… most hackers will give up and move on.

Here are a few ways you can strength passwords against brute attacks:

Longer passwords with varied character types. When possible, users should choose 10-character passwords that include symbols or numerals. Doing so creates 171.3 quintillion (1.71 x 1020) possibilities. Using a GPU processor that tries 10.3 billion hashes per second, cracking the password would take approximately 526 years. Although, a supercomputer could crack it within a few weeks. By this logic, including more characters makes your password even harder to solve.

Elaborate passphrases. Not all sites accept such long passwords, which means you should choose complex passphrases rather than single words. Dictionary attacks are built specifically for single word phrases and make a breach nearly effortless. Passphrases — passwords composed of multiple words or segments — should be sprinkled with extra characters and special character types.

Create rules for building your passwords. The best passwords are those you can remember but won’t make sense to anyone else reading them. When taking the passphrase route, consider using truncated words, like replacing “wood” with “wd” to create a string that makes sense only to you. Other examples might include dropping vowels or using only the first two letters of each word.

Stay away from frequently used passwords. It’s important to avoid the most common passwords and to change them frequently.

Use unique passwords for every site you use. To avoid being a victim of credential stuffing, you should never reuse a password. If you want to take your security up a notch, use a different username for every site as well. You can keep other accounts from getting compromised if one of yours is breached.

Use a password manager. Installing a password manager automates creating and keeping track of your online login info. These allow you to access all your accounts by first logging into the password manager. You can then create extremely long and complex passwords for all the sites you visit, store them safely, and you only have to remember the one primary password.

If you’re wondering, “how long would my password take to crack,” you can test passphrase strength at https://password.kaspersky.com.

Related articles:

Brute Force Attack Prevention with Imperva

Imperva Bot Protection monitors traffic to your website, separating bot traffic from real users and blocking unwanted bots. Because almost all brute force attacks are carried out by bots, this goes a long way towards mitigating the phenomenon.

Bot Protection follows three stages to identify bad bots. It classifies traffic using a signature database with millions of known bot variants. When identifying a suspected bot, it performs several types of inspection to classify the bot as legitimate, malicious or suspicious. Finally, suspicious bots are challenged, to see if they can accept cookies and parse Javascript.

How to Defend Against Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

• Increase password length: More characters equal more time to brute force crack
• Increase password complexity: More options for each character also increase the time to brute force crack
• Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress
• Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
• Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack under way), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Брутфорс: как пользоваться

Далее рассмотрим, как пользоваться брутфорсом и для чего. Если говорить о легальных и благих намерениях, то он используется для проверки надёжности или восстановления паролей. Этим занимаются системные администраторы, используя при этом специализированные программы.

В ситуациях с иными намерениями существует три вида использования такого метода. Первый – это персональный взлом. Киберпреступник может как узнать номер электронного кошелька так и завладеть другими личными данными пользователей. Используя их в последствие, злоумышленник подбирает пароль получения доступа к его аккаунтам, электронной почте или сайту.

Второй вид брутфорса – брут-чек. В данном случае уже выступает цель завладения паролями именно в больших количествах, для последующей продажи аккаунтов и иных целей. И третьим видом является удалённый взлом компьютерной системы, с целью полного управления персональным компьютером жертвы. Зачастую, злоумышленники пишут программы для такого перебора самостоятельно, с использованием мощных компьютерных систем.

Если Вам была интересна данная статья, рекомендуем так же прочитать о разработке сайта-визитки под ключ и о том, как это происходит. Будьте внимательны и осторожны, распространяя свои личные данные, не подвергайте себя риску и не занимайтесь преступной деятельностью.

Hydra and Other Popular Brute Force Attack Tools

Security analysts use the THC-Hydra tool to identify vulnerabilities in client systems. Hydra quickly runs through a large number of password combinations, either simple brute force or dictionary-based. It can attack more than 50 protocols and multiple operating systems. Hydra is an open platform; the security community and attackers constantly develop new modules.

Hydra brute force attack

Other top brute force tools are:

• Aircrack-ng—can be used on Windows, Linux, iOS, and Android. It uses a dictionary of widely used passwords to breach wireless networks.
• John the Ripper—runs on 15 different platforms including Unix, Windows, and OpenVMS. Tries all possible combinations using a dictionary of possible passwords.
• L0phtCrack—a tool for cracking Windows passwords. It uses rainbow tables, dictionaries, and multiprocessor algorithms.
• Hashcat—works on Windows, Linux, and Mac OS. Can perform simple brute force, rule-based, and hybrid attacks.
• DaveGrohl—an open-source tool for cracking Mac OS. Can be distributed across multiple computers.
• Ncrack—a tool for cracking network authentication. It can be used on Windows, Linux, and BSD.

How UpGuard Can Prevent Brute Force Attacks

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard’s security ratings to protect their data, prevent data breaches and assess their security operations.

UpGuard BreachSight’s identity breaches module searches for third-party data breaches on the open, deep, and dark web and shows you where an employee’s credentials have been exposed. 

If we find a match, we will add the breach name, risk, data exposed, date of breach, publish date, notification status, and number of employees exposed to your UpGuard account.

The severity of a breach depends on the type and amount of data exposed. As an example, a data breach that includes passwords could result in attackers gaining unauthorized access to your organization using the exposed credentials. 

This example requires that employees reuse passwords across services, which is not uncommon. 

We can also help you assess your other security controls by monitoring your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically data exposures in S3 buckets, Rsync servers, GitHub repos, and more.

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.

The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks. 

Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews.

If you’d like to see your organization’s security rating, click here to request your free Cyber Security Rating.

Tools Aid Brute Force Attempts

Guessing a password for a particular user or site can take a long time, so hackers have developed tools to do the job faster.

Automated tools help with brute force attacks. These use rapid-fire guessing that is built to create every possible password and attempt to use them. Brute force hacking software can find a single dictionary word password within one second.

Tools like these have workarounds programmed in them to:

• Work against many computer protocols (like FTP, MySQL, SMPT, and Telnet)
• Allow hackers to crack wireless modems.
• Identify weak passwords
• Decrypt passwords in encrypted storage.
• Translate words into leetspeak — «don’thackme» becomes «d0n7H4cKm3,» for example.
• Run all possible combinations of characters.
• Operate dictionary attacks.

Some tools scan pre-compute rainbow tables for the inputs and outputs of known hash functions. These “hash functions” are the algorithm-based encryption methods used to translate passwords into long, fixed-length series of letters and numerals. In other words, rainbow tables remove the hardest part of brute force attacking to speed up the process.

Ликбез

Brute-force (атака полным перебором) – метод решения математических задач, сложность которого зависит от количества всех возможных решений. Сам же термин brute-force обычно используется в контексте хакерских атак, когда злоумышленник пытается подобрать логин/пароль к какой-либо учетной записи или сервису.

Рассмотрим инструменты, которые можно использовать для выполнения brute-force атак на SSH и WEB-сервисы, доступные в Kali Linux (Patator, Medusa, Hydra, Metasploit), а также BurpSuite и даже самый известный сетевой сканер nmap.

Brute-force SSH

Для примера возьмем тестовую машину 192.168.60.50 и попробуем подобрать пароль пользователя test по SSH.

Мы будем использовать популярные пароли из стандартного словаря rockyou.txt. Этот и другие словари доступны в свободном доступе на гитхабе.

Patator 

Для подбора пароля средствами Patator используем команду:

где:ssh_login — необходимый модульhost – наша цельuser – логин пользователя, к которому подбирается пароль или файл с логинами для множественного подбораpassword – словарь с паролями-x ignore:mesg=’Authentication failed’ — команда не выводить на экран строку, имеющую данное сообщение. Параметр фильтрации подбирается индивидуально.

Hydra 

Для подбора пароля используя Hydra выполним команду:

где:-V – показывать пару логин+пароль во время перебора-f – остановка как только будет найден пароль для указанного логина-P – путь до словаря с паролямиssh://192.168.60.50 – указание сервиса и IP-адрес жертвы

Medusa 

Для подбора пароля с использованием Medusa выполним команду:

где:-h – IP-адрес жертвы-u – логин-P – путь к словарю-M – выбор модуля-f – остановка после нахождения валидной пары логин/пароль-v – настройка отображения сообщений на экране во время процесса подбора

Metasploit 

Произведем поиск инструмента для проведения brute-force атаки по SSH:

search ssh_login и получили ответ:

Задействуем модуль:

Для просмотра необходимых параметров, воспользуемся командой show options. Для нас это:rhosts – IP-адрес жертвыrport – портusername – логин SSHuserpass_file – путь до словаряstop_on_success – остановка, как только найдется пара логин/парольthreads – количество потоков

Указание необходимых параметров производится через команду “set“.

Указав необходимые параметры набираем команду “run” и ждем.

Противодействие

Ограничить количество устанавливаемых соединений с использованием межсетевого экрана.

Пример настройки iptables:

Такое правило установит ограничение доступа к SSH для каждого IP-адреса до 1 соединения в секунду, значительно усложнив перебор. Также эффективным решением может быть использование двухфакторной аутентификации (например, используя eToken) или аутентификации с использованием ключевой пары, а также использование ACL на основе IP-адресов.

How Users Can Strengthen Passwords Against Brute Force Attacks

As a user, you can do a lot to support your protection in the digital world. The best defense against password attacks is ensuring that your passwords are as strong as they can be.

Brute force attacks rely on time to crack your password. So, your goal is to make sure your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile… most hackers will give up and move on.

Here are a few ways you can strength passwords against brute attacks:

Longer passwords with varied character types. When possible, users should choose 10-character passwords that include symbols or numerals. Doing so creates 171.3 quintillion (1.71 x 1020) possibilities. Using a GPU processor that tries 10.3 billion hashes per second, cracking the password would take approximately 526 years. Although, a supercomputer could crack it within a few weeks. By this logic, including more characters makes your password even harder to solve.

Elaborate passphrases. Not all sites accept such long passwords, which means you should choose complex passphrases rather than single words. Dictionary attacks are built specifically for single word phrases and make a breach nearly effortless. Passphrases — passwords composed of multiple words or segments — should be sprinkled with extra characters and special character types.

Create rules for building your passwords. The best passwords are those you can remember but won’t make sense to anyone else reading them. When taking the passphrase route, consider using truncated words, like replacing “wood” with “wd” to create a string that makes sense only to you. Other examples might include dropping vowels or using only the first two letters of each word.

Stay away from frequently used passwords. It’s important to avoid the most common passwords and to change them frequently.

Use unique passwords for every site you use. To avoid being a victim of credential stuffing, you should never reuse a password. If you want to take your security up a notch, use a different username for every site as well. You can keep other accounts from getting compromised if one of yours is breached.

Use a password manager. Installing a password manager automates creating and keeping track of your online login info. These allow you to access all your accounts by first logging into the password manager. You can then create extremely long and complex passwords for all the sites you visit, store them safely, and you only have to remember the one primary password.

If you’re wondering, “how long would my password take to crack,” you can test passphrase strength at https://password.kaspersky.com.

Related articles:

Is a Brute Force Attack Illegal?

What determines whether the attack is illegal or not is authorized or unauthorized access. If you use brute force to gain access to someone’s network without their permission, it’s illegal.

There are a few cases where a brute force attack can be legal, and that’s mostly during a penetration test. For instance, an organization could hire an offensive security expert to test the strength of its network security by hacking it. In this case, there are clear instructions on what the hacker should do.

Network security providers also use a penetration test to ascertain the network security of their clients. Such clients are fully aware of the penetration test and consent to it.

Дедик, dedik, dedicated — зачем нужен выделенный сервер

Если вы далеки от администрирования, то могли подумать, что Дедик и Брут — это два друга (или недруга?) с экзотическими именами. Но нет — слово «дедик» образовалось от английского dedicated, а точнее Dedicated server. Сленговое название «дедик» означает, как нетрудно догадаться, выделенный сервер. Опытные пользователи уже знают обо всех преимуществах физических серверов, но на всякий случай мы напомним.

Dedicated server — это, по сути, полноценный компьютер, расположенный в дата-центре провайдера в отдельной стойке и работающий 24 часа в сутки 7 дней в неделю. В отличие от виртуального хостинга, на нём не будут размещены сайты других клиентов, что, несомненно, даёт ощутимые преимущества:

— Все ресурсы принадлежат вам, что делает работу сервера более стабильной.

— Можно выбрать любую версию любой операционной системы и настроить её на своё усмотрение, а также установить необходимое ПО. 

— Вы будете осуществлять полноценное администрирование своего сервера с root-правами.

— Всё оборудование полностью изолировано и находится в отдельной стойке, что повышает безопасность и сохранность данных.

И, конечно же, на выделенном сервере нет ограничений на количество сайтов, баз данных и почтовых ящиков. Обычно «дедики» используются для крупных ресурсов или проектов, которым необходимо обеспечить бесперебойную работу даже при большом наплыве посетителей.

Но довольно теории, перейдём к практике. Представим, что ваш сайт вырос, просмотры растут, вы перенесли его на отдельный сервер — теперь можно радоваться новым возможностям и высокой пропускной способности. Так ли всё радужно на самом деле?

Классификация и способы выполнения брутфорс-атаки

Существует несколько видов атаки методом «грубой силы»:

• Персональный взлом. В этом случае брутфорс направлен на получение доступа к личным данным конкретного пользователя: аккаунтам социальных сетей, почте, сайту. Во время общения через интернет, в том числе используя мошеннические схемы, злоумышленник старается узнать логин, персональные сведения и другую информацию, которая понадобится для подбора пароля. Далее взломщик прописывает в специальную программу адрес ресурса, к которому нужен доступ, логин учетной записи, подключает словарь и подбирает пароль. Если пароль пользователя основан на личной информации и состоит из малого количества символов, то попытка злоумышленника может принести успех даже за короткое время.
• «Брут-чек». Этот вид брутфорса означает охоту на пароли в больших количествах. Соответственно, цель — завладеть данными не одного пользователя, а множества разных аккаунтов на нескольких веб-ресурсах. К хакерской программе подключается база логинов и паролей каких-либо почтовых сервисов, а также прокси-лист, чтобы замаскировать узел, не дав веб-сервисам почты обнаружить атаку. При регистрации на сайте, в социальной сети или в игре пользователь заполняет поле с адресом своей почты, на который приходят данные для входа в соответствующий аккаунт. В опциях брутфорса прописывается список названий сайтов или других ключевых слов, по которым программа будет искать в почтовых ящиках именно эти письма с логинами и паролями, вынимать и копировать информацию в отдельный файл. Так киберпреступник получает сотни паролей и может использовать их в любых целях.
• Удаленный взлом операционной системы компьютерного устройства. Брутфорс в комбинации с другими взламывающими утилитами применяется для получения доступа к удаленному ПК. Взлом такого вида начинается с поиска сетей, подходящих для атаки. Адреса пользователей добываются особыми программами или берутся из баз. Словари перебора и списки IP-адресов вводятся в настройках brute force. В случае успешного подбора пароля сохраняются IP-адрес машины жертвы и данные для входа, которые далее используются злоумышленником — например, с целью полного управления ПК через утилиту Radmin или другую подобную программу.

Frequently Asked Questions

What is a brute force attack example?

If you have a password that’s only one character long, using numbers and letters (upper and lowercase), there would be 62 different possibilities for that character. A brute force attack would try every possible character in an instant to attempt to learn your one-character password. With normal passwords being around 8 characters, the possibilities are then multiplied into trillions of possibilities, which may take a bot only seconds to attempt.

How does a brute force attack work?

Essentially, a bot tries every combination of numbers and letters to learn your password. A reverse brute force attack guesses a popular password against a list of usernames.

What is the best protection against a brute force attack?

The best protection against a brute force attack is ensuring your passwords are as strong as possible, slowing the time it takes for a hacker to breach and increasing the likelihood they give up and move on.

What can attackers gain?

• Access to personal data
• Access to your system for malicious activity
• Ability to edit your website and ruin your reputation
• Ability to spread malware
• Profit from ads or activity data

How successful are brute force attacks?

According to Verizon’s 2020 Data Breach Investigation Report: Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.

Ready to get ahead of brute force attacks? Get a 1:1 demo to learn how Varonis detects attacks so you can stop attackers proactively.

Ограничение доступа по IP-адресам

Если ваш интернет провайдер предоставляет статический IP-адрес, или он редко изменяется, или же есть ограниченный список адресов, с которых может производиться доступ в админ-панель WordPress, то рекомендуется ограничить доступ этим самым списком адресов. Если управлением занимается несколько человек и адреса часто меняются, то данный способ защиты не будет удобным.

Настройка ограничения доступа по IP-адресам для Apache

Настроить ограничение по IP-адресу можно при помощи файла .htaccess, который нужно поместить в папку wp-admin/:

<IfModule mod_authz_core.c>
<RequireAny>
Require all denied #запретить всем
Require ip 127.0.0.1 #разрешить локальные подключения
Require ip 23.45.67.89 #один адрес
Require ip 10.20.30.40 #еще один адрес
Require ip 123.123.123.0/24 #блок адресов
</RequireAny>
</IfModule>

Указанная настройка актуальна для веб-сервера Apache 2.4+.

Настройка ограничения доступа по IP-адресам для Nginx

Если на вашем сервере используется Nginx + php-fpm, то добавлять ограничения нужно в файл конфигурации Nginx для соответствующего сайта (в блоке server):

location ~* ^/(wp-admin|wp-login.php)
{
allow 23.45.67.89; #один адрес
allow 123.123.123.0/24; #блок адресов
deny all; #запрет всем остальным
}

Обратите внимание на обязательные точки с запятой в конце каждой строки и на то, что все разрешения (allow) должны быть выше запретов (deny)