The term “brute-force attack” means that an unauthorized user will attempt to gain entry to a server by attempting a seemingly unlimited number of known password combinations.
One or more credentials will fail the authentication and the attacker will gain unauthorized access. A brute-force attack on a weak authentication system is one of the most effective methods to hack into a server. A brute-force attack uses random combinations of numbers and letters to guess a username and password.
A brute-force attack involves repeated access attempts as the application uses random letters, numbers, and character combinations. Brute-force applications are designed for grinding away at a server or data file by simply guessing usernames and repeatedly accessing a server.
A brute-force attack requires the server to respond willingly to repeated attacks. Depending on the speed of the systems involved, thousands of attempts can be made per minute. A brute-force attack is a rather unsophisticated attempt to try everything, including a dictionary file, a sniffer, and repeated login attempts.
In most cases, a brute-force attack against a web server will not work. A web server has a lot of security in place to prevent unauthorized access, and brute-force attacks are more of a nuisance to web admins than a source of serious data loss. However, there are some exceptions to this rule. Some of the vulnerabilities are well-known and have been around for some time. Most of the security issues with web applications revolve around authentication and authorization, so knowing how they work will help you to assess risk.
Example of a brute-force attack
An example of a brute-force attack is a hacker’s attempt to break a code using a combination of computers and information. Suppose a hacker responds to a challenge to decrypt a single message that has been encrypted by the RC4 algorithm and an asymmetric key.
To defeat this algorithm, the hacker resorts to sophisticated and extensive measures. He uses 120 work-stations clustered together, two supercomputers, and information from three major research centres. Even with all this equipment, it takes him eight days to defeat the encryption algorithm. In fact, eight days is a rather short time for breaking the encryption.
Applications such as grinder and authforce are designed to conduct brute-force attacks against Windows 2000 systems and Apache Server, respectively. Many others exist. Brute-force attacks conducted against secure systems require a great deal of time and are often the result of desperation or great determination.
Many systems, however, are prone to exposure to such attacks, mainly because of inadequate security settings and policies. Brute-force attacks are often easy to detect because they involve repeated login attempts, and account lockout can be enabled as a strategy to defeat such attacks.
Brute-Force Attacks vs. Dictionary Attacks
The main difference between a brute-force attack and a dictionary attack is the number of attempts. A dictionary attack is a type of brute-force attack and works by attempting to look up or guess a word or a series of words in a list or dictionary to find the password. Most systems will block any attempt to guess the same password repeatedly. In a brute-force attack, the attacker attempts to enter the correct password as many times as possible to gain access.
While the number of attempts is a key difference between the two methods, many brute-force attacks use the same method as a dictionary attack. The brute-force attack typically works by simply testing every character in a series of passwords until the password is found or the limit of attempts is reached. Although the attacker may look at the list of passwords that failed the authentication, it does not matter if they are correct or incorrect. The hacker does not care if they know the password is wrong, they will just keep trying. This is also the only type of attack that should be tried against any type of server.
A large dictionary attack against a popular web application can be very successful because it is possible to guess many passwords with just a few words. This may cause a system to have too many failed login attempts or it may shut down the user’s access to that service.