Different types of BruteForce attacks
What is a Brute Force Attack?
In a brute force attack, a threat actor tries to gain access to sensitive data and systems by systematically trying as many combinations of usernames and guessed passwords as possible. If successful, the actor can enter the system masquerading as the legitimate user and remain inside until they are detected. They use this time to move laterally, install back doors, gain knowledge about the system to use in future attacks, and, of course, steal data.
Brute force attacks have been around as long as there have been passwords. They not only remain popular but are on the rise due to the shift to remote work
Types of brute force attacks
- Simple brute force attack
- Dictionary Attack
- Credential Stuffing
- Reverse Brute Force Attack
- Hybrid Brute Force Attack
- Password Spraying
- Botnets
Simple brute force attack
A simple brute force attack uses automation and scripts to guess passwords. Typical brute force attacks make a few hundred guesses every second. Simple passwords, such as those lacking a mix of upper- and lowercase letters and those using common expressions like ‘123456’ or ‘password,’ can be cracked in minutes. However, the potential exists to increase that speed by orders of magnitude. All the way back in 2012, a researcher used a computer cluster to guess up to 350 billion passwords per second.
Dictionary Attack
A dictionary attack tries combinations of common words and phrases. Originally, dictionary attacks used words from a dictionary as well as numbers, but today dictionary attacks also use passwords that have been leaked by earlier data breaches. These leaked passwords are available for sale on the dark web and can even be found for free on the regular web.
Credential Stuffing
A credential stuffing attack uses these stolen login combinations across a multitude of sites. Credential stuffing works because people tend to re-use their login names and passwords repeatedly, so if a hacker gets access to a person’s account with an electric company, there is an excellent chance those same credentials will provide access to that person’s online bank account as well.
Reverse Brute Force Attack
A reverse brute-force attack is a type of brute-force attack in which an attacker uses a common password against multiple usernames in an attempt to gain access to a network. … Brute-force and reverse brute-force attacks are used to obtain access to a website, shut the site down, steal data or execute additional attacks.
Hybrid Brute Force Attack
A hybrid brute force attack combines a dictionary attack and a brute force attack. People often tack a series of numbers — typically four — onto the end of their password. Those four numbers are usually a year that was significant to them, such as birth or graduation, and so the first number is normally a 1 or a 2.
Password Spraying
Traditional brute force attacks try to guess the password for a single account. Password spraying takes the opposite approach and tries to apply one common password to many accounts. This approach avoids getting caught by lockout policies that limit the number of password attempts. Password spraying is typically used against targets with single sign-on (SSO) and cloud-based apps that use federated authentication
Botnets
A brute force attack is a numbers game, and it takes a lot of computing power to execute at scale. By deploying networks of hijacked computers to execute the attack algorithm, attackers can save themselves the cost and hassles of running their own systems. In addition, the use of botnets adds an extra layer of anonymity. Botnets can be used in any type of brute force attack
Protect Against Brute force Attacks
Longer passwords are not always better. What really helps is to require a mix of upper- and lowercase letters mixed with special characters. Educate users on best password practices, such as avoiding adding four numbers at the end and avoiding common numbers, such those beginning with 1 or 2. Provide a password management tool to prevent users from resorting to easily-remembered passwords and use a discovery tool that exposes default passwords on devices that haven’t been changed.Threat hunting can expose the types of attacks that standard security measures can miss. If a brute force attack has been used to successfully enter the system, a threat hunter can detect the attack even though it’s operating under the guise of legitimate credentials.
I hope you liked the topic about brute forcing
Thank you for reading
