Every day, people manage many accounts for different reasons, such as logging in to social media, banking sites, and computer systems. They unintentionally share too much personal information on public websites and reuse the same password across personal and business accounts because it is easy to remember. This practice is common enough to let an attacker guess passwords or extract a company’s confidential information.
Weak passwords also remain the leading cause of enterprise breaches. Attackers rely on a range of password attack techniques (phishing, brute force, keyloggers, etc.) to obtain credentials and break into a system.
This blog post focuses on the brute force password attack technique, how it works, and how to detect and prevent such password attacks.
What is a Brute Force Attack?
A brute force attack is a trial-and-error technique used to discover valid user credentials by guessing every possible combination of characters until the correct combination is found. Attackers’ strategies are based on their motives, including stealing sensitive information or conducting malicious operations on the targeted systems. Attackers rely on the brute force attack technique because there is a high chance of gaining access to user accounts. With the right credentials to match, they can compromise any endpoint on the network and move laterally to other systems.
Types of Brute Force Attacks
- Password Guessing – An attacker with no prior knowledge of the passwords used in the system or environment guesses login credentials during an operation, typically by working through a list of common passwords.
- Password Cracking – This process can involve comparing a list of words against captured password hashes or using an algorithm to guess the password repeatedly. An attacker uses a pre-computed dictionary of plaintext passwords and their corresponding hash values to find out which plaintext password produces a particular hash.
- Password Spraying – Also known as the low-and-slow method. In this technique, attackers use a single password, or a small list of commonly used passwords such as those found on the internet, against a single user account.
- Credential Stuffing – These attacks do not guess passwords; instead, attackers automate login requests against a web application using previously discovered credential pairs (usernames or email addresses and passwords) to gain unauthorized access. A survey by Secureauth also confirms that 81% of users have reused a password across two or more sites and 25% use the same passwords across most of their accounts.
How Brute Force Attacks Work
Let’s look at how a brute force attack works. Attackers have a handful of readily and freely available tools (such as Metasploit, John the Ripper, and Hydra).
Most of the time, attackers use automated tools or scripts with a list of usernames and passwords. The tool automatically sends each username and password combination to the targeted system, such as a web application server, and checks whether authentication succeeds.
Here is a screenshot of the Hydra tool used to launch the brute force attack and the valid passwords found against the targets.
Here is another screenshot of the “DomainPasswordSpray” tool.
Another post-exploitation tool, CrackMapExec (CME), targets Active Directory user accounts to conduct lateral movement. CME can also brute-force passwords for a specified user on a single target system or across an entire network. The following examples show how attackers use CME to brute-force credential authentication using a supplied list of usernames and a single password.
Examples:
crackmapexec 10.0.100.0/24 -u 'admin' -p 'P@s$w0Rd'
crackmapexec <target(s)> -u username1 username2 -p password1
crackmapexec <target(s)> -u ~/file_usernames -p ~/file_passwords
The Remote Desktop Protocol (RDP) brute force attack is one of the most common methods attackers use to break into Windows workstations or servers. This method is so successful that ransomware groups have used open RDP ports to deliver malware payloads.
How to Prevent a Brute Force Attack?
The first step in preventing brute force attacks is to ban the use of common passwords, such as 123456, qwerty, password, and 123123. Complete lists of common passwords are available for reference when creating a ban list. Security administrators can also implement standards for creating passwords. For example, the standard should include, but is not limited to, the following rules:
- Avoid repetitive or sequential characters (for example, aaaaaa or 1234abcd).
- Always use a combination of alphanumeric characters and symbols.
- Never use personal identification information (date of birth, surname, etc.).
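As an added example (not code from the original post), the following checker enforces the rules just listed: a ban list of common passwords, no repetitive or sequential runs, a mix of letters, digits and symbols, and no personal identifiers. The ban list entries and the sample user's surname and birth year are constructed placeholders.

```python
import re

# Constructed ban list stub; a real deployment loads a published list of
# common passwords such as the ones the post names.
BANNED = {"123456", "qwerty", "password", "123123"}

def has_sequential_run(pw, run=4):
    """True if pw has `run` identical characters in a row (aaaa) or
    `run` consecutive ascending characters (1234, abcd)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False

def check_password(pw, personal_info=()):
    """Return the policy rules `pw` violates; an empty list means it passes.
    `personal_info` holds strings such as a surname or birth year."""
    problems = []
    if pw.lower() in BANNED:
        problems.append("on ban list")
    if has_sequential_run(pw):
        problems.append("repetitive or sequential characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)
            and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("needs letters, digits and symbols")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append("contains personal information: " + item)
    return problems

if __name__ == "__main__":
    # Constructed sample user: surname Smith, born 1990.
    for candidate in ("password", "Smith1990!", "1234abcd", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, ("Smith", "1990")) or "OK")
```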
In addition to the above, the following best practices also make it difficult for attackers to guess or crack passwords through brute force attacks:
- Enforce the use of strong and complex passwords
- Make sure you use a unique password for each account
- Reset passwords every three months
- Configure the Account Lockout policy
- Use CAPTCHA
- Use Two Factor Authentication (2FA)
- Periodically conduct Active Directory assessments
Detection and Defensive Strategy
Attackers often discover password policies to create a list of common passwords and launch dictionary or brute force attacks that adhere to the policy. Singularity™ Identity Posture Management continuously assesses Active Directory and provides real-time detection of brute force or password spray attacks.
Singularity Identity for Identity Providers offers real-time threat detection for multiple cloud identity providers (IdPs) such as Microsoft Entra ID, Okta, and PingID. Singularity Identity also deploys deceptive credentials on production endpoints, detects when attackers use those deceptive credentials, and redirects them to decoy systems for engagement. Any brute force attempt using deceptive credentials generates an alert as a stolen credentials attack.
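As an added example, not part of the original post or of the product it describes, the script below applies the brute force versus password spray distinction from the Types section to a constructed authentication log: it flags a source that piles failures onto one account within a short window, and a source that spreads one or two guesses across many accounts. The log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data): 203.0.113.7 hammers one
# account and gets in, 198.51.100.9 sprays one guess across many accounts,
# 192.0.2.5 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:03 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:04 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:06 src=203.0.113.7 user=alice result=SUCCESS
2024-05-01T10:01:00 src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:01 src=198.51.100.9 user=carol result=FAIL
2024-05-01T10:01:02 src=198.51.100.9 user=dave result=FAIL
2024-05-01T10:01:03 src=198.51.100.9 user=erin result=FAIL
2024-05-01T10:05:00 src=192.0.2.5 user=grace result=FAIL
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)")

def parse(log):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, src, user, result = m.groups()
        yield datetime.fromisoformat(ts), src, user, result

def detect(log, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return {source: label}: 'brute force' when one account collects at least
    fail_threshold failures inside `window`, 'password spray' when at least
    spray_users accounts each collect no more than 2 failures inside it."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse(log)):
        by_src[src].append((ts, user, result))
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)  # failures per account in this window
            for ts, u in fails[i:]:
                if ts - start <= window:
                    per_user[u] += 1
            if max(per_user.values()) >= fail_threshold:
                findings[src] = "brute force"
            elif len(per_user) >= spray_users and max(per_user.values()) <= 2:
                findings[src] = "password spray"
            if src in findings:
                break
    return findings
```

A SUCCESS event from a source already flagged here (as with 203.0.113.7 in the sample) is the case worth escalating, since it suggests the guessed credential worked.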
Conclusion
Organizations can’t stop attackers from attempting password attacks, but they can avoid falling victim to them. Attackers can build credential matches after launching brute force attacks against their targets, exploiting weak passwords and open RDP ports. Each additional AD account they gain access to leaves the organization more exposed, leading to privilege escalation or lateral movement. Organizations can enforce strong password policies that protect against brute force attacks.