Cyber Threats: Brute-force Cracking

Cyber Threats: Brute-force Cracking

brute-force cracking

Brute-force cracking basically amounts to continually guessing a password until one gets it right, allowing entry to a site. It can also mean similar trial-and-error means of finding hidden pages.

The most common method of brute-force attacks are dictionary attacks. A dictionary attack utilizes a password dictionary, containing millions of plausible passwords, so that the hacker can try each password one by one until gaining authentication.

There are other methods, such as the classic narrowing of letter and number combinations which can be unbelievably time consuming, but very effective. Reverse brute-force cracking which consists of the same methodology, but uses the password as the constant and username as the variable.

There are a number of essential tools in the hacker’s toolkit for brute-force cracking attacks. (I’ll mention three of the most popular ones with links, check out this InfoSec Institute article for more.) The first, of which, is wireless and available for free. Aircrack-ng performs dictionary attacks against a wireless network and is available for Windows and Linux platforms. It can also be ported to run on iOS and Android platforms. A very popular tool used for brute-force cracking, as well as identifying weak passwords, uses a variety of password-cracking features.

It works on Unix, Windows, DOS, BeOS, OpenVMS and more and can be run against encrypted password storage. It’s also free. This hacking wonder tool is none other than John the Ripper. Finally, there’s Rainbow Crack which generates rainbow tables for use during the attack.

To learn about Network Probes, check out last week’s post from our Cyber Threats series! 

brute-force cracking

Brute-force Cracking Case Study: Celebrity Nudes

Back in 2014, a few scandalous pictures were leaked onto 4chan of various female celebrities (Jennifer Lawrence, Kate Upton and Emma Watson to name a few). How were these photos found? Brute-force cracking. iCloud, a cloud storage service from Apple, had a flaw in its app FindMyiPhone’s security management. You could retry passwords as many times as you’d like without getting locked/timed out of your account. This means that hackers could easily use any tool or method of brute-force attack to hack into these victim’s accounts. Then they stole their vulnerable information and sold their nudes for bitcoins.

The app failed to take a multitude of possible preventative measures. First and foremost, a defined password retry limit is the easiest way to ensure this sort of attack doesn’t happen successfully. There are other means of prevention as well, such as randomizing the return code for an unsuccessful login; or taking the user to a secondary login page and asking them to re-enter the password. There are also CAPTCHAS, security questions, blocking IP’s related to multiple failed login attempts and account lock-outs.

You can learn more about the brute-force cracking, celebrity nudes case here, on Alien Vault.

Defenses against Brute-force Cracking

When it comes to Windows, authentication mode and lockout privacy settings are an easy and effective way to prevent brute-force cracking attempts as they make the attack even more time consuming. It’s important to never use a domain administrator account as an SQL database connection account because it could lead from a brute-force attack to a denial of service condition.

SQL server authentication brute-force attack vulnerability lacks features which detect systems under a brute-force attack, making it a whole new, messy beast. It is a very difficult task to secure an application which requires domain level administrative privileges and lacks the ability of running on an old version of SQL server. You can look at the encryption of database connection as well as how it connects and authenticates to the application. Each database system and application are a little different and require variations of precautionary measures.

Learn how to detect and mitigate cyber threats with our Cyber Threat Detection and Mitigation Certification Training Course!

Start your FREE trial today!

Cyber Threat Detection and Mitigation

CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting edge cyber security training. Our training provides the most in demand industry certification prep courses including EC-Council, CompTIA, (ISC)2 and Cisco; all taught by leading cyber security experts. All of our offerings are aligned with the national initiative for cyber security education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses bite-sized micro-learning methodology ensures learners are not overwhelmed with information. On Demand LMS platform has white-label capabilities ideal for internal training purposes.

9 thoughts on “Cyber Threats: Brute-force Cracking

  1. travel

    You actually make it appear really easy with your presentation however I to find this matter to be
    actually one thing that I think I might by no means understand.
    It seems too complex and extremely extensive for me.
    I am having a look forward on your subsequent submit, I’ll try to get the
    hold of it!

  2. Travel

    Hey there just wanted to give you a quick heads
    up. The words in your article seem to be running off the screen in Chrome.
    I’m not sure if this is a formatting issue or something to do with browser compatibility but I figured I’d
    post to let you know. The design look great though! Hope you get the problem
    solved soon. Cheers

  3. travel

    Hey! Quick question that’s totally off topic. Do you know how to make your site mobile friendly?

    My weblog looks weird when browsing from my iphone.
    I’m trying to find a theme or plugin that might be able to fix this issue.
    If you have any suggestions, please share. Thanks!

  4. travel

    Hey would you mind letting me know which hosting company you’re using?

    I’ve loaded your blog in 3 completely different browsers and I must say this blog loads a lot quicker then most.
    Can you recommend a good web hosting provider at a reasonable price?
    Thanks a lot, I appreciate it!

  5. travel

    First of all I would like to say fantastic blog! I had a quick question that I’d like to
    ask if you don’t mind. I was interested to know how you
    center yourself and clear your head before writing. I have
    had a tough time clearing my thoughts in getting
    my ideas out there. I do take pleasure in writing however
    it just seems like the first 10 to 15 minutes are usually lost simply just trying
    to figure out how to begin. Any suggestions
    or hints? Cheers!

    1. admin

      Thank you so much! My best advice is to remember that writing is 60% editing. No writer puts out a perfect first draft, so don’t judge while you write, that’s what editing is for. Also, even for narrative pieces, do research! Do a bunch of research, then give yourself time to collect your thoughts before writing. You can also do some outlining, freewriting or journaling before starting to organize the information and form a clear thesis. After this, write with abandon! Then: edit, edit, edit and edit some more. Godspeed!

  6. Tilly

    This blog is really interesting. I have bookmarked it.
    Do you allow guest post on your website ? I can write high quality posts for you.
    Let me know.


Leave a Reply

Your email address will not be published. Required fields are marked *