Cyber Threats: Brute-force Cracking
Brute-force cracking amounts to guessing a password repeatedly until a guess is right and grants entry to a site. The same trial-and-error approach is also used to find hidden pages.
The most common form of brute-force attack is the dictionary attack. A dictionary attack uses a password dictionary containing millions of plausible passwords, and the attacker tries each one in turn until authentication succeeds.
Other methods exist, such as the classic exhaustive enumeration of letter and number combinations, which is unbelievably time consuming but very effective. Reverse brute-force cracking follows the same methodology but holds the password constant and varies the username.
There are a number of essential tools in the hacker’s toolkit for brute-force cracking attacks. (I’ll mention three of the most popular ones with links; check out this InfoSec Institute article for more.) The first is a wireless tool and is available for free: Aircrack-ng performs dictionary attacks against a wireless network and is available for Windows and Linux platforms. It can also be ported to run on iOS and Android platforms. A very popular tool used for brute-force cracking, as well as for identifying weak passwords, offers a variety of password-cracking features. It works on Unix, Windows, DOS, BeOS, OpenVMS and more and can be run against encrypted password storage. It’s also free. This hacking wonder tool is none other than John the Ripper. Finally, there’s RainbowCrack, which generates rainbow tables for use during the attack.
Brute-force Cracking Case Study: Celebrity Nudes
Back in 2014, scandalous pictures of various female celebrities (Jennifer Lawrence, Kate Upton and Emma Watson, to name a few) were leaked onto 4chan. How were these photos obtained? Brute-force cracking. iCloud, Apple’s cloud storage service, had a flaw in the security management of its FindMyiPhone app: you could retry passwords as many times as you liked without being locked out or timed out of the account. This meant that hackers could use any brute-force tool or method to break into these victims’ accounts. They then stole the victims’ private information and sold the nude photos for bitcoins.
The app failed to take a number of possible preventative measures. First and foremost, a defined password retry limit is the easiest way to ensure this sort of attack does not succeed. There are other means of prevention as well, such as randomizing the return code for an unsuccessful login, or taking the user to a secondary login page and asking them to re-enter the password. There are also CAPTCHAs, security questions, blocking IPs associated with multiple failed login attempts, and account lockouts.
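As an added illustration (not code from the article), here is a retry limit and IP-based throttle of the kind described above, written in Python with assumed thresholds. Run over constructed login events it locks the targeted account during a dictionary attack (rejecting even a correct password once locked, which is exactly the check the iCloud app lacked), blocks the source of a reverse brute-force run that spreads one password across many usernames, and lets both restrictions expire with the window.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the article.
ACCOUNT_LIMIT = 5   # failures per account before lockout (the "retry limit")
IP_LIMIT = 20       # failures per source IP across all accounts; higher because NAT shares IPs
WINDOW = 300        # sliding window in seconds


class LoginGuard:
    def __init__(self, account_limit=ACCOUNT_LIMIT, ip_limit=IP_LIMIT, window=WINDOW):
        self.account_limit, self.ip_limit, self.window = account_limit, ip_limit, window
        self.failed_by_account = defaultdict(list)  # user -> timestamps of failures
        self.failed_by_ip = defaultdict(list)       # ip   -> timestamps of failures

    def _recent(self, q, now):
        q[:] = [t for t in q if now - t < self.window]  # drop failures outside the window
        return len(q)

    def check(self, user, ip, now):
        """Return 'allow', 'account_locked' or 'ip_blocked' for a pending attempt."""
        if self._recent(self.failed_by_ip[ip], now) >= self.ip_limit:
            return "ip_blocked"      # reverse brute force: one password tried across many users
        if self._recent(self.failed_by_account[user], now) >= self.account_limit:
            return "account_locked"  # dictionary attack against a single account
        return "allow"

    def record(self, user, ip, now, success):
        """Called only for attempts that were actually evaluated."""
        if success:
            self.failed_by_account[user].clear()
        else:
            self.failed_by_account[user].append(now)
            self.failed_by_ip[ip].append(now)

def replay(events):
    """events: (timestamp, user, ip, password_correct). Returns one verdict per event."""
    guard, verdicts = LoginGuard(), []
    for ts, user, ip, ok in events:
        verdict = guard.check(user, ip, ts)
        if verdict == "allow":
            guard.record(user, ip, ts, ok)
            verdict = "success" if ok else "failed"
        verdicts.append(verdict)
    return verdicts

# Constructed sample traffic, not real log data.
SAMPLE_EVENTS = (
    [(t, "alice", "203.0.113.5", False) for t in range(8)]                   # 8 guesses at one account
    + [(100 + i, f"user{i:02d}", "198.51.100.9", False) for i in range(25)]  # 1 password, 25 accounts
    + [(200, "bob", "192.0.2.10", True), (400, "alice", "203.0.113.5", True)]  # legitimate logins
)
```

A rejected attempt is never evaluated, so the password guess yields no information; the per-IP threshold sits above the per-account one so that a shared office address is not blocked by a handful of mistyped passwords.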
You can learn more about the brute-force cracking celebrity nudes case here, on AlienVault.
Defenses against Brute-force Cracking
On Windows, the authentication mode and account lockout policy settings are an easy and effective way to deter brute-force cracking attempts, since they make the attack far more time consuming. It is important never to use a domain administrator account as a SQL database connection account, because a brute-force attack against that account could lock it out and turn into a denial-of-service condition.
SQL Server authentication lacks features that detect when a system is under a brute-force attack, which makes it a whole new, messy beast. It is very difficult to secure an application that requires domain-level administrative privileges and is unable to run on an old version of SQL Server. You can look at the encryption of the database connection, as well as how the application connects and authenticates to the database. Each database system and application is a little different and requires its own variations of precautionary measures.
Learn how to detect and mitigate cyber threats with our Cyber Threat Detection and Mitigation Certification Training Course!