Brute force - hacker pick: attack and defense

Brute force (derived from the English phrase "brute force") is a type of hacker attack: a method of breaking into accounts in computer systems, payment / banking services and on websites by automatically trying combinations of passwords and logins.

Brute force is based on the mathematical method of the same name (brute force), in which the correct solution - a finite number or a combination of symbols - is found by enumerating the options: each value from a given set of potential answers (solutions) is checked for correctness.

How brute force works
A hacker writes a special program to guess passwords or uses a ready-made solution written by his colleagues. It can be targeted at a specific mail service, website or social network (i.e. designed to hack a specific resource). Next, preparations are made for the hack. They consist of the following steps:

Drawing up a proxy list
To hide the true IP address of the computer from which the attack will be carried out, and to prevent blocking by the site on which the account is to be hacked, the Internet connection is configured through a proxy server.

The search for proxy addresses / ports is carried out with a proxy grabber (Proxy Grabber). This utility independently extracts all the data needed to connect to intermediary servers from sites that provide proxies (they are specified in a list). In other words, the proxies are collected.

The resulting base is saved to a separate text file. And then all the addresses of the servers in it are checked for operability in the proxy checker. Quite often, programs designed for the automated extraction of proxies combine the functions of both a grabber and a checker.

As a result, a ready-made proxy list is obtained in the form of a list of IP / port, saved in a txt file. (You will need it when configuring the brute force program).

Searching for brute-force databases
A dictionary has to be connected to the brute-force program - a certain set of password and login combinations - which it will substitute into the login form. Like the proxy list, it is a list in a plain text file (.txt). Dictionaries, also called databases, are distributed through hacker forums, sites and file hosting services. More experienced "craftsmen" create them on their own and provide them to everyone for a fee. The larger the database (the number of combinations, logins, accounts), the better (for a hacker) - the greater the probability that the hack succeeds.

Configuring brute force
The proxy list is loaded; the brute-force program will automatically change the proxy so that the web server does not detect the attack and, accordingly, the source (host) of the attack.

A dictionary of password / login combinations is connected. The number of threads is set - how many combinations the brute-force program will check at the same time. A powerful computer with high internet speed can confidently handle 120-200 threads (this is the optimal value). The speed of the brute force directly depends on this setting. For example, if you set only 10 threads, the selection will be very slow.

Launching brute force
The program records successful hacking attempts: it saves the credentials (password / login) to a file. The selection procedure lasts from several hours to several days. Even then, it does not always turn out to be effective - because of the high strength of the login credentials or other protective measures implemented by the attacked party.

Types of brute force

Personal hacking
Hunting for a specific account - on a social network, on a mail service, etc. Through social engineering or in the course of online communication, the attacker elicits from the victim the username used to access a website. Then he cracks the password using the brute-force method: he gives the brute-force program the address of the web resource and the obtained login, and connects the dictionary.

The chances of such a hack are small compared, for example, to an XSS attack. It can succeed if the account owner used a 6-7 character password made of a simple combination of characters. Otherwise, it will take years - tens and hundreds of years - to "guess" stronger variants of 12, 15 or 20 letters, numbers and special symbols, based on the calculations of the mathematical search formula.

Brute / check
Extraction of authorization data on a global scale - from many accounts, on 3-5 sites (it all depends on the goals of the hacker and the capabilities of the program).

A database with logins / passwords for mailboxes of one mail service (for example, mail.ru) or of different ones is connected to the brute-force program. A proxy list is used to mask the host (since web e-mail services quickly detect an attack by the multiple requests coming from one IP address).

The brute-force program's options contain a list of keywords (as a rule, the names of sites) - the landmarks by which it will look for login information in the letters of the hacked mailboxes (for example: steampowered, worldoftanks, 4game, FB). Or a specific Internet resource is given.

The user, when registering in an online game, social network or forum, as expected, indicates his mail (mailbox). The web service sends a message to the specified address with login information and a link to confirm registration. It is these letters that brute-force is looking for to extract logins and passwords from them.

Press "START" and the cracker starts to brute force. It operates according to the following algorithm:
  1. Loads the login / password to the mail from the database.
  2. Checks access, or "checks" (automatically logs in): if it manages to log into the account, it adds one to the "good" column (meaning that another working mailbox has been found) and starts viewing it (see the following items); if there is no access, it records the mailbox as "bad".
  3. In all "goods" (opened mailboxes), it scans the letters according to the query given by the hacker - that is, it searches for logins / passwords for the specified sites and payment systems.
  4. When the required data is found, it copies it and stores it in a separate file.
Thus, there is a massive hijacking of accounts - from tens to hundreds. The attacker disposes of the trophies obtained at his own discretion - selling, exchanging, collecting data, stealing money.

Remote computer hacking
Brute-force, in conjunction with other hacker utilities, is used to gain remote access to the victim's password-protected PC via an Internet channel.

This type of attack consists of the following stages:
  1. The attacker searches for IP networks in which users' computers will be attacked. Ranges of addresses are taken from special databases or obtained with special programs such as IP Geo. In it, you can select IP networks for a specific country, region and even city.
  2. The selected IP ranges and the dictionaries are set in the settings of Lamescan (or its analogue), a brute-force program intended for remote guessing of the login / password used to log into a system. Once launched, Lamescan does the following:
     - connects to each IP from the specified range;
     - after establishing a connection, tries to connect to the host (PC) through port 4899 (but there may be other options);
     - if the port is open, tries to access the system and brute-forces the password when prompted for it; if successful, saves the host (computer) IP address and login information in its database.

The hacker launches the Radmin utility designed to control remote PCs. Sets the victim's network coordinates (IP, login and password) and gains full control over the system - the desktop (displayed visually on the intruder's computer display), file directories, settings.

Brute-force programs

Brutus AET2
A classic brute-force tool, one of the very first. Nevertheless, it has not lost its relevance and competes with newer solutions. It has a smart brute-force algorithm and supports all major Internet protocols - TCP/IP, POP3, HTTP, etc. It knows how to fake cookies. It works through a dictionary and can also generate passwords on its own.

All-in-One Checker
Powerful brute-checker. Equipped with an extended arsenal of functions for working with databases (checking, sorting by domains). Supports various types of proxies, checks their performance. Scans messages in mailboxes according to settings such as date, keyword, address, unread messages. It can download letters from Mail.ru and Yandex.

Appnimi Password Unlocker
A program for brute-force attacks on a file on a local computer. A sort of workhorse. The free version of the program allows you to guess passwords of no more than 5 characters.

Tips for protecting accounts from brute force
  • Create crypto-strong passwords; they must be at least 10-12 characters long (but preferably 15-20 characters) and consist of letters, numbers and special characters. Our password generator will help you.
  • Do not use login as a password (login and password are the same combination).
  • Do not use the same password in different accounts.
  • Protect the entrance to the admin panel (on websites) from multiple login attempts: blocking by IP, setting time intervals between attempts, limiting the number of possible login attempts.
  • Change the standard names of the functional files responsible for accessing the system to alternative ones (for example: wp-login.php to IOUdssjw29389.php). This masks the entry point from the brute-force program.
  • Periodically change passwords in accounts.
The brute-force capabilities discussed in this article are only a small fraction. There are many more hacker techniques and methods aimed at stealing accounts. However, if you understand brute force and how to resist it, you can significantly reduce the risk of personal data leaks on PCs and in accounts on websites.

That's all. There is never too much security. Stay with us!
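
The tip above about limiting login attempts, combined with the proxy rotation described under "Configuring brute force", as an added example that is not part of the original post: a sliding-window throttle that counts failures both per source IP and per login, so an attack spread over many proxy addresses still trips the per-login limit. The thresholds, the class and function names and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 600                        # seconds of failure history that count
LIMITS = {"ip": 5, "login": 10}     # assumed thresholds: failures per key per window
BASE_DELAY = 30                     # seconds; doubles with every failure past the limit


class LoginThrottle:
    def __init__(self):
        self.fails = {"ip": defaultdict(deque), "login": defaultdict(deque)}

    def _lock_left(self, kind, key, now):
        q = self.fails[kind].get(key)
        if not q:
            return 0
        while q and now - q[0] > WINDOW:      # forget failures outside the window
            q.popleft()
        over = len(q) - LIMITS[kind]
        if over < 0:
            return 0
        delay = min(BASE_DELAY * 2 ** over, WINDOW)
        return max(0, q[-1] + delay - now)    # lock runs from the last failure

    def attempt(self, ip, login, password_ok, now):
        """Return 'throttled', 'ok' or 'fail' for one login attempt at time `now`."""
        if max(self._lock_left("ip", ip, now), self._lock_left("login", login, now)) > 0:
            return "throttled"                # rejected before the password is checked
        if password_ok:
            return "ok"
        self.fails["ip"][ip].append(now)
        self.fails["login"][login].append(now)
        return "fail"


def replay(events):
    """Feed (time, ip, login, password_ok) tuples through a fresh throttle."""
    t = LoginThrottle()
    return [t.attempt(ip, login, ok, now) for now, ip, login, ok in events]


# Constructed sample traffic (documentation addresses, made-up logins).
single_ip = [(i, "203.0.113.7", "alice", False) for i in range(8)]
rotating = [(i, f"198.51.100.{i + 1}", "bob", False) for i in range(12)]
owner = [(13, "192.0.2.10", "bob", True), (13, "192.0.2.10", "carol", True)]

if __name__ == "__main__":
    print(replay(single_ip))          # per-IP limit trips after 5 failures
    print(replay(rotating + owner))   # per-login limit trips despite 12 different IPs
```

The per-login limit also delays the real owner while it is active (the "bob" attempt from 192.0.2.10 in the sample), so it is normally paired with a recovery path such as a CAPTCHA or a second factor.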