Brute force

Carding

Brute force is a method of hacking accounts by guessing passwords for them. The term is derived from the English phrase, which means "brute force". The essence of the approach lies in sequential automated enumeration of all possible combinations of characters in order to find the correct one sooner or later. From this point of view, password search can be viewed as a mathematical problem, the solution of which is found with a sufficiently large number of attempts. The brute-force software generates password variations and checks each one. From the point of view of mathematics, it is always possible to solve a problem in this way, but the time spent on searches does not in all cases justify the goal, since the field of finding solutions is huge.



Brute force is one of the most popular methods to crack passwords for accounts of online banks, payment systems and other websites. However, as the password length grows, this method becomes inconvenient, since the time it takes to search through all possible options grows. It can also be used to check the cryptographic strength of the password.

Brute force is also called the exhaustion method, since the correct combination is identified by analyzing all possible options and discarding each inappropriate combination.

Classification and methods of performing a brute force attack

There are several types of brute force attacks:
  • Personal hacking. In this case, brute force is aimed at gaining access to the personal data of a specific user: social media accounts, mail, website. When communicating over the Internet, including using fraudulent schemes, the attacker tries to find out the login, personal information and other information that will be needed to guess the password. Next, the cracker writes in a special program the address of the resource to which access is needed, the account login, connects the dictionary and selects the password. If the user's password is based on personal information and consists of a small number of characters, then the attacker's attempt can be successful even in a short time.
  • "Brute-check". This kind of brute-force means hunting for large numbers of passwords. Accordingly, the goal is to take possession of the data of not one user, but of many different accounts on several web resources. A database of logins and passwords of some mail services is connected to the hacker program, as well as a proxy list to disguise the site, preventing web mail services from detecting the attack. When registering on the site, on a social network or in the game, the user fills in the field with his email address, which receives the data to log into the corresponding account. The brute force options prescribe a list of site names or other keywords by which the program will search in mailboxes for these letters with logins and passwords, extract and copy information into a separate file. This way a cybercriminal obtains hundreds of passwords and can use them for any purpose.
  • Remote hacking of the operating system of a computer device. Brute force in combination with other hacking tools is used to gain access to a remote PC. This kind of hacking begins with finding suitable networks for the attack. User addresses are obtained by special programs or taken from databases. Brute force dictionaries and lists of IP addresses are entered in the brute force settings. If the password is successfully brute-forced, the victim's machine IP address and login data are saved, which are then used by the attacker - for example, in order to fully control the PC through the Radmin utility or another similar program.

Brute force targets

Brute force allows you to seize access to accounts on social networks or online games, which can lead to the loss of confidential information, digital currencies, achievements, and the falling of correspondence into the wrong hands. Accounts can be used to send spam, for extortion and for other illegal actions. Having taken possession of a large number of accounts, a hacker can exchange or sell them.

Obtaining data to enter payment systems threatens users with the loss of money and even the acquisition of debts, since the attacker can freely dispose of finances, transfer money, and issue a loan.

Using brute force to brute-force passwords to websites opens access to customer databases, email addresses, the use of the site in order to spread malware, send spam, etc.

Having obtained an entry point to a remote computer system using brute-force passwords, an attacker can perform various criminal actions on behalf of the user, as well as use his personal data for the purpose of blackmail, extortion, and steal secret information and money.

The objects of influence of brute force are not only computers and accounts of ordinary Internet users, but also sites, servers, workstations of commercial and banking structures, and various organizations.

Source of threat

The brute-force method is used by cyber-bullies to hack game, mail and social media accounts. Usually their goal is to cause trouble for other people, test their skills, or read personal correspondence.

Cybercriminals write hacking programs themselves or use the work of their “colleagues”. For enumeration, powerful computer systems can be used, including previously hacked or rented ones. In the hands of attackers, brute-force is a means of extracting personal gain from gaining access to credentials.

Also, as already noted, brute-force can be used to check the cryptographic strength of passwords.

Risk analysis

The risks of using brute force depend on the number of objects targeted by attacks and the intentions of the attacker. Every year, new technologies appear that can be used for both good and criminal purposes. So, a few years ago at the DEF CON conference, the public was presented with WASP - a drone that can collect statistics on home Wi-Fi networks. A powerful computer on board the device, among other functions, had the ability to automatically crack passwords using brute force.

Recently, a new botnet was spotted infiltrating computer systems by brute-forcing SSH passwords. The defenses commonly used against brute-force attacks do not work. You can learn from our article how to increase the level of security in this case.

Problems with hacking through brute force can be avoided if you:
  • create a long password from letters, numbers and special characters,
  • do not use personal information or any login elements in the password,
  • create unique passwords for all accounts,
  • change passwords regularly, about once a month,
  • on websites, protect the login from multiple data entry attempts.
 

Carder

Brute-forcing is an easy way of discovering weak login credentials and is often one of the first steps when a hacker finds network services running on a network they gain access to. For beginners and experienced hackers alike, it's useful to have access to the right tools to discover, classify, and then launch customized brute-force attacks against a target. BruteDum does it all from a single framework.

Weak Passwords Are Easy Prey

When a hacker gains access to a system with services running on it, one of the first things they'll typically do is see if they can log in to any of those services using default or common credentials. Internet of Things (IoT) hardware and devices like routers are often left with default passwords enabled, making them easy to attack.
To test the services they discover for weak passwords, the hacker needs to select the right tool for the job, and it can be confusing to know which tool is the best to use against a particular service.

BruteDum is a Python tool that allows a hacker to acquire a target first and run a scan inside the framework to determine the best tool based on what is discovered. It's easy to run a brute-force or dictionary attack against nearly any standard protocol that's vulnerable to it.
The advantage of running BruteDum over specific tools is the ability to run a scan from within to identify what other processes may be running on the same device, as well as organizing powerful tools for breaking into user accounts on services like SSH.

Online or Connected Attacks

Unlike attacks launched against WPA networks where we can grab a hash and attempt cracking later, we need to be connected to our target directly over the network to try a brute-forcing or dictionary attack. While there are ways of hiding our identity with a VPN or Tor, brute-force and dictionary attacks can be limited in effectiveness through a variety of different means.
One way of limiting brute-force and dictionary attacks is through rate-limiting, in which a lockout is triggered after a set amount of incorrect login attempts. That, combined with flagging suspicious login attempts, can make brute-force and dictionary assaults more likely to alert a target that they are under attack.

To execute an online dictionary attack, we'll be using THC Hydra, Medusa, or Ncrack against the services we discover, using BruteDum to scan and organize our attacks between these tools. We'll also need a password list, which will be critical to the success or failure of our dictionary attack. If the password list is too large, it will take too long to attack the network, and if it isn't reasonably long enough to contain the password, we run the risk of it not being in the list, causing the attack to fail.

What You'll Need

To follow this guide, you'll need Python3 installed on your system. Also, I recommend using Kali Linux, as it should have most of the required programs installed by default. If you're doing this on another system, you'll need to make sure that you have all the prerequisite programs installed.
If you're not using Kali Linux, you can use Ubuntu or Debian, but you'll need to make sure you have Hydra, Medusa, and Ncrack installed. You'll also need Nmap for scanning.
We'll also need a password list to test, and in this case, we'll be downloading it to a folder we create later. If you have a favorite password list, you'll need to copy it to the folder we'll be making.

Step 1
Download & Set Up BruteDum

To get started, we'll need to download the repository from GitHub. In a new terminal window, you can type in the following command to clone the repo.

~$ git clone https://github.com/GitHackTools/BruteDum
Cloning into 'BruteDum'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (15/15), done.

And this one to navigate into the directory:

~$ cd BruteDum

From inside this folder, you'll be able to run BruteDum. Before we do, we should take care of one small quirk. I found that BruteDum couldn't find password lists saved outside the BruteDum folder, so the solution seems to be adding our password list directly there. To do this, I'll simply take one off GitHub, and I'll download it to the folder I'm in using the wget command.

~/BruteDum$ wget https://raw.githubusercontent.com/b.../master/Real-Passwords/Top207-probable-v2.txt
--2020-01-10 17:19:59-- https://raw.githubusercontent.com/b.../master/Real-Passwords/Top207-probable-v2.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1620 (1.6K) [text/plain]
Saving to: ‘Top207-probable-v2.txt’

Top207-probable-v2. 100%[===================>] 1.58K --.-KB/s in 0s

2020-01-10 17:19:59 (53.3 MB/s) - ‘Top207-probable-v2.txt’ saved [1620/1620]

Once it's done, we can run BruteDum by typing the following command.

~/BruteDum$ python3 brutedum.py
BRUTE FORCE JUST FOR THE DUMMIES
BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
Author: https://GitHackTools.blogspot.com
[?] Enter the victim address:

Step 2
Enter the Target Address

After the loading screen finishes, we'll need to enter the IP address of the victim. Once you've done so, press Enter, and you'll be presented with the option to run an Nmap scan. It's a handy feature that can help you discover other services open on the same device. Type Y and hit Enter to run the Nmap scan.

[?] Enter the victim address: 192.168.43.1
[?] Do you want to scan victim's ports with Nmap? [Y/n]: Y

When the results return, you should be able to identify any ports that come back as "open." Next, you'll need to select a service to crack. The menu for doing so is quite easy to understand, and you can choose one that matches the service that our Nmap scan discovered.

[+] Scanning ports with Nmap...
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-10 02:57 PDT
Nmap scan report for 192.168.43.1
Host is up (0.0087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: ███.███.███.███.███.███

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

[1] FTP                       [2] Telnet
    (Default port is 21)          (Default port is 23)
[3] PostgreSQL                [4] SSH
    (Default port is 5432)        (Default port is 22)
[5] RDP                       [6] VNC
    (Default port is 3389)        (Default port is 5900)

[?] Which protocol do you want to crack? [1-6]: 4

In our example, we'll select option 4 and hit Enter to indicate we want to do SSH cracking.

Step 3
Select the Tool

Now, we'll need to determine the tool we'll be using to try cracking the password. Depending on what service we selected, BruteDum will recommend one to use.

BRUTE FORCE JUST FOR THE DUMMIES
BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
Author: https://GitHackTools.blogspot.com

Target: 192.168.43.1
Protocol: ssh

[1] Ncrack
[2] Hydra (Recommended)
[3] Medusa

[?] Which tool do you want to use? [1-3]: 2

We'll select Hydra, as it's the one recommended for cracking SSH. Type 2 to indicate Hydra (or the number of the tool you wish to use) and press Enter to begin configuring it.

Step 4
Set Username & Password Lists

To launch our attack, we'll need to make a time versus probability tradeoff. Our first option will be to select a username list. That means we'll be trying every password in our password list with every username in our username list. It can become a lot of attempts very quickly.
In our example, we can select N to decline using a username list. Instead, we'll use a common username, or one we might know exists by default on the type of device.

Target: 192.168.43.1 Protocol: ssh [?] Do you want to use username list? [Y/n]: N
Because we declined to supply a username list, we'll have to enter one manually instead. Here, I'll enter toor, as I know that's the username for our test device.
[?] Enter the username: toor
Next, we'll need to set the password list. It won't work if we select a password list outside of the directory we're in, so we can now add the password list we downloaded earlier. If you followed along before, we should be able to just paste in the Top207-probable-v2.txt wordlist here.
[?] Enter the path of wordlist: Top207-probable-v2.txt

Brute-Force Attacks Find Weak Passwords

A key thing to remember about brute-force and dictionary attacks is that they are powerful in the right place, but not a silver bullet for breaking into accounts. Weak passwords are especially easy to find with BruteDum, but more complicated passwords require longer password lists. That issue necessitates prolonged contact with the victim to burn through those longer lists, making the attack less practical and more evident to anyone watching for this kind of attack.
An ideal target for these attacks is primarily IoT devices, which generally have poor security and a plethora of services running with default credentials.
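
The rate-limiting and flagging of suspicious login attempts mentioned in this post, and the first post's advice to protect logins from repeated attempts, look like this from the defender's side when applied to SSH logs. This is an added example, not part of the thread or of any tool it mentions; the log lines are constructed in OpenSSH's syslog format, and the function name, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 17:25:01 gw sshd[2101]: Failed password for toor from 192.168.43.77 port 51001 ssh2
Jan 10 17:25:02 gw sshd[2102]: Failed password for toor from 192.168.43.77 port 51002 ssh2
Jan 10 17:25:02 gw sshd[2103]: Failed password for toor from 192.168.43.77 port 51003 ssh2
Jan 10 17:25:03 gw sshd[2104]: Failed password for invalid user admin from 192.168.43.20 port 40110 ssh2
Jan 10 17:25:03 gw sshd[2105]: Failed password for toor from 192.168.43.77 port 51004 ssh2
Jan 10 17:25:04 gw sshd[2106]: Failed password for toor from 192.168.43.77 port 51005 ssh2
Jan 10 17:25:05 gw sshd[2107]: Failed password for toor from 192.168.43.77 port 51006 ssh2
Jan 10 17:25:06 gw sshd[2108]: Accepted password for toor from 192.168.43.77 port 51007 ssh2
Jan 10 17:31:40 gw sshd[2150]: Accepted password for alice from 192.168.43.20 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect(log_text, threshold=5, window_s=60, year=2020):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and any later successful login from an IP that was flagged."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()              # IPs that already raised a burst alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures that left the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user, len(q)))
        elif ip in flagged:
            # A success right after a burst is the high-priority case:
            # the guessed password may have worked.
            alerts.append(("success_after_burst", ip, user, len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login followed by a normal login from 192.168.43.20 stays below the threshold and raises nothing, which is the false-positive case the threshold and window need to be tuned for.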
 

Father

Brute Force Attack
Hi, today we are talking about Brute Force Attack, deeply or briefly, so let's start.....

What is a Brute Force Attack?
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.

How long do brute force attacks take?
As per this link, with a speed of 1,000,000,000 passwords/sec, cracking an 8-character password composed using 96 characters takes 83.5 days. But recent research presented at Password^12 in Norway shows that 8-character passwords are no longer safe. They can be cracked in 6 hours.

What is the brute force method?
In computer science, brute-force search or exhaustive search, also known as generate and test, is a very general problem-solving technique that consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement.

How long does it take to brute force a 10 character password?
Nine-character passwords take five days to break, 10-character words take four months, and 11-character passwords take 10 years. Make it up to 12 characters, and you're looking at 200 years' worth of security – not bad for one little letter.

How many passwords can you check per second?
A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

Difference between brute force attack and dictionary attack?
A dictionary attack means that you probe only passwords/keys from a dictionary (which does not contain the complete keyspace). A brute force attack is primarily used against the encryption algorithm itself (you can also use this against passwords, but there you use dictionary attacks most of the time).

I think, handsome or beauty, you understand what a Brute Force Attack is, how it works, and the difference between Hydra, a Brute Force Attack and a Dictionary Attack. Tonight we complete all 3 articles about password cracking or attack.
 