Brute force (also known as brute force cracking) is a trial and error method used to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.
A brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered to be an infallible, although time-consuming, approach.
Determining the Difficulty of a Brute Force Attack
How long can the key be?
How many possible values can each component of the key have?
How long will it take to attempt each key?
Is there a mechanism which will lock the attacker out after a number of failed attempts?
Increasing Security Against a Brute Force Attack
Increasing the length of the PIN
Allowing the PIN to contain characters other than numbers, such as * or #
Imposing a 30 second delay between failed authentication attempts
Locking the account after 5 failed authentication attempts
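The last two controls in the list above (a 30 second delay and a lock after 5 failures) can be enforced per account as in the following added example, which is not code from the original page; the class and function names are illustrative, and the simulation assumes every guess is wrong.

```python
import time

MAX_FAILURES = 5     # lock the account after 5 failed attempts (value from the list above)
RETRY_DELAY = 30.0   # seconds to wait after a failed attempt (value from the list above)


class LoginThrottle:
    """Per-account failure tracking; names are illustrative, not from the page."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the policy can be simulated
        self._failures = {}        # account -> consecutive failed attempts
        self._last_failure = {}    # account -> time of the most recent failure

    def check(self, account):
        """Call before verifying credentials: returns 'ok', 'wait' or 'locked'."""
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return "locked"        # stays locked until an out-of-band reset
        last = self._last_failure.get(account)
        if last is not None and self._clock() - last < RETRY_DELAY:
            return "wait"          # rejected without testing the guess
        return "ok"

    def record(self, account, success):
        """Call after a permitted verification with its outcome."""
        if success:
            self._failures.pop(account, None)
            self._last_failure.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
            self._last_failure[account] = self._clock()


def simulate_guessing(seconds, guesses_per_second=1):
    """Count how many wrong guesses against one account actually get verified."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    verified = 0
    for step in range(seconds * guesses_per_second):
        now[0] = step / guesses_per_second
        if throttle.check("alice") == "ok":
            verified += 1
            throttle.record("alice", success=False)   # constructed: every guess is wrong
    return verified, throttle.check("alice")


if __name__ == "__main__":
    print(simulate_guessing(3600))   # one hour of guessing once per second
```

Because the counters are kept per account, this policy bounds guessing against a single account only; failures spread across many accounts need a separate per-source view.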
A brute force attack will always succeed, eventually. However, brute force attacks against systems with sufficiently long key sizes may require billions of years to complete.
An attacker may try to guess a password alone or guess both the user name and the password. In the latter case the attacker might fix the user name and iterate through a list of possible passwords, or fix the password and iterate through a list of possible user names.
useful when the attacked system locks users after a number of failed log-in attempts.
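Detection logic for the two login patterns described above, as an added example that is not part of the original page. The log format, the sample lines and the `MANY_USERS` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
LOCKOUT_THRESHOLD = 5   # per-account lockout value used on this page
MANY_USERS = 4          # assumption: distinct accounts per source worth an alert

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i}Z FAIL user=alice src=198.51.100.7" for i in range(6)]
    + [f"2024-05-01T11:0{i}:00Z FAIL user={u} src=203.0.113.9"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    + ["2024-05-01T11:30:00Z FAIL user=gina src=192.0.2.11",
       "2024-05-01T11:30:20Z OK user=gina src=192.0.2.11"]
)


def analyse(lines):
    """Return alerts as (pattern, subject, count) tuples."""
    fails_by_user = defaultdict(int)
    fails_by_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if m is None or m["result"] != "FAIL":
            continue
        fails_by_user[m["user"]] += 1
        fails_by_src[m["src"]][m["user"]] += 1

    alerts = []
    # Fixed user name, many passwords: failures pile up on one account.
    for user, count in sorted(fails_by_user.items()):
        if count >= LOCKOUT_THRESHOLD:
            alerts.append(("fixed-user", user, count))
    # Fixed password, many user names: each account stays under the lockout
    # threshold, so only a per-source view shows the pattern.
    for src, per_user in sorted(fails_by_src.items()):
        if len(per_user) >= MANY_USERS and max(per_user.values()) < LOCKOUT_THRESHOLD:
            alerts.append(("fixed-password", src, len(per_user)))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```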
Since HTTP is a stateless protocol, in order to maintain state web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.
Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information the attack is referred to as a session prediction attack.
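The contrast between a limited identifier range and a large one, as an added example that is not code from the original page: a deliberately weak counter-based issuer, a hardened issuer, and an audit of issued identifiers. The `MIN_BITS` threshold, the start value and all names are assumptions.

```python
import itertools
import math
import secrets
import string

MIN_BITS = 64   # assumption: smallest search space, in bits, accepted by this audit


class WeakIssuer:
    """Deliberately weak 'before' form: a short numeric counter."""

    def __init__(self, start=40210):          # constructed start value
        self._counter = itertools.count(start)

    def new_id(self):
        return str(next(self._counter))


def strong_session_id():
    """Hardened form: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def range_bits(ids):
    """Upper bound on the identifier range implied by format alone."""
    chars = set("".join(ids))
    if chars <= set(string.digits):
        size = 10
    elif chars <= set(string.hexdigits):
        size = 16
    else:
        size = 64
    return max(len(i) for i in ids) * math.log2(size)


def audit_session_ids(ids):
    """Return findings for a sample of identifiers given in issue order."""
    findings = []
    if range_bits(ids) < MIN_BITS:
        findings.append("small-range")
    if all(i.isdigit() for i in ids):
        values = [int(i) for i in ids]
        if len({b - a for a, b in zip(values, values[1:])}) == 1:
            findings.append("constant-step")
    if len(set(ids)) != len(ids):
        findings.append("reused")
    return findings
```

An empty result only means the format allows a large range; the identifiers must still come from a cryptographically secure generator, as `strong_session_id` does.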
When files reside in directories that are served by the web server but are not linked anywhere, accessing those files requires knowing their file name. In some cases those files have been left by mistake: for example a backup file automatically created when editing a file or leftovers from an older version of the web application. In other cases files are intentionally left unlinked as a "security by obscurity" mechanism allowing only people who know the file names to access them.
A brute force attack tries to locate the unlinked file by trying to access a large number of files. The list of attempted file names might be taken from a list of known potential files or based on variants of the visible files on the web site. More information on brute forcing directories and files can be found in the associated vulnerability, predictable resource location.
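A site owner can find such files before anyone guesses them by comparing what the web root serves with what its pages link to. The following is an added example, not code from the original page; it assumes site-root-relative links, a hypothetical list of leftover suffixes, and a constructed sample tree.

```python
import os
import re
from html.parser import HTMLParser

# Assumption: suffixes that editors and manual copies commonly leave behind.
LEFTOVER = re.compile(r"(~|\.bak|\.old|\.orig|\.swp)$", re.IGNORECASE)
ENTRY_POINTS = {"index.html"}   # assumption: reachable without any link


class LinkCollector(HTMLParser):
    """Collects href/src targets; assumes site-root-relative links."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.add(value.split("#")[0].split("?")[0].lstrip("/"))


def audit_webroot(root):
    """Return {relative_path: 'leftover' | 'unlinked'} for served files nothing links to."""
    served, linked = set(), set(ENTRY_POINTS)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            served.add(os.path.relpath(full, root).replace(os.sep, "/"))
            if name.lower().endswith((".html", ".htm")):
                collector = LinkCollector()
                with open(full, encoding="utf-8", errors="replace") as fh:
                    collector.feed(fh.read())
                linked |= collector.links
    return {path: "leftover" if LEFTOVER.search(path) else "unlinked"
            for path in sorted(served - linked)}


def build_sample_site(root):
    """Write a constructed sample tree (not taken from any real site)."""
    pages = {
        "index.html": '<a href="/about.html">About</a><img src="/img/logo.png">',
        "about.html": "<p>About</p>",
        "img/logo.png": "",
        "index.html.bak": "<!-- editor backup -->",
        "old/report.csv": "id,total\n",
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
```

Files reported as `unlinked` that must remain available belong behind an access check rather than an unguessable name.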
Shopping online with stolen credit cards usually requires information in addition to the credit card number, most often the CVV/CSC and/or expiration date. A fraudster may hold a stolen credit card number without the additional information. For example the CVV/CSC is not imprinted on the card or stored on the magnetic stripe so it cannot be collected by mechanical or magnetic credit card swiping devices.
In order to fill in the missing information the hacker can use a brute force technique, trying all possible values.
Guessing CVV/CSC requires only 1000 or 10000 attempts as the number is only 3 or 4 digits, depending on the card type.
Guessing an expiration date requires only several dozen attempts.
Brute force attacks are by no means limited to the scenarios described above. For example, a password reminder feature may enable a user to retrieve a forgotten password by providing a personal detail known just to him. However, if the personal detail is "favorite color" then an attacker can use a brute force attack to retrieve the password as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color, so even if the attacker is locked out after three attempts, that would still enable the attacker to retrieve a fair number of passwords.
In this example, the dynamic page requested by the browser is called Displaymsg.asp and the browser sends the Web server the parameter msgID with a value of 12345. An attacker may try brute force values for msgID to try and read other users' messages.
Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.
This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus.
TSGrinder is the first production Terminal Server brute force tool. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection. Platform: Windows