Brute Forcing


Brute Forcing by Chaitanya Reddy @ null Hyderabad Meet in September, 2010

1. Brute Forcing

2. WHAT IS BRUTE FORCE?
  • Brute force (also known as brute force cracking) is a trial-and-error method used to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than employing intellectual strategies.
  • A brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered an infallible, although time-consuming, approach.

3. Determining the Difficulty of a Brute Force Attack
  • How long can the key be?
  • How many possible values can each component of the key have?
  • How long will it take to attempt each key?
  • Is there a mechanism which will lock the attacker out after a number of failed attempts?

4. Increasing Security Against a Brute Force Attack
  • Increasing the length of the PIN
  • Allowing the PIN to contain characters other than numbers, such as * or #
  • Imposing a 30 second delay between failed authentication attempts
  • Locking the account after 5 failed authentication attempts
  • A brute force attack will always succeed, eventually. However, brute force attacks against systems with sufficiently long key sizes may require billions of years to complete.

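The four questions of slide 3 and the four controls of slide 4 put into numbers, as an added example written for this page (not from the slides); the figure of 1000 attempts per second and the scenario labels are constructed assumptions:

```python
"""Added example (not from the original slides): estimate how long an exhaustive
search of a PIN space takes under the controls listed on slide 4 (longer PIN,
wider alphabet, 30 s delay, lockout after 5 failures). The attacker throughput
used below is a constructed assumption, not a measurement."""
from fractions import Fraction


def keyspace(length: int, alphabet_size: int) -> int:
    """How many distinct keys exist: every position can take alphabet_size values."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int,
                       attempts_per_second: float, delay_seconds: float = 0.0) -> float:
    """Worst-case time to try every key. A server-enforced delay between failed
    attempts puts a floor under the cost of each attempt that faster attacker
    hardware cannot remove."""
    per_attempt = max(1.0 / attempts_per_second, delay_seconds)
    return keyspace(length, alphabet_size) * per_attempt


def lockout_success_probability(length: int, alphabet_size: int,
                                attempts_allowed: int) -> Fraction:
    """With a hard lockout the attacker gets only attempts_allowed guesses per
    account; against a uniformly random key the chance of success is exactly
    attempts_allowed / keyspace (capped at 1)."""
    space = keyspace(length, alphabet_size)
    return Fraction(min(attempts_allowed, space), space)


def compare_controls() -> dict:
    """Constructed scenario: an online guesser that can submit 1000 PINs per
    second when nothing slows it down. Returns the figures the slides describe
    in words, keyed by a label for each control."""
    return {
        "4-digit PIN, no delay (s)": seconds_to_exhaust(4, 10, 1000),
        "6-digit PIN, no delay (s)": seconds_to_exhaust(6, 10, 1000),
        "4-digit PIN plus '*' and '#', no delay (s)": seconds_to_exhaust(4, 12, 1000),
        "4-digit PIN, 30 s delay (s)": seconds_to_exhaust(4, 10, 1000, 30.0),
        "4-digit PIN, lockout after 5 (P[success])": lockout_success_probability(4, 10, 5),
    }


if __name__ == "__main__":
    for label, value in compare_controls().items():
        print(f"{label}: {value}")
```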
5. Brute Forcing Log-in Credentials
  • Most common type of attack in web applications.
  • Default password databases or dictionaries
  • "Word list attack" or a "dictionary attack"

6. Reverse brute force attack and its uses
  • An attacker may try to guess a password alone, or guess both the user name and the password. In the latter case the attacker might fix the user name and iterate through a list of possible passwords, or fix the password and iterate through a list of possible user names.
  • Useful when the attacked system locks users out after a number of failed log-in attempts.

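A detection check for both directions of the attack described above (many passwords against one account, and the reverse: one password across many accounts, which stays under a per-account lockout), as an added example that is not from the original slides; the log line format, the sample lines and the thresholds are constructed:

```python
"""Added example (not from the original slides): spot both directions of the
attack in authentication logs. A fixed user name with many passwords shows up as
many failures for one account; the reverse attack (fixed password, many user
names) shows up as one source failing against many accounts, each under the
per-account lockout. The log format and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN_(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
SAMPLE_LOG = """\
2010-09-18T10:00:01 LOGIN_FAIL user=alice src=203.0.113.5
2010-09-18T10:00:03 LOGIN_FAIL user=alice src=203.0.113.5
2010-09-18T10:00:05 LOGIN_FAIL user=alice src=203.0.113.5
2010-09-18T10:00:07 LOGIN_FAIL user=alice src=203.0.113.5
2010-09-18T10:00:09 LOGIN_FAIL user=alice src=203.0.113.5
2010-09-18T10:01:00 LOGIN_FAIL user=bob src=198.51.100.7
2010-09-18T10:01:02 LOGIN_FAIL user=carol src=198.51.100.7
2010-09-18T10:01:04 LOGIN_FAIL user=dave src=198.51.100.7
2010-09-18T10:02:00 LOGIN_OK user=erin src=192.0.2.9
2010-09-18T10:30:00 LOGIN_FAIL user=erin src=192.0.2.9
"""


def parse(text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(text, window=timedelta(minutes=5), per_user_max=5, per_src_users_max=3):
    """Sorted alerts: ('many_passwords_one_user', user) when one account collects
    per_user_max failures inside the window; ('one_password_many_users', src) when
    one source fails against per_src_users_max distinct accounts inside it."""
    user_fails = defaultdict(list)  # user -> failure timestamps inside the window
    src_users = defaultdict(dict)   # src -> {user: last failure timestamp}
    alerts = set()
    for ts, result, user, src in sorted(parse(text)):
        if result != "FAIL":
            continue
        # vertical: many attempts against one account, sliding window
        q = user_fails[user] = [t for t in user_fails[user] if ts - t <= window] + [ts]
        if len(q) >= per_user_max:
            alerts.add(("many_passwords_one_user", user))
        # horizontal / reverse: one source spread thinly over many accounts
        d = src_users[src] = {u: t for u, t in src_users[src].items() if ts - t <= window}
        d[user] = ts
        if len(d) >= per_src_users_max:
            alerts.add(("one_password_many_users", src))
    return sorted(alerts)
```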
7. Brute Forcing Session Identifiers
  • Since HTTP is a stateless protocol, in order to maintain state web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.
  • Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information, the attack is referred to as a session prediction attack.

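An audit of a sample of issued session identifiers for the two properties the slide names (a limited range of values, and predictability from what is already known), as an added example that is not from the original slides; the sample identifiers and the 64-bit minimum are assumptions:

```python
"""Added example (not from the original slides): audit a sample of issued
session identifiers for the two properties slide 7 ties to brute forcing: a
small range of possible values, and predictability from what is already known.
Sample identifiers are constructed; the 64-bit floor is an assumption taken
from common session-management guidance, not from the slides."""
import math


def observed_bits(ids):
    """Upper bound on the identifier's entropy from what the sample shows:
    shortest length times log2 of the distinct characters seen. The real
    generator can only be worse than this figure, never better."""
    return min(len(i) for i in ids) * math.log2(len(set("".join(ids))))


def looks_sequential(ids, max_gap=100):
    """True when every identifier is a decimal integer and consecutive sorted
    values differ by at most max_gap: one valid ID then reveals its neighbours
    (the session prediction case on the slide)."""
    if not all(i.isdigit() for i in ids):
        return False
    vals = sorted(int(i) for i in ids)
    return all(b - a <= max_gap for a, b in zip(vals, vals[1:]))


def expected_guesses_per_hijack(bits, active_sessions):
    """Average blind guesses needed to land on *some* live session: half the
    value space divided by the number of sessions alive at the time."""
    return (2 ** bits / 2) / active_sessions


def audit(ids, active_sessions, min_bits=64):
    """Summarise the sample; 'acceptable' needs enough bits and no sequence."""
    bits = observed_bits(ids)
    return {
        "observed_bits": round(bits, 1),
        "sequential": looks_sequential(ids),
        "guesses_per_hijack": expected_guesses_per_hijack(bits, active_sessions),
        "acceptable": bits >= min_bits and not looks_sequential(ids),
    }


# constructed samples: a greeting-card style counter and a 128-bit random hex token
GREETING_CARD_IDS = ["100234", "100235", "100237", "100240"]
RANDOM_HEX_IDS = ["9f3a0c7e2b1d8456f0e1d2c3b4a59687",
                  "4e7b2d0f9a1c8635e6d5c4b3a2918f07"]

if __name__ == "__main__":
    print(audit(GREETING_CARD_IDS, active_sessions=1000))
    print(audit(RANDOM_HEX_IDS, active_sessions=1000))
```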
8. Brute Forcing Directories and Files
  • When files reside in directories that are served by the web server but are not linked anywhere, accessing those files requires knowing their file name. In some cases those files have been left by mistake: for example a backup file automatically created when editing a file, or leftovers from an older version of the web application. In other cases files are intentionally left unlinked as a "security by obscurity" mechanism allowing only people who know the file names to access them.
  • A brute force attack tries to locate the unlinked file by trying to access a large number of files. The list of attempted file names might be taken from a list of known potential files or based on variants of the visible files on the web site. More information on brute forcing directories and files can be found in the associated vulnerability, predictable resource location [5].

9. Brute Forcing Credit Card Information
  • Shopping online with stolen credit cards usually requires information in addition to the credit card number, most often the CVV/CSC [6] and/or expiration date. A fraudster may hold a stolen credit card number without the additional information. For example, the CVV/CSC is not imprinted on the card or stored on the magnetic stripe, so it cannot be collected by mechanical or magnetic credit card swiping devices.
  • In order to fill in the missing information the hacker can guess it using a brute force technique, trying all possible values.
  • Guessing the CVV/CSC requires only 1000 or 10000 attempts, as the number is only 3 or 4 digits depending on the card type.
  • Guessing an expiration date requires only several dozen attempts.

10. Password retrieval information attack
  • Brute force attacks are by no means limited to the scenarios described above. For example, a password reminder feature may enable a user to retrieve a forgotten password by providing a personal detail known just to him. However, if the personal detail is "favorite color" then an attacker can use a brute force attack to retrieve the password, as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color, so even if the attacker is locked out after three attempts, that would still enable the attacker to retrieve a fair number of passwords.

11. Target of an attack
  • By examining the web service's catalogue (directory) structure.
  • Targets of an attack are the data in forms (GET/POST).
  • Targets of an attack are users' session IDs.

12. Example (Session ID)
  • Consider the URL:
  • Unique session ID for each greeting card
  • Using brute force applications, attackers may try thousands of session IDs embedded in a legitimate URL in an attempt to view greeting cards that they are not authorized to view.

13. Example (Object ID)
  • Consider the URL:
  • In this example, the dynamic page requested by the browser is called Displaymsg.asp and the browser sends the web server the parameter msgID with a value of 12345. An attacker may try brute-forcing values for msgID to try and read other users' messages.

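The Displaymsg.asp?msgID=12345 lookup of slides 12 and 13 as a vulnerable handler beside a hardened one that checks ownership and counts denied lookups per session, as an added example that is not from the original slides; the message store, session identifiers and user names are constructed:

```python
"""Added example (not from the original slides): the msgID lookup of slide 13
as a vulnerable handler next to a hardened one. The hardened version checks that
the requesting session owns the message and counts denied lookups per session,
so a run through consecutive IDs trips an alarm long before it reads much.
Message store, session identifiers and user names are constructed."""
from collections import Counter

# constructed data: msgID -> (owner, body)
MESSAGES = {
    12345: ("alice", "lunch at noon?"),
    12346: ("bob", "salary review notes"),
    12347: ("alice", "see you friday"),
}
DENIED_PER_SESSION = Counter()
ALERT_AFTER = 10  # denied lookups per session before the session is flagged


def display_msg_vulnerable(session_user, msg_id):
    """Returns whatever msgID points at; ownership is never checked, so
    stepping through msgID values reads every user's messages."""
    return MESSAGES.get(msg_id, (None, None))[1]


def display_msg_hardened(session_user, msg_id, session_id):
    """Returns the body only if the session's user owns the message. A missing
    ID and a foreign message both yield the same 'not found' answer, so the
    response does not reveal which IDs exist. Every denial is counted."""
    record = MESSAGES.get(msg_id)
    if record is None or record[0] != session_user:
        DENIED_PER_SESSION[session_id] += 1
        return None
    return record[1]


def session_is_suspicious(session_id):
    """Detection hook: a session that keeps asking for messages it may not read."""
    return DENIED_PER_SESSION[session_id] >= ALERT_AFTER


def enumeration_check(session_user, session_id, first, last):
    """Exercise the hardened handler over a range of IDs from one session and
    return (bodies actually returned, whether the session got flagged)."""
    read = [display_msg_hardened(session_user, m, session_id) for m in range(first, last + 1)]
    return [b for b in read if b is not None], session_is_suspicious(session_id)
```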
14. Advantages and Disadvantages
  • Advantages
  • The chance of finding the password is quite high, since the attack tries so many possible answers.
  • It is a fairly simplistic attack that doesn't require a lot of work to set up or initiate.
  • Disadvantages
  • Hardware intensive: consumes a lot of processing power.
  • Extends the amount of time needed to crack the code by a huge margin.

15. Tools
  • Brutus
  • Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.
  • Platform: Windows
  • THC-Hydra
  • This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus.
  • Platform: UNIX

16.
  • TSGrinder
  • TSGrinder is the first production Terminal Server brute force tool. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
  • Platform: Windows

17. Bibliography
  • [2] "Brute-Force Exploitation of Web Application Session ID's", David Endler, iDEFENSE Labs
  • [3] "Brute force attack incidents", the Web Hacking Incidents Database
  • [4] Credential/Session Prediction
  • [5] Predictable Resource Location
  • [6] "Card Security Code", Wikipedia
  • [7] "Color Assignment, Favorite Color", Joe Hallock

18. THANK YOU