Brute Force Attack: Definition, Examples, and Prevention
What Is a Brute Force Attack?
Brute force attacks are a means of determining a combination of username and password or hashed token in order to gain unauthorized access to an account, file, or other protected information. A brute force attack is a trial-and-error–based attack method that works by guessing credentials, file paths, or urls, either through logic or running all possible keyboard combinations.
Attackers often employ malware and other tools to automate the process of brute force attacks either by distributing the attack across a variety of source locations or leveraging malware to attack protected internal accounts. Common tools such as Hydra, Chaos, CrackMapExec, and PoshC2 all have brute force functions.
Once access is achieved, an attacker might gain access to financial information, spread malware, or hijack your system. There are a few entry points that are vulnerable to brute force attacks:
SMB/CIFS Brute Force Attack
Server message block (SMB) and common internet file system (CIFS) are network file sharing protocols most commonly used by Windows. Both can be vulnerable to brute force attacks. Once an attacker gains access to a user account they can access files, move laterally, or attempt to escalate privileges.
SSH Brute Force Attack
SSH or Secure Shell is a network protocol that allows encrypted communication across insecure networks. SSH is used for remote logins, command execution, file transfer, and more. SSH brute force attacks are often achieved by an attacker trying a common username and password across thousands of servers until they find a match.
DNS Brute Force Attack
Rather than guessing a password or username, brute force attacks on DNS can identify all subdomains on a site. Attackers use scripts and other tools to send legitimate-looking queries. The attacker can use this to map out available subdomains, host names, and DNS records—all with the goal of mapping out a network in search of vulnerabilities.
RDP Brute Force Attack
Brute force attacks on RDP are low cost and relatively easy to perform. Even though this type of brute force attack is noisy, it can be highly effective due to the commonality of weak and repurposed passwords. An attacker might perform a brute force attack on RDP accounts to find weak passwords or valid login credentials. Once an attacker has accessed passwords or valid login credentials, they can easily open multiple RDP sessions from a single device to control many devices on the network.
Brute force and other attacks on RDP became a rapidly increasing concern because of the massive expansion of work-from-home due to COVID-19.
Protection Against Brute Force Attacks
To make passwords more difficult to discover, IT administrations should enforce strict password policies with minimum length and complexity requirements. Multi-factor identification should also be enabled, where possible.
For user accounts, use lockout policies that limit the number of failed login attempts to prevent passwords from being guessed. Captchas can be used on web applications to prevent any automated brute-force attempts.
Detection of brute force attacks can be enhanced using decryption. Brute force attacks often occur over encrypted protocols in order to hide. For example brute force attempts are common against RDP, which does not log failed login attempts. Brute force is also common against some Active Directory and database protocols. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted industry protocols such as TLS and Microsoft protocols such as Kerberos, MS-RPC, SMBv3, and more.
Brute Force History
While brute-force techniques used in codebreaking predate the invention of modern computers, some of the earliest documented brute force attacks in the modern era were documented in a 1977 paper by cryptologists Whitfield Diffie and Martin Hellman.
While not a particularly efficient means of attack, brute force attacks are one of the oldest and most reliable attack methods. This attack method is still widely used today, with an uptick in reported cases in 2020.