
Brute Force Attack

Objective:

  • Learn about brute force attacks, common tools and how to protect yourself

What is a brute force attack?

Type 1: Brute force attack

Tries every possible combination by trial and error in an attempt to compromise an account and gain unauthorized access. This is usually automated.

Type 2: Dictionary Attack

A brute force attack that uses wordlists containing common words, phrases and/or passwords found in credential dumps (leaked in data breaches). This type has a higher chance of success at compromising an account, as humans are prone to reuse passwords.

Type 3: Credential stuffing

Attackers take credential dumps and try every username and password combination in them to attempt to gain unauthorized access.

How to protect yourself from brute force attacks?

Long passwords/passphrases

The longer the password, the longer it’ll take for the adversary to compromise the account (use 15+ characters, UPPERCASE, numb3rs and speci@l characters). We can also use password managers to help us generate random strong passwords. To avoid forgetting passwords, we can use passphrases that are easy to remember.

Multifactor Authentication (MFA)

An additional authentication step before access to the account is granted, via an SMS text, email or an authenticator app. Using an authenticator is highly recommended.

Stay vigilant

Always be cautious. To check whether an account has been exposed, use haveibeenpwned. Always check your attack surface:

  • What assets are publicly available to the internet?
  • Should they be available to the internet?
  • Do I need to evaluate services? Should SSH/RDP be exposed to the internet? If not, turn them off or at least put them behind a firewall, as this reduces the risk of compromise.
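The attack types above leave different shapes in authentication logs, and an exposed SSH service is where you will see them first. The following added example (not part of the original page) walks constructed sshd log lines and flags each source address as single-account password guessing (many failures against one user) or a credential-stuffing pattern (many different usernames from one source). The log lines, addresses and the threshold of 5 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not real data): one source hammering
# "root", one source trying many different usernames, one ordinary user typo.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar 10 12:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar 10 12:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 12:00:04 host sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar 10 12:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 12:00:06 host sshd[1006]: Failed password for root from 203.0.113.5 port 51005 ssh2
Mar 10 12:01:00 host sshd[1010]: Failed password for invalid user alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:01:01 host sshd[1011]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2
Mar 10 12:01:02 host sshd[1012]: Failed password for invalid user carol from 198.51.100.7 port 40002 ssh2
Mar 10 12:01:03 host sshd[1013]: Failed password for dave from 198.51.100.7 port 40003 ssh2
Mar 10 12:01:04 host sshd[1014]: Failed password for invalid user erin from 198.51.100.7 port 40004 ssh2
Mar 10 12:02:00 host sshd[1020]: Failed password for dave from 192.0.2.9 port 30000 ssh2
Mar 10 12:02:30 host sshd[1021]: Accepted password for dave from 192.0.2.9 port 30001 ssh2
"""

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def classify_sources(log_text, threshold=5):
    """Return {ip: (verdict, failures, distinct_users)} for every source
    with at least `threshold` failed logins. Sources below it are ignored."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)

    results = {}
    for ip, users in failures.items():
        if len(users) < threshold:
            continue  # a few typos from a legitimate user are not an attack
        distinct = len(set(users))
        # Mostly different usernames from one source is the shape credential
        # stuffing leaves; repeated tries on one account is password guessing.
        if distinct > len(users) // 2:
            verdict = "credential-stuffing"
        else:
            verdict = "password-guessing"
        results[ip] = (verdict, len(users), distinct)
    return results
```

Running `classify_sources(SAMPLE_LOG)` flags 203.0.113.5 and 198.51.100.7 and leaves 192.0.2.9 alone; in practice feed it `/var/log/auth.log` or `journalctl -u ssh` output and act on the flagged sources at the firewall.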

Common tools

  1. Hydra
  2. Hashcat
  3. John the Ripper


© 2020-2025 Ucchas Muhury