Popular Tools for Brute-force Attack

Skillset

The brute-force attack is still one of the most popular password cracking methods. Nevertheless, it is not just for password cracking. Brute-force attacks can also be used to discover hidden pages and content in a web application. This attack is basically “a hit and try” until you succeed. This attack sometimes takes longer, but its success rate is higher. In this article, I will try to explain brute-force attacks and popular tools used in different scenarios for performing brute-force attack to get desired results.

What is a Brute-force attack?

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. If it is larger, it will take more time, but there is better probability of success. The most common and easiest to understand example of the brute-force attack is the dictionary attack to crack the password. In this, attacker uses a password dictionary that contains millions of words that can be used as a password. Then the attacker tries these passwords one by one for authentication. If this dictionary contains the correct password, attacker will succeed.

In traditional brute-force attack, attacker just tries the combination of letters and numbers to generate password sequentially. However, this traditional technique will take longer when the password is long enough. These attacks can take several minutes to several hours or several years depending on the system used and length of password.

To prevent password cracking by using a brute-force attack, one should always use long and complex passwords. This makes it hard for attacker to guess the password, and brute-force attacks will take too much time. Most of the time, WordPress users face brute-force attacks against their websites. Account lock out is another way to prevent the attacker from performing brute-force attacks on web applications. However, for offline software, things are not as easy to secure.

Similarly, for discovering hidden pages, the attacker tries to guess the name of the page, sends requests, and sees the response. If the page does not exist, it will show response 404 and on success, the response will be 200. In this way, it can find hidden pages on any website.

Brute-force is also used to crack the hash and guess a password from a given hash. In this, the hash is generated from random passwords and then this hash is matched with a target hash until the attacker finds the correct one. Therefore, the higher the type of encryption (64-bit, 128-bit or 256-bit encryption) used to encrypt the password, the longer it can take to break.

Reverse brute-force attack

A reverse brute-force attack is another term that is associated with password cracking. It takes a reverse approach in password cracking. In this, attacker tries one password against multiple usernames. Think if you know a password but do not have any idea of the usernames. In this case, you can try the same password and guess the different user names until you find the working combination.

Now, you know that Brute-forcing attack is mainly used for password cracking. You can use it in any software, any website or any protocol, which do not block requests after few invalid trials. In this post, I am going to add few brute-force password-cracking tools for different protocols.

Popular tools for brute-force attacks

Aircrack-ng

I am sure you already know about Aircrack-ng tool. This is a popular wireless password-cracking tool available for free. I also mentioned this tool in our older post on most popular password cracking tools. This tool comes with WEP/WPA/WPA2-PSK cracker and analysis tools to perform attack on WIFi 802.11. Aircrack NG can be used for any NIC, which supports raw monitoring mode.

It basically performs dictionary attacks against a wireless network to guess the password. As you already know, success of the attack depends on the dictionary of passwords. The better and effective the password dictionary is the more likely it is that it will crack the password.

It is available for Windows and Linux platforms. It has also been ported to run on iOS and Android platforms. You can try on given platforms to see how this tool works.

Download Aircrack-ng from this link: http://www.aircrack-ng.org/

John the Ripper

John the Ripper is another awesome tool that does not need any introduction. It has been a favorite choice for performing brute-force attack for long time. This free password-cracking software was initially developed for Unix systems. Later, developers released it for various other platforms. Now, it supports fifteen different platforms including Unix, Windows, DOS, BeOS, and OpenVMS. You can use this either to identify weak passwords or to crack passwords for breaking authentication.

This tool is very popular and combines various password-cracking features. It can automatically detect the type of hashing used in a password. Therefore, you can also run it against encrypted password storage.

Basically, it can perform brute-force attack with all possible passwords by combining text and numbers. However, you can also use it with a dictionary of passwords to perform dictionary attacks.

Download John the Ripper from this link: http://www.openwall.com/john/

Rainbow Crack

Rainbow Crack is also a popular brute-forcing tool used for password cracking. It generates rainbow tables for using while performing the attack. In this way, it is different from other conventional brute-forcing tools. Rainbow tables are pre-computed. It helps in reducing the time in performing the attack.

The good thing is that there are various organizations, which already published the pre-computer rainbow tables for all Internet users. To save time, you can download those rainbow tables and use in your attacks.

This tool is still in active development. It is available for both Windows and Linux and supports all latest versions of these platforms.

Download Rainbow Crack and read more about this tool from this link: http://project-rainbowcrack.com/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

StormSecurity

IT Security Research and Services

govolution

About assembler and stuff

Astr0baby's not so random thoughts _____ rand() % 100;

ψυχῆς ἰατρεῖον "Hospital of the soul"

Penetration Testing Academy

Education and Advice for Rookies

P.M.C.S.P. Blog

Articles about Physics, Math, Computer Security & Programming and more

Chimera | Security

#YorkshireAnalyst #SIEMJunkie #ALLOPIONIONSAREMYOWN

%d bloggers like this: