Don't Be A Brute!
- Anne Shroble
- Mar 31, 2016
- 3 min read
Well, hello again and welcome back. This afternoon’s adventure is about…you guessed it, brute-force attacks: what they are, and how one defends a network against them.
Brute-force Attack (in my terms):
Joe Nasty Hacker runs a software package which uses trial and error to obtain information such as a password or personal identification number (PIN), which can then be used to get into your computer and steal your life savings, or worse, leaving you with enormous debt. These programs run large numbers of consecutive guesses which eventually recover the encrypted passphrase.
Brute-force attacks are used in two ways: ethically or unethically (there’s a big surprise, right?).
Ethically, they are used by security engineers trying to protect a network from the unethical Joe N. Hacker: the programs can be run to ensure employee passwords or PINs are strong enough to avoid discovery by a hacker. Of course, Joe N. Hacker is trying to get at these codes so he or she can spend your money in Las Vegas, or Hawaii if the bank account is big enough. Industrial espionage is another practice that can be carried out with brute-force attacks: Joe gets into the company’s confidential files and “borrows” the plans for the next prototype toy, for example, and perhaps puts Harry Toymaker Inc. out of business. Joe is not very nice.
On the other hand, Harry Toymaker has a minimum sixteen- to twenty-five-character password requirement using upper- and lower-case letters, numbers and special characters. Harry’s security engineer has been trying to crack these passwords for weeks (exaggeration) and has been unsuccessful. So, needless to say, the longer the stronger. Making employees change their passwords frequently can also deter Joe.
Here I go with another wonderful article, which cites a book written by Mark Burnett called Hacking the Code: ASP.NET Web Application Security, “a unique book that walks you through the many security threats facing ASP.NET Web developers”. I was checking out the “hows and whys” of brute-force and found solutions which were not so secure, and got to thinking: why use them if they can be defeated? The one in particular said to set a lockout procedure. Then it talked about the effects of the hacker deliberately using the attack to lock out the real users. However (comma), I then read this section and settled on the ‘better’ solution:
One simple yet surprisingly effective solution is to design your Web site not to use predictable behavior for failed passwords. For example, most Web sites return an "HTTP 401 error" code with a password failure, although some Web sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page explaining the failed password attempt. This fools some automated systems, but it is also easy to circumvent. A better solution might be to vary the behavior enough to eventually discourage all but the most dedicated hackers. You could, for example, use different error messages each time or sometimes let a user through to a page and then prompt him again for a password. Some automated brute-force tools allow the attacker to set certain trigger strings to look for that indicate a failed password attempt. For example, if the resulting page contains the phrase "Bad username or password," the tool would know the credentials failed and would try the next in the list. A simple way to fool these tools is to include also those phrases as comments in the HTML source of the page they get when they successfully authenticate. After one or two failed login attempts, you may want to prompt the user not only for the username and password but also to answer a secret question. This not only causes problems with automated attacks, it prevents an attacker from gaining access, even if they do get the username and password correct. You could also detect high numbers of attacks system-wide and under those conditions prompt all users for the answer to their secret questions.
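As an added illustration (not code from the book or from this post), the Python sketch below combines the quoted ideas: rotating failure messages, the failure phrases planted as HTML comments on the success page, and a step-up to a secret question after repeated failures on one account or once site-wide failures cross a threshold, instead of a lockout that an attacker could trigger on purpose. The account store, messages and thresholds are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Rotating failure wordings: no single trigger string identifies a failed attempt.
FAIL_MESSAGES = [
    "Bad username or password.",
    "We could not sign you in.",
    "Please check your credentials and try again.",
]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def success_page(user: str) -> str:
    # Decoy: the failure phrases also appear as HTML comments on the success page,
    # so a tool that greps the response for them cannot tell success from failure.
    decoys = "".join(f"<!-- {m} -->" for m in FAIL_MESSAGES)
    return f"<html><body>Welcome, {user}!{decoys}</body></html>"

class LoginGuard:
    def __init__(self, accounts, per_user_limit=2, global_limit=50):
        self.accounts = accounts          # user -> (salt, pbkdf2 hash, secret answer)
        self.per_user_limit = per_user_limit
        self.global_limit = global_limit  # site-wide failures before everyone is challenged
        self.failures = {}                # consecutive failures per account
        self.global_failures = 0          # assumption: production would use a sliding window

    def login(self, user, password, secret_answer=None):
        record = self.accounts.get(user)
        # Do the same hashing work for unknown users so timing does not leak valid names.
        salt, stored, answer = record or (b"\0" * 16, b"\0" * 32, "")
        ok = hmac.compare_digest(_hash(password, salt), stored) and record is not None
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            self.global_failures += 1
            return "fail", secrets.choice(FAIL_MESSAGES)
        # Step up after repeated failures on this account, or for all users during an attack.
        if self.failures.get(user, 0) >= self.per_user_limit or self.global_failures >= self.global_limit:
            if secret_answer is None or not hmac.compare_digest(secret_answer.encode(), answer.encode()):
                return "challenge", "Please answer your secret question."
        self.failures[user] = 0
        return "success", success_page(user)

def demo_accounts():
    # Constructed sample account store; the salt would be random per user in practice.
    salt = b"constructed-demo-salt"
    return {"anne": (salt, _hash("correct horse battery", salt), "blue")}
```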
The following software packages are used for Brute-Force attacks:
1. Brutus
2. RainbowCrack
3. Wfuzz
4. Cain and Abel
5. John the Ripper
6. THC Hydra
These packages, and more, can be investigated in more depth on the following site:
"10 Most Popular Password Cracking Tools." InfoSec Resources, 2014. Web. 31 Mar. 2016.
As always, I’m hoping this blog was helpful. It was fun researching this subject.
So in closing – Good Day and Good Researching.
Resources:
"What Is Brute Force Attack? - Definition from Techopedia." Techopedia.com. Web. 31 Mar. 2016.
"Blocking Brute Force Attacks." System Administration Database. Web. 31 Mar. 2016.
Burnett, Mark M., and James C. Foster. Hacking the Code: ASP.NET Web Application Security. Rockland, MA: Syngress Publ., 2004. Print.