
Page 1: Brute force

BRUTE FORCE ATTACK

by

SAI CHAITANYA

Page 2: Brute force

WHAT IS BRUTE FORCE?

Brute force (also known as brute force cracking) is a trial and error method used to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

A brute force cracking application proceeds through all possible combinations of legal characters in sequence. Brute force is considered to be an infallible, although time-consuming, approach.

Page 3: Brute force

Determining the Difficulty of a Brute Force Attack

- How long can the key be?
- How many possible values can each component of the key have?
- How long will it take to attempt each key?
- Is there a mechanism which will lock the attacker out after a number of failed attempts?

Page 4: Brute force

Increasing Security Against a Brute Force Attack

- Increasing the length of the PIN
- Allowing the PIN to contain characters other than numbers, such as * or #
- Imposing a 30 second delay between failed authentication attempts
- Locking the account after 5 failed authentication attempts

A brute force attack will always succeed, eventually. However, brute force attacks against systems with sufficiently long key sizes may require billions of years to complete.
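The four questions on slide 3 and the four countermeasures on slide 4 can be put into numbers. The following is an added worked example, not code from the original slides; the PIN lengths, alphabet sizes, 10 ms per-attempt cost and lockout threshold are assumptions chosen for illustration.

```python
"""Added worked example (not from the original slides): putting numbers on the
four questions of slide 3 and the four countermeasures of slide 4.
All figures are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class BruteForceModel:
    key_length: int                      # how long the key/PIN is
    symbols_per_position: int            # values each component can take
    seconds_per_attempt: float           # time per guess, including any delay
    lockout_after: Optional[int] = None  # failed attempts before lockout

    def keyspace(self) -> int:
        """Distinct keys an attacker must try in the worst case."""
        return self.symbols_per_position ** self.key_length

    def seconds_to_exhaust(self) -> float:
        """Worst-case time to try every key (average success takes half)."""
        return self.keyspace() * self.seconds_per_attempt

    def success_probability(self) -> float:
        """Chance one lockout window finds the key. Without lockout the attack
        always succeeds eventually, as slide 4 says."""
        if self.lockout_after is None:
            return 1.0
        return min(1.0, self.lockout_after / self.keyspace())


def years_to_exhaust(model: BruteForceModel) -> float:
    return model.seconds_to_exhaust() / SECONDS_PER_YEAR


# Baseline: 4-digit numeric PIN, 10 ms per online attempt, no lockout.
BASELINE = BruteForceModel(4, 10, 0.01)
# Each slide-4 countermeasure layered on top of the previous one.
LONGER_PIN = BruteForceModel(6, 10, 0.01)          # PIN length 4 -> 6
WIDER_ALPHABET = BruteForceModel(6, 12, 0.01)      # digits plus '*' and '#'
WITH_DELAY = BruteForceModel(6, 12, 30.0)          # 30 s between failed attempts
WITH_LOCKOUT = BruteForceModel(6, 12, 30.0, 5)     # lockout after 5 failures

if __name__ == "__main__":
    for name, m in [("baseline", BASELINE), ("longer PIN", LONGER_PIN),
                    ("wider alphabet", WIDER_ALPHABET), ("30 s delay", WITH_DELAY),
                    ("lockout after 5", WITH_LOCKOUT)]:
        print(f"{name:16s} keyspace={m.keyspace():>10,d}  "
              f"exhaust={years_to_exhaust(m):12.6f} years  "
              f"P(success per lockout window)={m.success_probability():.2e}")
```

Run it and the baseline 4-digit PIN falls in under two minutes, while the 6-symbol PIN over 12 characters with a 30 s delay takes about 2.8 years to exhaust and, with lockout after 5 attempts, a single attacker window succeeds with probability of roughly 1.7e-6.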

Page 5: Brute force

Brute Forcing Log-in Credentials

- Most common type of attack in web applications.
- Default password databases or dictionaries
- "Word list attack" or "dictionary attack"

Page 6: Brute force

Reverse brute force attack

An attacker may try to guess a password alone or guess both the user name and the password. In the latter case the attacker might fix the user name and iterate through a list of possible passwords, or fix the password and iterate through a list of possible user names.

Uses: useful when the attacked system locks users out after a number of failed log-in attempts.
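Because the reverse attack spreads its failures across many accounts, a per-account lockout never fires; the signal is instead one source failing against many different accounts. The following is an added detection example, not part of the original slides; the log format, IP addresses and user names are constructed, and the thresholds of 5 failures per account and 5 distinct accounts per source are assumptions.

```python
"""Added example (not from the original slides): separating a classic brute force
attack (one account, many passwords) from a reverse brute force attack (one
password, many accounts) in authentication logs. Log lines are constructed."""
from collections import defaultdict

# Constructed sample log, one event per line: "<time> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:02 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:03 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:05 FAIL user=alice src=203.0.113.7
2024-01-01T10:01:00 FAIL user=bob src=198.51.100.9
2024-01-01T10:01:01 FAIL user=carol src=198.51.100.9
2024-01-01T10:01:02 FAIL user=dave src=198.51.100.9
2024-01-01T10:01:03 FAIL user=erin src=198.51.100.9
2024-01-01T10:01:04 FAIL user=frank src=198.51.100.9
2024-01-01T10:02:00 FAIL user=heidi src=192.0.2.3
2024-01-01T10:02:30 OK user=heidi src=192.0.2.3
"""

def parse(log: str) -> list:
    """Return (time, result, user, src) tuples from the constructed format above."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((ts, result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def classify_sources(log: str, lockout_after: int = 5, spray_accounts: int = 5) -> dict:
    """Map each source IP to a verdict. 'brute-force': one account hit the
    per-account lockout threshold; 'reverse-brute-force': failures spread over
    many accounts while each stays below the threshold (how the reverse attack
    on slide 6 sidesteps per-account lockout); 'normal': anything else."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    for _, result, user, src in parse(log):
        if result == "FAIL":
            fails[src][user] += 1
    verdicts = {}
    for src, by_user in fails.items():
        if max(by_user.values()) >= lockout_after:
            verdicts[src] = "brute-force"
        elif len(by_user) >= spray_accounts:
            verdicts[src] = "reverse-brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts
```

Note that the second source never exceeds one failure per account, so a lockout rule alone would miss it; only the per-source count of distinct accounts exposes it.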

Page 7: Brute force

Brute Forcing Session Identifiers

Since HTTP is a stateless protocol, in order to maintain state web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.

Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information, the attack is referred to as a session prediction attack.

Page 8: Brute force

Brute Forcing Directories and Files

When files reside in directories that are served by the web server but are not linked anywhere, accessing those files requires knowing their file name. In some cases those files have been left by mistake: for example a backup file automatically created when editing a file, or leftovers from an older version of the web application. In other cases files are intentionally left unlinked as a "security by obscurity" mechanism allowing only people who know the file names to access them.

A brute force attack tries to locate the unlinked file by trying to access a large number of files. The list of attempted file names might be taken from a list of known potential files or based on variants of the visible files on the web site. More information on brute forcing directories and files can be found in the associated vulnerability, predictable resource location.

Page 9: Brute force

Brute Forcing Credit Card Information

Shopping online with stolen credit cards usually requires information in addition to the credit card number, most often the CVV/CSC [6] and/or expiration date. A fraudster may hold a stolen credit card number without the additional information. For example the CVV/CSC is not imprinted on the card or stored on the magnetic stripe, so it cannot be collected by mechanical or magnetic credit card swiping devices.

In order to fill in the missing information the hacker can guess the missing information using a brute force technique, trying all possible values.

Guessing the CVV/CSC requires only 1000 or 10000 attempts as the number is only 3 or 4 digits, depending on the card type.

Guessing an expiration date requires only several dozen attempts.

Page 10: Brute force

Password retrieval information attack

Brute force attacks are by no means limited to the scenarios described above. For example, a password reminder feature may enable a user to retrieve a forgotten password by providing a personal detail known just to him. However, if the personal detail is "favorite color" then an attacker can use a brute force attack to retrieve the password, as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color, so even if the attacker is locked out after three attempts, that would still enable the attacker to retrieve a fair number of passwords.

Page 11: Brute force

Target of an attack

- Found by examining the web service's catalogue structure.
- Targets of an attack are data in forms (GET/POST).
- Targets of an attack are users' Session-IDs.

Page 12: Brute force

Example (Session ID)

Consider the URL

http://greetings.acme-hackme.com/view/9BA54003218827622

Unique Session ID for each greeting card. Using brute force applications, attackers may try thousands of session IDs embedded in a legitimate URL in an attempt to view greeting cards that they are not authorized to view.

Page 13: Brute force

Example (Object ID)

Consider the URL:

http://www.acme-hackme.com/online/Displaymsg.asp?msgID=12345

In this example, the dynamic page requested by the browser is called Displaymsg.asp and the browser sends the Web server the parameter msgID with a value of 12345. An attacker may try brute force values for msgID to try and read other users' messages.
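The session-ID guessing of slides 7 and 12 and the msgID guessing of slide 13 have two server-side answers: session identifiers drawn from a space far too large to enumerate, and an ownership check on every object the browser names. The following is an added example, not code from the original slides or from the acme-hackme site; the in-memory message store, user names and the 128-bit session ID length are constructed assumptions.

```python
"""Added example (not from the original slides): the server-side defences
against the guessing on slides 7, 12 and 13. Session IDs come from a space
far too large to enumerate, and a guessed msgID still fails an ownership
check. All names, IDs and messages are constructed for illustration."""
import math
import secrets
from typing import Optional

SESSION_ID_BYTES = 16   # 128 bits of randomness per session ID

def new_session_id() -> str:
    """Unpredictable session identifier: 32 hex chars from the OS CSPRNG."""
    return secrets.token_hex(SESSION_ID_BYTES)

def id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker has to guess when every position is uniformly random.
    The 17-hex-char ID on slide 12 would be 68 bits if generated that way;
    a counter-based ID has far fewer, whatever its length."""
    return length * math.log2(alphabet_size)

def expected_guesses(entropy_bits: float, live_sessions: int = 1) -> float:
    """Average guesses to hit any one of `live_sessions` valid IDs."""
    return 2 ** entropy_bits / (2 * live_sessions)

# Constructed message store: msgID -> (owner, text). IDs are sequential, as in
# Displaymsg.asp?msgID=12345, so the fix has to be the authorization check.
MESSAGES = {12345: ("alice", "hello alice"), 12346: ("bob", "bob's private note")}
SESSIONS: dict = {}   # session_id -> user name

def login(user: str) -> str:
    sid = new_session_id()
    SESSIONS[sid] = user
    return sid

def display_msg_vulnerable(msg_id: int) -> Optional[str]:
    """Slide 13 as written: whatever msgID the browser sends is served."""
    row = MESSAGES.get(msg_id)
    return row[1] if row else None

def display_msg(session_id: str, msg_id: int) -> Optional[str]:
    """Hardened: resolve the caller from the session, then enforce ownership.
    Another user's msgID returns None exactly like a missing one, so the
    response does not reveal which IDs exist."""
    user = SESSIONS.get(session_id)
    row = MESSAGES.get(msg_id)
    if user is None or row is None or row[0] != user:
        return None
    return row[1]
```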

Page 14: Brute force

Advantages and Disadvantages

Advantages
- The chance of finding the password is quite high, since the attack tries so many possible answers.
- It is a fairly simplistic attack that doesn't require a lot of work to set up or initiate.

Disadvantages
- Hardware intensive: consumes lots of processing power.
- Extends the amount of time needed to crack the code by a huge margin.

Page 15: Brute force

Tools

Brutus

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.

Platform: Windows

THC-Hydra

This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP, NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus.

Platform: UNIX

Page 16: Brute force

TSGrinder

TSGrinder is the first production Terminal Server brute force tool. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.

Platform: Windows

Page 17: Brute force

Bibliography

[2] "Brute-Force Exploitation of Web Application Session ID's", David Endler, iDEFENSE Labs. http://www.cgisecurity.com/lib/SessionIDs.pdf
[3] "Brute force attack incidents", the Web Hacking Incidents Database. http://whid.webappsec.org/whid-list/Brute%20Force
[4] Credential/Session Prediction. http://projects.webappsec.org/Credential-and-Session-Prediction
[5] Predictable Resource Location. http://projects.webappsec.org/Predictable-Resource-Location
[6] "Card Security Code", Wikipedia. http://en.wikipedia.org/wiki/Card_Verification_Value
[7] "Color Assignment, Favorite Color", Joe Hallock. http://www.joehallock.com/edu/COM498/preferences.html

Page 18: Brute force

THANK YOU