29 Nov 2017
The Versatility of Brute Force Hacking: 3 Criminal Uses
Brute force hacking is one of the simplest methods of gaining access to a server network. Broadly stated, software is used to automatically guess inputs until access is achieved. Thanks to the speed of today's computer and server hardware, this crude method is highly effective at penetrating networks with lax cyber security.
Because poor security practices will not go away anytime soon, brute force hacking will continue to be effective for the foreseeable future. Given unlimited guesses, the method cannot fail, and it is also versatile. Here are three different ways cyber criminals are putting this technique to use:
Guessing Login Page Credentials
Brute forcing passwords amounts to trying lists of common passwords, together with permutations of the words and names people commonly build passwords from. If this fails, all possible combinations of characters are tried until a successful login is achieved.
Strong passwords would require years to crack via brute force and should render the method impractical. However, people aren't good at generating strong yet memorable passwords and will resort to choices that are based on words and names, which are easily guessed.
Limiting login attempts from a specific IP address could reduce the effectiveness of a brute force attack. However, too many people lack the security awareness even to think of this. In addition, hackers can get around it by spreading the attempts across many IP addresses and sending only a few requests from each.
Cracking Hashed Passwords
Passwords are typically stored on servers in hashed form. Password hashing is essentially a one-way transformation: computing the hash of a password is easy, while recovering the password from its hash is practically impossible. When a user logs in, the submitted password is hashed and compared with the hash stored on the server. If the two agree, access is allowed.
When hackers break into a server through a software weakness, they often use the brute force technique to crack the hashed passwords stored there. The guessing is similar to that used against login pages (as discussed above), except that no HTTP requests to the server are needed. They need only hash each guess and compare it against the list of stored hashes until a match is found; the guess that produces a match is the password. To protect against this technique, salted hashes should be used.
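The contrast the last two sentences draw, shown as an added example (not code from the original post): an unsalted fast hash, where every account that chose the same password stores the same value, beside a per-user salted and deliberately slow derivation. The PBKDF2 work factor, salt length and sample password are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are this example's assumptions, not figures from the article.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Weak scheme: a fast hash with no salt. Equal passwords give equal digests,
    so a guess hashed once can be compared against every user's stored record."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Corrected scheme: a random per-user salt plus a deliberately slow key
    derivation (PBKDF2-HMAC-SHA256). Returns 'pbkdf2_sha256$rounds$salt$digest'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and round count stored in the record and compare
    in constant time; a malformed or foreign record simply fails verification."""
    try:
        algorithm, rounds, salt_hex, digest_hex = record.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(rounds)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)

def same_stored_value(password: str, hasher) -> bool:
    """True when two accounts that chose the same password end up with identical
    stored values, which is what lets one guess be checked against all users."""
    return hasher(password) == hasher(password)

if __name__ == "__main__":
    pw = "Winter2017"  # constructed sample password shared by two accounts
    print("unsalted records identical:", same_stored_value(pw, unsalted_hash))  # True
    print("salted records identical:  ", same_stored_value(pw, hash_password))  # False
    record = hash_password(pw)
    print("correct password verifies:", verify_password(pw, record))  # True
    print("wrong password verifies:  ", verify_password("winter2017", record))  # False
```

With salts, a cracker must repeat the slow derivation once per guess per account instead of once per guess for the whole table.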
Cracking Concealed Web Pages
This involves repeatedly guessing URLs until an actual web page is returned. Hackers may study the URLs of pages meant for public viewing to discern patterns that narrow their guesses. In addition, by guessing file names with the appropriate extension, they may brute force their way to online documents such as spreadsheet files in order to obtain valuable information.
Brute force hacking is just one of many cyber threats faced by business owners. For more cyber security information and insights, contact us.