The term “brute force attack” denotes a cryptographic attack that systematically tries every possible combination from a given set and, in all probability, will at some point guess the correct value of a password, a username, a hash or a web path, much like a lottery drawing.
A classic brute force attack can be very time-consuming on its own, depending on the method used and the computing power the attacker has to provide. If the victim uses a long, complex and unique value, and mechanisms are in place that hinder continuous trial and error, success within an acceptable time becomes almost impossible.
Intentions behind a brute force attack
Brute force attacks appear in the early phases of a hacker attack and, in the “kill chain” model (a model describing the stages of cyber attacks), belong to the first phase, information gathering.
The aim of a brute force attack is not only possible access to further information or to the target’s identity or rights, but also the value obtained itself, in the form of a password, PIN, hash or username: it can be reused on other systems and also sold to third parties.
In the event of a brute force attack on a web server, for example, the attacker also focuses on finding hidden sub-pages in order to exploit any security gaps that may exist there.
In addition, the behavior of a target during a brute force attack can allow the attacker to draw conclusions about other possible attack vectors, such as the possibility of a buffer overflow or remote code execution.
Because of this, brute force attacks take place not only during hacker attacks, but also during stress tests of hardware and software, in order to check their robustness and correctness.
Suitable protective measures:
Always use passwords that meet the following conditions:
- lowercase and uppercase letters
- special characters
Remember that the more characters your password contains, the more difficult it is to crack.
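The following Python is an added example, not code from the original article. It puts numbers on the two points made above: how the search space grows with password length and character classes, and how a “mechanism that hinders continuous trial and error” (here, per-account exponential backoff before a salted PBKDF2 comparison) limits an online guesser to a few dozen attempts per day. The character-class sizes, the `ThrottledLogin` class and the backoff parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed sizes of the character classes used to estimate a password's search
# space: 26 letters per case, 10 digits, 33 printable ASCII symbols.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def search_space(length, classes):
    """Number of candidate passwords of the given length drawn from the given classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def expected_seconds(length, classes, guesses_per_second):
    """Expected time for an exhaustive search to hit a uniformly random password.

    On average the correct value turns up halfway through the space."""
    return search_space(length, classes) / 2 / guesses_per_second


def attempts_in_window(window_seconds, base_delay=1.0, max_delay=3600.0):
    """How many guesses the backoff schedule below admits within a time window.

    The first guess is free; each failure doubles the wait, capped at max_delay."""
    elapsed, attempts, delay = 0.0, 0, base_delay
    while elapsed <= window_seconds:
        attempts += 1
        elapsed += delay
        delay = min(delay * 2, max_delay)
    return attempts


class ThrottledLogin:
    """Hypothetical password check that doubles the mandatory wait after each failure.

    The secret is stored as a salted PBKDF2 hash, so the plaintext never lives in
    the object. `clock` is injectable so the backoff can be exercised without sleeping."""

    def __init__(self, password, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self._base_delay = base_delay
        self._max_delay = max_delay
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def attempt(self, guess):
        """Return 'ok', 'denied' or 'throttled'."""
        now = self._clock()
        if now < self.locked_until:
            # Refuse before even comparing: the guesser learns nothing and must
            # wait out the current backoff window.
            return "throttled"
        if hmac.compare_digest(self._derive(guess), self._hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        delay = min(self._base_delay * 2 ** (self.failures - 1), self._max_delay)
        self.locked_until = now + delay
        return "denied"


if __name__ == "__main__":
    # Offline guessing against a leaked hash at an assumed 10^9 guesses per second
    # versus online guessing against the throttled login over one day.
    for length, classes in [(8, ["lower"]), (12, ["lower", "upper", "digit", "special"])]:
        print(length, classes, f"{expected_seconds(length, classes, 1e9):.3g} s offline")
    print("online attempts per day with backoff:", attempts_in_window(86400))
```

The comparison the script prints is the point of the recommendation: eight lowercase letters fall to an offline search in under two minutes at a billion guesses per second, while twelve characters from all four classes take on the order of 10^14 seconds, and the backoff alone caps an online attacker at 35 guesses per account per day regardless of the password.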