# Brute Force Attacks
A trial-and-error method to find valuable information such as usernames, passwords, web page directories, or encryption keys.
The duration of the attack varies depending on the length of the sensitive data sought.
## Online Brute Force Attacks
Occur when the attacker and the victim are online at the same time.
### Passive Online
The attacker and victim are on the same network, but do not have direct contact with each other.
**Man in the middle**: the traffic is listened to and an attempt is made to capture sensitive information from it.
**Sniffing** attacks are effective if there is a connection and the network uses a device that broadcasts every packet to all ports. Hubs are a common example of this weakness.
Switches only forward traffic to the port of the target system, so sniffing is not effective with them.
### Active Online
The attacker communicates directly with the victim machine and makes the necessary attempts against the relevant service on it.
Advantageous for simple passwords, but does not work against strong passwords or systems with automatic account lockouts.
## Offline Brute Force Attacks
Used on previously captured encrypted/hashed data, so no active connection needs to be established or maintained with the victim machine. Typical sources of such data:
- packet capture on a wireless network
- packet capture with MITM
- hash dump from database with SQLi weakness
- SAM or NTDS.dit databases on Windows systems
### Dictionary Attacks
Common passwords can be found with dictionary attacks. Prepared dictionaries (wordlists) are available on the internet, or custom ones can be generated.
The candidate passwords are then tested against the target systems.
### Rainbow Table Attacks
The attacker compares pre-calculated hash tables against the password hash he/she wants to crack and obtains the password if there is a match.
The problem with this is obtaining the pre-calculated hashes: high processing power and a lot of disk space are needed to create a rainbow table covering all possibilities up to 8 characters alone. Salted hashes also defeat precomputed tables, since a separate table would be needed for every salt value.
# Vulnerable Protocols/Services
- webapp login pages
- rdp services
- ssh services
- mail server login pages
- ldap services
- database services
- web application home directories
- dns servers
# Tools Used in Brute Force Attacks
Aircrack-ng
- Wi-Fi cracking of 802.11a/b/g WEP/WPA
- 40-, 104-, 256- and 512-bit WEP keys can be cracked once enough packets have been captured
- WPA1/2 can be cracked with advanced methods or brute force
John The Ripper
- helps find weak passwords
- can be configured to automatically mail users to alert them to weak passwords
L0phtCrack
- cracks windows passwords
- rainbow tables, dictionaries, multiprocessor algorithms
Hashcat
- 5 unique modes of attack
- 300 highly optimized hashing algorithms
- supports cpus, gpus, other hardware accelerators
- linux only
- can distribute the password cracking
Ncrack
- network auth cracker
- used on windows, linux, bsd
- helps test all hosts and networking devices for poor passwords
Hydra
- parallelized login cracker
- fast and flexible
- easy to add new modules
# How to Avoid Brute Force Attacks
Password Protection
- never use information that can be found online
- have as many characters as possible to create entropy
- combine alphanumeric characters and symbols
- 8 characters is the absolute minimum
- different password for each account
- avoid patterns
## Policies
Lock Policy
- after a certain number of failed attempts, lock the account so that only the admin can unlock it
Progressive delays
- lock accounts for a limited time after a certain number of failed logins
- require a CAPTCHA (e.g. reCAPTCHA) after repeated failures
Strong Password Policies
- define long and complex passwords
- force users to change password periodically (obsolete)
2FA
- sms
- mail
- token
- push notification
# Detection
Typically, rules are defined on SIEM systems to detect brute force attacks. Consider how many unsuccessful login attempts are made for a user within a given period of time.
## SSH Detection
Simple passwords can be cracked by SSH brute forcing.
View the log
- /var/log/auth.log.1
- `grep "Failed password" /var/log/auth.log.1 | cut -d " " -f10 | sort | uniq -c | sort -n`
  - shows the accounts that were attempted, with attempt counts
- `grep "Failed password" /var/log/auth.log.1 | cut -d " " -f12 | sort | uniq -c | sort -n`
  - shows the IP addresses that made the attempts, with attempt counts
- `grep "Accepted password" /var/log/auth.log.1`
  - check the attacked accounts for successful attempts
- note: the `cut` field numbers depend on the log format (timestamp style, and whether the line says `for USER` or `for invalid user USER`), so verify them against a sample line first
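The same analysis as the grep/cut pipeline above, as an added example (not part of the original notes): it parses both the `for USER` and `for invalid user USER` line forms with one regex, counts failures per source IP inside a time window, and flags an accepted login from a flagged IP after the burst. The log lines are constructed samples; the syslog year is assumed because auth.log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog auth.log format (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:01:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Mar  3 10:01:03 srv sshd[1202]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar  3 10:01:05 srv sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50113 ssh2
Mar  3 10:01:07 srv sshd[1204]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar  3 10:01:09 srv sshd[1205]: Failed password for root from 203.0.113.7 port 50115 ssh2
Mar  3 10:01:12 srv sshd[1206]: Accepted password for root from 203.0.113.7 port 50116 ssh2
Mar  3 11:30:00 srv sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 11:45:00 srv sshd[1301]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

# One regex covers "for USER" and "for invalid user USER", so cut field positions do not matter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples; year is assumed (syslog has none)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(events, threshold=4, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failures inside a sliding window, and report any
    accepted login from a flagged IP that follows the burst (possible compromise)."""
    failures = defaultdict(list)
    flagged, compromised = set(), []
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            compromised.append((user, ip))
    return flagged, compromised

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```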
## HTTP Login Detection
Typically dictionary attacks on the login page.
Open the log with Sublime or a similar text editor that can handle massive log files.
Look for the difference in response sizes between failed and successful login attempts, as well as the number of requests made in a defined period of time.
## Windows Login Detection
Find Event ID 4624 (An account was successfully logged on)
Using ID values makes it easier to analyze
Go to Event Viewer
- Windows Logs
- Security log
- filter for 4624 (or the intended value)
- Logon Type (field)
  - value 10 indicates a logon via RDP (RemoteInteractive)
## RDP Brute Force Detection
Unsuccessful logins
- Event ID 4625
Check the Account Name that corresponds with the 4625 events
- filter for 4624 to check for a successful logon with the same account name