There are many extremely technical and sophisticated hacks out there. As you might be able to guess from the name, a brute-force attack, isn’t really all that. That isn’t to say that you should ignore them. As unsophisticated as they are, they can be very effective. Given enough time and processing power, a brute-force attack should always have a 100% success rate.
Sub-classes
There are two main sub-classes: online and offline attacks. An online brute-force attack doesn’t necessarily involve the Internet. Instead, it is a class of attack that directly targets the running system. An offline attack can be performed without needing to interact with the system that’s under attack.
But how can you attack a system without attacking the system? Well, data breaches often contain lists of leaked usernames and passwords. Security advice though, recommends that passwords are stored in a hashed format. These hashes can only be cracked by guessing the right password. Unfortunately, now that the list of hashes is publicly available, an attacker can just download the list and try to crack them on their own computer. With enough time and processing power, this lets them know a list of valid usernames and passwords with 100% certainty before ever connecting to the affected site.
An online attack in comparison would try logging into the website directly. Not only is this a lot slower, but it’s also noticeable by pretty much any system owner that cares to look. As such, offline brute-force attacks are typically preferred by attackers. Sometimes, however, they may not be possible.
Brute-forcing credentials
The easiest class to understand and the most common threat is brute-forcing login details. In this scenario, an attacker literally tries as many combinations of usernames and passwords as possible to see what works. As covered above, in an online brute-force attack, the attacker may simply try entering as many combinations of username and password into the login form. This sort of attack generates a lot of traffic and failed login attempt errors which may be noticed by a system administrator who then may take action to block the attacker.
An offline brute-force attack revolves around cracking password hashes. This process literally takes the form of guessing every possible combination of characters. Given enough time and processing power, it would successfully crack any password using any hashing scheme. Modern hashing schemes designed for password hashing, however, have been designed to be “slow” and are typically tuned to take tens of milliseconds. This means that even with a huge amount of processing power, it will take many billions of years to crack a decently long password.
To try to increase the odds of cracking most passwords, hackers tend to use dictionary attacks instead. This involves trying a list of commonly used or previously cracked passwords to see if any in the current set have already been seen. Despite security advice to use unique, long, and complex passwords for everything, this strategy of a dictionary attack is typically very successful cracking roughly 75-95% of passwords. This strategy still takes lots of processing power and is still a type of brute-force attack, it’s just slightly more targeted than a standard brute-force attack.
Other types of brute-force attack
There are many other ways to use brute-force. Some attacks involve trying to gain physical access to a device or system. Typically an attacker will try to be stealthy about it. For example, they may try to stealthily pick-pocket a phone, they may try to pick a lock, or they may tailgate through an access-controlled door. Brute-force alternatives to these tend to be very literal, using actual physical force.
In some cases, some of a secret may be known. A brute-force attack can be used to guess the rest of it. For example, a few digits of your credit card number are often printed on receipts. An attacker could try all possible combinations of other numbers to work out your full card number. This is why most numbers are blanked out. The last four digits, for example, are enough to identify your card, but not enough for an attacker to have a decent chance of guessing the rest of the card number.
DDOS attacks are a type of brute-force attack. They aim to overwhelm the targeted system’s resources. It doesn’t really matter which resource. it could be CPU power, network bandwidth, or reaching a cloud processing price cap. DDOS attacks literally just involve sending enough network traffic to overwhelm the victim. It doesn’t actually “hack” anything.
Conclusion
A brute-force attack is a type of attack that involves relying on sheer luck, time, and effort. There are plenty of different types of brute-force attack. While some of them can involve somewhat sophisticated tools to carry out such as password-cracking software, the attack itself is not sophisticated. This does not mean that brute-force attacks are paper tigers though, as the concept can be very effective.
