Brute Force Attacks

March 11, 2021

What is a Brute Force Attack?

In a brute force attack, a threat actor tries to gain access to sensitive data and systems by systematically trying as many combinations of usernames and guessed passwords as possible. If successful, the actor can enter the system masquerading as the legitimate user and remain inside until they are detected. They use this time to move laterally, install back doors, gain knowledge about the system to use in future attacks, and, of course, steal data.

Brute force attacks have been around as long as there have been passwords. They not only remain popular, but are on the rise due to the shift to remote work.

Prior to the global COVID-19 pandemic, most employees worked in offices with infrastructures that were monitored by security controls. Now that so many employees are using their own devices and networks to connect to their corporate networks, attackers are focusing on remote desktop protocol (RDP) and other remote access services as attack vectors. RDP is a particularly popular way to deliver ransomware, such as Maze.

Why Hackers Use Brute Force Attacks

Attackers can use brute force attacks to steal sensitive data, spread malware, hijack systems for malicious purposes, make websites unavailable, profit from ads, reroute website traffic to commissioned ad sites, and infect sites with spyware in order to collect data to sell to advertisers.

The level of technological skill required to launch a credential stuffing attack is extremely low, as is the cost. For as little as $550, anyone with a computer can launch a credential stuffing attack.

How Does a Brute Force Attack Work?

Adversaries use automated tools to execute brute force attacks, and those lacking the skill to build their own can purchase them on the dark web in the form of malware kits. They can also purchase data such as leaked credentials that can be used as part of a credential stuffing or hybrid brute force attack. These lists may be offered as part of a package, in which the seller includes the lists along with the automated tools, as well as other value-adds, such management consoles.

Once the attacker sets up their tools and seeds them with the lists, if relevant, the attack begins.

Brute force attacks can be conducted with botnets. Botnets are systems of hijacked computers that provide processing power without the consent or knowledge of the legitimate user. Like the malware kits mentioned above, bot kits can also be purchased on the dark web. Last year, a botnet was used to breach SSH servers belonging to banks, medical centers, educational institutions, and others.

Brute force attacks are resource-intensive, but effective. They may also be the first part of a multi-stage attack. An example of this is explained in detail on the CrowdStrike blog, examining a case where a brute force attack was part of a multi-step exploit that enabled unauthenticated privilege escalation to full domain privileges.

Types of brute force attacks

Simple brute force attack

A simple brute force attack uses automation and scripts to guess passwords. Typical brute force attacks make a few hundred guesses every second. Simple passwords, such as those lacking a mix of upper- and lowercase letters and those using common expressions like ‘123456’ or ‘password,’ can be cracked in minutes. However, the potential exists to increase that speed by orders of magnitude. All the way back in 2012, a researcher used a computer cluster to guess up to 350 billion passwords per second.

Dictionary Attack

A dictionary attack tries combinations of common words and phrases. Originally, dictionary attacks used words from a dictionary as well as numbers, but today dictionary attacks also use passwords that have been leaked by earlier data breaches. These leaked passwords are available for sale on the dark web and can even be found for free on the regular web.

Dictionary software is available that substitutes similar characters to create new guesses. For example, the software will replace a lowercase “l” with a capital “I” or a lowercase “a” with an “@” sign. The software only tries the combinations its logic says are most likely to succeed.

Credential Stuffing

Over the years, more than 8.5 billion usernames and passwords have been leaked. These stolen credentials are sold between bad actors on the dark web and used in everything from spam to account takeovers.

A credential stuffing attack uses these stolen login combinations across a multitude of sites. Credential stuffing works because people tend to re-use their login names and passwords repeatedly, so if a hacker gets access to a person’s account with an electric company, there is an excellent chance those same credentials will provide access to that person’s online bank account as well.

Gaming, media, and retail businesses tend to be favorite targets, but credential stuffing attacks are commonly launched against all industries.

Reverse Brute Force Attack

In a regular brute force attack, the attacker starts with a known key, usually a username or account number. Then they use automation tools to figure out the matching password. In a reverse brute force attack, the attacker knows the password and needs to find the username or account number.

Hybrid Brute Force Attack

A hybrid brute force attack combines a dictionary attack and a brute force attack. People often tack a series of numbers – typically four – onto the end of their password. Those four numbers are usually a year that was significant to them, such as birth or graduation, and so the first number is normally a 1 or a 2.

In a reverse brute force attack, attackers use the dictionary attack to provide the words and then automate a brute force attack on the last part – the four numbers. This is a more efficient approach than using a dictionary attack alone or a brute force attack alone.

Password Spraying

Traditional brute force attacks try to guess the password for a single account. Password spraying takes the opposite approach and tries to apply one common password to many accounts. This approach avoids getting caught by lockout policies that limit the number of password attempts. Password spraying is typically used against targets with single sign-on (SSO) and cloud-based apps that use federated authentication.


A brute force attack is a numbers game, and it takes a lot of computing power to execute at scale. By deploying networks of hijacked computers to execute the attack algorithm, attackers can save themselves the cost and hassles of running their own systems. In addition, the use of botnets adds an extra layer of anonymity. Botnets can be used in any type of brute force attack.

Tools Used for Brute Force Attacks

Tools, many free, are available on the open internet that work against a wide variety of platforms and protocols. Here are just a few:

  • Aircrack-ng: Aircrack-ng is a brute force wifi password tool that is available for free. It comes with WEP/WPA/WPA2-PSK cracker and analysis tools to perform attacks on Wi-Fi 802.11 and can be used for any NIC that supports raw monitoring mode.
  • DaveGrohl: DaveGrohl is a brute forcing tool for Mac OS X that supports dictionary attacks. It has a distributed mode that enables an attacker to execute attacks from multiple computers on the same password hash.
  • Hashcat: Hashcat is a CPU-based password cracking tool available for free. It works on Windows, Mac OS, and Linux systems, and works in many types of attacks, including simple brute force, dictionary, and hybrid.
  • THC Hydra: THC Hydra cracks passwords of network authentications. It performs dictionary attacks against more than 30 protocols, including HTTPS, FTP, and Telnet.
  • John the Ripper: This is a free password-cracking tool that was developed for Unix systems. It is now available for 15 other platforms, including Windows, OpenVMS, and DOS. John the Ripper automatically detects the type of hashing used in a password, so it can be run against encrypted password storage.
  • L0phtCrack: L0phtCrack is used in simple brute force, dictionary, hybrid, and rainbow table attacks to crack Windows passwords.
  • NL Brute: An RDP brute-forcing tool that has been available on the dark web since at least 2016.
  • Ophcrack: Ophcrack is a free, open source Windows password cracking tool. It uses LM hashes through rainbow tables.
  • Rainbow Crack: Rainbow Crack generates rainbow tables to use while executing an attack. Rainbow tables are pre-computed and so reduce the time required to perform an attack.

How to Protect Against Brute force Attacks

Use multifactor authentication

When users are required to offer more than one form of authentication, such as both a password and a fingerprint or a password and a one-time security token, a brute force attack is less likely to succeed.

Implement IT hygiene

Gain visibility into the use of credentials across the environment  and require passwords to be changed regularly.

Set up policies that reject weak passwords

Longer passwords are not always better. What really helps is to require a mix of upper- and lowercase letters mixed with special characters. Educate users on best password practices, such as avoiding adding four numbers at the end and avoiding common numbers, such those beginning with 1 or 2. Provide a password management tool to prevent users from resorting to easily-remembered passwords and use a discovery tool that exposes default passwords on devices that haven’t been changed.

Implement proactive threat hunting

Threat hunting can expose the types of attacks that standard security measures can miss. If a brute force attack has been used to successfully enter the system, a threat hunter can detect the attack even though it’s operating under the guise of legitimate credentials.