Brute Force Attack
dvtimes
03-04-07, 05:47 PM
What is a Brute Force Attack?
I have had a message saying someone is trying to do this to one of my sites but with no luck.
What is it?
http://en.wikipedia.org/wiki/Brute_force_attack
redwhiteandblue
03-04-07, 06:14 PM
They may mean the Brutus password cracker, which someone in Portugal attacked our paysite with the other day but didn't get anywhere.
Brute force is basically a computer proggy that will try every possible combination of characters to get a password. It's mathematical and can take days, or weeks to run.
There was a brute force thing for Vista announced yesterday, and a full crack for getting it authorised released today according to digg.com
You can protect yourself from them relatively easily - either by using random usernames/passwords, or having security software such as Proxypass or Strongbox installed.
Do you know how proxypass or strongbox can guard against brute force?
Just curious as to how it works...
Never used them but I would hope they would do something like lock out a username based on multiple unsuccessful login attempts.
I haven't used strongbox - but first off...it makes the login manual (no popup) and adds a random security word, which would put off most bruteforce attempts in itself. Furthermore it has some sort of multiple IP/Proxy detection.
Proxypass works with a popup still...but protects by putting temporary bans on IPs/proxies/usernames, that are trying to break in.
Here is what Proxypass says themselves:
Brute-Force Password Cracking
Cracking attacks often target common usernames (i.e. dictionary attacks) along with sheer brute-force combinations (i.e. aaa, aab, aac, etc.) But the real problem is not "who" is being cracked so much as "where" the crack is coming from. Modern, automated cracking programs tunnel their username/password guesses through open proxy servers, cracked drone machines at their disposal, or 'friendly,' collaborative cracker rings, all the while appearing as a different, new, IP address. Not only are these attacks especially damaging because of their automated, unrelenting nature, but also because the cracker's chance of a successful password breach increases proportionally with the number of unique IPs at their disposal. Simply put, more open proxies, larger cracking peer-to-peer networks, and more drone machines all mean better chance of success for the password cracker.
Password Sharing & Bursted Content "Scraping"
Legitimate account usage and bandwidth consumption management pose additional problems for the secure-content webmaster beyond that of the actual cracking attack. Consider that a password has been broken in the past, an unscrupulous member has posted to a warez site, or a network sniffer has snooped the user/pass combo for an unsuspecting account holder (i.e. basic HTTP credentials are passed "in-the-clear"). In all such cases, the $$ lost to stolen content and increased bandwidth consumption can add up quickly. In addition, fly-by-night members who sign up for a secure account, rapidly download all content, and then cancel or charge-back their membership cause further bandwidth spikes and management headaches.
I see, thank you!
Should have just gone to their websites myself really!
Cheers
D
I've seen a proggie that can easily brute force strongbox sites, almost like regular pop-up sites. Damn crackers :(
Cardinal_Sin
03-04-07, 09:09 PM
Easy way to defend your password file against brute force is to create a double entry: Users add their user/pass and you only load a blank php/html page - Then they are asked to add their user combo again for images to load -
A brute force programme will move on to its next combo when asked to re-add the user/pass whether it was right or wrong -
I use this system - Nothing better.
Most script kiddies use off the shelf BF tools to crack for passwords, 97% of them target finger box protected members areas.
Using form fill user/pass html pages for members access such as the ones on strongbox and so on knocks out 97% of the yoyo's & just leaves the 3% that use exploits to try and crack in.
-N
Easy way to defend your password file against brute force is to create a double entry: Users add their user/pass and you only load a blank php/html page - Then they are asked to add their user combo again for images to load -
A brute force programme will move on to its next combo when asked to re-add the user/pass whether it was right or wrong -
I use this system - Nothing better.
That's clever!
I've seen a proggie that can easily brute force strongbox sites, almost like regular pop-up sites. Damn crackers :(
No one on any of the popular cracker sites seems to have figured anything out yet, at
least not that I've seen monitoring the cracker boards. One well known cracker got close
to getting past part of the Strongbox system with some software he wrote specifically for
Strongbox before we got him on our side, so I'd be VERY interested in hearing more about
what you've seen if you've ever actually seen a Strongbox site cracked. Even a $5,000
reward offer on the big cracker forums didn't bring any takers, so this is very interesting if
you've actually seen anything like this. Please shoot me an email at support@bettercgi.com
or call me at 1-979-530-1300 and tell me more. Thanks so much.
defo go for strongbox or proxypass both are good.
Cracking member pages which use form fill user/pass logins:
There are now off-the-shelf brute force programs like
Http-Bugger and CForce, etc specifically designed to
handle straight form login formats. Others are in beta-testing
to handle random security code logins as well. So, given a
tested proxy list and good wordlist, those sites may present
much less of a challenge now.
How to protect against brute force attacks:
Phantom Frog does have brute force attack protection.
If there are too many 401 errors on an IP address, the IP address
will get blocked. If the IP address has been associated with brute force,
we remember/block the IP address.
The key to stopping the brute force attack is this: if they do
get a password Phantom Frog catches the abused password almost
immediately using High Resolution GeoGraphic tracking .... pretty
soon the hackers get frustrated and go somewhere else.
Concerning Another Solution:
Phantom Frog is the only system which uses Geo-IP Tracking which
pinpoints the exact geographic location (down to the city) of all
visits to your protected member's area. Geo-IP tracking detects
password abuse by location and time, anywhere in the world, and
faster than any product on the market. We detect that the same
password was used in L.A. and NYC. We nail it instantly, allowing
for the possibility of legitimate travel.
Bottom Line: Phantom Frog will not even allow low-profile UNAUTHORIZED
password sharing by even 2 people.
Phantom Frog offers an Automated Member Support (AMS) optional service.
In addition to blocking an abused password, Phantom Frog automatically issues a new password. Your valid member can instantly retrieve his password while all others are denied access. This provides 24/7 access to the legitimate users and NONE to the hackers and leechers.
Phantom Frog has stellar webmaster references and we
offer a FREE Trial which installs in under 5 minutes!
Please realize, DVtimes (originator of this thread) is a client of
PhantomFrog which is precisely how he's being properly notified about
brute force attacks.
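A minimal version of the location-and-time check described in this post, as an added example that is not part of the thread and not Phantom Frog's code. The speed ceiling, the minimum distance, the member names and the already-resolved coordinates (a GeoIP lookup is assumed to have happened upstream) are all assumptions.

```python
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0   # assumed ceiling, roughly airliner speed: allows legitimate travel
MIN_KM = 100.0    # assumed floor: ignore hops inside one metro area or ISP pool

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def shared_credentials(logins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """logins: (unix_ts, username, city, (lat, lon)) tuples in time order.
    Returns (username, previous_city, city) for every physically implausible hop."""
    last_seen, flagged = {}, []
    for ts, user, city, pos in logins:
        if user in last_seen:
            prev_ts, prev_city, prev_pos = last_seen[user]
            dist = km_between(prev_pos, pos)
            hours = max(ts - prev_ts, 1) / 3600.0   # avoid division by zero
            if dist > min_km and dist / hours > max_kmh:
                flagged.append((user, prev_city, city))
        last_seen[user] = (ts, city, pos)
    return flagged

# Constructed sample logins (not real data).
LA, LONG_BEACH, NYC = (34.05, -118.24), (33.77, -118.19), (40.71, -74.01)
LOGINS = [
    (0,     "member1", "Los Angeles", LA),
    (0,     "member2", "Los Angeles", LA),
    (60,    "member3", "Los Angeles", LA),
    (120,   "member3", "Long Beach",  LONG_BEACH),  # nearby: not flagged
    (1800,  "member1", "New York",    NYC),         # 30 minutes later: flagged
    (28800, "member2", "New York",    NYC),         # 8 hours later: plausible flight
]
```
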
No one on any of the popular cracker sites seems to have figured anything out yet, at
least not that I've seen monitoring the cracker boards. One well known cracker got close
to getting past part of the Strongbox system with some software he wrote specifically for
Strongbox before we got him on our side, so I'd be VERY interested in hearing more about
what you've seen if you've ever actually seen a Strongbox site cracked. Even a $5,000
reward offer on the big cracker forums didn't bring any takers, so this is very interesting if
you've actually seen anything like this. Please shoot me an email at support@bettercgi.com
or call me at 1-979-530-1300 and tell me more. Thanks so much.
I've seen a proggie called "OCR", you can find that available on the web, only a small group of trusted people (trusted by the author of that proggie) have a chance to get a copy, and that is only after you prove your skill in cracking/exploiting :) I've seen that proggie at work, it is slow but can crack strongbox sites. It is not a major threat, coz there is a small number of skilled people that can properly use that proggie, and a small number of people have access to that proggie
easiest way to protect your membership area is to use generated passes, it is hard to guess, so 95% of so-called crackers have a chance close to zero to break your site, and to reduce the threat even more, you need to use the latest versions of scripts for your site/server
This is very true - letting users choose their own passwords greatly increases the risk of a
successful dictionary attack. This also includes you, the webmaster. On about 10% of sites
I can get in by guessing the webmaster's user name and password. That's why we made
this script to generate user names and passwords that aren't found in the dictionary, yet are
fairly easy to remember:
http://bettercgi.com/strongbox/passgen/
I have had a message saying someone is trying to do this to one of my sites but with no luck.
LOL, what sort of person tries to brute force a site and when they can't emails the owner complaining :takethat:
Thursby
03-07-07, 01:08 PM
Is anyone using a Turing Test - you know the script generated graphic of letters and/or numbers that users transcribe into a form field as an additional road-block? Or are they considered just too damned annoying?
Strongbox uses a Turing image that is pretty clear, and always an English word, so it's
easy to see what it is, as opposed to the very difficult to read random characters like Yahoo's,
which IS annoying.
Thursby
03-07-07, 05:29 PM
Interesting - it obviously works but the underlying issue with using a real word is that a dictionary attack is simplified. Whereas something random - whilst potentially annoying - may be more robust.
There is certainly some truth to that idea, mainly if the Turing was the only mechanism being
used to prevent dictionary attack, but in regards to Strongbox at least I think the words are
very effective. If it chooses from a couple thousand words it would at first seem that it
makes a dictionary attack only a couple thousand times harder than without the Turing.
That, however, fails to take into account the fact that Strongbox isn't going to just sit there
and let them guess. Instead, Strongbox will block their IP after the first several attempts
if the user name, password, and Turing don't all match. The odds of getting all three right
before the IP is blocked are extremely low.
Assume for a moment a site with tens of thousands of users, so there are lots of valid
user/pass combinations. Let's say there is a 1/1,000 chance of guessing a correct user name.
Let's say that if the user name is correct there is a 1/5,000 chance of guessing the matching
password because users are allowed to choose their own passwords.
Further, assume that few Turing words are possible, so there is a 1/350 chance of getting
the word right. To get the odds of getting into the site, you have to MULTIPLY all of the odds.
The odds of getting all three right would be 1 in 1,750,000,000. That's one chance in
nearly 2 BILLION.
Even if the attacker had millions of proxies to use so he didn't have to worry about them
getting blocked by Strongbox, the fact that Strongbox limits the total guesses on a site to
about 2 per second means it would take him about 275 YEARS to guess a correct combination
of user name, password, and Turing.
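The two controls this post relies on, a per-IP block after several failed attempts and a site-wide cap of about 2 guesses per second, sketched as an added example that is not part of the thread and not Strongbox's code. The class name, thresholds, ban length and burst size are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-IP ban after repeated failures plus one site-wide guess budget."""
    def __init__(self, max_fails=5, window=600.0, ban=3600.0, site_rate=2.0, burst=10):
        # All thresholds are assumed values for illustration.
        self.max_fails, self.window, self.ban = max_fails, window, ban
        self.site_rate, self.burst = site_rate, burst
        self.tokens, self.last = float(burst), None
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}            # ip -> time the ban expires

    def allow(self, ip, now):
        """Gate an attempt before the credentials are checked."""
        if self.banned_until.get(ip, 0.0) > now:
            return "ip_banned"
        if self.last is not None:         # refill the shared token bucket
            elapsed = max(now - self.last, 0.0)
            self.tokens = min(float(self.burst), self.tokens + elapsed * self.site_rate)
        self.last = now
        if self.tokens < 1.0:
            return "site_rate_limited"
        self.tokens -= 1.0
        return "ok"

    def record_failure(self, ip, now):
        """Count a failed attempt; ban the IP once it reaches the threshold."""
        recent = self.fails[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()              # forget failures outside the window
        if len(recent) >= self.max_fails:
            self.banned_until[ip] = now + self.ban
            recent.clear()

def replay(events):
    """events: (timestamp, ip, credentials_ok) tuples in time order."""
    throttle, outcomes = LoginThrottle(), []
    for now, ip, ok in events:
        verdict = throttle.allow(ip, now)
        if verdict == "ok" and not ok:
            throttle.record_failure(ip, now)
            verdict = "failed"
        outcomes.append(verdict)
    return outcomes

# Constructed sample traffic (documentation-range addresses, not real logs).
SINGLE_IP = [(1000.0 + 5 * i, "203.0.113.7", False) for i in range(8)]
MANY_PROXIES = [(5000.0, f"198.51.100.{i}", False) for i in range(100)]
```

Replaying `SINGLE_IP` shows the per-IP ban taking over after the fifth failure, while `MANY_PROXIES` never trips a per-IP ban and is held back only by the shared bucket.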
it is the most ph33red attack techniques on the interweb and you need to pay a lot of money for script to protect or be 0wned!