Brute Force Attack Prevention Mistake 2: Allowing Weak Passwords
Performing a brute force attack is highly dependent on time and resources. Your main goal in developing brute force prevention is to protect your users by increasing the time and resources it takes to brute force one of your users' passwords. That said, one of the largest mistakes is allowing your users to choose weak passwords.
The easiest way to shed light on this topic is to step into the attacker's shoes. We will choose a weak password and crack it ourselves. I will be using the following tools:
For a very basic example I will be using a .htpasswd file whose entries are hashed with traditional DES crypt. The first step is to use the above generator to create the file that we will try to brute force. I chose the credentials below:
Username: John
Password: campus
As you can see, "campus" is a dictionary word and would be considered a weak password. After entering the above credentials into our .htpasswd generator we get the following line:
John:CR4qxXM2sfM.Y
We will now open Notepad, paste in the above line, and save it as "credentials.txt". Keep in mind that you may get a different hash: traditional DES crypt prepends a random two-character salt (the "CR" at the start of the hash above), so the same password hashes differently each time the file is generated. Before we can continue we need to make sure that the John the Ripper Windows binaries have been extracted and that we know the directory of the executable (john-386.exe). We will also need to extract the large dictionary word list (dic-0294.txt) above and make sure that we know its location. Once this is done we are ready to install FSCrack and point it to the location of the files. See below:

We are now ready to start the attack. We do not need to check any of the available options, so we simply click "Crack" and receive the results below.

The above results show that the password was recovered in less than 1 second. Strictly speaking this was a dictionary attack rather than an exhaustive brute force: the cracker only had to hash each word in the list with the same salt and compare it with the stored hash, and "campus" was in the list. If this were an online attack against the remote login form, each guess would cost a network round trip and the attack would take a little longer, but a word list of this size would still be exhausted extremely quickly. This is proof that allowing weak passwords is a mistake.
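The same attack in Python, as an added example that is not part of the original article. Python's crypt module, which would reproduce the traditional DES hash shown above, was removed in Python 3.13, so this example uses Apache's unsalted {SHA} htpasswd format instead; the attack loop has exactly the shape FSCrack and John the Ripper use against the DES hash (hash each candidate, compare with the stored value). The word list is a constructed stand-in for dic-0294.txt, and random_password is a hypothetical helper used only as the strong-password baseline.

```python
import base64
import hashlib
import secrets
import string
from typing import Optional, Tuple

# Constructed stand-in for the large dictionary (dic-0294.txt) used in the
# article; a real list has hundreds of thousands of entries.
WORDLIST = ["123456", "password", "letmein", "welcome", "campus",
            "football", "dragon", "sunshine"]


def sha_hash_field(password: str) -> str:
    """Apache's {SHA} htpasswd format: base64 of the raw SHA-1 digest.
    It is unsalted and fast, which is exactly what a cracker wants."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def htpasswd_line(username: str, password: str) -> str:
    """Build one line of a .htpasswd file, e.g. John:{SHA}...."""
    return f"{username}:{sha_hash_field(password)}"


def parse_htpasswd_line(line: str) -> Tuple[str, str]:
    """Split 'user:hash' and check the hash is in the format this example handles."""
    username, sep, stored = line.strip().partition(":")
    if not sep or not stored.startswith("{SHA}"):
        raise ValueError("expected a user:{SHA}... entry")
    return username, stored


def dictionary_attack(line: str, wordlist) -> Tuple[Optional[str], int]:
    """Hash every candidate exactly as Apache does and compare with the stored
    hash. Returns (recovered_password, guesses_made); password is None on a miss."""
    _, stored = parse_htpasswd_line(line)
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if sha_hash_field(candidate) == stored:
            return candidate, guesses
    return None, guesses


def random_password(length: int = 16) -> str:
    """Hypothetical helper: a random password no word list will contain."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    weak = htpasswd_line("John", "campus")
    strong = htpasswd_line("John", random_password())
    for line in (weak, strong):
        found, tried = dictionary_attack(line, WORDLIST)
        outcome = f"cracked: {found}" if found else "not in word list"
        print(f"{line}\n  -> {outcome} after {tried} guesses")
```

Running it shows the weak entry falling on the fifth guess and the random one surviving the whole list; swap in a real word list and a real {SHA} line from htpasswd -s and the result is the same, which is why modern deployments use a salted, deliberately slow format such as bcrypt (htpasswd -B).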
Solution: Implement a password policy that forces your users to choose strong passwords. A strong password will include the following:
- alphanumeric characters (both letters and numbers)
- more than 6 characters; length matters most, so the longer the better
- special characters and punctuation
- lowercase and uppercase letters
By implementing a password policy that enforces the above characteristics, you increase the time and resources it takes to brute force one of your users' passwords. It turns a crack time of 1 second into days, months, years, or even thousands of years, depending on the password's complexity and length. Two caveats are worth adding. First, character-class rules alone still accept "Campus1!", which any cracker's word-mangling rules will find, so also reject passwords that are a dictionary word or a trivial variation of one. Second, traditional DES crypt, the format used in this example, only uses the first 8 characters of a password, so extra length beyond that buys nothing with that hash; store passwords with a modern, slow format (htpasswd -B produces bcrypt) so that length actually counts. You will then implement brute force prevention to make sure that the attacker doesn't get the amount of time needed to perform the attack.
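A policy checker and a time-to-crack estimate, as an added example that is not code from the original article. The minimum length of 8, the banned-word set, and the guess rate of one billion hashes per second are assumptions chosen for illustration; the estimate treats an exhaustive search over the character classes present as the attacker's cost, which is the optimistic case for the defender and is what the "seconds to thousands of years" range above rests on.

```python
import string

# Constructed stand-in for a banned-word list; a real deployment would load a
# large dictionary such as the one a cracker would use.
COMMON_WORDS = {"password", "campus", "welcome", "letmein", "123456"}
MIN_LENGTH = 8            # assumption: a common floor; the article says "more than 6"
GUESSES_PER_SECOND = 1e9  # assumption: offline rate against a fast, unsalted hash


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the rules the password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character or punctuation")
    # Strip digits and punctuation before the lookup so "Campus1!" is caught too.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in COMMON_WORDS or password.lower() in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try if they know only the length
    and which character classes are present (the defender-optimistic case)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return alphabet ** len(password)


def crack_time_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for readable reports."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ("campus", "Campus1!", "Tr0ub4dor&3", "correct-Horse-battery-staple-42"):
        verdict = check_password_policy(pw) or ["accepted"]
        estimate = human_duration(crack_time_seconds(pw))
        print(f"{pw:32} {estimate:>22}  {'; '.join(verdict)}")
```

The contrast the table prints is the point of the section: "campus" is exhausted in a fraction of a second even by a blind search, "Campus1!" passes every character-class rule yet is rejected by the dictionary check, and the longer passwords push a blind search past the lifetime of any attacker. The estimate is an upper bound; a real cracker tries word lists and mangling rules first, which is why the dictionary check is not optional.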