What is a Brute Force Attack?
A brute force attack is a trial-and-error method used by attackers to gain unauthorized access to accounts, systems, or encrypted data by systematically trying every possible combination of credentials or keys until the correct one is found. It is one of the oldest and most persistent attack techniques in cybersecurity.
How the Brute Force Attack Works
Target Identification
The attacker selects a target, typically a login portal (SSH, RDP, VPN, web application, Active Directory) or an encrypted file. Public-facing services exposed to the internet are the most common entry points.
Credential List Preparation
The attacker prepares a wordlist or uses a tool to generate credential combinations. Common sources include leaked password dumps (e.g., RockYou), custom wordlists built with tools like CeWL, or pure character permutations for password cracking scenarios.
Automated Attack Execution
Tools such as Hydra, Medusa, Burp Suite Intruder, or Hashcat are configured to fire login attempts at high speed. In online attacks, requests are sent directly to the live service. In offline attacks, a captured hash is cracked locally without network interaction.
Evasion and Throttling
To avoid detection, sophisticated attackers slow down their request rate, rotate source IP addresses through proxies or botnets, distribute attempts across multiple user agents, or use credential stuffing to blend in with normal failed login noise.
Successful Authentication
Once a valid credential pair is found, the attacker authenticates to the service and establishes a foothold. From here, the attack pivots into lateral movement, privilege escalation, data exfiltration, or persistence mechanisms.
Brute Force Techniques Used by Attackers
Simple / Pure Brute Force
Tries every possible character combination sequentially. Effective against short passwords but computationally expensive for longer ones, since the keyspace grows exponentially with length. Modern GPUs can test billions of hashes per second against fast, unsalted algorithms such as NTLM or MD5; deliberately slow password hashes such as bcrypt or Argon2 cut that rate by several orders of magnitude.
Dictionary Attack
Uses a pre-built wordlist of common passwords, phrases, and leaked credentials. Far faster than pure brute force and effective against the majority of real-world passwords.
Credential Stuffing
Leverages username/password pairs obtained from prior data breaches. Effective because many users reuse credentials across multiple services. Difficult to distinguish from legitimate logins.
Password Spraying
Tries one or a few common passwords (e.g., 'Winter2024!') against a large number of accounts. Designed to stay under account lockout thresholds and avoid triggering per-account alerts.
Reverse Brute Force
Fixes a known or commonly used password and iterates across many usernames. Often used against default credentials on enterprise devices, routers, and IoT systems.
Hybrid Attack
Combines a dictionary base with rule-based mutations (appending numbers, capitalizing, substituting characters). Tools like Hashcat and John the Ripper excel at hybrid attacks.
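The difference between the three offline techniques above (pure brute force, dictionary, hybrid) is only the candidate generator; the cracking loop is the same. The following is an added example, not code from the original page or from any of the tools it names. It uses a constructed five-word wordlist, a small hand-written subset of hashcat-style rules, and SHA-256 as a stand-in for whatever hash the target actually uses (a real job would run hashcat or John against NTLM, bcrypt, and so on). The names WORDLIST, rule_variants, hybrid_candidates, keyspace and crack are all assumptions of this example.

```python
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for a leaked wordlist such as RockYou (assumption).
WORDLIST = ["password", "winter", "letmein", "dragon", "qwerty"]


def sha256_hex(text: str) -> str:
    """Hash standing in for whatever the target uses (NTLM, bcrypt, ...)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def rule_variants(word: str) -> Iterator[str]:
    """Hashcat/John-style mutations: case changes, leet substitution, suffixes."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    yield word
    yield word.capitalize()
    yield word.upper()
    yield leet
    for suffix in ("1", "123", "!", "2024", "2024!"):
        yield word + suffix
        yield word.capitalize() + suffix
        yield leet + suffix


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each wordlist entry exactly as written."""
    yield from words


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: dictionary base plus rule mutations, deduplicated."""
    seen = set()
    for word in words:
        for variant in rule_variants(word):
            if variant not in seen:
                seen.add(variant)
                yield variant


def pure_brute_force_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Pure brute force: every string over the alphabet up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates pure brute force must cover for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace at a given hash rate."""
    return keyspace(alphabet_size, max_len) / hashes_per_second


def crack(target_hex: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack: hash each candidate locally and compare; no network traffic.

    Returns (password, candidates_tried) or (None, candidates_tried).
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        if sha256_hex(candidate) == target_hex:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: the hash of a typical "season + year + symbol" password.
    target = sha256_hex("Winter2024!")
    print("dictionary:", crack(target, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(target, hybrid_candidates(WORDLIST)))
    print("brute force keyspace, 8 lowercase chars:", keyspace(26, 8))
    print("seconds at 1e9 H/s, 8 printable ASCII chars:",
          round(seconds_to_exhaust(95, 8, 1e9)))
```

The plain dictionary pass misses "Winter2024!" because the wordlist only holds "winter"; the hybrid pass recovers it after a few dozen candidates, which is why rule-based mutation beats exhaustive search on real passwords. The keyspace arithmetic is what makes the length argument in the text concrete: eight printable ASCII characters is about 6.7e15 candidates, which a 1e9 H/s rig exhausts in roughly 77 days for a fast hash and effectively never for bcrypt.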
Indicators of Compromise (IOCs)
The indicators follow directly from the attack stages above: bursts of failed authentication events from a single source IP or against a single account, the same password tried once against many different accounts (spraying), logins from Tor exit nodes, VPN providers or datacenter ASNs that do not match the organization's user base, a successful authentication immediately after a run of failures from the same source, any activity at all against decoy accounts, and cracking or brute force tools (Hydra, Medusa, Hashcat) appearing in endpoint process creation logs.
Detection Methods for SOC Analysts
Threshold-Based Alerting
Configure SIEM rules to trigger on N failed logins (e.g., >10) within a defined time window per source IP or account. Tune thresholds per environment to reduce false positives from legitimate locked-out users.
Behavioral Baselining
Establish a baseline of normal login times, source IPs, and failure rates for each account. Deviations, such as logins at 3 AM from a foreign ASN, should trigger anomaly alerts regardless of success or failure count.
Success-After-Failure Correlation
The most reliable brute force indicator is a successful authentication (Windows Event ID 4624) immediately following a burst of failures (Event ID 4625) from the same source against the same account. This correlation rule should be a high-fidelity, high-priority alert in any SIEM.
Honeypot Accounts
Create accounts that should never be used (e.g., 'admin', 'test', 'backup'). Any authentication attempt, successful or not, against these accounts is an immediate indicator of enumeration or brute force activity.
Geolocation & ASN Analysis
Flag logins from unexpected countries, Tor exit nodes, VPN providers, or datacenter ASNs that don't match the organization's user base. Combine with time-of-day analysis for higher-confidence alerts.
EDR & Endpoint Telemetry
On endpoints, look for tools like Hydra, Medusa, or Mimikatz in process creation logs. Watch for high-frequency network connections from a single host to port 445 or 3389, indicators of internal lateral brute forcing.
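The four log-based rules above (threshold per source or account, spray detection, success-after-failure correlation, honeypot accounts) can be expressed as sliding-window logic over authentication events. The following is an added example written for this page, not the page's own or any SIEM vendor's code. The events are a constructed sample in Windows Security log terms (4625 failed logon, 4624 successful logon); the function names, thresholds and the HONEYPOT_ACCOUNTS set are assumptions chosen to match the numbers in the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
HONEYPOT_ACCOUNTS = {"admin", "test", "backup"}  # decoy accounts nobody should use


def _ts(minute, second=0):
    return f"2024-03-01T03:{minute:02d}:{second:02d}"


# Constructed sample events: (timestamp, event ID, account, source IP). Not from a real host.
SAMPLE_EVENTS = (
    # Online brute force: 12 failures against j.doe in under a minute, then a success.
    [(_ts(0, 4 * i), FAILED_LOGON, "j.doe", "203.0.113.7") for i in range(12)]
    + [(_ts(0, 50), SUCCESS_LOGON, "j.doe", "203.0.113.7")]
    # Password spray: one source, a single failure against each of six accounts.
    + [(_ts(1 + i), FAILED_LOGON, f"user{i}", "198.51.100.9") for i in range(6)]
    # The same source probes a decoy account once.
    + [(_ts(10), FAILED_LOGON, "backup", "198.51.100.9")]
    # Benign noise: a.smith mistypes twice, then logs in.
    + [(_ts(15), FAILED_LOGON, "a.smith", "10.0.0.5"),
       (_ts(15, 20), FAILED_LOGON, "a.smith", "10.0.0.5"),
       (_ts(15, 40), SUCCESS_LOGON, "a.smith", "10.0.0.5")]
)


def parse(events):
    """Convert timestamps and sort chronologically; every rule below assumes ordered input."""
    return sorted((datetime.fromisoformat(ts), eid, acct, ip) for ts, eid, acct, ip in events)


def _prune(q, now, window):
    """Drop queue entries (tuples whose first item is a timestamp) older than the window."""
    while q and now - q[0][0] > window:
        q.popleft()


def threshold_alerts(events, by="ip", threshold=10, window=timedelta(minutes=5)):
    """N failed logons inside the window from one source IP (by='ip') or against one account."""
    alerts, recent = set(), defaultdict(deque)
    for ts, eid, acct, ip in parse(events):
        if eid != FAILED_LOGON:
            continue
        key = ip if by == "ip" else acct
        q = recent[key]
        q.append((ts,))
        _prune(q, ts, window)
        if len(q) >= threshold:
            alerts.add(key)
    return alerts


def spray_alerts(events, min_accounts=5, window=timedelta(minutes=30)):
    """One source failing against many distinct accounts: spraying stays under per-account
    lockout, but not under a per-source distinct-account count."""
    alerts, recent = set(), defaultdict(deque)
    for ts, eid, acct, ip in parse(events):
        if eid != FAILED_LOGON:
            continue
        q = recent[ip]
        q.append((ts, acct))
        _prune(q, ts, window)
        if len({a for _, a in q}) >= min_accounts:
            alerts.add(ip)
    return alerts


def success_after_failure(events, min_failures=5, window=timedelta(minutes=10)):
    """4624 for an account/source pair that just produced a burst of 4625s (high fidelity)."""
    hits, failures = [], defaultdict(deque)
    for ts, eid, acct, ip in parse(events):
        q = failures[(acct, ip)]
        _prune(q, ts, window)
        if eid == FAILED_LOGON:
            q.append((ts,))
        elif eid == SUCCESS_LOGON and len(q) >= min_failures:
            hits.append((acct, ip, len(q)))
            q.clear()
    return hits


def honeypot_alerts(events):
    """Any activity at all against a decoy account, successful or not."""
    return {(acct, ip) for _, eid, acct, ip in parse(events) if acct in HONEYPOT_ACCOUNTS}


if __name__ == "__main__":
    print("threshold by source IP:", threshold_alerts(SAMPLE_EVENTS, by="ip"))
    print("threshold by account:  ", threshold_alerts(SAMPLE_EVENTS, by="account"))
    print("password spraying:     ", spray_alerts(SAMPLE_EVENTS))
    print("success after failure: ", success_after_failure(SAMPLE_EVENTS))
    print("honeypot activity:     ", honeypot_alerts(SAMPLE_EVENTS))
```

Note what each rule does and does not catch on this sample: the per-source and per-account thresholds fire only on the noisy brute force against j.doe, the spraying source never trips them (six failures, six accounts) and is caught only by the distinct-account rule, and a.smith's two mistakes followed by a login stay below the correlation rule's failure floor, which is what keeps that alert high fidelity.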
Prevention & Mitigation
Multi-Factor Authentication (MFA)
MFA is the single most effective control against brute force attacks. Even if an attacker correctly guesses a password, they cannot authenticate without the second factor. Enforce MFA on all externally-facing services without exception.
Strong Password Policies
Enforce minimum 12-character passwords with complexity requirements. Leverage breach password screening (e.g., Have I Been Pwned API integration) to block known-compromised passwords at the point of creation.
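The breach screening the text recommends is usually done against the Have I Been Pwned range endpoint, which takes only the first five hex characters of the password's SHA-1 and returns every matching suffix with its count, so the full hash never leaves your host. The following is an added example, not code from the page or from Have I Been Pwned. It runs offline against a constructed stand-in for the API response (three made-up passwords with made-up counts); the hibp_range_source function shows the live call but is not exercised. The names evaluate_password, breach_count and the policy numbers are assumptions of this example.

```python
import hashlib
import urllib.request

# Constructed stand-in for breach data: password -> number of breach records (assumption).
_CONSTRUCTED_BREACHED = {"password": 9_000_000, "Winter2024!": 1200, "letmein": 500_000}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_source(prefix: str) -> str:
    """Offline stand-in for the range endpoint: one 'SUFFIX:COUNT' line per hash
    in the constructed set whose SHA-1 starts with the 5-character prefix."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range_source(prefix: str) -> str:
    """Live lookup (not used by the offline demo): only the 5-char prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-screening-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_source=local_range_source) -> int:
    """k-anonymity check: fetch the prefix bucket, compare suffixes locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_source(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.strip().split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, min_length: int = 12, min_classes: int = 3,
                      range_source=local_range_source) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < min_classes:
        problems.append(f"uses {classes} of 4 character classes (need {min_classes})")
    count = breach_count(password, range_source)
    if count:
        problems.append(f"found in {count} breach records")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Winter2024!", "Correct-Horse-Battery-9"):
        print(candidate, "->", evaluate_password(candidate) or "ok")
```

"Winter2024!" is the instructive case: it passes length-adjacent complexity rules that many policies stop at, and is rejected only because the breach check knows it. To go live, pass range_source=hibp_range_source; the comparison logic is unchanged because the offline stand-in returns the same line format.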
Account Lockout & Rate Limiting
Configure account lockout policies (e.g., lock after 5 failed attempts for 15 minutes). For web applications, implement rate limiting and CAPTCHA on login endpoints. Note: aggressive lockout can create denial-of-service conditions; balance carefully.
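To make the lockout-versus-denial-of-service trade-off in the previous paragraph concrete, here is an added example of a login guard that combines account lockout (5 failures, 15 minutes), a per-source rate limit, and a CAPTCHA step. It is not code from the page or from any real authentication product; the LoginGuard class, its thresholds, the IP addresses and the two scenario functions are all constructed for this illustration. Lockout is keyed on the account alone, as an Active Directory lockout policy is, precisely so the scenario can show the real user being locked out by an attacker.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Hypothetical lockout + rate limiting for a login endpoint.

    Lockout is keyed on the account, so anyone who can reach the endpoint can lock a
    victim out by spending the victim's failure budget with wrong passwords. That is
    the denial-of-service caveat; the per-source rate limit is what limits the damage.
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, ip_window=60, captcha_after=3):
        self.max_failures = max_failures        # lock after this many failures...
        self.lockout_seconds = lockout_seconds  # ...for this long (also the failure window)
        self.ip_limit = ip_limit                # requests per source IP per ip_window seconds
        self.ip_window = ip_window
        self.captcha_after = captcha_after      # demand CAPTCHA after this many recent failures
        self.failures = defaultdict(deque)      # account -> recent failure times
        self.locked_until = {}                  # account -> unlock time
        self.ip_hits = defaultdict(deque)       # source IP -> recent request times

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] > window:
            q.popleft()

    def attempt(self, account, ip, password_ok, now, captcha_ok=False):
        """Return one of: rate_limited, locked, captcha_required, failed, success."""
        hits = self.ip_hits[ip]
        self._prune(hits, now, self.ip_window)
        hits.append(now)
        if len(hits) > self.ip_limit:            # per-source cap; also blunts spraying
            return "rate_limited"
        if self.locked_until.get(account, 0) > now:
            return "locked"                      # same answer whether or not password is right
        fails = self.failures[account]
        self._prune(fails, now, self.lockout_seconds)
        if len(fails) >= self.captcha_after and not captcha_ok:
            return "captcha_required"
        if password_ok:
            fails.clear()
            return "success"
        fails.append(now)
        if len(fails) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            fails.clear()
            return "locked"
        return "failed"


def lockout_dos_scenario():
    """Attacker burns j.doe's failure budget; the real user is then refused from their own IP."""
    guard = LoginGuard()
    attacker_ip, victim_ip = "203.0.113.7", "10.0.0.5"
    results = [guard.attempt("j.doe", attacker_ip, False, now=t, captcha_ok=True) for t in range(5)]
    results.append(guard.attempt("j.doe", victim_ip, True, now=10))        # right password, still locked
    results.append(guard.attempt("j.doe", victim_ip, True, now=10 + 900))  # lockout has expired
    return results


def spray_rate_limit_scenario():
    """One source, one wrong password per account: lockout never fires, the IP limit does."""
    guard = LoginGuard()
    return [guard.attempt(f"user{i}", "198.51.100.9", False, now=100 + i) for i in range(21)]


if __name__ == "__main__":
    print("lockout / DoS:", lockout_dos_scenario())
    print("spray vs rate limit:", spray_rate_limit_scenario())
```

The first scenario is the caveat from the text in miniature: five wrong guesses from the attacker and the legitimate user's correct password is refused for the next fifteen minutes. The second shows why the two controls are paired rather than alternatives: spraying one password across twenty accounts never reaches the per-account limit, and only the per-source limit stops the twenty-first request. In practice the lockout clock is often reset by a successful MFA challenge or a help-desk unlock rather than waiting out the timer.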
Reduce Attack Surface
Never expose RDP, SSH, or SMB directly to the internet. Use VPN or Zero Trust Network Access (ZTNA) as a gateway. Regularly audit firewall rules and disable unused services. Change all default credentials immediately on new systems.
IP Reputation & Geo-Blocking
Integrate threat intelligence feeds to auto-block known malicious IPs and Tor exit nodes. Consider geo-blocking countries from which you have no legitimate user base accessing sensitive services.
Privileged Account Hardening
Rename or disable the built-in Administrator account. Use Privileged Access Workstations (PAWs) for admin tasks. Implement Just-In-Time (JIT) access so privileged accounts only exist for the duration of a legitimate session.
Frequently Asked Questions
What is the difference between a brute force attack and credential stuffing?
A brute force attack generates or guesses credentials without prior knowledge; it may try every combination of characters or every word in a dictionary. Credential stuffing, by contrast, uses real username/password pairs that have been stolen from previous data breaches. Credential stuffing is more efficient and harder to detect because it uses legitimately formed credentials.
Can a brute force attack succeed even with account lockout enabled?
Yes, in several scenarios. Password spraying deliberately stays under lockout thresholds by spreading attempts across many accounts. Offline attacks against captured hashes (e.g., from an NTDS.dit dump) are not subject to online lockout policies at all. Additionally, some applications and legacy systems do not enforce lockout consistently across all endpoints.
Which services are most commonly targeted by brute force attacks?
SSH (port 22) and RDP (port 3389) are the most frequently targeted services due to their widespread use and direct system access. Web application login pages, Microsoft 365 and Azure AD authentication endpoints, VPN portals, and database services (MySQL, MSSQL) are also high-value targets. Any credential-protected, publicly-accessible service is at risk.
Related Attack Techniques
- Credential Stuffing: Uses breached credential pairs to attempt logins at scale.
- Dictionary Attack: Credential guessing using pre-built wordlists or leaked dumps.
- Password Spraying: Tries common passwords against many accounts to avoid lockout.
- Kerberoasting: Extracts Kerberos service tickets and cracks them offline.
- Pass-the-Hash (PtH): Authenticates using captured NTLM hashes without cracking.