Why Internet + Brute force = Stupid, 99% of the time
Siph0n
post Aug 30 2008, 02:43 AM
Post #1
Group: Administrators
Posts: 2869
Joined: 14-July 05
From: USA
Member No.: 3694

I should be writing three papers which are due next Wednesday, but instead,
due to the recent abundance of ignorance that has made its way onto the board,
here I am. I'm going to try to write this to be as easy to understand as possible,
so please don't bitch that it oversimplifies things, isn't detailed, etc.

First, let's talk about brute force. Well, the term "brute force" isn't
very descriptive, is it? Given the context, you might be able to deduce the meaning,
however, I much prefer the term exhaustive search. An exhaustive search is
exactly what the name implies, as you exhaust all options.

Now that we have that little pet peeve out of the way, let's get right into the post.

  1. Scales exponentially
    The work required to incrementally search a password grows
    exponentially with each letter. In other words, to search for a password with
    six letters, you do ninety five times as much work as searching for a password
    with five letters (assuming you're using the 95 printable ASCII characters only).
    To search for a password with ten letters, you do 7.7 billion times more work than
    searching for a password with five letters.

    Why do you care?
    This means your workload increases dramatically and rapidly depending on how many
    letters are in the password.

  2. Latency
    In a nutshell, latency is the time it takes a message to go from your computer,
    over the internet, to another computer. Latency is usually measured in
    milliseconds (one thousandth of a second). For your local network, latency is
    usually less than one millisecond. Latency on the Internet, however, is a whole
    other story. For your typical wired connection, latency to a remote server
    (another computer on the internet) which is reasonably close to you, is usually
    bound to be under one hundred milliseconds. For a wireless connection, this jumps
    up to usually be one hundred milliseconds or more, varying wildly due to the
    nature of the medium.

    Why do you care?
    The longer it takes for a message (username and password) to get to another
    computer, and the longer it takes for their reply to get back to you (access
    granted, or denied) the longer you're going to have to wait before sending
    the next message.

  3. Sysadmins are smarter than you
    Exhaustive search is one of the oldest tricks in the book.
    You aren't the first one to try this, and any experienced sysadmin is going to
    be prepared for this kind of attack. The fact that exhaustive search is anything
    but subtle doesn't help. Attempts at exhaustive search show up as a red, flaming
    flag in logs. Filters like xinetd allow them to set the maximum connections
    allowed to a certain port per second, and the delay between connections from the
    same IP address. Online web forms are more often written to lock out specific IP
    addresses after a number of incorrect passwords, etc. On top of all this, they're
    actually getting paid for it.

    Why do you care?
    There are likely precautions in place to prevent the very attack you are
    scheming.


The bottom line is this: remote exhaustive search isn't a magic solution to all
your hacking problems. Chances are if the password isn't in a "common passwords"
list or an English dictionary, it's simply not going to be practical to continue
in this method of attack.

This post will likely change as I get bored and add to it.


--------------------
QUOTE (callmenames @ Jun 29 2008, 02:49 PM) *
Is a rose bush wrong in its thorny self-adornment? Is fire truly bad when it engulfs mere material in beautiful flame? So it is with Siph0n...


Click: Thar? Yes, right thar.
Nilkimas
post Aug 30 2008, 03:49 AM
Post #2
Group: Staff
Posts: 805
Joined: 30-August 05
From: Old Europe
Member No.: 3984

Thank you for this post, reikon.
I'd like to add one example:
Let's say you want to brute-force an FTP account, and don't use a wordlist:

You'll get about 40 tries/second.
You try all lowercase characters (a-z) and all numbers (0-9).
That makes a total of 36 possible characters.
Which makes, for a 5-character-long password: 36^5 + 36^4 + 36^3 + 36^2 + 36 tries -> 62192448 tries -> 62192448 tries / 40 (tries/second) -> 1554811 seconds needed -> ~17 days and 12 hours.

So you see, if everything goes right, which is unlikely, because the brute force will be easily detected, you still need about 17 days for a 5-character-long password (without uppercase characters and special characters).

A 6-character-long password with the same configuration as above would need 630 days, which is 2 years.

But in one case brute-forcing can be profitable, which is on a local network, and especially brute-forcing those plastic routers (Netgear, bla, etc.). But still only with a decent wordlist.

This post has been edited by Nilkimas: May 18 2009, 08:33 AM


--------------------
|-------------------------|
|‘ _.·«-< nylki >»//·._.·´¯¯¯‘'\_____\STK/
|____________|
sanjid
post Sep 30 2008, 09:23 PM
Post #3
Group: Members
Posts: 173
Joined: 20-September 08
Member No.: 12934

QUOTE (Nilkimas @ Aug 30 2008, 01:49 AM) *
Thank you for this post, reikon.
I'd like to add one example:
Let's say you want to brute-force an FTP account, and don't use a wordlist:

You'll get about 40 tries/second.
You try all lowercase characters (a-z) and all numbers (0-9).
That makes a total of 36 possible characters.
Which makes, for a 5-character-long password: 36^5 tries -> 60466176 tries -> 60466176 tries / 40 (tries/second) -> 1511654.4 seconds needed -> ~17 days and 12 hours.

So you see, if everything goes right, which is unlikely, because the brute force will be easily detected, you still need about 17 days for a 5-character-long password (without uppercase characters and special characters).

A 6-character-long password with the same configuration as above would need 630 days, which is 2 years.

But aren't you assuming that the password is the last one that you try? It could be the first one, or the one in the middle.


--------------------
andrewistheshit: Im a women
sanjid: that's going in my sig
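A calculator for the arithmetic in the posts above: Siph0n's point that each extra character multiplies the work by the alphabet size, Nilkimas's 36-symbol, 40 tries/second FTP estimate, and sanjid's point that the expected case is about half the keyspace. This is an added example, not code from the thread; the alphabet sizes, rate and lengths come from the posts, the keyspace is computed exactly from the sum Nilkimas writes out, and the duration formatting is my own.

```python
import string

# Alphabet sizes used in the thread: Nilkimas's a-z plus 0-9, and Siph0n's 95 printable ASCII.
LOWER_DIGITS = len(string.ascii_lowercase + string.digits)  # 36
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Candidates of every length from min_len to max_len (36^5 + 36^4 + ... + 36)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def growth_factor(alphabet_size: int, from_len: int, to_len: int) -> int:
    """How many times more work an exact-length search of to_len is than one of from_len."""
    return alphabet_size ** (to_len - from_len)


def time_to_exhaust(candidates: int, tries_per_second: float) -> dict:
    """Worst case (password tried last) and expected case (about half way), in seconds."""
    worst = candidates / tries_per_second
    return {"worst": worst, "expected": worst / 2}


def fmt_duration(seconds: float) -> str:
    """Render a number of seconds as days/hours/minutes/seconds (truncated to whole seconds)."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    # Siph0n's point 1: 95 printable characters, six and ten letters versus five.
    print("six vs five letters:", growth_factor(PRINTABLE_ASCII, 5, 6))
    print("ten vs five letters:", f"{growth_factor(PRINTABLE_ASCII, 5, 10):,}")
    # Nilkimas's FTP example: lengths 1..5 over 36 symbols at 40 tries/second.
    space = keyspace(LOWER_DIGITS, 5)
    t = time_to_exhaust(space, 40)
    print(f"{space:,} candidates; worst {fmt_duration(t['worst'])}, expected {fmt_duration(t['expected'])}")
    # Six characters with the same alphabet and rate.
    print("six chars, worst:", fmt_duration(time_to_exhaust(keyspace(LOWER_DIGITS, 6), 40)["worst"]))
```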
Jesse
post Sep 30 2008, 09:34 PM
Post #4
Group: Members
Posts: 519
Joined: 23-August 08
Member No.: 12787

QUOTE
But aren't you assuming that the password is the last one that you try? It could be the first one, or the one in the middle.


Although I doubt anyone has AAAAA or AAAA1, etc. as their password. However, Nilkimas' point was, even if it's in the middle, such as MMa8r, or n1ls0, it would be half of 630 days. Still roughly a year. FK8A0 or e5m1a would take 6 months. Even simply putting the password as AZAAA would cause the thing to run through A(a-z)(a-z)(a-z)(a-z), over and over, which would be 26 x 26 x 26 x 26. At 40 tries per second, 11424 seconds? So roughly 3 hours. But few people make that easy of a password, so... It depends on how lucky you are. They may have AzAa0... or you know, maybe
aksd8cn43emds0ah2
... Then you're boned.

EDIT
Forgot the numbers ;) Just assume an alphabet only password crack.

ONE MORE EDIT
But yes, technically you are correct.

This post has been edited by Jesse: Sep 30 2008, 09:38 PM


--------------------
[symetrik productions]
Oktane
post Sep 30 2008, 10:09 PM
Post #5
Group: Members
Posts: 444
Joined: 25-March 08
Member No.: 11914

One method I found very effective was having a list of default usernames and passwords that can be combined or used with a wordlist. (Usually for routers)

Here is the application I made that accomplishes this:
Router Brute Force Application


--------------------
LET'S TOAST THE RICH... WITH OUR CHOICE OF COCKTAIL!
andrewistheshit
post Sep 30 2008, 10:42 PM
Post #6
Group: Members
Posts: 2192
Joined: 31-March 08
Member No.: 11928

I just got a weird idea: could you crack it backwards, and then one going the normal way? Cutting the time in half :P


--------------------
--Free--
"Go get SUM" - Me
"Dont worry ill mount her and then fsck her silly" -Lokin
Siph0n
post Sep 30 2008, 10:56 PM
Post #7
Group: Administrators
Posts: 2869
Joined: 14-July 05
From: USA
Member No.: 3694

QUOTE (sanjid @ Sep 30 2008, 10:23 PM) *
But aren't you assuming that the password is the last one that you try? It could be the first one, or the one in the middle.


Yes. Because only then have you exhausted all other options (and therefore have definitely found the password).

Andrew, that's the same as going fully in one direction, although you may be able to parallelize it in that manner.


andrewistheshit
post Sep 30 2008, 11:30 PM
Post #8
Group: Members
Posts: 2192
Joined: 31-March 08
Member No.: 11928

Hmm, I think that this should be looked into. Using an algorithm that does combos in an order, and reverse it and run it backwards and work to the middle from both sides... Idk enough but I think this has potential.


Siph0n
post Oct 1 2008, 01:30 AM
Post #9
Group: Administrators
Posts: 2869
Joined: 14-July 05
From: USA
Member No.: 3694

QUOTE (andrewistheshit @ Oct 1 2008, 12:30 AM) *
Hmm, I think that this should be looked into. Using an algorithm that does combos in an order, and reverse it and run it backwards and work to the middle from both sides... Idk enough but I think this has potential.


It'd still take the same amount of time on a single core.


Spikelite
post Oct 1 2008, 04:20 AM
Post #10
Group: V.I.P.
Posts: 1484
Joined: 21-July 03
From: Washington State, USA
Member No.: 1066

We have hundreds of servers where I work. Just to give you an idea of how worthless this kind of attack is and how much of a waste of time it is for everyone, here is what happens every second of every day on at least one of our servers.

Script Kiddy A begins brute force of server. Let us assume that they know the length of the password, the username and hell, let's just throw in that they know it is all numbers (none of our accounts are this way). Their script generates X number of random passwords of X characters in length; after it fails X times (this number is ridiculously low) their IP gets blocked from all access to the server for X amount of time. Let's just pretend this is 30 min (this is not how long we use, BTW). Now you have tried 3 of a shit ton of possible combinations, please try again in 30 min. So sometime when computers are no longer restricted to physical limits you may possibly be half done checking every combination. Now I would like to remind you that our passwords are not purely numbers and there are a lot of keys on your keyboard.

This is one very simple method for destroying any hopes of someone cracking into our systems. There are even more complex methods out there.

As a System Admin I ask you to not bother; all you're doing is wasting bandwidth, and if you do it too long I have to report you, then your ISP has to follow up. In the end, it isn't good and everyone's time is wasted.

This post has been edited by Spikelite: Oct 1 2008, 04:23 AM


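To show what Spikelite's lockout does to the arithmetic, here is an added example (not Spikelite's or the forum's code) of the policy applied to a constructed stream of failed-login lines: after MAX_FAILURES failures a source is dropped for BLOCK_FOR, attempts arriving while dropped never reach the login service, and the last two functions bound how many guesses one address can deliver per day and how long Nilkimas's keyspace takes at that rate. The threshold and window are constructed values (Spikelite says the real ones differ), the log format is an sshd-style line I assume for illustration, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: N failures from one source, then block that IP for W (not Spikelite's real values).
MAX_FAILURES = 3
BLOCK_FOR = timedelta(minutes=30)

# Constructed attempt stream as an upstream filter would see it (documentation addresses, not real logs).
SAMPLE_LOG = """\
2008-10-01T04:00:00 sshd[811]: Failed password for admin from 203.0.113.7 port 40011 ssh2
2008-10-01T04:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 40012 ssh2
2008-10-01T04:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 40013 ssh2
2008-10-01T04:00:02 sshd[811]: Failed password for admin from 203.0.113.7 port 40014 ssh2
2008-10-01T04:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 40015 ssh2
2008-10-01T04:05:00 sshd[813]: Failed password for bob from 198.51.100.4 port 50001 ssh2
2008-10-01T04:31:00 sshd[815]: Failed password for admin from 203.0.113.7 port 40016 ssh2
"""
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+")


def apply_lockout(log_text, max_failures=MAX_FAILURES, block_for=BLOCK_FOR):
    """Return (attempts that reached the login service, block events) under the policy."""
    blocked_until = {}           # ip -> datetime when its block expires
    failures = defaultdict(int)  # ip -> failures counted since its last block
    passed, blocks = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # dropped at the filter; this guess is never even checked
        passed.append((ts, user, ip))
        failures[ip] += 1
        if failures[ip] >= max_failures:
            blocks.append((ip, ts, ts + block_for))
            blocked_until[ip] = ts + block_for
            failures[ip] = 0
    return passed, blocks


def guesses_per_day(max_failures=MAX_FAILURES, block_for=BLOCK_FOR):
    """Upper bound on guesses one address can get checked per day under the policy."""
    return max_failures * int(timedelta(days=1) / block_for)


def days_to_exhaust(candidates, **policy):
    """Days a single blocked-and-retrying source needs to get `candidates` guesses checked."""
    return candidates / guesses_per_day(**policy)
```

With the constructed policy, 203.0.113.7's fourth and fifth guesses are dropped and it is only heard again after the window expires, so one source gets 144 guesses per day and Nilkimas's 62,193,780-candidate keyspace takes about 431,901 days.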