
This question concerns dictionary attacks conducted:

  • Over the Internet, using programs like THC Hydra
  • Via protocols such as HTTP, FTP and SMTP

I believe I'm right in thinking that: a) due to the sophisticated layers of security they tend to employ, such an attack cannot be run successfully on the bigger sites (Facebook, Twitter, Gmail, Outlook and so on) without needing to mask your IP, channel the attack through the Tor network and distribute it among an army of botnets; b) that the efficacy of these attacks on smaller self-hosted sites is limited only by the competency of the person(s) running their servers.

However, what about the gap that occupies the (arguably) larger space in between the two: the medium-to-small web hosting providers that the rest of the web relies on for uptime?

On average, is the security of these organisations generally advanced enough to detect a guessing attack from a single IP address and permanently ban the address over those protocols? Is anonymising yourself during an attack on such a target just as much of a necessity as it would be when targeting the big sites?

Or to put what I'm asking another way: has the security of the smaller web hosting organisations now become sufficiently advanced so as to make guessing attacks from a single machine, without anonymisation, entirely obsolete?

I ask this because none of the write-ups I've seen on the topic (guides to the use of THC Hydra and similar programs for both dictionary and brute-force attack) so much as mention either anonymisation or the distribution of attacks with bots, and it's left me wondering just how necessary or unnecessary such steps are when doing so.

Are there hackers that are actually getting anywhere without taking those measures?

Hashim Aziz
  • Even then, many services will lock an account if there are multiple failed logins, regardless of the source IP address. – multithr3at3d Jan 02 '18 at 02:26

2 Answers


I answered this on your previous question before you deleted it. The answer should still be relevant.

You are assuming that large companies use sophisticated password management, where smaller self-hosted sites are limited by a few, potentially incompetent people. The reality is that there isn't such a big space between the two, and very often large, important sites have little or no security in their password implementation, and smaller sites may have rather sophisticated (or at least sufficient) security. While companies like Google may use 2FA, defeating simple brute force attacks, many other companies do not. I would not say that brute force attacks are "effective as ever", but as services like PlainTextOffenders show, there is still a lot of work to do in educating even large, popular, highly-staffed websites how to properly do password authentication.

The fact is, web-based password attacks are still ubiquitous, and there are massive botnets constantly attacking a myriad of websites with the most popular passwords. This isn't unique to websites with password logins. SSH is still actively brute forced despite fail2ban and public key authentication drastically limiting or eliminating the risk of SSH brute force. Go after random sites with the top 100 (or even top 10) most popular passwords, and you'll find you've popped a dozen shells in no time, even on moderately high-profile sites.

The reason tutorials don't talk extensively about anonymity techniques is that they are often out-of-scope. The idea is that, if someone needs anonymity, they will use it. As for distributing the attack with a botnet, that is usually more useful for attacking many sites at once than for attacking a single site very rapidly. See also this question on brute force attacks explaining how this looks in the wild.

Brute force and dictionary attacks are still fairly successful on websites that do not do sufficient rate limiting or use 2FA, regardless of the website size.

forest
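The answer above turns on two defensive controls: per-IP rate limiting (which a single-machine attack from one address trips) and per-account lockout (which, as the comment on the question notes, catches a distributed attack that rotates source IPs). The following is an added example, not code from the answer or from any real product, showing both controls as a sliding-window detector run over constructed authentication log lines. The log format (`<ISO timestamp> FAIL|OK ip=<addr> user=<name>`), the thresholds, and all addresses and usernames are assumptions made for the example; real deployments would pick thresholds from their own traffic and would normally also use lockout-agnostic measures such as 2FA.

```python
"""Toy login-failure detector: per-IP ban plus per-account lockout.

Added example; the log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumed, not any product's defaults).
IP_THRESHOLD = 5                    # failures from one source IP ...
IP_WINDOW = timedelta(minutes=10)   # ... within this window -> ban the IP
ACCOUNT_THRESHOLD = 10              # failures against one account ...
ACCOUNT_WINDOW = timedelta(minutes=60)  # ... within this window -> lock it

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, ip, user) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["ip"], m["user"])


class FailureTracker:
    def __init__(self):
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # user -> failure timestamps
        self.banned_ips = set()
        self.locked_accounts = set()
        self.events = []  # (ts, action, ip, user) tuples, in log order

    @staticmethod
    def _record(window, ts, window_len):
        """Append ts, evict entries older than window_len, return the count."""
        window.append(ts)
        while window and ts - window[0] > window_len:
            window.popleft()
        return len(window)

    def observe(self, ts, result, ip, user):
        if ip in self.banned_ips:
            # A banned IP never reaches the password check at all.
            self.events.append((ts, "dropped", ip, user))
            return
        if result == "OK":
            if user in self.locked_accounts:
                # Correct password on a locked account is still refused.
                self.events.append((ts, "refused_locked", ip, user))
            else:
                self.account_failures[user].clear()
            return
        # Per-IP control: catches a single machine guessing quickly.
        if self._record(self.ip_failures[ip], ts, IP_WINDOW) >= IP_THRESHOLD:
            self.banned_ips.add(ip)
            self.events.append((ts, "ban_ip", ip, user))
        # Per-account control: catches guesses spread over many IPs.
        if (self._record(self.account_failures[user], ts, ACCOUNT_WINDOW)
                >= ACCOUNT_THRESHOLD and user not in self.locked_accounts):
            self.locked_accounts.add(user)
            self.events.append((ts, "lock_account", ip, user))


def analyze(log_text):
    """Feed every parseable line of log_text to a fresh tracker."""
    tracker = FailureTracker()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tracker.observe(*parsed)
    return tracker


def _build_sample_log():
    """Constructed sample log (not captured from any real host)."""
    base = datetime(2018, 1, 2, 2, 0, 0)
    lines = []
    # Scenario 1: one IP guesses alice's password 7 times, 30 s apart.
    for i in range(7):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} FAIL ip=203.0.113.7 user=alice")
    # Scenario 2: twelve IPs each make one guess against bob over 22 minutes,
    # so no single IP reaches IP_THRESHOLD.
    for i in range(12):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} FAIL ip=198.51.100.{i + 1} user=bob")
    # Scenario 3: carol mistypes once, then logs in successfully.
    lines.append(f"{(base + timedelta(minutes=30)).isoformat()} FAIL ip=192.0.2.10 user=carol")
    lines.append(f"{(base + timedelta(minutes=31)).isoformat()} OK ip=192.0.2.10 user=carol")
    return "\n".join(sorted(lines))  # fixed-width ISO timestamps sort chronologically


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    t = analyze(SAMPLE_LOG)
    for ts, action, ip, user in t.events:
        print(ts.isoformat(), action, ip, user)
    print("banned:", sorted(t.banned_ips), "locked:", sorted(t.locked_accounts))
```

Run against the constructed log, the single-source attacker (203.0.113.7) is banned on its fifth failure and its remaining attempts are dropped before the password check, while the twelve-address attack against `bob` never trips the IP rule and is stopped only by the account lock on the tenth failure. That is the practical point behind the comment on the question: rotating IPs defeats the first control but not the second, and a site that implements neither is the one where an unanonymised single-machine attack still works.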

The security of a web site is not related to the size of the company. Large companies like Sony were hacked and they used poor security practices (clear text passwords). On the other hand, an individual site that would have a security specialist as admin would probably use up-to-date security protection. The only rule is that the security of a web site is limited by the capacity of its security admin. It includes both raw competence but also financial resources, because physical security only comes at a cost.

Now the remaining part of your question is mainly a question of resources and knowledge between the attacker and the defender: the best of the two will win. For the attacker it means a successful exploit, for the defender it means at least an unsuccessful attack, but the goal is often the identification of the attacker. This is a constant whatever you use as anonymization tools: nothing at all is enough if the target is not interested in knowing who you are, but I would not rely even on Tor to attack the NSA...

That means that if you attack a site, all depends on what you are attacking:

  • if they have little interest in security, your attack is likely to be unnoticed, and could even be successful
  • if they use average security, your address will be banned before having a chance to be successful, but things will not go further
  • if they protect highly sensitive information, chances are that you find some policemen knocking at your door - or even more drastic action if the site was owned by a criminal organization...

TL/DR: it makes sense to explain how to use tools to attack sites, because this is useful knowledge for pentesters; you can also find some guides on how to protect your anonymity from average sites, because many people do not like to be excessively tracked. But it is unlikely that you find a security specialist to explain how to build an attack from the beginning, because 1/ they are not interested in teaching that and 2/ they know that there is no one-size-fits-all way.

Serge Ballesta