1

I keep reading about situations where a hacker could "easily" brute force a password (most recent example) but I'm confused about when some has an opportunity to do this kind of thing. If it is a website/web service, aren't attempts like this rate limited? I.e. I can't try my Amazon password 50 million times per second, even if my internet connection were more awesome than it is.

What needs to happen for someone to even have the opportunity to brute force their way into a system? And if systems can effectively throttle attempts to dozens or fewer per minute why is there such an emphasis on saying that GPU attacks can generate millions or billions of passwords per second if these are effectively useless?

Brad

2 Answers

5

Mass brute force is usually done after the attackers have somehow seized a list of hashed passwords. This can happen in several situations; most common being:

  • A SQL injection attack which allows attackers to push some more or less constrained SQL expressions to be evaluated by the target database. Depending on the site structure and local constraints for the attack, attackers might not be able to do what they wish with the database, but still be able to dump some parts of it.

  • Data is extracted from a discarded medium, e.g. an old hard disk; possibly an electronically broken hard disk, that the attacker retrieves from a dumpster and repairs.

  • Indelicacy from an employee or intern, who stealthily grabs a copy of the database and stores it on a USB Flash drive.

The common trend here is that cracking passwords is used to extend an attack:

  • Attacker got a read-only glimpse of the database, and wants to escalate that into read-write access.
  • The original breach is risky (e.g. attacker had to be physically on the premises) and wants to come back to the server, but from the network and without incurring the risk of an encounter with security guards.
  • Attacker wants to get the password from one server because he knows that most users will reuse the same password on many other servers.

The third point is probably the most common motivation for attackers.

Tom Leek
  • I see, so brute force attacks like that are never an (effective/realistic) first line of attack. This is never occurring from a login page. It is always preceded by some cleverness/maliciousness in order to even set up the brute force attack. It sounds like (other than SQL injection, which is technically avoidable) the routes to having a brute force opportunity are all human error/physical presence. – Brad Jun 23 '14 at 19:41
  • Well, you can _try_ a brute force on the "front page". My server gets a lot of brute force attacks on its SSH server (these are automated attacks from mindless botnets who try to replicate themselves). However, such attacks (called "online dictionary attacks") are limited by the rate at which the target server is willing to process them; thus, they don't work well in practice. Many servers will cease to respond to clients who sent too many failed login attempts, for instance. _Offline_ dictionary attacks are done over a purloined list of hashes, and are limited only by the attacker's CPU. – Tom Leek Jun 23 '14 at 19:45
  • So are these little bots trying to get into your server so easy to write that they are justified? I mean, if the odds are so extraordinarily low why even spend time on it? – Brad Jun 23 '14 at 20:11
  • Cause they're mindless botnets. :P Think the replicators in software form. – Andrew Hoffman Jun 23 '14 at 20:15
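The two brakes Tom Leek's answer describes, as an added example that is not from either answer or from any real project: a server-side lockout that caps online guesses against a login page, and a salted, iterated hash that sets the per-guess cost once a hash list has been stolen and the attacker works offline. All names and parameter values below are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed parameters for this example (not taken from either answer).
PBKDF2_ITERATIONS = 100_000   # slow hash: the only brake on an *offline* attack
MAX_FAILURES = 5              # online guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long further attempts are refused


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A per-user random salt defeats precomputed tables,
    so an attacker holding a stolen dump must pay PBKDF2_ITERATIONS per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    """Server-side throttle: this is what caps an *online* dictionary attack.
    `clock` is injectable so the lockout window can be tested deterministically."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.monotonic):
        self.users = users                       # username -> (salt, digest)
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.clock = clock

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"                      # refused before any hashing
        record = self.users.get(username)
        # Unknown users go through the same hashing path so timing does not
        # reveal which usernames exist; the comparison is constant-time.
        salt, digest = record if record else (b"\0" * 16, b"\0" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "denied"
```

Online, an attacker gets at most MAX_FAILURES guesses per lockout window per account; offline, with the (salt, digest) pairs in hand, the guard is bypassed entirely and only the iteration count stands between a GPU rig and the passwords.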
1

When they hack a website and 'data dump' a password table, they now have access to all of the hashed passwords.

This gives the opportunity for a brute force attack.

Andrew Hoffman
  • I guess I'm confused about the workflow here. When getting this data dump, why do they need passwords at all at that point? And how did they get that without a password? And was that password brute forced? Chicken or egg? – Brad Jun 23 '14 at 19:25
  • I'm no hacking expert; I suppose not all exploits or penetration vulnerabilities give 100% god-access to the website. But if there is a vulnerability to select from a database or download a file, a hacker can download the passwords, and then hope to steal access to an account by brute forcing the password. The only way you can brute force that quickly is to know the end-resulting password hash; if you were to attempt to brute force against a website's login page, you'd DDoS it by accident. – Andrew Hoffman Jun 23 '14 at 19:30