MODULE 3: Brute Force Attack & Countermeasures
Objective of the Module
The objective of this module is to understand the types of password attacks, hash functions, password hashes and brute force attacks, and to suggest and implement countermeasures against them.
Brute Force Attack
Any website or system that requires user authentication is a potential target for a brute-force attack. Given enough time an attacker can always discover a password by brute force; the catch is that, depending on the password's length and complexity, there may be trillions of candidates and the search can take years. Online brute-force attacks also put user accounts at risk (for example by triggering lockouts) and flood the site with unnecessary login traffic.
Attackers launch brute-force attacks using widely available tools that combine wordlists with rule sets to guess user passwords automatically and intelligently. Although such attacks are easy to detect, they are not so easy to prevent.
In the offline variant, the attacker first gains unauthorized access to the stored hashed or encrypted passwords, then runs a program that hashes or encrypts a large database of candidate passwords and compares each result with the stolen values. A match reveals the password without ever contacting the target system, so account lockout policies do not help against it.
The brute force attack may be conducted as a dictionary attack, as an exhaustive (true brute force) attack, or as a lookup in pre-computed tables of hashed or encrypted passwords (rainbow tables).
Types of Password Attacks
There are three main types of password attacks:
1. Dictionary Attack
2. Brute Force Attack
3. Hybrid Attack
Dictionary Attack
A dictionary attack tries every word or phrase in a predefined list (a wordlist), hashing each candidate and comparing it with the target, instead of trying all possible character combinations as a brute force attack does. It is fast but only finds passwords that appear in the list.
Brute Force Attack
A brute force (exhaustive) attack tries every possible combination of characters, one by one, until the password is found. For example, the program might follow a sequence like this:
"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...
until the password is found. The cost grows exponentially with length: with a character set of size N there are N^L candidates of length L.
Hybrid Attack
A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many ways to perform one; in its simplest form the attack appends a couple of digits to the end of each dictionary word tried (password1, password12, ...). Word-mangling rules of this kind, such as changing case or substituting @ for a and 0 for o, greatly increase the number of tested combinations without resorting to a true brute force attack, and they catch most "complex-looking" variants of common words.
Password cracking software generally uses a combination or selection of all three methods to try and guess the system password.
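The three attack types in code, as an added example that is not part of the NIELIT lab: Python functions that run a dictionary attack, an exhaustive brute force search and a hybrid (rules) attack against raw, unsalted MD5 hashes, which is the hash type the lab's hash.txt uses. The target hashes are computed here from the lab's own plaintexts (including P@ssw0rd from the countermeasure lab, to show that a leet-speak rule recovers it), the five-word wordlist stands in for John's password.lst, and the suffix and leet rules are a constructed, tiny subset of what John's rule engine does.

```python
"""Dictionary, brute-force and hybrid attacks against raw (unsalted) MD5 hashes.
Added demonstration code: targets, wordlist and rules are constructed here."""
import hashlib
import itertools
import string
from typing import Dict, List, Optional, Tuple


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


# Targets in the lab's user:hash layout (hashes computed here, not copied).
TARGETS: Dict[str, str] = {
    "test1": md5_hex("123"),
    "test2": md5_hex("abcd"),
    "test3": md5_hex("abc@123"),
    "test4": md5_hex("P@ssw0rd"),   # the "strong" password of the countermeasure lab
}
WORDLIST: List[str] = ["password", "letmein", "abc", "qwerty", "admin"]  # constructed
CHARSET = string.ascii_lowercase + string.digits                         # 36 symbols

Result = Tuple[Optional[str], int]   # (recovered password or None, guesses tried)


def dictionary_attack(target: str, wordlist: List[str]) -> Result:
    """Hash each wordlist entry as-is and compare it with the target."""
    for tried, word in enumerate(wordlist, 1):
        if md5_hex(word) == target:
            return word, tried
    return None, len(wordlist)


def brute_force_attack(target: str, charset: str, max_len: int) -> Result:
    """Exhaustive search over every string of length 1..max_len, in the order
    "a", "b", ..., "aa", "ab", ... that the text describes."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target:
                return candidate, tried
    return None, tried


# Hybrid rules: case change, leet substitution and digit/symbol suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0"})
SUFFIXES = ["", "1", "12", "123", "@123", "!", "2023"]


def hybrid_candidates(word: str) -> List[str]:
    bases: List[str] = []
    for base in (word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET)):
        if base not in bases:            # keep order, drop duplicates
            bases.append(base)
    return [base + suffix for base in bases for suffix in SUFFIXES]


def hybrid_attack(target: str, wordlist: List[str]) -> Result:
    tried = 0
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            tried += 1
            if md5_hex(candidate) == target:
                return candidate, tried
    return None, tried


def crack_all(targets: Dict[str, str], wordlist: List[str],
              charset: str = CHARSET, max_len: int = 4) -> Dict[str, Tuple[str, str, int]]:
    """Cheapest mode first, as John's default run does: wordlist, rules, then exhaustive."""
    cracked: Dict[str, Tuple[str, str, int]] = {}
    for user, target in targets.items():
        for mode, attack in (("dictionary", lambda t: dictionary_attack(t, wordlist)),
                             ("hybrid", lambda t: hybrid_attack(t, wordlist)),
                             ("brute-force", lambda t: brute_force_attack(t, charset, max_len))):
            password, tried = attack(target)
            if password is not None:
                cracked[user] = (mode, password, tried)
                break
    return cracked


if __name__ == "__main__":
    for user, (mode, password, tried) in crack_all(TARGETS, WORDLIST).items():
        print(f"{user}: {password!r} recovered by {mode} after {tried} guesses")
    print("candidates for an 8-character lowercase+digit password:", 36 ** 8)
```

The guess counts are the point: the two short passwords fall to exhaustive search after a few tens of thousands of MD5 computations, and both "complex" ones fall to a handful of rules, while an 8-character password drawn from the same 36 symbols has over two trillion candidates and is only reachable in practice because MD5 is so cheap to compute.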
Hash function
A hash function is a mathematical function that converts an input of arbitrary (possibly variable) size into a small fixed-size value. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. A hash compiles a stream of data into a short digest, and the operation is strictly one way: the input cannot be recovered from the digest.
NIELIT, Gorakhpur | Brute Force Attack & Countermeasures Page 1
The ideal cryptographic hash function has four main properties:
▪ It is easy to compute the hash for any given data.
▪ It is extremely difficult to construct an input that has a given hash (preimage resistance).
▪ It is extremely difficult to modify a given input without changing its hash (second-preimage resistance).
▪ It is extremely unlikely that two different messages will have the same hash (collision resistance).
Cryptographic hash functions have many applications such as message integrity checks,
digital signatures, authentication, and various information security applications. Their hash
values can also be used as fingerprints for detecting duplicate data files, file version changes,
and similar applications, or as checksums to guard against accidental data corruption.
Hash functions commonly met in standards and applications are MD5, SHA-1, SHA-512 and RIPEMD-160. MD5 and SHA-1 are no longer collision resistant (practical collisions have been demonstrated for both) and should not be used in new designs. Note also that all of these are fast general-purpose hashes: speed is a virtue for integrity checks but a liability when the hash protects a password, because it lets an attacker test billions of guesses per second on commodity hardware.
Password Hashes
It is dangerous for computer systems to store passwords in clear text (in their original form). A more secure way is to store a hash of the password rather than the password itself. Because the hash is one way, the password cannot be computed back from the hash; to check a login, the system hashes the password the user typed and compares the result with the stored value. What an attacker who steals the hashes can still do is guess candidate passwords, hash them and compare, which is exactly what the attacks in this module are.
Fig: Storing a hash instead of a password
Fig: Testing a guessed password against the stored hash
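To make the two figures concrete, here is an added example that is not from the NIELIT lab: storing and checking a password hash in Python, first with raw MD5 exactly as the lab's hash.txt does, then with a salted, iterated PBKDF2-HMAC-SHA256 hash of the kind a system should use instead. The stored-string layout (pbkdf2_sha256$iterations$salt$hash), the sample passwords and the timing loop are assumptions made for the demo; the iteration count is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
"""Store-and-verify for password hashes: raw MD5 (as in the lab's hash.txt)
beside salted PBKDF2-HMAC-SHA256. Added demonstration code, not the lab's."""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional


# --- Scheme 1: raw, unsalted MD5, the layout of hash.txt --------------------
def store_md5(password: str) -> str:
    """Figure 1 with MD5: what gets written to the password store."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5(password: str, stored: str) -> bool:
    """Figure 2: hash the guess and compare with the stored hash
    (constant-time compare so the check itself leaks nothing)."""
    return hmac.compare_digest(store_md5(password), stored)


# --- Scheme 2: salted, iterated PBKDF2-HMAC-SHA256 --------------------------
ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (layout assumed here)."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(store: Callable[[str], str], password: str) -> bool:
    """Two users who chose the same password: do their stored values match?
    True for unsalted MD5 (one crack reveals both and lookup tables work),
    False for a salted scheme, where every hash is a separate cracking job."""
    return store(password) == store(password)


def guesses_per_second(verify: Callable[[str, str], bool], stored: str,
                       seconds: float = 0.5) -> float:
    """Rough single-core guess rate an attacker gets against this scheme."""
    deadline = time.perf_counter() + seconds
    n = 0
    while time.perf_counter() < deadline:
        verify(f"guess{n}", stored)
        n += 1
    return n / seconds


if __name__ == "__main__":
    weak, strong = store_md5("123"), store_pbkdf2("123")
    print("md5   :", weak, verify_md5("123", weak), verify_md5("124", weak))
    print("pbkdf2:", strong[:40] + "...", verify_pbkdf2("123", strong))
    print("same password, same hash?  md5:", same_password_same_hash(store_md5, "123"),
          " pbkdf2:", same_password_same_hash(store_pbkdf2, "123"))
    print(f"md5 guesses/s   : {guesses_per_second(verify_md5, weak):,.0f}")
    print(f"pbkdf2 guesses/s: {guesses_per_second(verify_pbkdf2, strong):,.0f}")
```

The two guess rates printed at the end are the whole argument for the second scheme: the verification logic is identical, but each PBKDF2 check costs hundreds of thousands of SHA-256 computations, so the attacker's offline search in the lab below slows down by the same factor.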
Hands on Lab for Brute Force Attack & Countermeasure
Tools Used
The following tool is used to perform this module.
John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Linux, Windows, DOS, BeOS, and OpenVMS. John the Ripper is free and open source software. Its primary purpose is to detect weak passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, it supports Kerberos/AFS and Windows NT/2000/XP/2003 LM hashes out of the box, plus many more hash and cipher types in the community-enhanced "jumbo" version, which is the version shipped with Kali and the one needed for raw MD5 hashes.
Machine Details for this Lab
Power on the virtual machines listed below for this lab.
S.No  Computer Name  IP Address  Services/Tools   Username  Password
1     Windows 7      10.0.0.12   John the Ripper  nielit    123
2     Kali Linux     10.0.0.11   John the Ripper  root      12345678
Hands on Lab
Brute Force Attack & Countermeasure in Windows7 (10.0.0.12)
The following steps locate the "hash.txt" file on Windows 7 (10.0.0.12) that holds the password hashes to be cracked.
Note: For this lab "John the Ripper" has been downloaded and extracted into the folder c:\john, and the file c:\john\run\hash.txt holds three usernames and their passwords as raw, unsalted MD5 hashes, one user:hash pair per line. MD5 is a hash, not encryption: the values cannot be decrypted, only matched against hashed guesses.
1. Log in to the Windows 7 (10.0.0.12) machine with the following credentials.
user- nielit
Password -123
2. Browse to the john folder (c:\john\run\hash.txt) to find the location of "hash.txt". The file holds three usernames and their passwords as MD5 hashes, as shown below.
The following steps start the brute force attack on the hashes saved in "hash.txt" on Windows 7 (10.0.0.12).
3. Open a command prompt (Click -> Open command prompt) using "Run as administrator". In the command prompt change to the run directory and start John on the hash file, as given below, to crack the usernames and their related passwords:
c:\john\run>john hash.txt
John auto-detects the hash type; if it cannot identify the hashes, pass the format explicitly with john --format=raw-md5 hash.txt. With no other options John runs its default sequence of modes: "single crack", then wordlist mode with its bundled password.lst and rules, then incremental (true brute force) mode.
4. The output lists the three users and their passwords. In the lab run John displayed two passwords; delete the "john.pot" file (c:\john\run\john.pot) and run John again, and the third user and password are displayed. Running john --show hash.txt lists everything cracked so far without deleting anything.
Sl.No.  User   Password
1       test1  123
2       test2  abcd
3       test3  abc@123
5. All cracked passwords are stored in the john.pot file, which John creates automatically. If the file exists, John skips the hashes already recorded in it (it does not fail; it simply has nothing new to report), so delete john.pot to crack the same hashes again. Use the following command in the run directory to delete it:
c:\john\run>del john.pot
Brute Force Attack & Countermeasure in the Kali (10.0.0.11) machine
The following steps create users and assign them passwords.
6. Log in to the Kali Linux (10.0.0.11) machine with the following credentials and open a terminal window.
Username: "root"
Password: "12345678"
7. Create two users (test1 & test2) with useradd on the Kali terminal:
# useradd -m test1
# useradd -m test2
8. Assign passwords to the users with passwd (passwd test1, then passwd test2):
test1:- 1234
test2:- password
The following steps extract the password hashes from the Kali (10.0.0.11) machine.
9. To see the account list on Kali (10.0.0.11), type the following command:
# cat /etc/passwd
10. In the output the password field of every account is just "x": the hashes are not stored in /etc/passwd but in /etc/shadow, which only root can read. John's unshadow utility merges the two files so that each line carries the user's real hash. It does not decrypt or "unmask" anything; the hashes are still hashes, only now in a file John can load.
11. Run unshadow and save its output as the hash file for John:
# unshadow /etc/passwd /etc/shadow > hashfile
12. Now check the "hashfile" with the following command:
# cat hashfile
The x has been replaced with the actual hash values: salted crypt(3) strings such as $6$... (SHA-512 crypt) or $y$... (yescrypt), depending on the Kali release.
13. To check various cracking modes available with John the Ripper type the following
command
# john -h
The following steps crack the passwords with John the Ripper's wordlist mode.
14. To use wordlist mode with the list bundled with John on Kali (10.0.0.11), run:
# john --wordlist=/usr/share/john/password.lst hashfile
Adding --rules applies John's word-mangling rules to every entry of the list, which turns the dictionary attack into a hybrid attack.
15. The cracked passwords are stored in john.pot, which can be read with the following command:
# cat /root/.john/john.pot
Each line has the form hash:password. The same information, mapped back to usernames, is printed by:
# john --show hashfile
Note: If the user attempts to crack the same hashes again, John reports nothing, because the hashes and their passwords are already stored in the john.pot file and John does not crack a hash twice. To have the passwords cracked again, remove the entries from john.pot (or delete the file).
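What unshadow produces and what john.pot holds can be reproduced without John. The following is an added example, not part of the NIELIT lab or of John the Ripper itself: Python functions that merge /etc/passwd and /etc/shadow the way unshadow does (steps 10 to 12), list which accounts actually carry a crackable hash, and resolve a john.pot file back to user:password pairs the way john --show does (step 15). The passwd, shadow and pot lines are constructed samples, and the $6$ strings are placeholders, not real crypt(3) hashes.

```python
"""What `unshadow` builds, and how john.pot maps back to users (`john --show`).
Added demonstration code; all lines below are constructed and the $6$ strings
are placeholders, not real crypt(3) output."""
from typing import Dict, Iterable, List

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "test1:x:1001:1001::/home/test1:/bin/bash",
    "test2:x:1002:1002::/home/test2:/bin/bash",
]
SHADOW_LINES = [
    "root:$6$r00tS4lt$CONSTRUCTEDROOTHASH:19500:0:99999:7:::",
    "daemon:*:19500:0:99999:7:::",        # '*' = no password set, never crackable
    "test1:$6$s4lt0001$CONSTRUCTEDTEST1HASH:19500:0:99999:7:::",
    "test2:$6$s4lt0002$CONSTRUCTEDTEST2HASH:19500:0:99999:7:::",
]
# john.pot after the wordlist run: one "hash:plaintext" line per cracked hash.
POT_LINES = [
    "$6$s4lt0001$CONSTRUCTEDTEST1HASH:1234",
    "$6$s4lt0002$CONSTRUCTEDTEST2HASH:password",
]


def unshadow(passwd_lines: Iterable[str], shadow_lines: Iterable[str]) -> List[str]:
    """Replace the 'x' placeholder in each passwd line with the hash from shadow,
    keeping the passwd layout; this merged text is what John loads."""
    hashes: Dict[str, str] = {}
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        hashes[user] = field
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def loadable_users(hashfile_lines: Iterable[str]) -> List[str]:
    """Accounts John would actually try: those whose password field is a hash,
    not 'x' (still shadowed), '*' or '!' (no password / locked) or empty."""
    users = []
    for line in hashfile_lines:
        user, field = line.split(":")[:2]
        if field and field != "x" and not field.startswith(("*", "!")):
            users.append(user)
    return users


def show(hashfile_lines: Iterable[str], pot_lines: Iterable[str]) -> Dict[str, str]:
    """What `john --show hashfile` prints: user -> password for every hash in the pot."""
    pot: Dict[str, str] = {}
    for line in pot_lines:
        # crypt(3) strings contain no ':', so the first ':' separates hash and plaintext
        digest, _, plaintext = line.partition(":")
        pot[digest] = plaintext
    cracked: Dict[str, str] = {}
    for line in hashfile_lines:
        user, field = line.split(":")[:2]
        if field in pot:
            cracked[user] = pot[field]
    return cracked


if __name__ == "__main__":
    hashfile = unshadow(PASSWD_LINES, SHADOW_LINES)
    print("\n".join(hashfile))
    print("loadable:", loadable_users(hashfile))
    print("cracked :", show(hashfile, POT_LINES))
```

The daemon account shows why unshadow output still contains uncrackable entries, and the show() lookup is also why a second run of John prints nothing new: the hashes are resolved through john.pot, not re-cracked.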
Implementing the countermeasures to create a secured environment
Brute Force Attack & Countermeasure from the Windows 7 (10.0.0.12) machine.
The following steps locate the "hash1.txt" file on Windows 7 (10.0.0.12) that holds hashes of more complex passwords to be cracked.
Note: "hash1.txt" holds two usernames and their passwords as raw MD5 hashes and is located at c:\john\run\hash1.txt.
The users and their passwords are:
Sl.No.  User   Password
1       test1  P@ssw0rd
2       test2  Abc_123
16. Switch to the Windows 7 (10.0.0.12) machine, open the command prompt (using "Run as administrator") and run John against the new file:
c:\john\run>john hash1.txt
No cracked passwords are listed, even after running for a long time. Caveat: this only shows that these passwords are not in John's small bundled password.lst and are too long for incremental mode to reach quickly. "P@ssw0rd" in particular is a well-known leet-speak variant that appears in public leaked-password lists and falls to a wordlist-plus-rules attack in seconds; length and unpredictability, not symbol substitution, are what make a password strong.
Brute Force Attack & Countermeasure for stronger passwords from the Kali (10.0.0.11) machine.
The following steps create new users with stronger passwords.
17. Switch to the Kali Linux (10.0.0.11) machine and create the new users (test3 & test4) with useradd:
# useradd -m test3
# useradd -m test4
18. Assign passwords to the users with passwd:
test3:- P@ssw0rd
test4:- Abc_123
The following steps extract the hashes from the Kali (10.0.0.11) machine again.
19. To see the account list on Kali (10.0.0.11), type the following command:
# cat /etc/passwd
20. As before, the password field shows only x; the hashes live in /etc/shadow.
21. Use unshadow to merge /etc/passwd and /etc/shadow into a file John can load (nothing is decrypted):
# unshadow /etc/passwd /etc/shadow > hashfile
22. Now check the "hashfile" with the following command:
# cat hashfile
The following steps crack the passwords with John the Ripper's wordlist mode.
23. Run wordlist mode against the new hash file on Kali (10.0.0.11):
# john --wordlist=/usr/share/john/password.lst hashfile
No password is listed in the output: as the lab shows, neither P@ssw0rd nor Abc_123 is in the bundled password.lst, so plain wordlist mode cannot recover them. (test1 and test2 from the earlier run are not reported either, because their hashes are already in john.pot.)
Lab Outcome
In the insecure environment
▪ The user has extracted 3 passwords from the password hash file "hash.txt" stored on the Windows 7 (10.0.0.12) machine using the John the Ripper tool.
▪ The user has extracted 2 weak passwords for the Kali users "test1 & test2" from the Kali (10.0.0.11) machine using the John the Ripper tool.
In the secure environment
▪ The user is unable to crack the passwords in the hash file "hash1.txt" stored on the Windows 7 (10.0.0.12) machine using the John the Ripper tool in feasible time.
▪ The user is unable to crack the stronger passwords of the Kali users "test3 & test4" from the Kali (10.0.0.11) machine using the John the Ripper tool with the bundled wordlist.
Suggested More Countermeasures
▪ Use strong passwords for all account types: long passphrases rather than short words with symbol substitutions, which cracking rules undo.
▪ Store passwords with a salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) rather than a fast unsalted hash such as MD5; the salt defeats pre-computed tables and makes every hash a separate cracking job, and the slowness cuts the attacker's guess rate by orders of magnitude.
▪ Disable unnecessary services.
▪ Apply lockout policies (or progressive delays) to end-user accounts to limit the number of retry attempts that can be used to guess a password online.
▪ Do not use default account names, and rename standard accounts such as the administrator's account and the anonymous Internet user account used by many Web applications.
▪ Protect the password hash stores (the Windows SAM database, /etc/shadow, application databases) from unauthorized access, since every offline attack starts with obtaining the hashes.
▪ Audit failed logins for patterns of password guessing: many failures from one source in a short window, or one password tried against many accounts.
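The last two countermeasures are about detection, which the lab does not show. The following is an added example, not part of the NIELIT material: a small Python monitor that parses constructed sshd lines in the auth.log format and raises an alert when one source IP produces a threshold number of failed logins inside a sliding time window, and a second alert if that same source then logs in successfully (the signature of a guessed password). The sample log lines, the 60-second window, the threshold of 5 and the alert layout are all assumptions made for the demo.

```python
"""Detect online password guessing in sshd auth.log lines.
Added demonstration code; the log excerpt, window and threshold are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed excerpt in the syslog layout sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:00:01 kali sshd[2101]: Failed password for test1 from 10.0.0.12 port 40001 ssh2
Mar  3 10:00:02 kali sshd[2102]: Failed password for test1 from 10.0.0.12 port 40002 ssh2
Mar  3 10:00:03 kali sshd[2103]: Failed password for invalid user admin from 10.0.0.12 port 40003 ssh2
Mar  3 10:00:04 kali sshd[2104]: Failed password for test1 from 10.0.0.12 port 40004 ssh2
Mar  3 10:00:05 kali sshd[2105]: Failed password for test1 from 10.0.0.12 port 40005 ssh2
Mar  3 10:00:06 kali sshd[2106]: Accepted password for test1 from 10.0.0.12 port 40006 ssh2
Mar  3 10:05:00 kali sshd[2107]: Failed password for test2 from 10.0.0.20 port 50001 ssh2
Mar  3 10:09:00 kali sshd[2108]: Failed password for test2 from 10.0.0.20 port 50002 ssh2
Mar  3 10:15:00 kali sshd[2109]: Accepted password for test2 from 10.0.0.20 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

Event = Tuple[datetime, str, str, str]   # (time, outcome, user, source ip)


def parse_line(line: str, year: int = 2024) -> Optional[Event]:
    """syslog timestamps carry no year, so one is assumed for the demo."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect(log_text: str, window_sec: int = 60, threshold: int = 5) -> List[Dict]:
    """One alert per source IP when it accumulates `threshold` failed logins inside
    any `window_sec` window, plus a follow-up alert if that IP later logs in."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    targeted: Dict[str, Set[str]] = defaultdict(set)
    flagged: Set[str] = set()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        if outcome == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            targeted[ip].add(user)
            while (ts - q[0]).total_seconds() > window_sec:   # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute-force", "ip": ip, "failures": len(q),
                               "users": sorted(targeted[ip]), "at": ts.isoformat()})
        elif ip in flagged:   # Accepted right after a burst of failures
            alerts.append({"kind": "login-after-brute-force", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (two failures four minutes apart) is a user mistyping a password and stays below the threshold; lowering the threshold or widening the window trades fewer missed slow attacks for more such false positives, which is the tuning decision any lockout or alerting policy has to make.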