How Many Brute Force Attacks On Your Server?

[RummyBoy]

http://en.wikipedia.org/wiki/Brute-force_attack

Ive read this through 100 times and it says the same thing.... A brute force attack is basically about "trying to guess someone's password".

If the server had anything of value it would have been well passworded and secure. So what is the point of even trying? Success rate must be one in a billion.

How many brute force attacks do you face per day on average and what kind?

[Ran Ohm]

Do you mean trying to brute force the password of a site on a server?

They use software that can run though millions of password and username combos in seconds or literally try various combinaztions of letters until they get the tight one.

[RummyBoy]

OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

[srockhard]

Quote:

Originally Posted by RummyBoy

[url]Success rate must be one in a billion.

Yeah those are pretty good odds when key gen is running GHz

[RummyBoy]

Quote:

Originally Posted by srockhard

Yeah those are pretty good odds when key gen is running GHz

How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take upto 22,831 Years to find the correct solution.
The average human lives for upto 100 years maximum.

So the odds are not good unless I am missing something.

[lezinterracial]

Quote:

Originally Posted by RummyBoy

OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, i don't know). Where the program uses a list of common passwords, usually a file of cracked passwords from something like rockyou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with OclHashcat plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depend on how many graphics cards you got running.

Many people try to use masks in OclHashCat Plus. Like before trying to brute force all possible passwords. They try all lower case five place ?l?l?l?l?l. Then all lower case 6 places. Then maybe an Upper Case followed by 4 lower case. And so on.

[lezinterracial]

Here ya go. For just the password.
http://calc.opensecurityresearch.com/

[srockhard]

Quote:

Originally Posted by RummyBoy

How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take upto 22,831 Years to find the correct solution.
The average human lives for upto 100 years maximum.

So the odds are not good unless I am missing something.

Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.

[Markul]

Quote:

Originally Posted by lezinterracial

Here ya go. For just the password.
http://calc.opensecurityresearch.com/

Yup, assuming nothing kicks in.

Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

[srockhard]

As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!

[klinton]

Quote:

Originally Posted by Markul

Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

but but but... you told that encryption doesnt work !

[Markul]

Quote:

Originally Posted by klinton

but but but... you told that encryption doesnt work !

No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)

[lezinterracial]

Quote:

Originally Posted by srockhard

As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!

Yea, If all virtual currencies we have are deemed useless. What are people gonna use all that processing for?

The bad thing about wireless is the password just flies through the air, Waiting to be picked up.

[klinton]

Quote:

Originally Posted by Markul

No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)

if you are specific target, it will be very hard...if you are normal user (among others milions users who use encryption) - you are free to go and it works

[RummyBoy]

How many of you have been a victim of government surveillance. I guess not.

Even if you are a specific target, encryption works if you are talking about man in the middle, it is very difficult to defeat good encryption. Snowden himself has said the same thing, except that he did stress that intelligence agencies (NSA & GCHQ) are making major inroads into cracking encryption.

On the whole, however, it still works and it still protects your privacy so go ahead and use it if you wish to.

[RummyBoy]

Quote:

Originally Posted by srockhard

Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.

Im assuming its one machine but sure if its more then its a different issue.

Dividing by 5 due to my assumption above that only 5 attempts can be made before the login is locked and the IP s banned for at least one hour. So therefore 5 attempts per hour. Anyway, it wasn't scientific, its just a rough idea of how many calculations need to be done and how time consuming it will be if those kind of restraints exist.

[bigwebenterprises]

Any good hacker will pull your /etc/shadow file through your webserver and then use rainbow tables.

[lucas131]

depends on. in the past bruteforce was good for admins and other high targetted accounts, but now, when everyone is warned about how easy is to bruteforce password, so everyone who needs to secure data is choosing hard to bruteforce passwords, bruteforce is now just wasting bandwidth of your hosting. most of the hacks are done by real hackers and programmers and security gurus, not by kids, so nothing to worry about another thing is bruteforce/combo bruteforce paid users, not that hard, as paid users dont care about your content have luck and stay safe

[freecartoonporn]

there are 2 types of hackers one with specific targets and others without any targets.

[rowan]

Quote:

Originally Posted by RummyBoy

OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

The article in your OP is about decrypting an encrypted password, by brute forcing multiple combinations, trying to arrive at the same result as the encrypted password.

The encrypted password is obtained by some other means, so all brute forcing happens locally. It's not the same as brute force login attempts to a remote server.

[ladida]

You lack basic understanding to understand how it works. Let people that are trained in security do that for you.

[RummyBoy]

Quote:

Originally Posted by ladida

You lack basic understanding to understand how it works. Let people that are trained in security do that for you.

So you say I should quit trying to understand and learn about it? If I took that approach, Id be nowhere and broke......

The point I am making is that most of these attempts are a waste of effort and its only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.

[Best-In-BC]

Christians, lol

[blackmonsters]

Quote:

Originally Posted by lezinterracial

Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, i don't know). Where the program uses a list of common passwords, usually a file of cracked passwords from something like rockyou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with OclHashcat plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depend on how many graphics cards you got running.

Many people try to use masks in OclHashCat Plus. Like before trying to brute force all possible passwords. They try all lower case five place ?l?l?l?l?l. Then all lower case 6 places. Then maybe an Upper Case followed by 4 lower case. And so on.

Yeah, I'm pretty sure any good hacker is going to do it the way you say.

The first sign of brute force is probably someone trying to login with : admin/imgod

[CurrentlySober]

i kunt a4d a server...

[brassmonkey]

/dydytdy36447/admin.php

[ianmoone332000]

I used to be into hacking before i got into all this. They just use a bruteforce tool called sentry. Load it up with thousand and thousands of proxies plus thousands of logins (combos). If your sites have really good secuirity it doesnt really matter. They just extract the logins from similar sites which security is not so good and run them against your site. People are too lazy to use different passwords etc on each site and this is what bruteforcers prey on. Works 90% of the time. You wanna avoid it then generate people a login when they signup and dont let them pick there own

[Naughty-Pages]

Quote:

Originally Posted by RummyBoy

O
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(4) There's a good chance if over zealous, your IP is permanently blocked.

When you brute force you use a list of proxy servers.. with a good enough list you can throw countless combinations per minute at your target. If you do it right and set it to rotate the ip's correctly, you can go forever.

It's pretty easy to bruteforce, especially with the free software out there to do it. Even programs that use OCR to read captcha's, perform form logins, etc..

It's relatively easy to get passwords to several servers and a few dozen members areas on top of that in just an hour or so.

[mikesouth]

Quote:

Originally Posted by ianmoone332000

I used to be into hacking before i got into all this. They just use a bruteforce tool called sentry. Load it up with thousand and thousands of proxies plus thousands of logins (combos). If your sites have really good secuirity it doesnt really matter. They just extract the logins from similar sites which security is not so good and run them against your site. People are too lazy to use different passwords etc on each site and this is what bruteforcers prey on. Works 90% of the time. You wanna avoid it then generate people a login when they signup and dont let them pick there own

Exactly right!

[ladida]

Quote:

Originally Posted by RummyBoy

So you say I should quit trying to understand and learn about it? If I took that approach, Id be nowhere and broke......

Based on your conclusions it's clear how far off the target you are that you should stop now as it's just a waste of time for you.

Quote:

The point I am making is that most of these attempts are a waste of effort and its only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.

Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.

Stick to what you do.

[RummyBoy]

Quote:

Originally Posted by ladida

Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.

I am not trying to draw conclusions at all - I am simply giving my opinion.

Incidently and I should have specified that im talking more about attacks on the admin side like trying to gain access in Root, SSH, Cpanel, WHM, FTP etc using brute force attacks. Which to my mind, is generally hopeless using that specific method. Im not talking about a vulnerability like heartbleed etc.

Any admin with sense would have chosen a smart unknown login and a min 10 character password with upper, lower casings, multi character, alpha numeric etc.