GoFuckYourself.com - Adult Webmaster Forum

-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   How Many Brute Force Attacks On Your Server? (https://gfy.com/showthread.php?t=1143414)

RummyBoy 06-18-2014 01:20 PM

How Many Brute Force Attacks On Your Server?
 
http://en.wikipedia.org/wiki/Brute-force_attack

I've read this through 100 times and it says the same thing... A brute force attack is basically about "trying to guess someone's password".

If the server had anything of value it would have been well passworded and secure. So what is the point of even trying? Success rate must be one in a billion.

How many brute force attacks do you face per day on average and what kind?

Ran Ohm 06-18-2014 01:25 PM

Do you mean trying to brute force the password of a site on a server?

They use software that can run through millions of password and username combos in seconds, or literally try various combinations of letters until they get the right one.

RummyBoy 06-18-2014 10:47 PM

OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

srockhard 06-18-2014 10:53 PM

Quote:

Originally Posted by RummyBoy (Post 20128927)
Success rate must be one in a billion.

Yeah those are pretty good odds when key gen is running GHz

RummyBoy 06-18-2014 11:09 PM

Quote:

Originally Posted by srockhard (Post 20129427)
Yeah those are pretty good odds when key gen is running GHz

How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take up to 22,831 years to find the correct solution.
The average human lives for up to 100 years maximum.

So the odds are not good unless I am missing something.

lezinterracial 06-18-2014 11:10 PM

Quote:

Originally Posted by RummyBoy (Post 20129424)
OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, I don't know), where the program uses a list of common passwords, usually a file of cracked passwords from something like RockYou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with oclHashcat-plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depends on how many graphics cards you've got running.

Many people try to use masks in oclHashcat-plus. Like before trying to brute force all possible passwords, they try all lower case five places ?l?l?l?l?l. Then all lower case 6 places. Then maybe an upper case followed by 4 lower case. And so on.
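The workflow described in the post above (hash obtained offline, wordlist first, then short masks in hashcat's ?l/?u/?d notation) as an added example in Python; this is not hashcat and not code from the thread. It assumes an unsalted SHA-256 hash and a six-entry wordlist, both constructed here for the demonstration; the real target "x6NgPtRW4ua2" is outside every mask tried, which is the point of the last call in the usage note.

```python
import hashlib
import itertools
import string

# Constructed mini wordlist in the style of a leaked-password list (not RockYou).
WORDLIST = ["123456", "password", "iloveyou", "princess", "letmein", "qwerty"]

# hashcat-style mask classes (subset): ?l lower, ?u upper, ?d digits.
MASK_CLASSES = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
}


def parse_mask(mask):
    """Turn a mask like '?u?l?l?l?d' into one alphabet per position."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in MASK_CLASSES]
    if unknown:
        raise ValueError("unsupported mask class(es): %s" % unknown)
    return [MASK_CLASSES[t] for t in tokens]


def mask_keyspace(mask):
    """How many candidates a mask generates (product of alphabet sizes)."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def candidates(wordlist, masks):
    """Yield the dictionary first, then each mask in the order given."""
    for word in wordlist:
        yield word
    for mask in masks:
        for chars in itertools.product(*parse_mask(mask)):
            yield "".join(chars)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, wordlist, masks):
    """Offline attack: hash every candidate and compare.

    Returns (plaintext, attempts) on a hit, (None, attempts) after exhausting
    the wordlist and all masks. Nothing here talks to a server, so lockouts
    and IP bans never come into play.
    """
    attempts = 0
    for cand in candidates(wordlist, masks):
        attempts += 1
        if sha256_hex(cand) == target_hex:
            return cand, attempts
    return None, attempts
```

Usage: `crack(sha256_hex("letmein"), WORDLIST, ["?l?l?l?l"])` returns the word after 5 attempts, `crack(sha256_hex("abcd"), WORDLIST, ["?l?l?l?l"])` finds it in the mask phase after 738, and `crack(sha256_hex("x6NgPtRW4ua2"), WORDLIST, ["?l?l?l"])` returns `(None, 17582)` because the 12-character mixed-case password is not in any of those candidate sets. A real leaked hash would normally be salted and produced by a slow scheme such as bcrypt, which changes the cost per guess but not the shape of this loop.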

lezinterracial 06-18-2014 11:27 PM

Here ya go. For just the password.
http://calc.opensecurityresearch.com/

srockhard 06-18-2014 11:41 PM

Quote:

Originally Posted by RummyBoy (Post 20129435)
How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take up to 22,831 years to find the correct solution.
The average human lives for up to 100 years maximum.

So the odds are not good unless I am missing something.

Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.

Markul 06-18-2014 11:41 PM

Quote:

Originally Posted by lezinterracial (Post 20129443)
Here ya go. For just the password.
http://calc.opensecurityresearch.com/

Yup, assuming nothing kicks in.

Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

:winkwink:
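The arithmetic in this thread mixes two threat models: RummyBoy's 5 attempts per hour against a live login, and the calculator's offline guessing rate against a stolen hash. This added example (not from the thread or the calculator site) puts both on one footing and adds the proxy-rotation case raised later in the thread. The 62-character alphanumeric set and the figures of 10,000 proxies and 10^10 guesses/s offline are assumptions for illustration; the 5 per hour figure is the one from RummyBoy's post.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Candidates for a password of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(n_candidates, guesses_per_second):
    """Worst case (whole keyspace); the expected time is half of this."""
    return n_candidates / guesses_per_second / SECONDS_PER_YEAR


def online_rate(attempts_per_hour_per_ip, n_ips=1):
    """A lockout of N attempts per hour per IP caps one address at N/3600
    guesses per second; every extra proxy address multiplies that rate."""
    return attempts_per_hour_per_ip / SECONDS_PER_HOUR * n_ips


def scenarios(charset_size, length, lockout_per_hour=5, proxies=10_000,
              offline_rate=1e10):
    """Years to exhaust the keyspace under three models.

    proxies and offline_rate are assumed values for the example, not
    measurements."""
    n = keyspace(charset_size, length)
    return {
        "candidates": n,
        "online_single_ip_years": years_to_exhaust(n, online_rate(lockout_per_hour)),
        "online_proxies_years": years_to_exhaust(
            n, online_rate(lockout_per_hour, proxies)),
        "offline_years": years_to_exhaust(n, offline_rate),
    }


if __name__ == "__main__":
    ALNUM = 62  # a-z, A-Z, 0-9 (assumed character set)
    for length in (6, 12):
        s = scenarios(ALNUM, length)
        print("length %d: %.3g candidates" % (length, s["candidates"]))
        for k in ("online_single_ip_years", "online_proxies_years", "offline_years"):
            print("  %-24s %.3g years" % (k, s[k]))
```

Under these assumptions `years_to_exhaust(10**9, online_rate(5))` reproduces RummyBoy's 22,831 years for one billion guesses through a single rate-limited address, while a 6-character alphanumeric password falls in about 5.7 seconds offline and a 12-character one in roughly 10,000 years offline; the proxy column shows why a per-IP lockout on its own is a weak control.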

srockhard 06-18-2014 11:43 PM

As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!

klinton 06-18-2014 11:45 PM

Quote:

Originally Posted by Markul (Post 20129450)
Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

:winkwink:

but but but... you said that encryption doesn't work! :1orglaugh:1orglaugh:1orglaugh

Markul 06-18-2014 11:53 PM

Quote:

Originally Posted by klinton (Post 20129453)
but but but... you said that encryption doesn't work! :1orglaugh:1orglaugh:1orglaugh

No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)

lezinterracial 06-18-2014 11:53 PM

Quote:

Originally Posted by srockhard (Post 20129451)
As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!

Yeah, if all the virtual currencies we have are deemed useless, what are people gonna use all that processing for?

The bad thing about wireless is the password just flies through the air, waiting to be picked up.

klinton 06-19-2014 12:19 AM

Quote:

Originally Posted by Markul (Post 20129456)
No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)

If you are a specific target, it will be very hard... if you are a normal user (among millions of other users who use encryption), you are free to go and it works.

RummyBoy 06-19-2014 03:37 AM

How many of you have been a victim of government surveillance? I guess not.

Even if you are a specific target, encryption works if you are talking about man in the middle, it is very difficult to defeat good encryption. Snowden himself has said the same thing, except that he did stress that intelligence agencies (NSA & GCHQ) are making major inroads into cracking encryption.

On the whole, however, it still works and it still protects your privacy so go ahead and use it if you wish to.

RummyBoy 06-19-2014 03:41 AM

Quote:

Originally Posted by srockhard (Post 20129449)
Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.

I'm assuming it's one machine, but sure, if it's more then it's a different issue.

Dividing by 5 due to my assumption above that only 5 attempts can be made before the login is locked and the IP is banned for at least one hour. So therefore 5 attempts per hour. Anyway, it wasn't scientific, it's just a rough idea of how many calculations need to be done and how time consuming it will be if those kinds of restraints exist.

bigwebenterprises 06-19-2014 03:44 AM

Any good hacker will pull your /etc/shadow file through your webserver and then use rainbow tables.

lucas131 06-19-2014 04:03 AM

Depends. In the past brute force was good for admins and other highly targeted accounts, but now, when everyone is warned about how easy it is to brute force passwords, everyone who needs to secure data is choosing hard-to-brute-force passwords, so brute force is now just wasting the bandwidth of your hosting. Most of the hacks are done by real hackers and programmers and security gurus, not by kids, so nothing to worry about :winkwink: Another thing is brute force / combo brute force of paid users, not that hard, as paid users don't care about your content :winkwink: Good luck and stay safe :)

freecartoonporn 06-19-2014 07:31 AM

there are 2 types of hackers one with specific targets and others without any targets.

rowan 06-19-2014 07:51 AM

Quote:

Originally Posted by RummyBoy (Post 20129424)
OK lets say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.

The article in your OP is about decrypting an encrypted password, by brute forcing multiple combinations, trying to arrive at the same result as the encrypted password.

The encrypted password is obtained by some other means, so all brute forcing happens locally. It's not the same as brute force login attempts to a remote server.

ladida 06-19-2014 09:07 AM

You lack basic understanding to understand how it works. Let people that are trained in security do that for you.

RummyBoy 06-22-2014 09:16 AM

Quote:

Originally Posted by ladida (Post 20129958)
You lack basic understanding to understand how it works. Let people that are trained in security do that for you.

So you say I should quit trying to understand and learn about it? If I took that approach, I'd be nowhere and broke......

The point I am making is that most of these attempts are a waste of effort and it's only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.

Best-In-BC 06-22-2014 09:30 AM

Christians, lol

blackmonsters 06-22-2014 09:30 AM

Quote:

Originally Posted by lezinterracial (Post 20129436)
Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, I don't know), where the program uses a list of common passwords, usually a file of cracked passwords from something like RockYou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with oclHashcat-plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depends on how many graphics cards you've got running.

Many people try to use masks in oclHashcat-plus. Like before trying to brute force all possible passwords, they try all lower case five places ?l?l?l?l?l. Then all lower case 6 places. Then maybe an upper case followed by 4 lower case. And so on.

Yeah, I'm pretty sure any good hacker is going to do it the way you say.

The first sign of brute force is probably someone trying to login with : admin/imgod

:1orglaugh

CurrentlySober 06-22-2014 10:43 AM

i kunt a4d a server... :(

brassmonkey 06-22-2014 10:51 AM

/dydytdy36447/admin.php :)

ianmoone332000 06-22-2014 11:16 AM

I used to be into hacking before I got into all this. They just use a brute force tool called Sentry. Load it up with thousands and thousands of proxies plus thousands of logins (combos). If your sites have really good security it doesn't really matter. They just extract the logins from similar sites whose security is not so good and run them against your site. People are too lazy to use different passwords etc. on each site and this is what brute forcers prey on. Works 90% of the time. You wanna avoid it, then generate people a login when they sign up and don't let them pick their own.

Naughty-Pages 06-22-2014 11:28 AM

Quote:

Originally Posted by RummyBoy (Post 20129424)
O
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(4) There's a good chance if over zealous, your IP is permanently blocked.

When you brute force you use a list of proxy servers. With a good enough list you can throw countless combinations per minute at your target. If you do it right and set it to rotate the IPs correctly, you can go forever.

It's pretty easy to brute force, especially with the free software out there to do it. Even programs that use OCR to read captchas, perform form logins, etc.

It's relatively easy to get passwords to several servers and a few dozen members areas on top of that in just an hour or so.
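The two posts above describe the case that defeats RummyBoy's "5 attempts per hour" assumption: a combo list replayed through thousands of rotating proxies, so no single IP ever trips the lockout. This added example (not from the thread, and not a real product's logic) runs a per-IP lockout and a distributed-stuffing detector over a constructed log sample to show what each one catches. The log format, thresholds and addresses are all assumptions made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of login events (hypothetical format; not a real log).
# One address hammers "admin"; seven addresses each try one account once.
SAMPLE_LOG = """\
2014-06-22 10:50:01 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:50:02 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:50:03 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:50:04 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:50:05 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:50:06 ip=198.51.100.7 user=admin result=fail
2014-06-22 10:51:10 ip=203.0.113.11 user=alice result=fail
2014-06-22 10:51:11 ip=203.0.113.12 user=bob result=fail
2014-06-22 10:51:12 ip=203.0.113.13 user=carol result=ok
2014-06-22 10:51:13 ip=203.0.113.14 user=dave result=fail
2014-06-22 10:51:14 ip=203.0.113.15 user=erin result=fail
2014-06-22 10:51:15 ip=203.0.113.16 user=frank result=fail
2014-06-22 10:51:16 ip=203.0.113.17 user=grace result=fail
2014-06-22 10:52:00 ip=192.0.2.5 user=heidi result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Parse the sample format into dicts; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_ip_lockout(events, threshold=5):
    """The classic control: block an address after `threshold` failures.
    Returns the set of addresses it would block."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def credential_stuffing_signal(events, min_ips=5, min_accounts=5,
                               per_ip_cap=2, min_fail_ratio=0.7):
    """Look at only the traffic the per-IP lockout ignores (addresses at or
    under `per_ip_cap` attempts) and flag it when many such addresses hit
    many distinct accounts and mostly fail. Thresholds are assumed values;
    a production version would also bucket by time window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    low_volume = {ip: evs for ip, evs in by_ip.items() if len(evs) <= per_ip_cap}
    evs = [e for lst in low_volume.values() for e in lst]
    if not evs:
        return None
    accounts = {e["user"] for e in evs}
    fails = sum(1 for e in evs if e["result"] == "fail")
    ratio = fails / len(evs)
    flagged = (len(low_volume) >= min_ips and len(accounts) >= min_accounts
               and ratio >= min_fail_ratio)
    return {
        "flagged": flagged,
        "ips": len(low_volume),
        "accounts": len(accounts),
        "fail_ratio": round(ratio, 2),
        # Successful logins inside the suspicious window: worth forcing a
        # password reset, though a legitimate user (heidi) can land here too.
        "successes_to_review": sorted(e["user"] for e in evs if e["result"] == "ok"),
    }
```

On the sample, `per_ip_lockout` blocks only 198.51.100.7 and never sees the 203.0.113.x spray, while `credential_stuffing_signal` flags that spray (8 low-volume addresses, 8 accounts, 75% failures) and lists carol and heidi for review. The design point is that the second detector keys on the population of attempts rather than any one source, which is the only dimension a proxy rotator cannot hide.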

mikesouth 06-22-2014 11:30 AM

Quote:

Originally Posted by ianmoone332000 (Post 20133008)
I used to be into hacking before I got into all this. They just use a brute force tool called Sentry. Load it up with thousands and thousands of proxies plus thousands of logins (combos). If your sites have really good security it doesn't really matter. They just extract the logins from similar sites whose security is not so good and run them against your site. People are too lazy to use different passwords etc. on each site and this is what brute forcers prey on. Works 90% of the time. You wanna avoid it, then generate people a login when they sign up and don't let them pick their own.

:thumbsup:thumbsup:thumbsup Exactly right! :thumbsup:thumbsup:thumbsup

ladida 06-22-2014 01:08 PM

Quote:

Originally Posted by RummyBoy (Post 20132917)
So you say I should quit trying to understand and learn about it? If I took that approach, I'd be nowhere and broke......

Based on your conclusions it's clear how far off the target you are that you should stop now as it's just a waste of time for you.
Quote:

The point I am making is that most of these attempts are a waste of effort and it's only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.
Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.

Stick to what you do.

RummyBoy 06-22-2014 09:19 PM

Quote:

Originally Posted by ladida (Post 20133073)

Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.

I am not trying to draw conclusions at all - I am simply giving my opinion.

Incidentally, and I should have specified this, I'm talking more about attacks on the admin side, like trying to gain access to root, SSH, cPanel, WHM, FTP etc. using brute force attacks, which to my mind is generally hopeless using that specific method. I'm not talking about a vulnerability like Heartbleed etc.

Any admin with sense would have chosen a smart unknown login and a min 10 character password with upper, lower casings, multi character, alpha numeric etc.

