Effectively Test for Brute Force Attacks: Reasons, Methods and Tools for more Security on the Internet

The importance of IT security is growing. 2/3 of all SMEs experience a cyber attack in a year. Attackers do not always come through the back door. Instead of security holes or social engineering, they use brute force. Brute force attacks are one of the oldest attack methods to gain access to a system. We explain how you can protect yourself against brute force attacks by testing and which tools are available to you.

Protect against Brute Force Attacks with targeted Tests

The principle of brute force attacks is very simple: an attacker gains access to a system by systematically trying out passwords or using software to do so. Brute force attacks are perfidious because, unlike security holes, they can never be completely avoided. The weak point of a brute force attack is the password and the way in which the password is requested. There is no protection in principle against brute force attacks. After all, the ability to access a website, database or computer is not a security vulnerability, but a feature. Effective protection against brute force attacks therefore requires targeted tests to check the password and password query.

Checking Password Security with John the Ripper and Hashcat

When attackers get their hands on a database of user data, that database alone does them little good. Today, sensitive data is almost always stored encrypted in so-called hashes. These hashes look like a random sequence of characters. But each string represents a specific set of user data.  However, attackers now have the opportunity to try to decrypt the hashes at their leisure. If you want to protect yourself from such scenarios, you should do exactly as the attackers do; use a password cracker to try to crack the passwords.

John the Ripper was one of the first brute force tools. At the time of John the Ripper's release, graphics cards were hardly used in the commercial sector. Therefore, the tool used only the CPU to perform the attacks for a long time. Support for GPU-based password calculations was added later and does not achieve the same performance as a modern brute force tool like Hashcat, which prioritises GPU-based calculations. Both tools are free and have a large dedicated community that provides support.

Test Brute-Force Attacks under Real-World Conditions with THC Hydra and Patator

With John the Ripper and Hashcat, you only test password security - not the login process itself. Therefore, to put your system under real-world conditions, use tools like THC Hydra. THC Hydra establishes many connections to the target server and tries out passwords from a predefined list. The software offers various configuration options to simulate an attack in its entire range and to put the system through its paces.

An alternative solution to Hydra is Patator. This is a small Python script that was developed as a leaner and more flexible alternative to Hydra. However, the greater flexibility is accompanied by complicated operation due to the command line environment.

Conclusion: Protecting against Brute-Force Attacks with Tests

Brute force attacks remain a relevant threat even in times of two-factor authentication and AI-based system for detecting conspicuous activity on the server. The existence of this attack vector can hardly be prevented because no system can function completely isolated. With tool-supported tests, they therefore simulate real brute force attacks to check whether their system would withstand an attack and identify possible gaps in the server configuration or password security.