Attack Methods Glossary
Brute-Force Attack
A method for cracking passwords or encryption keys by systematically trying every possible combination. Online brute-force attacks target login forms, while offline brute-force attacks crack stolen hashes. Mitigation: MFA, account lockout, rate limiting, and strong passwords.
Brute force refers to the attempt to determine a password, PIN, or encryption key by systematically trying every possible combination. No knowledge of the content is required, only computing power and time.
Types of Brute Force Attacks
Online vs. Offline Brute Force
Online Brute Force:
→ Attack against a running system (login form, RDP, SSH)
→ Limited by network latency, account lockout, rate limiting
→ Typical: max. 1,000–10,000 attempts/hour
→ Detectable via log entries
Offline Brute Force:
→ Cracking stolen password hashes locally
→ No connection to the target system required
→ Speed: billions of attempts/second
→ Hashcat on GPU: 100 billion MD5 hashes/second!
→ Not detectable until the result is used
Dictionary Attack
Instead of all combinations: use dictionary files
→ RockYou2024: 10 billion real passwords from data breaches
→ Much more efficient than full brute force
Example:
bcrypt (rounds=12) with password "Summer2023":
Pure brute force: ~trillions of years
Dictionary + mutations (Summer2023!): Minutes to hours
Rainbow Tables
Pre-computed hash tables for fast lookup:
The weakness rainbow tables exploit (unsalted, deterministic hashes):
→ MD5("password") = always 5f4dcc3b5aa765d61d8327deb882cf99
→ Table: Hash → Password
→ Very fast
Countermeasure: Salt
→ Random salt + password → Hash
→ MD5(salt + "password") = unique
→ Rainbow tables useless
→ BCRYPT, PBKDF2, Argon2 have built-in salt
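The lookup-table problem and the salt countermeasure described above, as an added example that is not part of the original glossary. The "rainbow table" here is a constructed dictionary of four precomputed MD5 digests (a real table holds billions of entries, but the principle is the same); the salts are constructed or generated with os.urandom. Note that a salted MD5 only defeats precomputation; it is still fast to brute-force on a GPU, which is why the slow functions in the next section matter.

```python
import hashlib
import os

# Constructed mini "rainbow table": precomputed MD5 digests of a few common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "Summer2023"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest, so a table can be precomputed."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """MD5 over salt + password: the same password yields a different digest for every salt."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def lookup(digest: str):
    """Rainbow-table lookup: returns the password if the digest was precomputed, else None."""
    return LOOKUP_TABLE.get(digest)


def demo() -> dict:
    """Compare an unsalted digest against two salted digests of the same password."""
    unsalted = md5_unsalted("password")
    # Constructed fixed salt for reproducibility; a real system uses os.urandom(16) per user.
    salt_a = bytes.fromhex("0123456789abcdef0123456789abcdef")
    salt_b = os.urandom(16)
    salted_a = md5_salted("password", salt_a)
    salted_b = md5_salted("password", salt_b)
    return {
        "unsalted": unsalted,                 # 5f4dcc3b5aa765d61d8327deb882cf99, as in the glossary
        "unsalted_hit": lookup(unsalted),     # "password": the table recovers it instantly
        "salted_hit": lookup(salted_a),       # None: the precomputed table is useless
        "salts_differ": salted_a != salted_b, # True: two users with the same password get different hashes
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```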
Speeds of modern hardware
GPU-based password cracking (Hashcat, RTX 4090):
MD5 (insecure!):
164 billion hashes/second
8-character password with numbers, lowercase, and uppercase letters: < 1 hour
SHA1 (insecure):
60 billion hashes/second
bcrypt (rounds=12) (secure):
~12,000 hashes/second
8-character complex password: billions of years
Argon2id (secure):
~1,000 hashes/second
Even more secure than bcrypt
Password Length vs. Security
Time to crack with RTX 4090 (MD5, Brute Force):
6 lowercase characters: < 1 second
8 lowercase characters: ~22 minutes
8 characters + numbers: ~3 hours
10 characters (any combination): ~800 years
16 characters (any combination): ~trillions of years
With bcrypt rounds=12:
Every time-to-crack figure above grows by a factor of roughly 10,000,000 (the ratio of the MD5 rate to the bcrypt rate listed above)
→ 8 characters (any combination) with bcrypt: ~6,000 years
→ 12+ characters: astronomically secure
Security Measures
For Application Developers
# Secure password hashing with bcrypt:
import bcrypt
password = "Summer2023!"  # example input; in practice this comes from the registration or login form
# Hashing (when saving); gensalt() creates a random salt, so the same password yields a different hash each time:
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
# Verifying (during login); checkpw reads salt and cost factor from the stored hash:
is_valid = bcrypt.checkpw(password.encode('utf-8'), hashed)
# Even better: Argon2id (OWASP Recommendation 2024); PasswordHasher defaults to the Argon2id variant:
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError
ph = PasswordHasher(time_cost=3, memory_cost=65536, parallelism=4)  # memory_cost is in KiB (64 MiB here)
argon_hash = ph.hash(password)  # named argon_hash so the built-in hash() is not shadowed
# verify() returns True on success and raises VerifyMismatchError on a wrong password:
try:
    is_valid = ph.verify(argon_hash, password)
except VerifyMismatchError:
    is_valid = False
Rate Limiting and Account Lockout
Preventing Online Brute-Force Attacks:
Rate Limiting:
Max. 5 failed logins in 15 minutes per IP
After that: exponential backoff or CAPTCHA
Account Lockout (Active Directory):
GPO: Account Lockout Threshold = 10 attempts
GPO: Account Lockout Duration = 30 minutes
GPO: Reset Account Lockout Counter = 10 minutes
Warning: Account lockout can be exploited for DoS attacks
→ Lockout notifies user; admin alert after X lockouts
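The rate-limiting rule above (5 failed logins per 15 minutes per IP, then exponential backoff) as an added example, not code from the original glossary. LoginThrottle is this example's own class: it keeps a sliding window of failure timestamps per source, and once the window fills it imposes a wait that doubles with every further lockout. Keying on the client IP rather than locking the account keeps an attacker from turning the control into a denial of service against a legitimate user (the warning above); combining it with a per-account counter is a common refinement. The injectable clock exists so the logic can be tested without sleeping.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter with exponential backoff, keyed by client IP."""

    def __init__(self, max_failures=5, window=15 * 60, base_delay=30,
                 max_delay=3600, clock=time.monotonic):
        self.max_failures = max_failures   # failures tolerated inside the window
        self.window = window               # window length in seconds
        self.base_delay = base_delay       # first lockout length in seconds
        self.max_delay = max_delay         # cap for the doubled delay
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time the current lockout ends
        self._strikes = defaultdict(int)     # ip -> number of lockouts so far

    def _prune(self, ip, now):
        """Drop failures older than the window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip) -> tuple[bool, float]:
        """Call before processing a login: (allowed, seconds the client must still wait)."""
        now = self.clock()
        until = self._blocked_until.get(ip, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, ip) -> float:
        """Register a failed login; returns the lockout length if this failure triggered one."""
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            delay = min(self.base_delay * 2 ** self._strikes[ip], self.max_delay)
            self._strikes[ip] += 1
            self._blocked_until[ip] = now + delay
            self._failures[ip].clear()
            return delay
        return 0.0

    def record_success(self, ip):
        """A successful login clears all state for the source."""
        self._failures.pop(ip, None)
        self._blocked_until.pop(ip, None)
        self._strikes.pop(ip, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    ip = "203.0.113.5"  # constructed documentation address
    for _ in range(5):
        delay = throttle.record_failure(ip)
    print("lockout after 5 failures:", delay, "seconds")
    print("allowed now?", throttle.check(ip))
```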
MFA - Most Effective Protection
MFA renders brute force irrelevant:
Attacker knows password "Summer2023!" → Login still fails
→ No access without second factor
TOTP (Time-based One-Time Password):
Valid for 30 seconds → Brute force within this time: impossible
Brute Force in Penetration Tests
Typical brute-force targets in penetration testing:
→ SSH access on servers
→ RDP on Windows systems
→ Web applications (login forms)
→ Active Directory (password spraying)
Password spraying (instead of brute force):
Instead of many passwords for one account:
One password against many accounts (below the lockout threshold)
"Winter2024!" against all 500 accounts → no lockout trigger