How to crack a password using a brute force attack. Brute force: Detailed analysis

Hello, friends! Recently, several interesting events have happened on the Internet: Yandex launched a beta version of Islands and changed the Wordstat interface, the Profit-Partner Center launched another promotion with gifts, and several new competitions were launched. But perhaps the most resonant event is the massive brute force attacks on websites, which hit hosting providers around the world at the end of July. Sites based on the WordPress and Joomla CMSs are the main targets. If a site is hacked, it becomes part of a botnet and is used for new attacks.

If you haven't heard about it yet, that doesn't mean it doesn't concern you. In a brute force attack, the login and password for the standard WordPress login page, wp-login.php, are guessed by enumerating candidate strings. As a result, a very large number of requests are sent to the site, which can create an increased load on the server. So if you already have problems with server load, you need to be especially careful.

Protection against brute force attacks (password guessing) on the hosting side

Many hosting providers promptly responded to the attackers' actions, but apparently not all. In any case, I noticed active measures from Beget, Sprinthost and Makhost. TimeWeb and 1gb.ua did not take any visible action; I can't speak for the others.

I don’t remember exactly when I first heard about these attempts at mass password guessing, but then I immediately asked Makhost technical support, where my main blog is located, and received an answer that they were aware of the problem and everything was under control.

After some time, access to the admin panel was opened. I hope the situation is under control on Beget, but just in case, I changed the login address to the admin panel.

When I try to log into the admin panel of a blog hosted by sprinthost.ru, I am still greeted with the following page:

On mchost.ru there is a similar picture:

Honestly, I try to keep abreast of events and periodically communicate with hosting employees about this threat. And today I decided to ask a few questions to the head of the hosting development department, Igor Belov, whom many are already familiar with from my previous publication about transferring a site to Makhost. It turned out to be a kind of interview. I hope this information will be useful to you, especially since this is a real threat to our blogs that should not be underestimated.

Our clients are protected as much as possible

Igor, please briefly describe the current situation. The attacks are happening all over the world and have been going on for quite a long time. Doesn’t anyone except hosting providers and webmasters care about this?

The first attacks took place back in May, but they were not so noticeable, although they were noted in online news. Kaspersky Lab made statements on this matter, as far as I remember.

There have always been botnets on the Internet. A botnet is a group of infected computers, usually the computers of regular users. A computer can be in a botnet for years, and the user will not know about it. Most people neglect security issues. Botnets are created by different groups of attackers and are created in different ways. There are small networks, and there are huge ones. Attackers can use these networks themselves or rent them out for various purposes. For example, if you need to make sure that some site does not work, then an attack is ordered on this site. The botnet computers receive a signal with a command to enter this site after a certain period of time. As a result, the site is bombarded with a large number of requests.

Here you need to take into account that the customer of these attacks pays for the size of the network and duration, so there cannot be an eternal attack, because the larger the attack, the more expensive. In addition, backbone providers struggle with very strong attacks.

Essentially, botnets can execute any command. Therefore, you can give them a command to guess passwords, so, apparently, someone thought of this :-). The point is that if you know the password, you can add links to the site, infect it with a virus (to expand the botnet or generate income in other ways), etc. In other words, you can get a small but real benefit from this. Since millions of such sites are needed to generate significant profits, all this is done automatically.

By the way, I deliberately didn't use the word "hacker", because very often hackers find a vulnerability or develop hacks, but do not use them themselves; instead they sell them. And the buyers, usually not hackers, then specialize in generating income.

Russian authorities do not search for such attackers, with rare exceptions, for example, when there was an attack on the Aeroflot website. They say that there are no technical means for this. In the US, the FBI only deals with large groups and networks and, usually, when cases involve the theft of banking information or hacking of large company websites. But by and large, the fight against this has always been on the end consumers.

How big are these attacks and which sites are affected by them?

Currently, WordPress and Joomla sites are subject to attacks. They are quite large-scale, both in strength and volume. All hosting companies that have a significant number of websites record these attacks, because they go on around the clock. It is not the hosting company that is being attacked, but the sites, and it does not matter what hosting they are on. There is a large database of sites, and attacking bots go to these sites in order to guess passwords if WP or Joomla is installed there. The difficulty here is that requests come from millions of different IP addresses (apparently, different botnets are used), so blocking does not work. Initially, the creators of these attacks made a small technical error, which I will not mention, which allowed us to immediately launch minimal protection and increase it to maximum in a few days.

There is another important point here. The load on the servers immediately increased noticeably, because the number of requests to sites has increased significantly.

What do hackers achieve and why do they need it?

Attackers try to gain access to the site’s admin area, and then they can use this in different ways – from placing links with advertising to infecting them with a virus. In addition to protecting against attacks, we have anti-virus protection, so if it detects a site infection, a report is sent by email indicating the details and infected files.

For us, as a hosting company, password guessing is a daily occurrence. Therefore, we have learned to deal with it, but it is not always possible to get this across to our clients. For example, when we added a function to the panel that prohibited setting easy passwords (11111111, password and others), there were complaints about this :-). People think that no one needs to hack their site, but they do not understand that these hacks are done automatically by bots, and people only control the process. And if a hacker earns only 10 rubles from hacking their site, for example, for placing an advertisement for several days or redirecting to another site, then from a million hacked sites that is already 10 million. And there are clients who do not notice the hack for months.

What vulnerabilities can be exploited primarily and what should ordinary webmasters, especially beginners, do?

After the attacks began, we quickly took care of protection and now our clients are protected as much as possible from the hosting side. Moreover, we have prepared a backup protection mechanism in case the type of attack changes. Regarding recommendations. First, you need to have a strong password. Secondly, change the admin login address. But the best thing is to block access to the admin panel for all IP addresses except yours. This can be done through the .htaccess file, but, unfortunately, the latter is not suitable for all sites. After all, many people have a dynamic IP and will have to edit the .htaccess file every time they log into the admin panel.

You said that Makhost took care of its clients in a timely manner and installed additional protection. How reliable is this and are hosting employees monitoring the situation, since hackers can change their attack tactics using other methods?

The current protection is as reliable as it can be. But we have also prepared a backup option - a more comprehensive and serious defense, which, in fact, cannot be bypassed by such attacks. We will switch to it if the attack tactics change, since the current defense is already doing a good job.

Have you ever seen similar attacks, and how often does this happen? Or is this the largest-scale action in recent times?

There have been attacks on CMSs all the time, but they were not so widespread and powerful. Typically, attack bots were designed to target some vulnerabilities of the CMSs themselves, so they only affected a few sites. You just need to update the CMS on time. Guessing of FTP passwords, unfortunately, has also always existed, but again on a small scale. Typically, the sites that were hacked were those that neglected their own security, for example, by setting the simplest passwords. Now the situation is different in that the password guessing is very intensive.

Unfortunately, these CMSs do not have a simple built-in protection against hacking, for example, a login delay after an incorrect password. Webmasters themselves should take care of protection by installing additional scripts and plugins. For our part, we will do everything possible so that they can sleep peacefully, without fear of losing the site. Believe me, our specialists have sufficient capabilities for this.

Thanks to Igor for this quick interview and insightful answers!

Simple ways to protect your WordPress admin from hacking

In any case, you yourself need to take care of the security of the site and use at least these simple steps to protect against password guessing:

  • do not use the standard admin login, and set a complex password for the WordPress admin area;
  • limit the number of login attempts to the admin panel, for example, using plugins such as Limit Login Attempts;
  • if you have a static IP address, allow only that address to log in via the .htaccess file;
  • change the default login addresses /wp-login.php and /wp-admin, for example, using a simple plugin or the more powerful Better WP Security;
  • do not use the "Meta" widget, as it contains a direct "Login" link.

Here's the information. How are you doing? Have you felt the power of brute force attacks on your sites?

P.S. Anyone interested in promo codes for 3 months of free hosting at the “Pro” tariff from Makhost, please contact me, I’ll share.

In the field of information security and penetration testing, the task often arises when you need to crack a password. This could be a hash of the Windows system administrator password, a password for a wireless access point, or any other hash that you managed to obtain. In these cases, to crack the hash and obtain the password, a technique is used - hashcracking.

What is hashcracking?

Recovering passwords for hashes, or hash cracking, is a very exciting process that requires good knowledge in various fields - cryptography, combinatorics, programming and much more. You also need to have a good understanding of hardware to ensure that your farm runs smoothly for many weeks and months at maximum load.

At the same time, a real hashcracker is often completely isolated from the stages of extracting hashes and using broken passwords to access other people's accounts. Moreover, he is not interested in this; he is not a hacker. All hashcracker forums only publish hashes (or lists of hashes) for cracking. These lists do not contain the resource name, user names, mailboxes, IP addresses, or any other private information. Therefore, even if a password is broken, a hashcracker will never use it, since he simply does not know where it came from. And even if he knew, he still wouldn't use it, since his goal is the hashcracking process itself, because for him it's almost an art.

Most of the hashcrackers on the forums are like Robin Hoods. They spend their time and resources helping other users break hashes, while continually accumulating new passwords and rules for generating them. For them, any hashes are a challenge to their intellect, their experience, their skill. And these guys find the most complex passwords that no one else can recover. How do they do it? What software and hardware do they use? What else do you need to know to break hashes as efficiently as they do? We will talk about this in our article.

Fig. 1. Hashes and user passwords

Software

Nowadays, hash cracking is mainly done on graphics processors (GPUs). Only those algorithms that are not implemented on the GPU are processed on regular processors (CPUs). In fact, it has become standard to use the oclHashcat program, which has builds for both Windows and Linux and supports all modern GPUs, both NVIDIA and AMD. Very recently its author made the program open source, and it is now available on GitHub, so anyone can join in working on its new versions.

To distribute the work of this program among several computers, the hashtopus wrapper is used. Another popular GPU brute forcer remains the ageless John the Ripper (JtR) in the Jumbo build, which also has many algorithms for all video cards, but to obtain maximum efficiency it is still advisable to rebuild it for each specific hardware configuration.

There are many more programs for working on the CPU, but the most functional remain the same hashcat and JtR. You can also add to them the Hash Manager program, which is more tailored for processing hashes on an “industrial scale”, that is, very large lists that cannot be loaded into other programs. All these programs are free, and everyone decides for themselves what to choose for their daily work, only practice shows that it is desirable to be able to master all this software - as a rule, professional hashcrackers use one or another program depending on the specific situation.

You also need to take into account that all these programs are console programs, do not have a built-in GUI, and in order to use them as efficiently as possible, you need to be able to work in the console (see sidebar). And ideally, you also need to be able to program batch files (BAT or CMD) in order to customize the operation of programs as flexibly as possible. Then you can create a set of command files for different attacks one time, and then, when everything is configured, all hash cracking will come down to filling the file with the necessary hashes and launching one or another command file with certain parameters.

Console is a hashcracker's paradise

The most advanced hashcracker software is console-based and is controlled either through command line parameters or by editing configuration files. But the trend is that users are moving further and further away from the console, demanding a graphical interface, and the most popular question on forums about such programs is: "I launched the program, a black window popped up and closed. What do I do?" The answer is obvious - study the console.

Most likely, Linux users already have the skills to work in the console, but for Windows users the best choice would be the FAR Manager program. With its help it is very convenient to work with lists of hashes and other files. And if you combine it with additional tools (for example, from the Hash Manager program), you get a killer kit that allows you to process any files literally in seconds.

To do this, you need to use the user menu (by pressing F2) to assign the most frequently used tools to the necessary keys - sort the file, extract passwords from the results file, count the number of lines in the file, and so on. After this, all work with the desired file will be reduced to three actions - place the cursor on it, call F2 and press the hot key.

After you completely customize FAR for yourself - color coloring of files, shortcut keys for tools, quick transitions to the desired directory, and so on - all the routine work of the hashcracker will become very comfortable, and therefore very effective.

Hardware

In terms of hardware, hashcrackers are almost no different from cryptocurrency miners and assemble the same farms on video cards. True, they do not have dozens of video cards, but having several powerful video cards is almost the norm for brute forcing hashes (see Fig. 2).

Fig. 2. A good desktop farm for brute forcing hashes on five video cards

The requirements for the farm are the same as for cryptocurrency mining, that is, you need good cooling, a stable power supply and proper placement of the video cards so that they do not heat each other. Until recently, the main video cards for brute forcing were (as in mining) those based on AMD processors, since they were more efficient in terms of price/speed ratio. However, after the release of NVIDIA's sm_50 (Maxwell) architecture, it turned out to be better for brute forcing, while video cards with this architecture consume much less power and are also quieter and cooler. And now the most effective card for brute forcing hashes is the NVIDIA GTX 980Ti (see Fig. 3).

And it’s not for nothing that on the InsidePro forum more and more hashcrackers are switching to these video cards (judging by the signatures in their messages) - with a peak consumption of only 165 W on the MD5 algorithm, they produce a speed of about 15 billion passwords per second. But they have one drawback - the high price, which practically does not decrease, and due to the jump in the dollar exchange rate, it has risen even more. If the main criterion is price, and all other parameters are not important, then you can take video cards on AMD processors and pack your farm with them. For example, the usual price of a system with two average video cards is about $1200–1300.

Is it possible to make money from hashcracking?

Yes, sure. As a rule, you can make money in any business, the main thing is to be a professional in this matter. And hashcracking is no exception. All hashcracker forums have paid sections where orders for hash cracking are placed. Having good dictionaries, you can try your hand at cracking such hashes. You just need to take into account that the main rule on such forums is that whoever breaks the hash first gets paid for it. Therefore, powerful hardware is simply necessary to be able to break the hash faster than other hashcrackers. As a rule, cracking such hashes is the main income of a hashcracker.

There is another option for making money, which has been gaining popularity lately, but it is already for owners of large farms. You can rent out such farms to hashcrackers with a daily fee: it often happens that you need to quickly drill down a particularly valuable hash to a good depth, but the power of one or even several video cards is clearly not enough. Or large capacities may be required during hashcracking competitions.

Fig. 3. GTX 980Ti is a great choice for hashcracking

As for the CPU, everything is simple - the more cores, the higher the frequency and the larger the cache size, the faster the search will go. A powerful processor will allow you to both use the farm to brute force passwords on the GPU, and in parallel with them load the CPU with secondary work - for example, checking other hashes using dictionaries, while all GPUs are busy with a hybrid or combined attack. Support for the latest command sets (SSE and AVX latest versions) is also necessary, since almost all of the above programs have code tailored for these command sets, which significantly increases the search speed.

Is there at least something in which the CPU can still compete with the GPU in terms of brute speed? For small volumes - no, of course. But on large hash lists of tens of millions of hashes (especially salted ones), very often processing the list on the CPU gives the same speed or even greater speed than on a video card. And hundreds of millions of hashes in the GPU are often simply not physically loaded - all that remains is to split the list into smaller fragments and brute them one by one, but this proportionally increases the attack time, while on the CPU you can load and process the entire list in one go, if RAM capacity allows.

And there is another topic where the CPU may overtake the GPU over time - the Intel Xeon Phi coprocessor. Yes, its price is still very high, but perhaps over time it will become acceptable, and it will be possible to buy it and use it to brute hashes on your home computer. Then we can get a very powerful system, since it contains about 60 quad-core processors (depending on the model), and this will give us up to 240 threads to search. On heavy algorithms like bcrypt (which are very slow even on video cards), this coprocessor can be many times faster than even the top video cards, so it’s not for nothing that the guys from the john-users team nicknamed it the “bcrypt killer.” True, there is no hashcracker software for it in the public domain yet, but over time it will definitely appear.

Of course, the reader may object: what about FPGA chips, which produce enormous speeds when mining Bitcoin? Yes, they even produce terahashes per second, but they are programmed only for the SHA-256 algorithm, which is used very rarely when hashing regular user passwords (and another popular mining algorithm, scrypt, is used even less often). Plus, the FPGA chip itself produces low speed; terahashes are obtained by combining dozens (or even hundreds) of chips into arrays, and this is not a cheap solution. But the main drawback of all FPGAs is that they are programmed for brute forcing a single hash algorithm. Of course, many algorithms have already been ported to these chips, including MD5, but this has little practical benefit - it's more profitable to buy a video card. Although both Altera and Xilinx are developing their FPGA lines very actively, and over time this topic may also become very interesting for hashcrackers.

Dictionaries

Success in hashcracking is based on good dictionaries, preferably consisting of real user passwords. Where can I get them? There are three ways, let's look at them in more detail.

  1. Download ready-made dictionaries from the Internet (by Googling the word wordlist). This is the simplest method, but these dictionaries are of very low quality - they contain a lot of garbage and artificially generated words, and few real passwords. So this is an option only for a start.
  2. Download attachments to messages about broken hashes on the InsidePro and HashKiller forums - requests for help with brute force large lists are often posted there, and other forum users help by posting their results in hash:password format. This means you can download such files for yourself and extract all the passwords from there. These will already be very good dictionaries, but they will have one drawback - all passwords from such dictionaries are in the public domain and are also available to all other hashcrackers.
  3. Develop dictionaries yourself, constantly processing lists of uncracked hashes that can be downloaded from the same forums. This is the most effective method, although it takes the longest. However, such dictionaries are the most valuable, since they contain only real, unique and often private passwords. Professional hashcrackers even have a term for this, "realpass mining": if there are paid hashes, the farm brute-forces them; if there are none, the farm does not stand idle, but spends days brute-forcing lists of unbroken hashes from forums, continuously adding more and more unique passwords to the hashcracker's piggy bank.

Obviously, someone who is serious about hashcracking follows the latter path and gradually accumulates his own, very effective dictionary.

Frequency dictionaries

Let's say there is a huge list of salted hashes that needs to be processed quickly. How to do this if an attack on a large dictionary, even on a powerful farm, will go on for many days, or even weeks? There is only one answer - to use frequency dictionaries.

What are they? These are ordinary dictionaries, but in them passwords are sorted in descending order of frequency of use. In such dictionaries, the most popular passwords come first - see the examples of such dictionaries in the Hash Manager program distribution, files Top100xx.dic. Obviously, it is more efficient to check hashes first against the most frequently used passwords, then against rarer ones, and so on. This will allow you to quickly break all popular passwords and significantly shorten the list of hashes for subsequent work.

Thus, having accumulated quite a few dictionaries, you can collect statistics on them, form your own frequency dictionary and start processing all heavy lists of hashes from there.
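As an added example (not code from the original article), the procedure just described in Python: merge several accumulated wordlists into a frequency dictionary, then run it in frequency order against a list of md5(password.salt) hashes in hash:salt format. The wordlists, the salts and the hashing scheme are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample data: three small "accumulated" wordlists of the kind a
# hashcracker extracts from cracked-hash files. Real lists hold millions of lines.
WORDLIST_1 = "123456\npassword\nqwerty\n123456\niloveyou\n123456\npassword\ndragon\n"
WORDLIST_2 = "123456\npassword\nmonkey\nqwerty\nletmein\n123456\n"
WORDLIST_3 = "dragon\n123456\nabc123\nqwerty\npassword\n"


def build_frequency_dictionary(*wordlists: str) -> list:
    """Merge raw wordlists into one dictionary sorted by descending usage count.

    Empty lines are dropped (the usual cleaning step) and ties are broken
    alphabetically so the resulting order is deterministic.
    """
    counts = Counter()
    for text in wordlists:
        for line in text.splitlines():
            word = line.rstrip("\r\n")
            if word:
                counts[word] += 1
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def salted_md5(password: str, salt: str) -> str:
    """md5(password + salt) as hex; the scheme the constructed target list uses."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


# Constructed target list in hash:salt format. It is generated here from known
# passwords so the example is self-checking; a real list would come from a dump.
_TARGETS = [("123456", "aZ"), ("qwerty", "7q"), ("password", "Lk"),
            ("dragon", "x1"), ("correcthorse", "Mm"), ("letmein", "09")]
SALTED_LIST = [f"{salted_md5(p, s)}:{s}" for p, s in _TARGETS]


def frequency_attack(hash_lines, dictionary):
    """Test dictionary words, in frequency order, against every salted hash.

    With per-hash salts every candidate must be re-hashed once per remaining
    target, so trying the most common passwords first removes the bulk of the
    list cheaply. Returns (cracked, uncracked): cracked maps the original
    hash:salt line to (password, rank of that word in the dictionary).
    """
    pending = {}
    for raw in hash_lines:
        line = raw.strip()
        digest, salt = line.split(":", 1)
        pending[(digest.lower(), salt)] = line
    cracked = {}
    for rank, word in enumerate(dictionary, start=1):
        for key, line in list(pending.items()):
            digest, salt = key
            if salted_md5(word, salt) == digest:
                cracked[line] = (word, rank)
                del pending[key]
        if not pending:  # nothing left to test, stop early
            break
    return cracked, list(pending.values())


if __name__ == "__main__":
    freq = build_frequency_dictionary(WORDLIST_1, WORDLIST_2, WORDLIST_3)
    print("frequency dictionary:", freq)
    found, left = frequency_attack(SALTED_LIST, freq)
    for line, (pw, rank) in found.items():
        print(f"{line} -> {pw!r} (dictionary rank {rank})")
    print(f"{len(found)} cracked, {len(left)} left for heavier attacks")
```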

Additional tools

Programs for brute forcing hashes are only a small part of the hashcracker's software arsenal. Or rather, this is the simplest part: you take a file with hashes, configure the necessary attacks and launch it. That's it - the program can run for days; you just check from time to time what percentage of the hashes has been broken.

Typically, a lot of different text files pass through a hashcracker:

  • lists of hashes of different types and formats, often with hashes of different types mixed together, so the hashes for each algorithm have to be extracted separately;
  • dictionaries that need to be cleaned, sorted, and deduplicated;
  • accumulated brute force results, in which unsalted hashes with passwords are often mixed with salted hashes with passwords, and so on.

In general, hundreds and thousands of similar heterogeneous files are still a headache. And everyone gets out of it in different ways - some on Linux do part of the work using commands from the OS itself (for example, grep), some write scripts for themselves in Perl, some use various programs. But the fact is obvious - in addition to brute forcers, we also need tools that should work with text files: sort, clean, convert from one format to another, extract or rearrange data, check the format, and so on.

It is extremely difficult to work without these tools, and therefore each brute forcer usually comes with its own set of various utilities. Both hashcat and JtR have such a kit, but the largest set of utilities for Windows is the Hash Manager program. It contains more than 70 tools, built on the principle of one function = one file. Thus, from them, like from bricks, you can assemble a BAT file that processes files of any complexity. And 64-bit versions of the tools allow you to process files of unlimited size.

Here is an example BAT file demonstrating how to extract only Magento hashes with a two-character salt from a list in which hashes of different types are mixed:

REM Extract only lines that are 35 characters long
ExtractLinesByLen.exe %1 35 35

REM Rename the file with the extracted lines to file 2.txt
MOVE /Y %1.Lines 2.txt

REM Check the format of the hashes
IsCharset.exe 2.txt ?h 1

REM Check the salt format
IsCharsetInPos.exe 2.txt 33 ":"
IsCharsetInPos.exe 2.txt 34 ?l?u?d
IsCharsetInPos.exe 2.txt 35 ?l?u?d

REM Done! In file 2.txt there are only hashes from Magento

In the distribution package of the Hash Manager program, in the Bonus folder, you can find about 30 ready-made examples that perform various useful functions for the hashcracker.
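The same extraction in Python, added here as an example (not part of Hash Manager's distribution), generalised to the task described above of splitting a mixed list by format: extract_magento repeats the BAT file's checks step by step, and split_by_format buckets a list either by a prefix signature or, for bare hex digests, by length and charset. The format table and the sample list are constructed for the example and cover only a handful of formats.

```python
import re
from collections import defaultdict

# Format table, checked in order. The hex-only entries apply the same
# length/charset tests the BAT file above performs with ExtractLinesByLen,
# IsCharset and IsCharsetInPos; prefixed formats are recognised by their
# signature. A bare hex digest only tells you its length: "hex32" may be MD5,
# NTLM or something else, and the algorithm still has to be determined.
HEX = r"[0-9a-fA-F]"
FORMATS = [
    ("bcrypt",      re.compile(r"^\$2[abxy]?\$\d\d\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    # Magento: 32 hex chars, ':' in position 33, two alphanumeric salt chars
    ("magento_md5_salt2", re.compile(rf"^{HEX}{{32}}:[A-Za-z0-9]{{2}}$")),
    ("hex32", re.compile(rf"^{HEX}{{32}}$")),
    ("hex40", re.compile(rf"^{HEX}{{40}}$")),
    ("hex64", re.compile(rf"^{HEX}{{64}}$")),
]


def extract_magento(lines):
    """Line-by-line rendering of the BAT file's checks: keep only 35-character
    lines with 32 hex chars, ':' in position 33 and alphanumerics in 34-35."""
    kept = []
    for raw in lines:
        line = raw.strip()
        if len(line) != 35:
            continue
        if not all(c in "0123456789abcdefABCDEF" for c in line[:32]):
            continue
        if line[32] != ":" or not (line[33:].isascii() and line[33:].isalnum()):
            continue
        kept.append(line)
    return kept


def split_by_format(lines):
    """Bucket a mixed list by the first matching format ('unknown' otherwise),
    which is the step needed before feeding each algorithm to a brute forcer."""
    buckets = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in FORMATS:
            if pattern.match(line):
                buckets[name].append(line)
                break
        else:
            buckets["unknown"].append(line)
    return dict(buckets)


# Constructed mixed list. The two bare digests are md5("123456") and
# sha1("password"); the prefixed entries are shaped like bcrypt and sha512crypt
# strings but were typed by hand and are not real hashes of anything.
MIXED_LIST = [
    "e10adc3949ba59abbe56e057f20f883e",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "e10adc3949ba59abbe56e057f20f883e:aZ",  # Magento-style md5:salt
    "e10adc3949ba59abbe56e057f20f883e:a-",  # 35 chars, but bad salt char
    "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde",
    "$6$saltsalt$" + "a" * 86,
    "not a hash at all",
    "",
]

if __name__ == "__main__":
    print("Magento only:", extract_magento(MIXED_LIST))
    for name, items in split_by_format(MIXED_LIST).items():
        print(f"{name}: {len(items)} line(s)")
```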

Hash Algorithms

On the one hand, the set of current hashing algorithms remains almost unchanged over time. The reasons are simple - hashing algorithms for OS user passwords have not changed for years, and on the Internet hundreds of thousands of resources are still based on outdated engines whose versions are not updated, despite the fact that all new versions of forums and CMSs already support more reliable hashing - for example, IPB version 4 already uses the bcrypt algorithm. On the other hand, small changes are still happening - more and more very heavy algorithms are coming across - various variants of PBKDF2 and the same bcrypt, which are processed at a meager speed even on farms.

In total, hundreds of algorithms are already known; examples of their hashes can be viewed. The vast majority of hashing algorithms are based on one of the standard algorithms - MD5, SHA-1, SHA-256 and SHA-512, or combinations thereof. Brute forcers have long supported dozens of such algorithms in GPU versions and hundreds of algorithms in CPU versions.

Working with any hash begins with analyzing its format. If it has some familiar signature (see examples of hashes above), then it is immediately clear which algorithm to use to brute it. If the hash does not have a signature, then the engine of the forum or CMS from which it was taken is analyzed. There is a large list of engines with a description of the algorithm in each of them. If the engine is known, but the hashing algorithm is still not clear, then you can try to search the Internet for the distribution of this engine and analyze its source code, in terms of user authorization code.

If there is no source code for the engine, then you need to get a hash of some pre-known password - for example, register a couple of new users on the forum, preferably with the same simple password like 123456. If their hashes are the same (we assume that the hacker has access to the hashes), then only the password is used during hashing. If they are different, then something else is added to the password, unique for each user - salt, login, email. And then you can try to find the algorithm using the known password and hash. For example, in the Hash Manager program, in the BonusSearchAlgorithm folder there is a BAT file for automatically searching for an algorithm using all algorithms available in the program (about 400), including checking passwords in Unicode, as well as salt (or username) in hexadecimal.
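An added example (not the Hash Manager script) of the algorithm search described above: compare the hashes of two users registered with the same password, then try a table of candidate constructions with each per-user value (salt, login, e-mail) until one reproduces the hash. The users, their salts and the vBulletin-like scheme that generates their hashes are constructed for the example; the candidate table is a small illustrative subset.

```python
import hashlib


def _hex(algo: str, data: str) -> str:
    return hashlib.new(algo, data.encode("utf-8")).hexdigest()


def candidate_constructions():
    """Table of name -> function(password, salt) -> hex digest.

    A name containing '$salt' is tried with every per-user value the analyst
    has (salt column, login, e-mail); the others are tried once with no salt.
    Small illustrative subset, not Hash Manager's ~400 algorithms.
    """
    table = {}
    for algo in ("md5", "sha1", "sha256"):
        table[f"{algo}($pass)"] = lambda p, s, a=algo: _hex(a, p)
        table[f"{algo}($pass.$salt)"] = lambda p, s, a=algo: _hex(a, p + s)
        table[f"{algo}($salt.$pass)"] = lambda p, s, a=algo: _hex(a, s + p)
        table[f"{algo}({algo}($pass).$salt)"] = (
            lambda p, s, a=algo: _hex(a, _hex(a, p) + s))
        table[f"{algo}($salt.{algo}($pass))"] = (
            lambda p, s, a=algo: _hex(a, s + _hex(a, p)))
        table[f"{algo}({algo}($salt).{algo}($pass))"] = (
            lambda p, s, a=algo: _hex(a, _hex(a, s) + _hex(a, p)))
    # "Unicode" password: the UTF-16LE bytes of the password are hashed
    table["md5(utf16le($pass))"] = (
        lambda p, s: hashlib.md5(p.encode("utf-16-le")).hexdigest())
    return table


def same_hash_for_same_password(hash_a: str, hash_b: str) -> bool:
    """Step one from the text: two users registered with the same password.
    Identical hashes mean only the password goes into the hash; different
    hashes mean something per-user (salt, login, e-mail) is mixed in."""
    return hash_a.strip().lower() == hash_b.strip().lower()


def search_algorithm(target_hex, password, per_user_values=()):
    """Return every (construction, salt) pair that reproduces target_hex."""
    target = target_hex.strip().lower()
    salts = [v for v in per_user_values if v]
    hits = []
    for name, fn in candidate_constructions().items():
        for salt in (salts if "$salt" in name else [""]):
            if fn(password, salt) == target:
                hits.append((name, salt))
    return hits


# Constructed test users, both registered with the password "123456". Their
# hashes are generated here with a vBulletin-like md5(md5(pass).salt) scheme so
# the example is self-checking; in practice they come from the dump at hand.
KNOWN_PASSWORD = "123456"
USERS = {
    "alice": {"salt": "k3", "email": "alice@example.com",
              "hash": _hex("md5", _hex("md5", KNOWN_PASSWORD) + "k3")},
    "bob":   {"salt": "Zq", "email": "bob@example.com",
              "hash": _hex("md5", _hex("md5", KNOWN_PASSWORD) + "Zq")},
}
# A 32-hex fragment cut from the middle of sha256("123456"): it looks like
# MD5, but no standard construction in the table will reproduce it.
TRUNCATED_SHA256 = _hex("sha256", KNOWN_PASSWORD)[16:48]

if __name__ == "__main__":
    a, b = USERS["alice"], USERS["bob"]
    print("same hash for same password:",
          same_hash_for_same_password(a["hash"], b["hash"]))
    print(search_algorithm(a["hash"], KNOWN_PASSWORD, ["alice", a["email"], a["salt"]]))
    print(search_algorithm(TRUNCATED_SHA256, KNOWN_PASSWORD, ["alice", "k3"]))
```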

Well, if you still can't determine the algorithm, then you can ask on one of the hashcracker forums. What if someone has already encountered such hashes?

On the other side of the barricade

Now let's look at hashes through the eyes of the administrator of the resource that he wants to protect as much as possible from hacking. How can you make life more difficult for a hashcracker or even make it so that user hashes become unbreakable?

Sometimes, to do this, it is enough to switch to the latest version of the engine and select the algorithm that is the slowest in terms of brute speed. But if there are no plans to update the engine, and the administrator wants to protect his users’ passwords as much as possible from guessing, then there is another option - to patch the password verification code so that all newly registered users (or those who changed their passwords after a certain date) have their passwords hashed differently. How?

Of course, you can use any standard heavy-duty algorithm from the Linux crypt() function - sha512crypt or bcrypt. But if you manage to get such hashes, then the hashcracker will immediately determine the algorithm based on the signatures and will be able to break the hashes (albeit slowly). Conclusion - you need to hash passwords so that a hashcracker cannot unambiguously determine the algorithm by the type of hash, and this can only be done using non-standard methods.

For example, you can add a static salt to the password (even if it is the same for everyone, but very long - 200–500 characters) and hash it using the usual PHP md5 function. This salt is not present in the forum database (as it is, for example, in the vBulletin or osCommerce engines); it is hard-coded only in the PHP code, which is much more difficult to get at than the hashes. But even if you get this salt, there are almost no brute forcers that support working with such a long salt (at least on the GPU - definitely not).

Another option is to cyclically hash the regular MD5 of the password 50–100 thousand times. This will have almost no effect on the speed of user authorization, but the speed of brute force of such hashes will be scanty (provided that it is still possible to find out the number of iterations - again, only from the PHP code). And if it doesn’t succeed, then you won’t be able to mate them at all.

You can also take a longer hash from another algorithm (for example, SHA-256 or SHA-512) and instead of the whole hash, store in the database a 32-character fragment from the middle of the hash (and the bytes can also be rearranged). A hashcracker, seeing such a hash, will be sure that it is MD5 (or its modification), and will try to brute it, but it is useless.

In general, the imagination is limitless here - over the years of working with hashes, the author has come across a lot of different ingenious types of hashing, but the fact is obvious - there are a lot of dumps from self-written CMS, or from commercial CMS without available source codes, or from patched (apparently) forums, and CMS remain unbroken to this day. What is mixed inside during hashing is unknown.

And timeless advice to all users: the most reliable option to protect your account from hacking, even if access to the hash of your password was obtained, is to use a long password consisting of random characters. Such passwords cannot be broken!

Hashcracking competitions

And where can a hashcracker compete with other hashcrackers in his ability to break hashes? Of course, at competitions! The main ones are the Crack Me If You Can competition, held by KoreLogic as part of the annual DEF CON conference, and the Hash Runner competition at the annual Positive Hack Days conference.

The rules of these competitions are very simple - you need to break as many competition hashes as possible in a limited time (usually 48 hours) and complete additional tasks also related to hashes. And since time is very limited, hashcrackers always form teams during such competitions.

Historically, from the very first competitions, three main teams were formed - InsidePro, hashcat and john-users, which all these years have consistently shared three prizes in various combinations. Even by the names of the teams, it is already obvious what software or site they have united around. Each team includes the author of this software, and the reason for this is also clear - at competitions there are always new or modified hashing algorithms, and you need to very quickly modify the brute-forcer program or add a new algorithm to it. It is very difficult for anyone who does not have the ability to quickly (often in a few hours or even minutes) adapt the software to the necessary features to qualify for a prize.

All competition reports are available on the teams' websites, as well as on the organizers' websites - for example, .

Rice. 4. Archive photo - organizers of the hashcracking competition at DEFCON 2012

Unfortunately, there are no other major hashcracking competitions. Sometimes there are small competitions on hashcracker forums, but their scope is much smaller. On the other hand, many professional hashcrackers are always in “competition mode”, since hashes worth hundreds and even thousands of dollars are periodically posted on forums, so immediately after their publication, hashcrackers join the fight for this hash in order to beat others, to be the first to break password and receive a “prize”, that is, payment for the password.

Conclusion

The increasing complexity of hashing algorithms and the use of increasingly complex and long passwords by users is offset by an increase in hashcracker computing power and the creation of increasingly powerful farms that break hashes at speeds that we could not even imagine a few years ago.

But the main thing is that the ideology itself - storing user passwords in the form of hashes - has not changed for many years, and this applies both to passwords of users of Internet resources and to users of various operating systems, which means that knowledge in the field of hashcracking will be relevant and for all the coming years!

How to break a hash if you have neither hardware nor software at hand?

To do this, you can check your hash in online hash databases like www.cmd5.ru. Or directly on services like www.hashchecker.de, which check the hash en masse in dozens of databases, and maybe you’ll get lucky.

But such services have a drawback - they mainly contain hashes from artificially generated passwords. So far, the only service where only real user hashes and passwords are collected is Hash Finder. It has already accumulated more than 500 million such hashes and passwords - all of them were actually used by someone at some point, so the percentage of passwords found on it is much higher than on other services.

Another option is to post your hash (or list of hashes) on one of the hashcracker forums, where you can always get help. Most popular forums:

You can also post your hash in paid threads of these forums, indicating the price for the found password. Then dozens of hashcrackers are guaranteed to start working with it, and there is a high probability of hacking the password.

Last updated on November 18, 2016.

In information security and penetration testing, the task of cracking a password comes up regularly. It may be the hash of a Windows administrator password, a wireless access point password, or any other hash you have managed to obtain. Recovering the password from such a hash is a discipline of its own: hashcracking.

What is hashcracking?

Recovering passwords from hashes, or hashcracking, is an engaging process that requires solid knowledge in several fields: cryptography, combinatorics, programming and more. You also need a good grasp of hardware, so that your farm runs reliably for weeks and months at full load.

At the same time, a real hashcracker is usually completely removed from both the extraction of the hashes and the use of the recovered passwords to access other people's accounts. He is not interested in that; he is not a hacker. Hashcracker forums publish only hashes (or lists of hashes) to be cracked. These lists carry no resource name, user names, e-mail addresses, IP addresses or any other private information, so even when a password is recovered the hashcracker has no idea where it came from and cannot use it. And even if he knew, he would not: his goal is the cracking itself, which for him is close to an art.

Most of the hashcrackers on the forums are a kind of Robin Hood. They spend their time and resources helping other users crack hashes, while continually accumulating new passwords and rules for generating them. For them any hash is a challenge to their intellect, experience and skill, and these are the people who recover the most complex passwords that nobody else can. How do they do it? What software and hardware do they use? What else do you need to know to crack hashes as efficiently as they do? That is the subject of this article.

Software

Today hashcracking is done mainly on graphics processors (GPUs); ordinary processors (CPUs) are left with the algorithms that have no GPU implementation. For GPU brute force, oclHashcat has become the de facto standard: it has builds for Windows and Linux and supports all modern GPUs, both NVIDIA and AMD. Recently its author released it as open source, so it is now on GitHub and anyone can contribute to new versions.

To distribute its work across several machines there is the Hashtopus front end. Another popular GPU cracker is the evergreen John the Ripper (JtR) in its Jumbo build, which also implements many algorithms for all GPU families, although for best results it should be rebuilt for each specific hardware configuration.

There are many more programs for the CPU, but the most capable remain the same hashcat and JtR. To them you can add Hash Manager, which is built for processing hashes on an "industrial scale", that is, very large lists that cannot be loaded into other programs. All of these programs are free, and everyone decides for themselves what to use day to day; practice shows that it pays to master all of them, since professional hashcrackers pick one program or another depending on the situation.

Bear in mind that all of these are console programs without a built-in GUI, and to use them effectively you need to be comfortable in the console (see the sidebar). Ideally you should also be able to write batch files (BAT or CMD) to tailor the programs' behaviour as flexibly as possible. Then you create a set of command files for the different attacks once, and from then on cracking comes down to filling a file with the hashes and launching one command file or another with the right parameters.

Console is a hashcracker's paradise

The most advanced hashcracking software is console-based and is controlled either through command line parameters or by editing configuration files. But the trend is that users drift further and further from the console and demand a graphical interface, and the most common question on the forums for these programs is: "I launched the program, a black window popped up and closed. What do I do?" The answer is obvious: learn the console.

Linux users most likely already have console skills, but for Windows users the best choice is FAR Manager. It is very convenient for working with hash lists and other files, and combined with additional tools (for example, those from Hash Manager) it gives you a kit that processes any file in seconds.

To do this, you need to use the user menu (by pressing F2) to assign the most frequently used tools to the necessary keys - sort the file, extract passwords from the results file, count the number of lines in the file, and so on. After this, all work with the desired file will be reduced to three actions - place the cursor on it, call F2 and press the hot key.

After you completely customize FAR for yourself - color coloring of files, shortcut keys for tools, quick transitions to the desired directory, and so on - all the routine work of the hashcracker will become very comfortable, and therefore very effective.

Hardware

In terms of hardware, hashcrackers are almost indistinguishable from cryptocurrency miners and build the same farms of video cards. They do not have dozens of cards, but several powerful cards is almost the norm for cracking hashes.


The requirements for the farm are the same as for mining: good cooling, a stable power supply and enough spacing between cards that they do not heat each other. Until recently the main cards for cracking (as for mining) were AMD GPUs, which had the better price/speed ratio. With NVIDIA's sm_50 (Maxwell) architecture, however, NVIDIA cards turned out to be faster for cracking while drawing much less power and running quieter and cooler. Right now the most effective card for cracking hashes is the NVIDIA GTX 980 Ti.


It is no accident that more and more hashcrackers on the InsidePro forum are switching to these cards (judging by the signatures in their posts): at a peak draw of only 165 W they deliver about 15 billion MD5 candidates per second. Their one drawback is the high price, which hardly falls and, with the jump in the dollar exchange rate, has only risen. If price is the sole criterion and nothing else matters, you can fill a farm with AMD cards instead. For reference, a typical system with two mid-range cards costs about $1200–1300.

As for the CPU, everything is simple - the more cores, the higher the frequency and the larger the cache size, the faster the search will go. A powerful processor will allow you to both use the farm to brute force passwords on the GPU, and in parallel with them load the CPU with secondary work - for example, checking other hashes using dictionaries, while all GPUs are busy with a hybrid or combined attack. Support for the latest command sets (SSE and AVX latest versions) is also necessary, since almost all of the above programs have code tailored for these command sets, which significantly increases the search speed.

Is there anything left where the CPU can still compete with the GPU on cracking speed? For small jobs, of course not. But on large lists of tens of millions of hashes (especially salted ones), processing on the CPU is very often as fast as on a video card or faster. Lists of hundreds of millions of hashes frequently cannot be loaded into a GPU at all; the only option is to split the list into fragments and run them one by one, which multiplies the attack time, whereas the CPU can load and process the whole list in one pass if RAM allows.

Another area where the CPU may overtake the GPU in time is the Intel Xeon Phi coprocessor. Its price is still very high, but it may become acceptable, at which point it could be bought for cracking hashes on a home machine. That would give a very powerful system: a Xeon Phi has about 60 cores (depending on the model), each running four hardware threads, so up to 240 threads for the search. On heavy algorithms such as bcrypt (slow even on video cards) this coprocessor can be several times faster than even top cards, which is why the john-users team nicknamed it the "bcrypt killer". There is no public hashcracking software for it yet, but it will surely appear.


The reader may object: what about FPGA chips, which reach enormous speeds mining Bitcoin? Yes, they reach terahashes per second, but they are programmed for a single algorithm, SHA-256, which is rarely used for hashing ordinary user passwords (and the other popular mining algorithm, scrypt, is used even less). Besides, a single FPGA chip gives modest speed; the terahashes come from combining dozens or even hundreds of chips into arrays, which is not cheap. The main drawback of all FPGAs is that each is programmed to brute force a single hash type. Many algorithms have been ported to these chips, MD5 included, but there is little practical benefit: a video card is the better buy. Still, Altera and Xilinx are developing their FPGA lines very actively, and in time this may become interesting for hashcrackers too.

Is it possible to make money from hashcracking?

Yes, sure. As a rule, you can make money in any business, the main thing is to be a professional in this matter. And hashcracking is no exception. All hashcracker forums have paid sections where orders for hash cracking are placed. Having good dictionaries, you can try your hand at cracking such hashes. You just need to take into account that the main rule on such forums is that whoever breaks the hash first gets paid for it. Therefore, powerful hardware is simply necessary to be able to break the hash faster than other hashcrackers. As a rule, cracking such hashes is the main income of a hashcracker.

There is another way to earn, which has been gaining popularity lately but is for owners of large farms: renting the farm out to other hashcrackers at a daily rate. It often happens that a particularly valuable hash needs to be taken quickly to a good search depth, and the power of one or even several video cards is clearly not enough. Large capacity may also be needed during hashcracking competitions.

Dictionaries

Success in hashcracking is based on good dictionaries, preferably consisting of real user passwords. Where can I get them? There are three ways, let's look at them in more detail.

  1. Download ready-made dictionaries from the Internet (Google the word "wordlist"). This is the simplest method, but such dictionaries are of very low quality: they contain a lot of garbage and artificially generated words and few real passwords. An option for getting started, nothing more.
  2. Download attachments to messages about broken hashes on the InsidePro and HashKiller forums - requests for help with brute force large lists are often posted there, and other forum users help by posting their results in hash:password format. This means you can download such files for yourself and extract all the passwords from there. These will already be very good dictionaries, but they will have one drawback - all passwords from such dictionaries are in the public domain and are also available to all other hashcrackers.
  3. Build dictionaries yourself by constantly processing the lists of uncracked hashes that can be downloaded from the same forums. This is the most effective method, though the slowest, and such dictionaries are the most valuable because they contain only real, unique and often private passwords. Professional hashcrackers even have a term for it, "realpass mining": when there are paid hashes, the farm works on those; when there are none, it does not sit idle but spends days brute-forcing lists of uncracked hashes from the forums, continuously adding new unique passwords to the hashcracker's collection.

Obviously, anyone serious about hashcracking takes the last path and gradually builds up a personal and very effective set of dictionaries.

Frequency dictionaries

Let's say there is a huge list of salted hashes that needs to be processed quickly. How to do this if an attack on a large dictionary, even on a powerful farm, will go on for many days, or even weeks? There is only one answer - to use frequency dictionaries.

What are they? Ordinary dictionaries in which the passwords are sorted in descending order of how often they are used, so the most popular passwords come first (see the Top100xx.dic files in the Hash Manager distribution for examples). Obviously it is more efficient to test the hashes first against the most frequent passwords, then against rarer ones, and so on. This quickly cracks all the popular passwords and shrinks the list of hashes left for subsequent work.

Thus, having accumulated quite a few dictionaries, you can collect statistics on them, form your own frequency dictionary and start processing all heavy lists of hashes from there.

Additional tools

The crackers themselves are only a small part of a hashcracker's software arsenal, and in fact the simplest part: take a file of hashes, configure the attacks, launch. That is it; the program may then run for days, and all that remains is to check what percentage of the hashes is cracked.

Typically, a lot of different text files pass through a hashcracker:

  • lists of hashes in different types and formats, often with hashes of different types mixed, and you need to extract the hashes separately for each algorithm;
  • dictionaries that need to be cleaned, sorted, and duplicates removed;
  • accumulated Brute results, in which both unsalted hashes with passwords and salted hashes with passwords are often mixed, and so on.

In short, hundreds and thousands of such heterogeneous files are a constant headache, and everyone handles it differently: some do part of the work on Linux with the OS's own commands (grep, for example), some write Perl scripts, some use assorted programs. Either way, besides the crackers you need tools for working with text files: sorting, cleaning, converting from one format to another, extracting or rearranging data, checking the format, and so on.

Working without these tools is extremely hard, so each cracker usually ships its own set of utilities. hashcat has such a kit, and so does JtR, but the largest set of utilities for Windows comes with Hash Manager. It contains more than 70 tools built on the principle of one function = one file, so they can be assembled, like bricks, into a BAT file that processes files of any complexity, and the 64-bit builds of the tools handle files of unlimited size.

Here is an example BAT file showing how to extract only Magento hashes (32 hex characters, a colon and a two-character salt: 35 characters in all) from a list in which hashes of different types are mixed; the tools are called with the input file as %1:

REM Extract only lines with a length of 35 characters
ExtractLinesByLen.exe %1 35 35
REM Rename the file with the extracted lines to 2.txt
MOVE /Y %1.Lines 2.txt
REM Check the hash format
IsCharset.exe 2.txt ?h 1
REM Check the salt format
IsCharsetInPos.exe 2.txt 33 ":"
IsCharsetInPos.exe 2.txt 34 ?l?u?d
IsCharsetInPos.exe 2.txt 35 ?l?u?d
REM Done! 2.txt now contains only Magento hashes
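The same triage in Python, as an added example that is not part of the article and not Hash Manager's own tools: it reproduces in one file what the BAT above does with ExtractLinesByLen / IsCharset / IsCharsetInPos, and also builds the frequency dictionary described in the "Frequency dictionaries" section from a results file. Detection is by shape only (length, charset, signature), which is all a cracker has when the engine is unknown, so formats with the same shape (MD5 and NTLM are both 32 hex characters) share a bucket. The format labels and the sample data are this example's own.

```python
"""Triage of mixed hash lists and brute results: split by format, extract
one format, turn hash:password results into a frequency dictionary."""
import re
from collections import Counter, defaultdict

# Checked in order: signed crypt(3) formats, then salted "hash:salt" layouts,
# then bare hex digests. Hex is matched case-insensitively.
SIGNATURES = [
    ("md5crypt",    re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt",      re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("magento",     re.compile(r"^[0-9a-f]{32}:[0-9A-Za-z]{2}$", re.I)),  # md5(salt.pass):salt
    ("vbulletin",   re.compile(r"^[0-9a-f]{32}:[^:]{3}$", re.I)),        # md5(md5(pass).salt):salt
    ("md5",         re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1",        re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256",      re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha512",      re.compile(r"^[0-9a-f]{128}$", re.I)),
]


def classify(line):
    """Format label for one line, by shape; 'unknown' goes to manual review."""
    s = line.strip()
    for label, pattern in SIGNATURES:
        if pattern.match(s):
            return label
    return "unknown"


def split_by_format(lines):
    """Bucket a mixed list by format, dropping blank lines."""
    buckets = defaultdict(list)
    for line in lines:
        s = line.strip()
        if s:
            buckets[classify(s)].append(s)
    return dict(buckets)


def extract_magento(lines):
    """The BAT file's selection: 35 chars = 32 hex, ':', 2-char alphanumeric salt."""
    return split_by_format(lines).get("magento", [])


def frequency_dictionary(result_lines, salted):
    """Turn brute results into (password, count) pairs, most common first.
    Lines are 'hash:password' or, for salted lists, 'hash:salt:password'; the
    caller says which, since one results file is in one format. Only the
    leading fields are split off, so passwords that themselves contain ':'
    survive. Ties sort alphabetically so the output is stable."""
    leading = 2 if salted else 1
    counts = Counter()
    for line in result_lines:
        parts = line.rstrip("\r\n").split(":", leading)
        if len(parts) != leading + 1 or not parts[0]:
            continue  # malformed line: skip it rather than pollute the dictionary
        counts[parts[-1]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample input: a dump with several formats mixed together.
MIXED_LIST = """\
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99:Qz
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
e8f0c9d2b8c43c85d07fba2b8b3b0d5c:a1b
$1$saltsalt$qFmFH.bQmmtXnyBabHqtc0
not a hash at all
""".splitlines()

# Constructed results of a salted list (hash:salt:password); the hashes are dummies.
SALTED_RESULTS = """\
00000000000000000000000000000001:x1y:123456
00000000000000000000000000000002:q9z:123456
00000000000000000000000000000003:m3k:qwerty
00000000000000000000000000000004:p0o:123456
00000000000000000000000000000005:k2j:pa:ss
""".splitlines()

if __name__ == "__main__":
    for label, lines in sorted(split_by_format(MIXED_LIST).items()):
        print(f"{label:12s} {len(lines)}")
    print(extract_magento(MIXED_LIST))
    print(frequency_dictionary(SALTED_RESULTS, salted=True))
```

The "unknown" bucket is the useful by-product: whatever lands there is either garbage to strip from the list or a format worth analysing by hand, which is the next section's topic.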

Hash Algorithms

On the one hand, the set of hashing algorithms in use changes little over time. The reasons are simple: the algorithms for OS user passwords have not changed in years, and on the Internet hundreds of thousands of resources still run outdated engines whose versions are never updated, even though all the new versions of forums and CMSs already support stronger hashing (IPB 4, for example, already uses bcrypt). On the other hand, small shifts are happening: very heavy algorithms come up more and more often, various PBKDF2 variants and the same bcrypt, which are processed at a meagre speed even on farms.

In total, hundreds of algorithms are known, and example hashes for them can be viewed online. The vast majority are based on one of the standard primitives (MD5, SHA-1, SHA-256, SHA-512) or a combination of them. The crackers have long supported dozens of such algorithms in their GPU versions and hundreds in their CPU versions.

Work on any hash begins with analysing its format. If it carries a recognisable signature (see the example hashes above), the algorithm to crack it with is immediately clear. If there is no signature, the next step is the engine of the forum or CMS the hash came from: there is a large list of engines with a description of the algorithm used by each. If the engine is known but the algorithm still is not, try to find the engine's distribution on the Internet and read its source code, specifically the user authentication code.

If the engine's source code is not available, obtain the hash of a password you already know: for example, register a couple of new users on the forum, preferably with the same simple password such as 123456. If their hashes are identical (we assume the attacker can read the hashes), only the password goes into the hash. If they differ, something unique to each user is mixed in: a salt, the login, the e-mail. Then, with a known password and its hash, you can search for the algorithm. For example, the Bonus\SearchAlgorithm folder of Hash Manager contains a BAT file that automatically tries every algorithm the program supports (about 400), including the password in Unicode and the salt (or username) in hexadecimal.
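The search described above, as an added Python example; it is not the article's code and not Hash Manager's Bonus\SearchAlgorithm script, only a small stand-in for it. The workflow is the one from the text: register two accounts with the same password, pull both hashes, compare them to learn whether a per-user value is mixed in, then try every candidate construction until one reproduces the hash, with the password tried as UTF-8 and as UTF-16LE and the salt tried both raw and hex-decoded. The candidate table is a sample of common forum/CMS schemes, not the ~400 the text mentions; the labels and sample data are this example's own.

```python
"""Identify an unknown password hashing scheme from a known password/hash pair."""
import hashlib


def md5(b): return hashlib.md5(b).hexdigest()
def sha1(b): return hashlib.sha1(b).hexdigest()
def sha256(b): return hashlib.sha256(b).hexdigest()


# Each candidate maps (password, salt, username) as bytes to a hex digest.
# Salt and username are empty bytes when the scheme does not use them, so with
# no salt several entries collapse to md5(pass); that is reported as-is, since
# they are genuinely indistinguishable without a salt.
CANDIDATES = {
    "md5(pass)":                lambda p, s, u: md5(p),
    "sha1(pass)":               lambda p, s, u: sha1(p),
    "sha256(pass)":             lambda p, s, u: sha256(p),
    "md5(md5(pass))":           lambda p, s, u: md5(md5(p).encode()),
    "md5(salt.pass)":           lambda p, s, u: md5(s + p),                # Magento, osCommerce
    "md5(pass.salt)":           lambda p, s, u: md5(p + s),
    "md5(md5(pass).salt)":      lambda p, s, u: md5(md5(p).encode() + s),  # vBulletin, MyBB
    "md5(md5(salt).md5(pass))": lambda p, s, u: md5(md5(s).encode() + md5(p).encode()),  # IPB 2/3
    "sha1(salt.pass)":          lambda p, s, u: sha1(s + p),
    "sha1(pass.salt)":          lambda p, s, u: sha1(p + s),
    "md5(user.pass)":           lambda p, s, u: md5(u + p),
    "md5(pass.user)":           lambda p, s, u: md5(p + u),
}


def is_user_specific(hash_a, hash_b):
    """Two accounts created with the same password. Equal hashes: only the
    password is hashed. Different hashes: a per-user value (salt, login,
    e-mail, ...) is mixed in and must be supplied to find_algorithm()."""
    return hash_a.strip().lower() != hash_b.strip().lower()


def salt_variants(salt):
    """A stored salt may be the raw characters or a hex encoding of raw bytes;
    try both, as the text's script does."""
    variants = [("raw", salt.encode())]
    if salt and len(salt) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in salt):
        variants.append(("hex-decoded", bytes.fromhex(salt)))
    return variants


def find_algorithm(target, password, salt="", username=""):
    """Names of every candidate that reproduces `target`, with the password
    tried as UTF-8 and as UTF-16LE (the 'Unicode' check from the text)."""
    target = target.strip().lower()
    encodings = (("utf-8", password.encode("utf-8")),
                 ("utf-16le", password.encode("utf-16-le")))
    matches, seen = [], set()
    for salt_label, s in salt_variants(salt):
        for name, fn in CANDIDATES.items():
            for enc_label, p in encodings:
                if (name, enc_label) in seen:
                    continue  # already matched with another salt form
                if fn(p, s, username.encode()) == target:
                    seen.add((name, enc_label))
                    matches.append(f"{name} [pass={enc_label}, salt={salt_label}]")
    return matches


if __name__ == "__main__":
    # Constructed scenario: two test users with the password "123456", hashes
    # taken from a dump whose engine is unknown (built here vBulletin-style).
    user1 = md5(md5(b"123456").encode() + b"a1b") + ":a1b"
    user2 = md5(md5(b"123456").encode() + b"Zq7") + ":Zq7"
    print("per-user value mixed in:", is_user_specific(user1, user2))
    digest, salt = user1.split(":")
    print(find_algorithm(digest, "123456", salt))
```

A hit on exactly one candidate with a non-empty salt is conclusive; a hit with an empty salt on several md5-shaped candidates only tells you the scheme is unsalted MD5 in some arrangement, which is enough to crack it but not to name the engine.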

And if you still cannot determine the algorithm, ask on one of the hashcracker forums: someone may already have come across such hashes.

On the other side of the barricade

Now let's look at hashes through the eyes of the administrator of a resource who wants to protect it as well as possible. How do you make life harder for a hashcracker, or even make the user hashes uncrackable?

Sometimes it is enough to move to the latest version of the engine and choose the algorithm that is slowest to brute force. But if there are no plans to update the engine and the administrator still wants to protect the users' passwords from guessing as much as possible, there is another option: patch the password verification code so that all newly registered users (or those who change their password after a certain date) have their passwords hashed differently. How?

Of course, you can use one of the standard heavy algorithms from the Unix crypt() family, sha512crypt or bcrypt. But if an attacker does obtain such hashes, a hashcracker will recognise the algorithm at once from its signature and will be able to crack the hashes (albeit slowly). Hence the conclusion: hash passwords in such a way that a hashcracker cannot unambiguously determine the algorithm from the look of the hash, and that takes a non-standard method.

For example, append a static salt to the password (the same for everyone, but very long: 200–500 characters) and hash the result with PHP's ordinary md5 function. Unlike the salts of the vBulletin or osCommerce engines, this salt is not stored in the forum database; it is hard-coded only in the PHP code, which is much harder to get at than the hashes. And even if the attacker obtains the salt, almost no cracker supports a salt that long (on the GPU, certainly none).

Another option is to apply ordinary MD5 to the password cyclically, 50–100 thousand times. This has almost no effect on the speed of user login, but the brute-force speed for such hashes becomes meagre (and that is provided the iteration count can be found out at all, which again is possible only from the PHP code). If it cannot, the hashes cannot be cracked at all.

You can also take a longer hash from a different algorithm (SHA-256 or SHA-512, say) and, instead of the whole hash, store in the database a 32-character fragment from its middle (the characters can also be rearranged). A hashcracker who sees such a hash will be sure it is MD5 (or some variant of it) and will try to crack it, to no avail.
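The three schemes above, as an added Python example (the text describes them for PHP; this is neither the article's code nor any engine's). What they have in common: the value that makes the hash unrecognisable, the pepper or the iteration count, lives only in application code and never in the users table, and the stored value is 32 lowercase hex characters that look exactly like plain MD5. The constants are this example's assumptions. The caveat a practitioner adds: once the code leaks, each scheme is only as strong as the construction it hides (one MD5 with a fixed suffix, N chained MD5s, one SHA-512), and none of them uses a per-user salt, so two users with the same password still get the same hash, which is precisely the test from the previous section. They are obfuscation on top of, not a substitute for, a standard slow hash such as bcrypt.

```python
"""Three 'unrecognisable' password hashing schemes with their verification."""
import hashlib
import hmac
import re

# Scheme 1: long static pepper appended to the password, then one MD5.
# The text suggests 200-500 characters; shortened here for readability.
STATIC_PEPPER = "7c1d9e0b2f44a6e8c3d5b1f0a9e72c4d6b8f1e3a5c7d9b2e4f6a8c0d1e3f5a7b9c"


def hash_pepper_md5(password, pepper=STATIC_PEPPER):
    return hashlib.md5((password + pepper).encode("utf-8")).hexdigest()


# Scheme 2: MD5 chained N times over the hex digest; N is known only to the code.
ITERATIONS = 50_000


def hash_iterated_md5(password, iterations=ITERATIONS):
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    for _ in range(iterations - 1):
        digest = hashlib.md5(digest.encode("ascii")).hexdigest()
    return digest


# Scheme 3: SHA-512, keep 32 hex characters from the middle of the 128, then
# rearrange them (here: swap the two 16-character halves) so the stored value
# is not even a contiguous slice of the real digest.
def hash_truncated_sha512(password):
    full = hashlib.sha512(password.encode("utf-8")).hexdigest()
    middle = full[48:80]
    return middle[16:] + middle[:16]


SCHEMES = {
    "pepper_md5": hash_pepper_md5,
    "iterated_md5": hash_iterated_md5,
    "truncated_sha512": hash_truncated_sha512,
}


def verify(scheme, password, stored):
    """Constant-time comparison of the stored value with a fresh computation."""
    return hmac.compare_digest(SCHEMES[scheme](password), stored.strip().lower())


def looks_like_md5(stored):
    """What the cracker sees in the dump: 32 hex characters, i.e. 'an MD5'."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


if __name__ == "__main__":
    pw = "123456"
    for name, fn in SCHEMES.items():
        h = fn(pw)
        print(f"{name:17s} {h}  md5-shaped={looks_like_md5(h)}  verify={verify(name, pw, h)}")
```

Note that the iteration count is also a login-latency budget: 50,000 MD5s is a few tens of milliseconds in interpreted code, which is invisible to the user but, multiplied over a whole hash list, is exactly the slowdown the text is after.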

The imagination is the only limit here. Over years of working with hashes the author has seen many ingenious hashing variants, and one fact is plain: a great many dumps from home-grown CMSs, from commercial CMSs without available source code, and from (apparently) patched forums and CMSs remain uncracked to this day, because nobody knows what is mixed into the hash.

And timeless advice to all users: the most reliable way to protect your account, even if someone obtains the hash of your password, is a long password made of random characters. No dictionary or brute-force attack reaches such passwords, whatever the hashing algorithm.

Hashcracking competitions

And where can a hashcracker compete with other hashcrackers in his ability to break hashes? Of course, at competitions! The main ones are the Crack Me If You Can competition, held by KoreLogic as part of the annual DEF CON conference, and the Hash Runner competition at the annual Positive Hack Days conference.

The rules of these competitions are very simple - you need to break as many competition hashes as possible in a limited time (usually 48 hours) and complete additional tasks also related to hashes. And since time is very limited, hashcrackers always form teams during such competitions.

Historically, three main teams formed from the very first competitions: InsidePro, hashcat and john-users, which have shared the three prize places in various combinations all these years. The names say which software or site each team is built around, and each team includes that software's author. The reason is clear: competitions always feature new or modified hashing algorithms, and the cracker has to be modified, or a new algorithm added, very quickly. Anyone who cannot adapt the software to the required specifics fast (often within hours or even minutes) can hardly hope for a prize.

All competition reports are available on the teams' websites and on the organizers' websites.

Fig. 4. Archive photo: organizers of the hashcracking competition at DEF CON 2012

Unfortunately, there are no other major hashcracking competitions. Small contests are held on hashcracker forums now and then, but on a much smaller scale. On the other hand, many professional hashcrackers are permanently in "competition mode", since hashes worth hundreds or even thousands of dollars are regularly posted on the forums, and the moment one appears the hashcrackers race to be the first to recover the password and collect the "prize", that is, the payment for it.

Conclusion

The growing complexity of hashing algorithms and the longer, more complex passwords users choose are offset by the growth in hashcrackers' computing power and by ever more powerful farms that crack hashes at speeds unimaginable a few years ago.

But the main point is that the underlying idea, storing user passwords as hashes, has not changed in many years, and that applies to the users of Internet resources and of the various operating systems alike. Knowledge of hashcracking will therefore stay relevant for all the years to come.

How to break a hash if you have neither hardware nor software at hand?

Look the hash up in online hash databases such as www.cmd5.ru, or use services such as www.hashchecker.de that query dozens of such databases at once; you may get lucky.

Such services have a drawback, though: they mostly hold hashes of artificially generated passwords. So far the only service that collects only real user hashes and passwords is Hash Finder. It has already accumulated more than 500 million of them, every one actually used by someone at some point, so its hit rate is much higher than that of other services.

Another option is to post your hash (or list of hashes) on one of the hashcracker forums, where help is always available. The most popular forums: forum.insidepro.com, forum.hashkiller.co.uk, forum.antichat.ru/forums/76.

You can also post your hash in the paid threads of these forums, naming a price for the recovered password. Dozens of hashcrackers are then guaranteed to start on it, and the chance of the password being cracked is high.

Brute force (from the English "brute force") is a type of hacker attack: a method of breaking into accounts on computer systems, payment/banking services and websites by automated guessing of login and password combinations.

The attack takes its name from the mathematical method of the same name (exhaustive search), in which the correct answer, a finite number or combination of symbols, is found by trying the options in turn: every value from a given set of potential answers is checked for correctness.

How brute force works

A hacker writes a special program for guessing passwords or uses a ready-made solution from his colleagues. It can be targeted at a specific email service, website or social network (i.e., it is intended for hacking a specific resource). Then preparations for the attack are carried out. They consist of the following steps:

  1. Preparation of a proxy list

In order to hide the true IP address of the computer from which the attack will be carried out, and to prevent blocking from the site where the account needs to be hacked, an Internet connection is configured through a proxy server.

The search for proxy addresses/ports is carried out in a proxy grabber. This utility independently retrieves all the data needed to connect to intermediary servers from sites that publish proxies (they are specified in a list). In other words, proxies are harvested.

The resulting database is saved in a separate text file. And then all the server addresses contained in it are checked for functionality in the proxy checker. Quite often, programs designed for automated proxy mining combine the functions of both a grabber and a checker.

As a result, you get a ready-made proxy list in the form of a list of IP/port, saved in a txt file. (You will need it when setting up the brute force program).

  2. Search for bases for Brute

The brute-force program needs a dictionary - a set of password and login combinations - which it will substitute into the login form. Like the proxy list, it takes the form of a list in a regular text file (.txt). Dictionaries, also known as databases, are distributed through hacker forums, websites and file hosting services. More experienced “craftsmen” create them on their own and provide them to everyone for a fee. The larger the base (number of combinations, logins, accounts), the better (for the hacker) - the greater the likelihood that the attack will succeed.

  3. Setting up brute force

The proxy list is loaded; the selection program will automatically change the proxy so that the web server does not detect the attack and, accordingly, the source (host) of the attack.

A dictionary of password/login combinations is attached. The number of threads is set - how many combinations the brute forcer will check at the same time. A powerful computer with a fast Internet connection can confidently handle 120-200 threads (this is the optimal value). The speed of the brute forcer depends directly on this setting. For example, if you set only 10 threads, the guessing will be very slow.

  4. Running brute force

The program records successful break-ins: it saves the matched credentials (password/login) to a file. The guessing procedure lasts from several hours to several days. However, it is not always effective, because of the strength of the credentials or because the target has other protective measures in place.
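From the defender's side, the procedure just described has two signatures: a single source producing many failed logins in a short time, and, when the proxy list is rotating (step 3), one account receiving failures from many different sources while no single IP ever stands out. The following is an added example (not code from the article) that runs both checks over constructed login records; the log format, the 5-minute window and the thresholds are assumptions, and the addresses come from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of application login records in the form
# "<ISO timestamp> <client IP> <login name> <OK|FAIL>"; these are made-up lines,
# not a log from any site mentioned in the article.
SAMPLE_LOG = """\
2013-08-01T10:00:01Z 203.0.113.5 admin FAIL
2013-08-01T10:00:02Z 203.0.113.5 admin FAIL
2013-08-01T10:00:03Z 203.0.113.5 admin FAIL
2013-08-01T10:00:04Z 203.0.113.5 admin FAIL
2013-08-01T10:00:05Z 203.0.113.5 admin FAIL
2013-08-01T10:00:06Z 203.0.113.5 admin FAIL
2013-08-01T10:01:00Z 198.51.100.1 editor FAIL
2013-08-01T10:01:10Z 198.51.100.2 editor FAIL
2013-08-01T10:01:20Z 198.51.100.3 editor FAIL
2013-08-01T10:01:30Z 198.51.100.4 editor FAIL
2013-08-01T10:01:40Z 198.51.100.5 editor FAIL
2013-08-01T10:01:50Z 198.51.100.6 editor FAIL
2013-08-01T10:02:00Z 192.0.2.10 alice OK
2013-08-01T10:30:00Z 192.0.2.10 alice FAIL
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
IP_THRESHOLD = 5                # assumed failures per source IP before alerting
ACCOUNT_THRESHOLD = 5           # assumed failures per account before alerting


def parse_line(line: str):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_bursts(lines, window=WINDOW, ip_threshold=IP_THRESHOLD,
                  account_threshold=ACCOUNT_THRESHOLD):
    """Return {'ips': {ip: peak failures}, 'accounts': {user: peak distinct source IPs}}.

    Per-IP counting catches a single source hammering the login form; per-account
    counting catches the proxy-rotating case, where each request comes from a
    different address and no single IP ever crosses the threshold.
    """
    recent_by_ip = defaultdict(deque)        # ip -> timestamps of failures
    recent_by_account = defaultdict(deque)   # user -> (timestamp, ip) of failures
    flagged_ips, flagged_accounts = {}, {}

    for raw in lines:
        if not raw.strip():
            continue
        ts, ip, user, result = parse_line(raw)
        if result != "FAIL":
            continue

        q = recent_by_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= ip_threshold:
            flagged_ips[ip] = max(flagged_ips.get(ip, 0), len(q))

        a = recent_by_account[user]
        a.append((ts, ip))
        while a and ts - a[0][0] > window:
            a.popleft()
        if len(a) >= account_threshold:
            sources = len({src for _, src in a})
            flagged_accounts[user] = max(flagged_accounts.get(user, 0), sources)

    return {"ips": flagged_ips, "accounts": flagged_accounts}


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG.splitlines()))
```

On the sample data the first check flags 203.0.113.5, while the second flags the editor account with six distinct sources even though none of those addresses exceeds one failure; the single failed attempt by alice half an hour later is noise and is not reported. In practice the account-level signal is the one that survives proxy rotation, so it should drive lockout or step-up authentication rather than IP blocking alone.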

Types of brute force

Personal hacking

Hunting for a specific account - on a social network, on an email service, etc. In the course of online conversation, the attacker coaxes from the victim the login used to access a website. Then he cracks the password using brute force: in the brute-force program he specifies the address of the web resource and the obtained login, and attaches the dictionary.

The chances of such a hack are small, compared, for example, with an XSS attack. It can succeed if the account owner used a password of 6-7 characters with a simple character combination. Otherwise, “solving” stronger variants of 12, 15 or 20 letters, digits and special characters will take years - tens or hundreds of years, according to the exhaustive-search calculation.

Brut/check

A database of logins/passwords for mailboxes of one mail service (for example, mail.ru) or of several services is attached to the brute forcer, along with a proxy list to mask the source node (since email web services quickly detect an attack based on multiple requests from one IP address).

In the brute forcer's options, a list of keywords (usually site names) is specified - markers by which it will search for login details in the hijacked mailboxes (for example: steampowered, worldoftanks, 4game, VK). Alternatively, a specific Internet resource can be named.

When registering in an online game, social network or forum, a user, as expected, indicates his email (mailbox). The web service sends a message to the specified address with login information and a link to confirm registration. It is these letters that brute force is looking for in order to extract logins and passwords from them.

Click “START” and the cracking program begins brute force. It operates according to the following algorithm:

  1. Loads the login/password for the email from the database.
  2. Checks access, or “checks” (automatically logs in): if it is possible to log into the account, it adds one in the good column (this means another work email has been found) and begins to view it (see the following points); if there is no access, it is listed as bad.
  3. In all the “goods” (accessible mailboxes), the brute forcer scans letters according to the query specified by the hacker - that is, it looks for logins/passwords for the specified sites and payment systems.
  4. When the required data is found, it copies it and writes it into a separate file.

Thus, a massive “hijacking” of accounts occurs - from tens to hundreds. The attacker disposes of the obtained “trophies” at his own discretion - sale, exchange, data collection, theft of money.

Remote computer hacking

Brute force, in conjunction with other hacker utilities, is used to gain remote access to a password-protected victim’s PC via an Internet channel.

This type of attack consists of the following stages:

  1. A search is performed for IP networks in which the attack on user computers will be carried out. Address ranges are taken from special databases or through special programs, such as IP Geo. In it you can select IP networks for a specific district, region, and even city.
  2. Selected IP ranges and selection dictionaries are set in the settings of the Lamescan brute force (or its analogue), intended for remote brute force login/password. Once launched, Lamescan does the following:
  • makes a connection to each IP from a given range;
  • after establishing a connection, it tries to connect to the host (PC) via port 4899 (but there may be other options);
  • if the port is open: tries to gain access to the system, when prompted for a password, performs guessing; if successful, it saves the IP address of the host (computer) and login information in its database.

  3. The hacker launches the Radmin utility, designed to manage remote PCs. Sets the victim’s network coordinates (IP, login and password) and gains full control over the system - the desktop (displayed visually on the display of the attacker’s computer), file directories, settings.

Programs for brute force

A classic brute forcer, one of the very first. However, it has not lost its relevance and competes with newer solutions. It has a fast brute-force algorithm and supports all major Internet protocols - TCP/IP, POP3, HTTP, etc. It can forge cookies. It works through a dictionary and can also generate passwords itself.

Powerful brute checker. Equipped with an expanded arsenal of functions for working with databases (checking, sorting by domain). Supports various types of proxies and checks their functionality. Scans letters in mailboxes based on settings such as date, keyword, address, unread messages. Can download letters from Mail.ru and Yandex.

Appnimi Password Unlocker

A program for brute-forcing a password for a file on a local computer. A sort of workhorse. The free version of the program allows you to select passwords of no more than 5 characters. You can read about how to install and use Appnimi Password Unlocker


Brute force is an activity or software for activities associated with an attempt to hack a site, server or program by selecting passwords according to specified criteria (number of characters, range of numbers and letters, etc.).

Despite the expansion of the information security staff of corporations and large portals, news about the hacking of various servers, sites and databases and about leaks of commercial or confidential information constantly creeps into the media. An important tool in the hands of cybercriminals is the brute force method, which tries passwords and all kinds of combinations until one matches completely.

But one should not assume that brute force attacks are used only against commercial structures and military ministries to extract financial profit or disrupt the operation of defense systems. By analogy with the nuclear bomb and the “peaceful atom”, a parallel can be drawn between a hacker attack on an email account or website and recovering a forgotten password on a social network or in a Windows account. Yes, the password guessing method is also used for good purposes, when all the regular recovery options are impossible. Let's look at the main brute-force tools and briefly learn about each.

Famous brute force actions

Monthly attacks on banking structures and on various departments and ministries abroad reached Russian-language news platforms in a distorted form and were not covered much. But at the beginning of August 2013, RuNet, and more specifically the owners of websites on popular CMS, faced massive attacks on their resources. The attackers' goal was access to admin panels, and if hosting providers had not caught on in time and forced owners to restrict admin panels to specific IP addresses, the consequences could have been very dire. The pages /wp-login.php and /wp-admin were attacked; the hacked sites joined the botnet and swelled the army of attackers.

Brute force programs

The portal administration is not responsible for the illegal use by users of information about the software provided to them. The article is for informational purposes only. In addition, all programs are regarded by the operating system and antiviruses as dangerous to use, and therefore may contain malicious code.

Brutus - AET2

One of the most popular developments for cracking the password of third-party computers via the network. The program is available on the darknet, but in the public domain it is quickly blocked by search engines and network antiviruses. Installation of the application is standard, let's go straight to the settings.

In the Target window, enter the server address. In Authentication options, enter the most common user names, although the program also reads the user.txt document of the computer being hacked. Check the box next to Single user. In the Pass Mode drop-down, select Brute Force. Next - Range.

A window will pop up to set parameters; if there is any information about the contents of the password, indicate it here. This can be character length, lower case, upper case, all characters, numbers only, or letters.

[ Web ] Brute Forcer

This utility is intended for brute force of websites, and more specifically, personal account accounts on various portals. To work you need to know the following parameters:

  • personal account address (like sire.ru/wp-admin for the WordPress admin area);
  • input fields (login, password);
  • successful login indicator.

The application has a built-in password dictionary manager.

Router Brute force

The password selection method is also used in more prosaic cases - for example, to gain access to Wi-Fi. The program is developed for the Android system. There is a built-in dictionary of common passwords, which can be supplemented with downloaded modifications and additions from the Internet, or you can enter it yourself. The default value in the login field is “admin”.

Brute force for VK

Specialized forums and public social networks are teeming with messages and offers of services for hacking VKontakte pages using the selection method. All kinds of “hacker” sites offer to download a miraculous program that will select the key to any VK page in a matter of minutes. There is some truth in this - the password and login for the social network account will become known to the program developers, since the gullible user who downloaded the application will enter them in the settings window. All, absolutely all software promoted under the VKontakte hacking brand has two goals - to extract funds for the user to pay for the software, or to steal his data.

Hacking personal VKontakte pages using a brute force method was relevant until 2011, after which developers became concerned about user safety and introduced scripts that made it possible to block suspicious accounts with a large number of login attempts and bots that bypassed anti-captcha. The portal administration has the right to file a claim in court about an attempt to hack a user’s account based on the IP address from which the action was carried out.
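The server-side scripts this paragraph credits with ending brute force against VK pages work by treating login failures as state, not as isolated events. The following is an added example (not code from the article or from any social network) of such a throttle: consecutive failures per account and per source IP each impose an exponentially growing delay, and an account is locked after a fixed number of failures until it is explicitly reset. The delay parameters, the lock threshold and the simulate() helper are assumptions made for the illustration; times are plain seconds so the logic can be exercised without a real clock.

```python
from collections import defaultdict


class LoginThrottle:
    """Per-account and per-IP failure counters with exponential backoff.

    Assumed policy (not from the article): after each failure the next attempt for
    that account, and for that source IP, is delayed by base_delay * 2**(failures-1)
    seconds, capped at max_delay; after lock_after consecutive failures the account
    is locked until reset() is called (by an administrator or a password-reset flow).
    """

    def __init__(self, base_delay=1.0, max_delay=900.0, lock_after=10):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lock_after = lock_after
        self.failures = defaultdict(int)      # key -> consecutive failures
        self.not_before = defaultdict(float)  # key -> earliest allowed attempt time
        self.locked = set()

    @staticmethod
    def _keys(account, ip):
        return (("account", account), ("ip", ip))

    def check(self, account, ip, now):
        """Return (allowed, retry_after_seconds) for an attempt at time `now`."""
        if ("account", account) in self.locked:
            return False, None  # locked: no retry time, needs reset()
        wait = max(self.not_before[k] - now for k in self._keys(account, ip))
        if wait > 0:
            return False, wait
        return True, 0.0

    def record(self, account, ip, success, now):
        """Update counters after an attempt that check() allowed."""
        if success:
            # Only the account counter is cleared: a success on one account must not
            # wipe the history of an IP that is failing against many others.
            self.failures[("account", account)] = 0
            self.not_before[("account", account)] = 0.0
            return
        for k in self._keys(account, ip):
            self.failures[k] += 1
            delay = min(self.base_delay * 2 ** (self.failures[k] - 1), self.max_delay)
            self.not_before[k] = now + delay
        if self.failures[("account", account)] >= self.lock_after:
            self.locked.add(("account", account))

    def reset(self, account):
        self.locked.discard(("account", account))
        self.failures[("account", account)] = 0
        self.not_before[("account", account)] = 0.0


def simulate(attempts, throttle=None):
    """Feed (now, account, ip, password_ok) tuples; return one (allowed, retry_after) per attempt."""
    throttle = throttle or LoginThrottle()
    outcome = []
    for now, account, ip, password_ok in attempts:
        allowed, retry_after = throttle.check(account, ip, now)
        outcome.append((allowed, retry_after))
        if allowed:
            throttle.record(account, ip, password_ok, now)
    return outcome


if __name__ == "__main__":
    # Constructed scenario: repeated failures on "bob" from one address, then an
    # attempt on a different account from the same address while it is backed off.
    print(simulate([
        (0.0, "bob", "203.0.113.5", False),
        (0.5, "bob", "203.0.113.5", False),
        (2.0, "bob", "203.0.113.5", False),
        (5.0, "bob", "203.0.113.5", False),
        (7.0, "carol", "203.0.113.5", False),
    ]))
```

The two counters cover the two attack shapes: the IP counter slows a single source that walks through many accounts, and the account counter slows a proxy-rotating attacker that keeps returning to one account. Returning the same generic response whether the account exists or not, and applying the delay before the password is even checked, keeps the throttle from becoming a username oracle.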

How to protect yourself from hacking

No matter how trivial it may sound, do not disclose confidential data, even if you like the interlocutor. Set passwords a little more complex than the notorious 123456789, qwerty, dates of birth, first and last names, and other template combinations.

For scammers to intercept a login (which spares them most of the guessing work), it is enough for the victim to follow a link that carries a Trojan. Therefore, ignore links sent by dubious individuals, no matter how tempting their content may seem and no matter what benefits they promise.

Social engineering for brute

Often, to simplify the task and establish the maximum possible criteria, attackers resort to surveying a potential victim on social networks or through other messengers. The main information that the scammer extracts is the names, phone numbers, surnames, dates of birth of relatives and friends, childhood friends. All this greatly simplifies the search, reducing to a relative minimum the number of options for processing the password and login.

Is the game worth the candle?

What is brute force in modern realities? Let's be honest - all these programs offer only a theoretical solution to the problem, since in practice it is not easy even to work through all the password variants over the range 0-9, a-z, A-Z at 6 to 9 characters: the total number of combinations is 220 trillion!, and trying that many requests, even with powerful equipment and rotating IP addresses, would take more than 90 thousand years! Of course, setting criteria such as dates, names and significant events, excluding unnecessary parameters and types of combinations, connecting anti-captcha services, and running the operation across a network of many computers will significantly speed up the process, but again it does not guarantee a result and is unlikely to be worth the effort and money spent.
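The arithmetic behind the figures in this paragraph, and behind the earlier claim that 6-7 character passwords fall while 12, 15 or 20 character ones take tens or hundreds of years, is the size of the keyspace divided by the guessing rate. The following is an added example (not code from the article) that carries the calculation through for the article's 62-symbol alphabet and also estimates the keyspace of an individual password from the character classes it uses. The guessing rates are assumptions: 100 attempts per second stands for an online attack against a login form, one billion per second for offline cracking of a leaked hash; the block computes both lengths 6-8 and 6-9 so the reader can see which range the 220 trillion figure corresponds to.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
DIGITS, SPECIALS = string.digits, string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates: int, attempts_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate, in years."""
    return candidates / attempts_per_second / SECONDS_PER_YEAR


def alphabet_for(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SPECIALS):
        if any(c in cls for c in password):
            size += len(cls)
    return size


def estimate(password: str, online_rate: float = 100.0, offline_rate: float = 1e9) -> dict:
    """Keyspace and exhaust times for a password of this length and character mix.

    The rates are assumed values for illustration: an online attack limited by the
    login form versus offline guessing against a leaked fast hash.
    """
    size = alphabet_for(password)
    space = size ** len(password)
    return {
        "alphabet": size,
        "candidates": space,
        "online_years": years_to_exhaust(space, online_rate),
        "offline_years": years_to_exhaust(space, offline_rate),
    }


if __name__ == "__main__":
    for lo, hi in ((6, 8), (6, 9)):
        space = keyspace(62, lo, hi)
        print(f"62 symbols, length {lo}-{hi}: {space:,} candidates, "
              f"{years_to_exhaust(space, 100):,.0f} years at 100/s, "
              f"{years_to_exhaust(space, 1e9):.4f} years at 1e9/s")
    for pw in ("abc123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, estimate(pw))
```

The same keyspace that is hopeless online (tens of thousands of years at a few guesses per second) is a matter of days offline, which is why the server-side rate limiting discussed elsewhere on this page and the hashing scheme used for stored passwords are two separate defences, and a long passphrase is what pushes even the offline case out of reach.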

It is worth resorting to password selection only when the basis of what you are looking for is known, for example, it is some number or date, and you only need to select a combination of several numbers or letters for it. To avoid doing this manually, it is better to use automated brute force.