Is brute forcing a waiste of time?

Viewing 16 reply threads
  • Author
    Posts
    • #3274
      seVor
      Participant

      I am just curious how many people actually have sucess with this?  It is time consuming right? Plus I imagine that it is quite aggressive.  Any system that has logging on it should pick it up right away, of course if you are doing it ethically they should probably expect it to be in their logs. 

      hmmm..  just found my self asking this question and thought I would throw it up on here.

      Thanks!

    • #21699
      Kev
      Participant

      No not a waste of time at all. I assume you mean brute forcing in a general context. Given the proper circumstances,you might be surprised how often I have the opportunity.

    • #21700
      jason
      Participant

      In general, it’s not a waste of time. However, YMMV depending on the tools that you are using and what exactly it is that you are trying to brute force.

    • #21701
      apollo
      Participant

      brute forcing is also situation dependent.  It is something that you should probably discuss in the planning stages and make sure that it is in the scope of your pen test.  You also want to discuss during this session what types of security the network has on it so that you can know what the impact is.  Having yourself black-holed by an IPS or locking out a whole lot of accounts during your engagement wouldn’t be awesome.

    • #21702
      Michael J. Conway
      Participant

      If you can grab the shadow file and run, bruting may take some time, but you will find weak passwords quickly. This can also give you clues to settign up a custom dictionay for other systems on that network. But as others pointed out, you need to be careful about bruting over a network.

    • #21703
      vijay2
      Participant

      With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.

      Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.

      Hope this Helps

      VJ 

    • #21704
      seVor
      Participant

      Greate posts everyone!! Thanks..

      @vijay2 wrote:

      With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.

      Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.

      Hope this Helps

      VJ 

      Ya I would be affraid of the logging and locking of passwords.  Is there a more passive way to do this? 

      Or does it even matter since all this would have been discussed up front?

    • #21705
      Kev
      Participant

      @seVor wrote:

      Or does it even matter since all this would have been discussed up front?

      Thats a very important point. I always make it very clear what I will do and  the possible repercussions there might be. Sometimes this might limit you and I make that very clear also. If they limit me too much I might not even take the gig. Make everything clear and the possible problems that might result so you are totally covered. I have found those that are really concerned with security are willing to give you a lot of rope. Hopefully not enough to just hang yourself ,lol!

    • #21706
      Xen
      Participant

      I don’t ALWAYS recommend brute force.
      Yes,you will recover the password but in how much time?
      Just take this eg.
      A 5 character password would be recovered instantly if we consider only lowercase letters but if there is a combination of both uppercase and lowercase it will take 12min to recover it.
      A 7 character lowercase password will take 4 hrs. but a combination of uppercase and lowercase would devour 23 days of your life.
      A 9 character lowercase takes 4 months and a combination of uppercase and lowercase would take 178 years to crack.
      And I have not taken special characters in to consideration yet.

      So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.

    • #21707
      Michael J. Conway
      Participant

      @Xen wrote:

      So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.

      There are always rainbow tables……

    • #21708
      SynJunkie
      Participant

      Bruteforcing a waste of time?  Can anyone say “Twitter”!!!

      http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

      Syn

    • #21709
      KrisTeason
      Participant

      Hahaha, Wow I had no idea Twitter didn’t have a password policy to lock an account after so many failed attempts. This is a good example / wake up call for people to enforce strong passwords, password was happiness, come on that’s on everybody’s dictionary list.

    • #21710
      oneeyedcarmen
      Participant

      @KrisTeason wrote:

      Hahaha, Wow I had no idea Twitter didn’t have a password policy to lock an account after so many failed attempts.

      Supposedly they do now. They’ve also implemented a timeout. We’ll see.

    • #21711
      SynJunkie
      Participant

      from what i hear the timeout (i actually heard it was a capture???) acts differently depending on how you access the account, i.e the wbsite locks you out, fine you can get in using your blackberry! a little more work needs to done it would seem.

    • #21712
      ciscostu
      Participant

      If it’s good enough for Matasano, it’s good enough for me-

      http://www.matasano.com/log/1342/my-pentest-secret-password-guessing/

    • #21713
      acj
      Participant

      Actual brute forcing for getting into a system remotely or during a pen-test, I do think is a waste of time.  However, a dictionary attack against the resource (e.g. load up TSGrinder with a list of passwords and usernames) is not a waste of time.  9 times out of 10 I’ve been able to get in that way (against routers, ssh, etc).

      The only time I’ve really used brute force is when I _had_ to crack something (It was an encrypted home directory on a mac that someone locked up data before they were fired – got paid well for it to 🙂  Just my $0.02.  -AJC

    • #21714
      timmedin
      Participant

      It depends on the goal, sometimes part of the test *is* to trigger the logging and see if anyone is paying attention behind the curtain.

      Building a dictionary and using that is very handy and is a good first pass. Straight up brute forcing over the network isn’t usually effective, but it does work sometimes. Obviously it is  more effective (attempts per second) when you can hammer on it locally (e.g. file decryption).

      The nice thing with brute forcing is that it doesn’t take a lot of babysitting. You can let that thing run and monitor it for success.

Viewing 16 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?