What is a Brute Force Attack?

In a brute force attack, a threat actor tries to gain access to sensitive data and systems by systematically trying as many combinations of usernames and guessed passwords as possible. If successful, the actor can enter the system masquerading as the legitimate user and remain inside until they are detected. They use this time to move laterally, install back doors, gain knowledge about the system to use in future attacks, and, of course, steal data.

Brute force attacks have been around as long as there have been passwords. They not only remain popular, but are on the rise due to the shift to remote work.

Prior to the global COVID-19 pandemic, most employees worked in offices with infrastructures that were monitored by security controls. Now that so many employees are using their own devices and networks to connect to their corporate networks, attackers are focusing on remote desktop protocol (RDP) and other remote access services as attack vectors. RDP is a particularly popular way to deliver ransomware, such as Maze.

Why Hackers Use Brute Force Attacks

Attackers can use brute force attacks to steal sensitive data, spread malware, hijack systems for malicious purposes, make websites unavailable, profit from ads, reroute website traffic to commissioned ad sites, and infect sites with spyware in order to collect data to sell to advertisers.

The level of technological skill required to launch a credential stuffing attack is extremely low, as is the cost. For as little as $550, anyone with a computer can launch a credential stuffing attack.

How Does a Brute Force Attack Work?

Adversaries use automated tools to execute brute force attacks, and those lacking the skill to build their own can purchase them on the dark web in the form of malware kits. They can also purchase data such as leaked credentials that can be used as part of a credential stuffing or hybrid brute force attack. These lists may be offered as part of a package, in which the seller bundles the lists with the automated tools and other value-adds, such as management consoles.

Once the attacker sets up their tools and seeds them with the lists, if relevant, the attack begins.

Brute force attacks can be conducted with botnets. Botnets are systems of hijacked computers that provide processing power without the consent or knowledge of the legitimate user. Like the malware kits mentioned above, bot kits can also be purchased on the dark web. Last year, a botnet was used to breach SSH servers belonging to banks, medical centers, educational institutions, and others.

Brute force attacks are resource-intensive, but effective. They may also be the first part of a multi-stage attack. An example of this is explained in detail on the CrowdStrike blog, examining a case where a brute force attack was part of a multi-step exploit that enabled unauthenticated privilege escalation to full domain privileges.

Types of brute force attacks

Simple brute force attack

A simple brute force attack uses automation and scripts to guess passwords. Against a live login service, a typical attack makes a few hundred guesses per second, which is still enough to crack simple passwords, such as those lacking a mix of upper- and lowercase letters or common choices like ‘123456’ or ‘password,’ in minutes. Offline, against stolen password hashes, the rate is limited only by hardware and is orders of magnitude higher: all the way back in 2012, a researcher used a GPU cluster to test up to 350 billion NTLM password hashes per second.

Dictionary Attack

A dictionary attack tries combinations of common words and phrases. Originally, dictionary attacks used words from a dictionary as well as numbers, but today dictionary attacks also use passwords that have been leaked by earlier data breaches. These leaked passwords are available for sale on the dark web and can even be found for free on the regular web.

Dictionary software is available that substitutes similar characters to create new guesses. For example, the software will replace a lowercase “l” with a capital “I” or a lowercase “a” with an “@” sign. The software only tries the combinations its logic says are most likely to succeed.

Credential Stuffing

Over the years, more than 8.5 billion usernames and passwords have been leaked. These stolen credentials are sold between bad actors on the dark web and used in everything from spam to account takeovers.

A credential stuffing attack uses these stolen login combinations across a multitude of sites. Credential stuffing works because people tend to re-use their login names and passwords repeatedly, so if a hacker gets access to a person’s account with an electric company, there is an excellent chance those same credentials will provide access to that person’s online bank account as well.

Gaming, media, and retail businesses tend to be favorite targets, but credential stuffing attacks are commonly launched against all industries.

Reverse Brute Force Attack

In a regular brute force attack, the attacker starts with a known key, usually a username or account number. Then they use automation tools to figure out the matching password. In a reverse brute force attack, the attacker knows the password and needs to find the username or account number.

Hybrid Brute Force Attack

A hybrid brute force attack combines a dictionary attack and a brute force attack. People often tack a series of numbers – typically four – onto the end of their password. Those four numbers are usually a year that was significant to them, such as birth or graduation, and so the first number is normally a 1 or a 2.

In a hybrid brute force attack, attackers use the dictionary attack to supply the words and then brute-force only the last part, the four digits. This is more efficient than either a dictionary attack or a brute force attack alone, because the guessed space is a short word list multiplied by a few thousand suffixes rather than every possible string of the same length.
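The hybrid attack described above, carried through in code as an added example written for this page (it is illustration code, not a tool from the original article): it expands a tiny constructed word list with the character substitutions described under dictionary attacks, appends every four-digit year, and runs the candidates against one unsalted SHA-256 hash. The word list, the substitution table, the year range and the target hash are all assumptions constructed here; a real attack seeds the list with leaked passwords and targets whatever (usually salted, slow) hash the victim stores, but the enumeration is the same.

```python
import hashlib
from itertools import combinations
from typing import Iterator, Optional

# Constructed mini word list; a real hybrid attack seeds this with leaked passwords.
WORDS = ["summer", "welcome", "password", "dragon", "football"]

# Substitutions of the kind dictionary tools apply (the article's l -> I and a -> @,
# plus three more common ones). Each rule is applied all-or-nothing per candidate.
LEET = {"a": "@", "l": "I", "o": "0", "e": "3", "s": "$"}

# The brute-forced tail: four digits, assumed here to be a year.
YEARS = range(1900, 2031)


def mangle(word: str) -> set[str]:
    """Case and substitution variants of one dictionary word."""
    variants: set[str] = set()
    rules = list(LEET.items())
    for n in range(len(rules) + 1):
        for subset in combinations(rules, n):
            base = word.translate(str.maketrans(dict(subset)))
            variants.update({base, base.capitalize(), base.upper()})
    return variants


def hybrid_candidates() -> Iterator[str]:
    """Dictionary part first (the word alone), then word + every four-digit year."""
    for word in WORDS:
        for variant in sorted(mangle(word)):
            yield variant
            for year in YEARS:
                yield f"{variant}{year}"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex: str) -> Optional[str]:
    """Return the candidate whose unsalted SHA-256 matches, or None when the space is exhausted."""
    for candidate in hybrid_candidates():
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


def candidate_count() -> int:
    return sum(1 for _ in hybrid_candidates())


def exhaustive_count(length: int = 10, alphabet_size: int = 95) -> int:
    """Size of a pure brute-force space over printable ASCII, for comparison."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed target: the hash of a typical word-plus-year password.
    target = sha256_hex("Summer1998")
    print(crack(target))
    print(f"{candidate_count()} hybrid candidates vs {exhaustive_count()} for a 10-char brute force")
```

A two-digit suffix such as "summer98" is outside this candidate space and is not found, which is the trade-off a hybrid attack makes: it only covers the patterns the attacker encoded.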

Password Spraying

Traditional brute force attacks try many passwords against a single account. Password spraying takes the opposite approach: it tries one common password (a season plus the current year, for example) against many accounts, then moves on to the next password once the lockout observation window has passed. Because each account sees only one or two failures, the attack stays under lockout policies that limit the number of attempts per account, and it shows up in logs as a fan-out across users from one source rather than a pile of failures on one user. Password spraying is typically used against targets with single sign-on (SSO) and cloud-based apps that use federated authentication, where one portal authenticates every user in the organization.
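The two patterns side by side in log data, as an added example written for this page (not code from the original article): constructed key=value authentication log lines, a classifier that flags a source as brute-forcing when its failures against one account reach the lockout threshold and as spraying when it spreads failures thinly across many accounts, and a follow-up that lists accounts that then authenticated successfully from a flagged source, which is the lead a threat hunter would chase. The thresholds, the log format and the addresses are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Assumed thresholds for this example; tune them to the real directory lockout policy.
LOCKOUT_THRESHOLD = 5            # failures on one account that would trigger a lockout
SPRAY_MIN_ACCOUNTS = 8           # distinct accounts one source must fail against
WINDOW = timedelta(minutes=30)   # observation window for both patterns

# Constructed sample authentication log (key=value style, not from a real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:02 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:03 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:04 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:05 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:06 src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:10:00 src=198.51.100.22 user=amy result=FAIL
2024-03-04T09:10:01 src=198.51.100.22 user=ben result=FAIL
2024-03-04T09:10:02 src=198.51.100.22 user=cat result=FAIL
2024-03-04T09:10:03 src=198.51.100.22 user=dan result=FAIL
2024-03-04T09:10:04 src=198.51.100.22 user=eve result=FAIL
2024-03-04T09:10:05 src=198.51.100.22 user=fay result=FAIL
2024-03-04T09:10:06 src=198.51.100.22 user=gus result=FAIL
2024-03-04T09:10:07 src=198.51.100.22 user=hal result=FAIL
2024-03-04T09:10:08 src=198.51.100.22 user=ivy result=OK
2024-03-04T09:20:00 src=192.0.2.10 user=bob result=FAIL
2024-03-04T09:20:05 src=192.0.2.10 user=bob result=FAIL
2024-03-04T09:20:09 src=192.0.2.10 user=bob result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse(lines: Iterable[str]) -> list[AuthEvent]:
    """Parse the key=value lines above into events."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"] == "OK"))
    return events


def classify_sources(events: list[AuthEvent]) -> dict[str, str]:
    """Label each source IP whose failures within WINDOW fit a brute-force or spray pattern."""
    failures: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.src].append((e.ts, e.user))
    labels: dict[str, str] = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= WINDOW)
            if max(per_user.values()) >= LOCKOUT_THRESHOLD:
                labels[src] = "brute-force"      # many guesses against one account
                break
            if len(per_user) >= SPRAY_MIN_ACCOUNTS:
                labels[src] = "password-spray"   # one or two guesses each, many accounts
                break
    return labels


def compromised_accounts(events: list[AuthEvent], labels: dict[str, str]) -> list[str]:
    """Accounts that authenticated successfully from a flagged source: the hunt lead."""
    return sorted({e.user for e in events if e.success and e.src in labels})


def run_sample() -> tuple[dict[str, str], list[str]]:
    events = parse(SAMPLE_LOG.splitlines())
    labels = classify_sources(events)
    return labels, compromised_accounts(events, labels)


if __name__ == "__main__":
    print(run_sample())
```

The legitimate user bob, who mistypes twice and then logs in, is not flagged: two failures on one account from one source is below both thresholds. The spraying source never trips the per-account lockout, which is exactly why a per-account counter alone misses it and the per-source fan-out has to be counted too.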


A brute force attack is a numbers game, and it takes a lot of computing power to execute at scale. By deploying networks of hijacked computers to execute the attack algorithm, attackers can save themselves the cost and hassles of running their own systems. In addition, the use of botnets adds an extra layer of anonymity. Botnets can be used in any type of brute force attack.

Tools Used for Brute Force Attacks

Tools, many free, are available on the open internet that work against a wide variety of platforms and protocols. Here are just a few:

  • Aircrack-ng: Aircrack-ng is a free Wi-Fi security suite. It includes a WEP/WPA/WPA2-PSK cracker and analysis tools for 802.11 networks and works with any NIC that supports raw monitor mode. WPA/WPA2-PSK cracking is an offline dictionary attack against a captured four-way handshake, so it is limited only by the attacker's hardware, not by the access point.
  • DaveGrohl: DaveGrohl is a brute forcing tool for Mac OS X that supports dictionary attacks. It has a distributed mode that enables an attacker to execute attacks from multiple computers on the same password hash.
  • Hashcat: Hashcat is a free, open source password cracker that runs on GPUs as well as CPUs (via OpenCL and CUDA) and is among the fastest offline crackers available. It works on Windows, macOS, and Linux and supports many attack modes, including simple brute force (mask), dictionary, hybrid, and rule-based attacks.
  • THC Hydra: THC Hydra cracks logins on network authentication services, i.e. it is an online tool. It performs dictionary attacks against more than 30 protocols, including HTTP(S), FTP, SSH, and Telnet.
  • John the Ripper: This is a free password-cracking tool that was developed for Unix systems. It is now available for 15 other platforms, including Windows, OpenVMS, and DOS. John the Ripper automatically detects the type of hash used, so it can be run directly against hashed password stores such as /etc/shadow.
  • L0phtCrack: L0phtCrack is used in simple brute force, dictionary, hybrid, and rainbow table attacks to crack Windows passwords.
  • NL Brute: An RDP brute-forcing tool that has been available on the dark web since at least 2016.
  • Ophcrack: Ophcrack is a free, open source Windows password cracking tool. It cracks LM and NTLM hashes using rainbow tables.
  • Rainbow Crack: Rainbow Crack generates rainbow tables to use while executing an attack. Rainbow tables are pre-computed, trading storage for time, and so reduce the time required to perform an attack. They only work against unsalted hashes, which is why LM and NTLM are their usual targets; a per-password salt makes a precomputed table useless.

How to Protect Against Brute force Attacks

Use multifactor authentication

When users are required to offer more than one form of authentication, such as both a password and a fingerprint or a password and a one-time security token, a brute force attack is less likely to succeed.

Implement IT hygiene

Gain visibility into how credentials are used across the environment, and force a password change whenever a credential is suspected of compromise or turns up in a breach corpus. Mandatory rotation on a fixed schedule is no longer recommended (NIST SP 800-63B), because it pushes users toward predictable variations of the same password, which are exactly what hybrid attacks guess.

Set up policies that reject weak passwords

Length is what counts. Every extra character multiplies the search space, while composition rules (mandatory upper- and lowercase letters and special characters) mostly yield predictable substitutions such as ‘a’ to ‘@’ that dictionary tools already try, so prefer a long minimum length over complexity requirements. Screen new passwords against lists of leaked passwords and reject any match. Educate users on best password practices, such as not tacking four digits onto the end of a word, since a year beginning with 1 or 2 is the first thing a hybrid attack tries. Provide a password management tool so users are not driven back to easily-remembered passwords, and use a discovery tool that exposes default passwords on devices that haven’t been changed.

Implement proactive threat hunting

Threat hunting can expose the types of attacks that standard security measures can miss. If a brute force attack has been used to successfully enter the system, a threat hunter can detect the attack even though it’s operating under the guise of legitimate credentials.

What is Vulnerability Management?

Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Implemented alongside other security tactics, it is vital for organizations to prioritize possible threats and minimize their attack surface.

Security vulnerabilities, in turn, are technological weaknesses that allow attackers to compromise a product and the information it holds. Vulnerability management needs to be performed continuously in order to keep up with new systems being added to networks, changes made to existing systems, and the discovery of new vulnerabilities over time.

Vulnerability management software can help automate this process. Such tools use a vulnerability scanner, and sometimes endpoint agents, to inventory the systems on a network and find vulnerabilities on them. Once vulnerabilities are identified, the risk they pose needs to be evaluated in context so decisions can be made about how best to treat them. For example, vulnerability validation (confirming that a reported vulnerability is really exploitable) is an effective way to establish the real severity of a finding.

What is the difference between Vulnerability Management and Vulnerability Assessment?

Generally, a vulnerability assessment is one part of a complete vulnerability management program: a point-in-time scan and analysis of a set of systems. Organizations run vulnerability assessments repeatedly, and the results feed their ongoing vulnerability management action plan.

The vulnerability management process can be broken down into the following four steps:

  1.  Identifying Vulnerabilities
  2.  Evaluating Vulnerabilities
  3.  Treating Vulnerabilities
  4.  Reporting Vulnerabilities 

Step 1: Identifying Vulnerabilities

At the heart of a typical vulnerability management solution is a vulnerability scanner. The scan consists of four stages:

  1. Scan network-accessible systems by pinging them or sending them TCP/UDP packets
  2. Identify open ports and services running on scanned systems
  3. If possible, remotely log in to systems to gather detailed system information
  4. Correlate system information with known vulnerabilities

Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers, databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed software, user accounts, file system structure, system configurations, and more. This information is then used to associate known vulnerabilities to scanned systems. In order to perform this association, vulnerability scanners will use a vulnerability database that contains a list of publicly known vulnerabilities.

Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can sometimes disrupt the networks and systems that they scan. If available network bandwidth becomes very limited during an organization’s peak hours, then vulnerability scans should be scheduled to run during off hours.

If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans, or the scans may need to be tuned to be less disruptive. Adaptive scanning is a newer approach that further automates and streamlines vulnerability scans based on changes in a network. For example, when a new system connects to a network for the first time, a vulnerability scanner scans just that system as soon as possible instead of waiting for the next weekly or monthly scan of the entire network.

Vulnerability scanners aren’t the only way to gather system vulnerability data anymore, though. Endpoint agents allow vulnerability management solutions to continuously gather vulnerability data from systems without performing network scans. This keeps vulnerability data up to date whether an employee’s laptop is on the corporate network or on a home network.

Regardless of how a vulnerability management solution gathers this data, it can be used to create reports, metrics, and dashboards for a variety of audiences.

Step 2: Evaluating Vulnerabilities

After vulnerabilities are identified, they need to be evaluated so the risks posed by them are dealt with appropriately and in accordance with an organization’s risk management strategy. Vulnerability management solutions will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should focus on first, but the true risk posed by any given vulnerability depends on some other factors beyond these out-of-the-box risk ratings and scores.

Here are some examples of additional factors to consider when evaluating vulnerabilities:

  • Is this vulnerability a true or false positive?
  • Could someone directly exploit this vulnerability from the Internet?
  • How difficult is it to exploit this vulnerability?
  • Is there known, published exploit code for this vulnerability?
  • What would be the impact to the business if this vulnerability were exploited?
  • Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
  • How old is the vulnerability/how long has it been on the network?

Like any security tool, vulnerability scanners aren’t perfect. Their false-positive rates, while low, are still greater than zero. Performing vulnerability validation with penetration testing tools and techniques weeds out false positives so organizations can focus their attention on real vulnerabilities. The results of vulnerability validation exercises or full-blown penetration tests are often an eye-opening experience for organizations that thought they were secure enough or that a given vulnerability wasn’t that risky.

Step 3: Treating Vulnerabilities

Once a vulnerability has been validated and deemed a risk, the next step is deciding, together with the business and system owners, how to treat it. There are different ways to treat vulnerabilities, including:

  • Remediation: Fully fixing or patching a vulnerability so it can’t be exploited. This is the ideal treatment option that organizations strive for.
  • Mitigation: Lessening the likelihood and/or impact of a vulnerability being exploited. This is sometimes necessary when a proper fix or patch isn’t yet available for an identified vulnerability. This option should ideally be used to buy time for an organization to eventually remediate a vulnerability.
  • Acceptance: Taking no action to fix or otherwise lessen the likelihood/impact of a vulnerability being exploited. This is typically justified when a vulnerability is deemed a low risk, and the cost of fixing the vulnerability is substantially greater than the cost incurred by an organization if the vulnerability were to be exploited.

Vulnerability management solutions provide recommended remediation techniques for vulnerabilities.  Occasionally a remediation recommendation isn’t the optimal way to remediate a vulnerability; in those cases, the right remediation approach needs to be determined by an organization’s security team, system owners, and system administrators. Remediation can be as simple as applying a readily-available software patch or as complex as replacing a fleet of physical servers across an organization’s network.

When remediation activities are completed, it’s best to run another vulnerability scan to confirm that the vulnerability has been fully resolved.

However, not all vulnerabilities need to be fixed. For example, if an organization’s vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their computers, but they completely disabled Adobe Flash Player from being used in web browsers and other client applications, then those vulnerabilities could be considered sufficiently mitigated by a compensating control.

Step 4: Reporting vulnerabilities

Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability management solutions typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards. Not only does this help IT teams easily understand which remediation techniques will fix the most vulnerabilities with the least effort, and help security teams monitor vulnerability trends over time in different parts of their network, but it also supports organizations’ compliance and regulatory requirements.
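Steps 1 through 4 carried through in code, as an added example written for this page (not a vendor's product or the original article's code): a constructed inventory of the kind a scanner or agent reports, a constructed vulnerability feed with placeholder EX- identifiers (not real CVE numbers), correlation of inventory against the feed by product and version (step 1, the fourth scan stage described above), a contextual risk score that adjusts the feed's CVSS base score for Internet exposure, published exploit code and compensating controls (step 2), a treatment decision following the remediate/mitigate/accept options (step 3), and a per-treatment count for reporting (step 4). The weights, thresholds, versions and the control names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventoried system, as a scanner or endpoint agent would report it."""
    host: str
    product: str
    version: str
    internet_facing: bool
    controls: frozenset = frozenset()          # compensating controls already in place


@dataclass(frozen=True)
class Vuln:
    """One entry of the vulnerability feed the scanner correlates against."""
    vuln_id: str                               # placeholder IDs below, not real CVEs
    product: str
    affected_below: str                        # versions strictly below this are affected
    cvss: float                                # out-of-the-box base score from the feed
    public_exploit: bool
    patch_available: bool
    neutralised_by: frozenset = frozenset()    # controls that make it unexploitable


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln: Vuln
    risk: float
    treatment: str


# Constructed inventory and feed for this example.
INVENTORY = [
    Asset("web01", "httpd", "2.4.49", internet_facing=True),
    Asset("db01", "httpd", "2.4.52", internet_facing=False),
    Asset("ws07", "flash", "32.0.0.371", internet_facing=False,
          controls=frozenset({"flash-disabled-in-browsers"})),
]
VULN_DB = [
    Vuln("EX-0001", "httpd", affected_below="2.4.51", cvss=9.8, public_exploit=True, patch_available=True),
    Vuln("EX-0002", "httpd", affected_below="2.4.53", cvss=3.7, public_exploit=False, patch_available=True),
    Vuln("EX-0003", "flash", affected_below="99", cvss=8.8, public_exploit=True, patch_available=False,
         neutralised_by=frozenset({"flash-disabled-in-browsers"})),
]


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def identify(inventory: list[Asset], db: list[Vuln]) -> list[tuple[Asset, Vuln]]:
    """Step 1: correlate each asset's product and version with the feed."""
    return [(a, v) for a in inventory for v in db
            if a.product == v.product and version_tuple(a.version) < version_tuple(v.affected_below)]


def contextual_risk(asset: Asset, vuln: Vuln) -> float:
    """Step 2: adjust the base score for the context questions listed above."""
    if vuln.neutralised_by & asset.controls:
        return 0.0                             # a compensating control already covers it
    risk = vuln.cvss
    if asset.internet_facing:
        risk += 1.5                            # directly exploitable from the Internet
    if vuln.public_exploit:
        risk += 1.5                            # published exploit code exists
    return round(min(risk, 10.0), 1)


def choose_treatment(asset: Asset, vuln: Vuln, risk: float) -> str:
    """Step 3: remediate, mitigate or accept, following the rules described above."""
    if vuln.neutralised_by & asset.controls:
        return "accept (compensating control)"
    if risk < 4.0:
        return "accept (low risk)"
    if vuln.patch_available:
        return "remediate (patch available)"
    return "mitigate (no patch yet; reduce exposure until one exists)"


def assess(inventory: list[Asset] = INVENTORY, db: list[Vuln] = VULN_DB) -> list[Finding]:
    findings = []
    for asset, vuln in identify(inventory, db):
        risk = contextual_risk(asset, vuln)
        findings.append(Finding(asset, vuln, risk, choose_treatment(asset, vuln, risk)))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def report(findings: list[Finding]) -> dict[str, int]:
    """Step 4: findings per treatment class, the figure a trend dashboard would plot."""
    counts: dict[str, int] = {}
    for f in findings:
        key = f.treatment.split(" ")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    fs = assess()
    for f in fs:
        print(f"{f.asset.host:6} {f.vuln.vuln_id} cvss={f.vuln.cvss} risk={f.risk} -> {f.treatment}")
    print(report(fs))
```

Two points the scores make visible: the same low-severity finding (EX-0002) is remediated on the Internet-facing web server but accepted on the internal database server, and the high-CVSS Flash finding drops to zero risk because the workstation already has Flash disabled, the compensating-control case described above. Re-running assess() after patching is the confirmation scan the treatment step calls for.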


Staying Ahead of Attackers through Vulnerability Management

Threats and attackers are constantly changing, just as organizations are constantly adding new mobile devices, cloud services, networks, and applications to their environments. With every change comes the risk that a new hole has been opened in your network, allowing attackers to slip in and walk out with your crown jewels.

Every time you get a new affiliate partner, employee, client or customer, you open up your organization to new opportunities, but you’re also exposing it to new threats. Protecting your organization from these threats requires a vulnerability management solution that can keep up with and adapt to all of these changes. Without that, attackers will always be one step ahead.

