Tuesday, 29 November 2011

Brute Force Methods

Brute force means manual labor for your computer and, usually, lots of it. It isn't too difficult to do, but it is time consuming. What brute force methods entail is the inputting of one password after another until finally - maybe - something hopefully works. Or just until you give up and move on to a better method.

Brute force methods are usually the first and last thing a hacker does when trying to break into a system. The first time he does it, it's a half-hearted attempt. If he can guess the password right away, or after the first seventy-five or hundred attempts or so, then that's fine. After that fails it's on to trying out other angles for a while. If none of those more sophisticated ways work, then it's back to brute force for the big finish.

Brute force, after all, must work eventually. The "must" is what draws hackers to it; the "eventually" is what drives them crazy. Brute force takes a lot of time, but not much else. That time is spent in research, trial and error, and in writing special programs to hurl one password after another at the system.

Brute force is the least graceful way to fly, but since it eventually must be effective, eventually all hackers will resort to using it at one time or another. You may find yourself in a situation where you know nothing about the people who use a particular system; where common names and passwords have failed; and where no trick seems to work. In these cases, you will have to try the most brutal of all brute force approaches: you will have to write a little program that will repeatedly dial the computer system, enter a new name/password combination, and keep repeating this until something works. This could take forever.

Some hackers use a dictionary file they get from their word processing programs or off a bulletin board. This is a good idea, but only if you use it properly. Edit the dictionary file so it includes common names, each letter of the alphabet, musicians, names of cars and presidents, numbers, celebrity nicknames and other common password material. Get rid of the words like "perspectives" that just seem too weird for anyone to use as passwords.

Speaking of making things go faster for yourself, the same holds true when brute forcing non-language passwords. If you live in New York, you should begin your attack by brute forcing New York SSNs only. There are many ways to bring down the number of potential codes you have to check. The military uses what is called the TAC Access Control System (TACACS) to ensure legitimacy of usership of its network computers. The access codes that TACACS looks at are strings of alphanumeric characters - but the strings will never contain the numerals zero and one, nor the letters Q and Z. The theory behind this decision is that a user reading his or her access code off a code card can easily confuse 1s, 0s, Qs and Zs with other letters or numbers.

Once you have edited your dictionary of possible passwords to best suit your needs, or once you have determined which codes are the ones most likely to occur, you write yourself a little program in whatever language you know, to dial the modem, enter one word at a time as a password, and try, try again. And again. And again. This is a simple program to write, but if you don't have the expertise to do so, plenty of programs like this are available on BBSs.

There are some things to consider when writing the program. How many times will the computer system allow you to enter bad name/password combinations before it logs you off? Three? Eight? If it gives you three chances before saying bye-bye, make sure your program outputs exactly three name/password combos before redialing the number.

Often remote computers will accept characters as input even before the input prompt is put on the screen.

If this isn't the case with the system you're trying to get into, you'll have to put a delay loop in your program to make sure passwords are not being entered before the cursor is on the screen.

Finally, what happens when your program does manage to ferret out a workable username and password? Unless you're sitting there, monitoring the computer as it does its thing, you need some way of knowing when a brute force attempt has been successful. Otherwise your program will continue to spit out passwords, and the system operators - who by now almost certainly have noticed what is going on - will be absolutely furious! Have the program monitor text as it is sent from the remote computer. When something other than the login prompts are received, have the program flash the screen and ring the loud bell on your printer. Either that, or have it input the logoff command, and print the usable username/password on the screen for you to see when you wake up the next morning.
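The pattern the last few paragraphs describe (exactly three failed logins, hang up, redial, repeat) is also exactly what an operator's log shows, which is why the text says the operators "almost certainly have noticed". As an added example that is not part of the original post, this parses a constructed dial-in log (the line format, caller ids and event names are assumptions) and flags callers that repeatedly hit the lockout limit without ever logging in:

```python
"""Detect the lockout-limit-then-redial brute-force pattern in a dial-in log.
The log format below is constructed for this example, not a real product's."""
from collections import defaultdict

# Constructed sample log: time, caller line, event, username ('-' if none)
SAMPLE_LOG = """\
08:00:01 line03 CONNECT -
08:00:04 line03 LOGIN_FAIL joe
08:00:06 line03 LOGIN_FAIL juser
08:00:08 line03 LOGIN_FAIL joeuser
08:00:09 line03 DISCONNECT -
08:00:15 line03 CONNECT -
08:00:18 line03 LOGIN_FAIL JOE
08:00:20 line03 LOGIN_FAIL Joe
08:00:22 line03 LOGIN_FAIL joe_user
08:00:23 line03 DISCONNECT -
08:01:02 line07 CONNECT -
08:01:05 line07 LOGIN_FAIL alice
08:01:09 line07 LOGIN_OK alice
08:05:00 line07 DISCONNECT -
"""

LOCKOUT_LIMIT = 3  # bad attempts the system allows before it hangs up


def parse_sessions(log_text):
    """Group log lines into completed sessions, one dict per CONNECT..DISCONNECT."""
    sessions, open_sessions = [], {}
    for line in log_text.splitlines():
        _ts, caller, event, user = line.split()
        if event == "CONNECT":
            open_sessions[caller] = {"caller": caller, "fails": 0, "users": [], "ok": False}
        elif caller in open_sessions:
            s = open_sessions[caller]
            if event == "LOGIN_FAIL":
                s["fails"] += 1
                s["users"].append(user)
            elif event == "LOGIN_OK":
                s["ok"] = True
            elif event == "DISCONNECT":
                sessions.append(open_sessions.pop(caller))
    return sessions


def find_brute_force(sessions, min_sessions=2):
    """Return callers with >= min_sessions sessions that exhausted the lockout
    limit without a successful login, mapped to the usernames tried per session."""
    hits = defaultdict(list)
    for s in sessions:
        if s["fails"] >= LOCKOUT_LIMIT and not s["ok"]:
            hits[s["caller"]].append(sorted(set(s["users"])))
    return {caller: tries for caller, tries in hits.items() if len(tries) >= min_sessions}
```

In the sample, `line03` is reported with two exhausted sessions of name variants while `line07` (one typo, then success) is not; an operator would act on the report by disabling that line rather than waiting for the attacker's "loud bell".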

If you know Joe User works for Company X, then you can have the program run through every combination of password with usernames Joe, User, JUser, and Joe User - not to mention other varieties like joe, JOE, and joeuse. (But from your research and experimenting you should have some idea what format the username will be in, so you shouldn't have to try too many variations.) If, on the other hand, you don't know the name of anyone who works there, you'll have to either find out (i.e., look in company directories, call up and ask, look in annual reports, newspaper articles, or any of a hundred other places to find names) or try every combination of possible first names. If you must resort to trying every first name, make sure you try female and foreign names. You might want to take a trip to the library and find out what the most popular first and last names are. But remember, you don't need the current popular names - you need names that were popular and common twenty or thirty years ago, when parents were naming the people who work in the company you're trying to break into.

Certainly, it is not absolutely essential to write a program to spit out passwords. If you have the time and patience, you can sit down and enter passwords yourself. But remember that this will take even longer than the already immense amount of time it takes a computer to brute force its way in. I must emphasize that no matter how many precautions you take to eliminate excess work, brute force will almost always take an extremely long time to bring results. Therefore, it's important to do what you can to speed up the entry of passwords. If you have to redial the modem after every three passwords, make sure you're running your attack off a phone line with Touch Tone capabilities.

Also, before you begin a brute force approach, set yourself up with the highest baud modem you can possibly acquire, even if you need to borrow one from a friend. Moving just a few notches up the baud ladder makes a big difference in speed.