MITRE ATT&CK vulnerability spotlight: Brute force
The MITRE ATT&CK matrix is a tool developed by MITRE, a U.S. government federally-funded research and development center (FFRDC). It is designed to help with formalizing the development of cyber defenses and performing penetration testing by breaking down the attack life cycle into discrete stages and describing the methods by which each stage can be accomplished.
What are credential brute force attacks?
MITRE’s ATT&CK matrix describes several different stages in the attack life cycle, including credential access, where an attacker tries to steal credentials to access a system or elevate privileges. Brute-force attacks are one method of accomplishing this stage of the attack.
A brute-force attack involves taking a “guess and check” approach to determining a password. The attacker has some means of determining if a password is correct or incorrect and tries different options until they find one that works.
Password-guessing attacks fall into three main categories:
- Brute force: Try all combinations of allowable characters for a password until the correct one is found
- Dictionary: Work through a list of common or likely passwords to take advantage of weak password use
- Hybrid: Start with a dictionary attack and then move on to a brute-force attack if it fails
Different approaches to password guessing have their own pros and cons. A brute-force attack is guaranteed to find a solution, while a dictionary attack is only as good as its dictionary. On the flip side, dictionary attacks are much faster at finding common passwords than brute-force ones. As a result, most attacks are hybrid attacks, going for the low-hanging fruit first before moving on to grind through stronger passwords.
Brute-force attacks against credentials can be performed in a couple of different ways. They can be performed offline (using stolen hashes) or online (against a live authentication system).
Offline brute-force attacks are faster and subtler but also require more access by the attacker. In order to perform an offline brute-force password attack, an attacker needs access to the password hashes for one or more accounts on a system. These hashes can be collected in a variety of different ways.
Once an attacker has acquired a collection of password hashes, the complexity of breaking the passwords depends on how well they are protected. Three common mistakes can help simplify the process of brute-forcing passwords:
- Weak hash functions: Hash functions like MD5 and SHA-1 are deprecated. However, they have been shown to be used by a large number of content management systems and web application frameworks
- Misuse of salt: A salt should be a unique, random value appended to a password before hashing it. However, some organizations fail to use salts or use the same salt for the entire password database
- Insufficient iterations: By iterating the hash function multiple times between the password and the final hash, brute-force attacks can be slowed down. Using too few iterations allows passwords to be cracked more quickly
If a system has made none of these mistakes, cracking the password may be more difficult, but can still be possible. The Hashcat password cracking tool can crack an eight-character Windows NTLM password (the standard minimum length) in less than two and a half hours using a brute-force search. Since many people use weak passwords, a dictionary attack can make cracking even faster.
If an attacker doesn’t have access to password hashes, they can still crack passwords using a brute-force attack against online authentication services. Commonly-targeted services include:
- FTP (21/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- Kerberos (88/TCP)
- LDAP (389/TCP)
- MSSQL (1433/TCP)
- MySQL (3306/TCP)
- NetBIOS/SMB/Samba (139/TCP & 445/TCP)
- Oracle (1521/TCP)
- RDP/Terminal Services (3389/TCP)
- SSH (22/TCP)
- Telnet (23/TCP)
- VNC (5900/TCP)
This method is much less subtle than an offline attack and requires network access to the target. If the authentication system is properly secured, it will lock the account after a few failed login attempts.
Examples of credential brute-force attacks
An offline brute-force password attack is fairly subtle. An attacker steals a number of password hashes (which happens on a near-daily basis with data breaches) and then cracks them on a machine under their own control.
Online attacks, on the other hand, are much more visible. One example is the credential-stuffing attack against the UK Parliament in 2017. The attacker used a list of common passwords to gain access to the email accounts of the UK House of Commons. In the end, 90 of the 650 accounts were compromised since the owners were using passwords that were not in accordance with guidance from the Parliamentary Digital Service. The system did not have two-factor authentication in place and was receiving over 48,000 authentication attempts per hour from the attackers.
Detection and mitigation
The detectability of a brute-force attack against user credentials depends on the method used. If passwords are cracked offline, then the only activity visible to the target is the initial theft of the credentials. Online password attacks, on the other hand, are extremely visible, since they produce a large number of failed authentications. Monitoring for these failed authentications can help to detect an attack, and checking for successful authentications can help to determine if the attacker successfully breached the system.
In a password-spraying attack, an attacker may choose a common password and try to authenticate using it across multiple different accounts. This type of attack is designed to evade mechanisms that use thresholds of failed authentications to detect attacks. For this reason, it’s also useful to check for failed attempts across many accounts as well as for a specific account.
Brute-force attacks can also be mitigated in a few different ways. Setting a threshold-based block on an account ensures that an attacker only gets a few guesses during an online attack before being locked out. Implementing strong password policies and multi-factor authentication are good ways to both make the attack more difficult and limit the utility of the stolen credentials.
Conclusion: Protecting against brute-force attacks
Brute-force password-guessing attacks are a simple but effective way for an attacker to gain access to user credentials. The large number of data breaches in recent years has given an attacker a large collection of password hashes to crack, and the common use of weak passwords and the reuse of them across multiple accounts means that successfully cracked passwords are likely to be of value. Implementing multi-factor authentication and strong password policies can help protect against this type of attack.
- Brute Force, MITRE
- Pass the salt! Popular CMSs aren’t securing passwords properly, Naked Security
- Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs, The Register
- Private not state hackers likely to have targeted UK parliament: sources, Reuters
- Blame shoddy security for UK parliament hack, says report, ZDNet