THC Hydra is one of the oldest network password cracking tools, developed by The Hacker's Choice (THC). The idea of a brute force attack is to try every possibility, one by one, until the correct password is found. Because the MD5 algorithm is very fast to compute, unsalted MD5 password hashes are a perfect candidate for that kind of strategy. In this article, we'll look at how brute force attacks work, how to spot and prevent them, and the tools attackers use to carry them out.
A brute force attack is a popular cracking method that involves guessing usernames and passwords to gain unauthorized access to a system or sensitive data. While relatively simple, brute force methods continue to have a high success rate and, by some estimates, account for over 80% of attacks on web applications.
While some attackers still perform brute force attacks by hand, most use automated tools and scripts that work through lists of commonly used passwords to bypass authentication, or that guess valid session identifiers in order to hijack authenticated sessions. Other common targets for brute force attacks are API keys and SSH logins.
And increasingly, attackers use real user credentials obtained from data leaks, data breaches, or the dark web.
What is the purpose of a brute force attack?
The purpose of brute force attacks can range from stealing personal information and disrupting service to infecting web page visitors with malware or ransomware.
Brute force attacks can also occur in the early stages of more sophisticated cyberattacks, typically as a form of reconnaissance or initial infiltration into the first layer of security.
To launch a cyberattack, attackers first need a point of entry. Brute force techniques are a 'set and forget' way of obtaining one: the tool runs unattended until it finds credentials that work.
If the brute force attack works, attackers can use privilege escalation or abuse poor access control to gain additional access. This is why strong passwords, defense in depth, and the principle of least privilege are important parts of any cybersecurity strategy.
Additionally, brute force techniques can be used to enumerate paths on a web server, testing whether different URLs return valid pages (an exposed admin panel, a forgotten backup, an outdated component) that could then be exploited through known vulnerabilities.
What does a brute force attack look like?
It's not uncommon to get an email from a third-party vendor or service provider telling you that someone has attempted to log into your account from a random location.
When this happens, it can be an indication that you've been targeted by a brute force attack. If this happens to you, we suggest changing your password for that service immediately, and for any other service where you reused it.
Some security-conscious organizations rotate passwords on a fixed schedule to limit the damage from undetected or unreported brute force attacks. Note, however, that current NIST guidance (SP 800-63B) advises against forced periodic rotation, because it tends to produce weaker, predictable passwords; rotate when there is evidence of compromise, and rely on the detection and lockout controls described below instead.
If you suspect your organization or your users are under attack, here are some things to look for:
- Multiple failed login attempts from the same IP address
- Login attempts with multiple usernames from the same IP address
- Multiple login attempts for a single username coming from different IP addresses
- An unusual pattern in failed login attempts such as sequential alphabetical or numerical patterns
- An abnormal amount of bandwidth being used after a successful login attempt which could signal that someone is downloading sensitive data
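The first three indicators in that list can be computed directly from authentication logs. The following script is an added example, not code from the original page or from UpGuard: it parses a handful of constructed OpenSSH-style `Failed password` lines (made up for this example, not real captured logs) and flags the source IPs and usernames that cross each threshold. The thresholds are assumptions chosen for the sample data and should be tuned to your own baseline; the last two indicators (sequential guessing patterns and post-login bandwidth) need other data sources and are not covered here.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified OpenSSH syslog format.
# They are made up for this example and are not real captured logs.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:03 host sshd[101]: Failed password for admin from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:04 host sshd[101]: Failed password for invalid user test from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:05 host sshd[101]: Failed password for invalid user oracle from 203.0.113.5 port 50005 ssh2
Jan 10 10:00:06 host sshd[101]: Failed password for alice from 198.51.100.10 port 40001 ssh2
Jan 10 10:00:07 host sshd[101]: Failed password for alice from 198.51.100.11 port 40002 ssh2
Jan 10 10:00:08 host sshd[101]: Failed password for alice from 198.51.100.12 port 40003 ssh2
Jan 10 10:00:09 host sshd[101]: Failed password for alice from 198.51.100.13 port 40004 ssh2
Jan 10 10:00:10 host sshd[101]: Accepted password for bob from 192.0.2.7 port 30001 ssh2
"""

# Matches sshd's "Failed password" lines. "invalid user" appears when the
# username does not exist on the host, which is itself a spraying signal.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) tuples, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def find_indicators(log_text, fail_threshold=5, user_threshold=3, ip_threshold=3):
    """Apply three of the indicators from the list above and return the offenders.

    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    per_ip = defaultdict(int)         # failures per source IP
    users_per_ip = defaultdict(set)   # distinct usernames tried from each IP
    ips_per_user = defaultdict(set)   # distinct IPs that targeted each username
    for user, ip in parse_failures(log_text):
        per_ip[ip] += 1
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)
    return {
        # Multiple failed logins from the same IP address
        "many_failures_from_ip": sorted(ip for ip, n in per_ip.items() if n >= fail_threshold),
        # Login attempts with multiple usernames from the same IP (spraying)
        "many_users_from_ip": sorted(ip for ip, u in users_per_ip.items() if len(u) >= user_threshold),
        # One username attacked from many IPs (distributed brute force)
        "one_user_many_ips": sorted(u for u, ips in ips_per_user.items() if len(ips) >= ip_threshold),
    }


if __name__ == "__main__":
    for name, offenders in find_indicators(SAMPLE_LOG).items():
        print(f"{name}: {offenders}")
```

On the sample data, `203.0.113.5` trips both the failure-count and the multiple-usernames rules, and `alice` trips the one-user-many-IPs rule. In production you would run the same counters over a sliding time window rather than the whole file, and feed the offenders to the lockout or blocking control rather than just printing them.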
Brute force attack examples
Brute force attacks happen all the time and there are numerous high profile examples:
- Alibaba: In 2016, attackers used a database of 99 million usernames and passwords to compromise nearly 21 million accounts on Alibaba's eCommerce site TaoBao in a massive brute force attack.
- Magento: In 2018, up to 1,000 open-source accounts were affected by brute force attacks that took advantage of weak passwords to steal information and distribute malware.
- Northern Irish Parliament: In 2018, several members of the Northern Irish Parliament were victims of brute force attacks.
- Westminster Parliament: A brute force attack in 2017 led to up to 90 email accounts being compromised.
- Firefox: In 2018, it was revealed that Firefox's master password feature could be easily brute-forced.
What are the types of brute force attack?
- Simple brute force attacks: A generic type of attack that systematically enumerates every possible password without applying any underlying logic. It is typically used offline, against captured password hashes or encrypted files, where nothing limits the number of attempts.
- Dictionary attacks: This type of brute force attack uses a list of common words and previously leaked passwords instead of iterating through every combination. It improves the success rate over pure brute force password cracking but can still require a large number of attempts per target to guess the correct password.
- Hybrid brute force attacks: A hybrid attack uses both a dictionary attack and regular iterative patterns. Instead of trying all possible combinations, it will perform small modifications to words in a dictionary, such as adding special characters or changing the case of letters.
- Rainbow table attacks: A rainbow table is a precomputed table for reversing cryptographic hash functions, covering every password up to a certain length drawn from a limited character set. It trades storage for lookup time, but only works against unsalted hashes: a per-user salt makes the precomputation useless.
- Reverse brute force attack: Uses a small set of common passwords against many possible usernames (also known as password spraying). It targets a population of users rather than one account and is designed to stay below per-account lockout thresholds.
- Credential stuffing: Uses username-password combinations exposed in the biggest data breaches, data leaks, or phishing scams and tries them on multiple websites. Credential stuffing can have a good success rate as people reuse the same username and password across web applications.
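The first three attack types above differ only in how the candidate list is generated. The following script is an added example, not code from the original page or from any of the tools it names: it implements a simple brute force, a dictionary attack and a rule-based hybrid attack against constructed, unsalted MD5 hashes (made up for this example, not from any real breach), then contrasts them with the same dictionary attack against a salted PBKDF2 hash to show why salting defeats precomputation and why a slow KDF raises the cost per guess. The five-word wordlist and the mangling rules are assumptions standing in for a real list such as rockyou.txt and a real rule set.

```python
import hashlib
import itertools
import string
import time


def md5_hex(password):
    """Unsalted MD5, the fast hash the page's intro calls out as an easy target."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed stand-in for a real wordlist (assumption for this example).
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty"]

# Constructed targets: unsalted MD5 hashes of weak passwords, made up here.
TARGETS = [
    md5_hex("abc"),         # short enough for exhaustive search
    md5_hex("sunshine"),    # plain dictionary word
    md5_hex("Sunshine1!"),  # dictionary word plus a mangling rule
]


def simple_brute_force(target, charset=string.ascii_lowercase, max_len=3):
    """Simple brute force: enumerate every string up to max_len over charset."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target:
                return candidate
    return None


def dictionary_attack(target, wordlist=WORDLIST):
    """Dictionary attack: try each word from the list as-is."""
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def mangle(word):
    """Hybrid attack rules: the word plus common case and suffix variants."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "1!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def hybrid_attack(target, wordlist=WORDLIST):
    """Hybrid attack: dictionary words with mangling rules applied."""
    for word in wordlist:
        for candidate in mangle(word):
            if md5_hex(candidate) == target:
                return candidate
    return None


def crack_all(targets):
    """Cheapest strategy first, escalating only when the cheaper one fails."""
    return {
        digest: dictionary_attack(digest) or hybrid_attack(digest) or simple_brute_force(digest)
        for digest in targets
    }


# The defensive contrast: a per-user salt and a deliberately slow KDF.
def pbkdf2_hex(password, salt, iterations=600_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salted_dictionary_attack(target, salt, iterations=600_000, wordlist=WORDLIST):
    """Same dictionary attack against a salted PBKDF2 hash.

    The salt defeats precomputation (rainbow tables), so every guess must be
    recomputed per user, and each guess now costs `iterations` HMAC calls.
    """
    for word in wordlist:
        if pbkdf2_hex(word, salt, iterations) == target:
            return word
    return None


def guesses_per_second(hash_fn, n=2000):
    """Rough single-threaded throughput of hash_fn on this machine."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"candidate{i}")
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    print(crack_all(TARGETS))
    salt = b"constructed-salt"
    print("md5 guesses/s:   ", int(guesses_per_second(md5_hex)))
    print("pbkdf2 guesses/s:", int(guesses_per_second(lambda p: pbkdf2_hex(p, salt, 10_000), n=20)))
```

The throughput figures printed at the end are the point of the exercise: the dictionary attack still finds a weak password in a salted PBKDF2 store, but at a small fraction of the guess rate, and the attacker has to repeat the work for every user rather than looking each hash up in a shared table. A rainbow table attack is just the dictionary attack with the hashing moved ahead of time, which is exactly what a salt removes.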
How to prevent brute force attacks
As brute force attacks don't rely on vulnerabilities or exploits, keeping software up to date isn't enough to protect yourself. A few common methods you can use to prevent brute force attacks:
- Use strong passwords
- Restrict access to authentication URLs
- Limit login attempts
- Use CAPTCHAs
- Enforce two-factor authentication
Use strong passwords
Brute force attacks rely on reused or weak passwords. Passwords with the following characteristics resist brute force attacks:
- Unique: Avoid reusing passwords, even if they are complex passwords as websites can be compromised and passwords can be cracked. By reusing passwords, you're giving attackers an easy way to gain unauthorized access to your accounts on other websites.
- Long: All else equal, longer passwords are harder to crack than shorter passwords. With the 95 printable ASCII characters, every additional character multiplies the keyspace by 95, so a nine-character password takes significantly longer to brute force than an eight-character password, and an eight-character password takes significantly longer than a seven-character one. Once the character count is beyond a certain point, brute-forcing a properly randomized password becomes unrealistic.
- Complex: While simple passwords are easy to remember, they are also often simple to crack. We suggest using a password manager to generate robust passwords for you.
Read our guide on how to create a strong password here.
Restrict access to authentication URLs
For a brute force attack to work, it needs to be able to test the credentials against a login page. Many automated tools target the default login page URL and scan the web for victims.
For example, a brute force attack tool might scan the web for WordPress sites and navigate to /wp-login.php, WordPress' default login page.
Changing /wp-login.php to /yoursite-login can be enough to mitigate the risk of many automated attacks. Unfortunately, this won't work for more targeted attacks or if the page is linked from other parts of your site; it is obscurity rather than a security control, so treat it as a way to cut noise from opportunistic scanners, not as a substitute for the controls below.
Limit login attempts
Brute force attacks rely on being able to make many attempts against many passwords and accounts. Consider using lockout functionality to restrict the number of times an incorrect login can be tested.
A common way to do this is to temporarily block an IP address after three failed attempts, with each subsequent lockout lasting longer than the last. Lock on the target account as well as the source IP, since attackers spread their attempts across many addresses, but keep account lockouts short and escalating rather than permanent so that an attacker cannot abuse them to lock legitimate users out.
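As an added example (not code from the original page or from UpGuard), the following throttle implements the escalating lockout just described, keyed on both the source IP and the target account so that a distributed attack rotating through many addresses against one user is still stopped. The threshold of three failures, the 60-second base lockout and the one-hour cap are assumptions taken from the text; the `FakeClock` exists only so the simulation runs instantly and deterministically.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Escalating lockouts keyed on both source IP and target account.

    After `threshold` consecutive failures a key is locked for `base_lockout`
    seconds; each further lockout doubles the duration, capped at `max_lockout`.
    """

    def __init__(self, threshold=3, base_lockout=60, max_lockout=3600, clock=time.monotonic):
        self.threshold = threshold
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock                      # injectable so tests need not sleep
        self.failures = defaultdict(int)        # key -> failures since last lock or success
        self.lockout_count = defaultdict(int)   # key -> how many times it has been locked
        self.locked_until = {}                  # key -> clock time at which the lock expires

    @staticmethod
    def _keys(ip, username):
        # Lock on both dimensions: an attacker rotating IPs against one account
        # hits the account key; one IP spraying many accounts hits the IP key.
        return (("ip", ip), ("user", username.lower()))

    def lockout_remaining(self, ip, username):
        now = self.clock()
        remaining = max(self.locked_until.get(k, 0) - now for k in self._keys(ip, username))
        return max(remaining, 0)

    def is_locked(self, ip, username):
        return self.lockout_remaining(ip, username) > 0

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            self.failures[key] += 1
            if self.failures[key] >= self.threshold:
                self.lockout_count[key] += 1
                duration = min(self.base_lockout * 2 ** (self.lockout_count[key] - 1), self.max_lockout)
                self.locked_until[key] = now + duration
                self.failures[key] = 0
        # A production version would also expire lockout_count after a quiet period.

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures[key] = 0

    def attempt(self, ip, username, password_ok):
        """Gate one login attempt. The lock is checked before the password is
        verified, so a locked attacker learns nothing about the credential."""
        if self.is_locked(ip, username):
            return "locked"
        if password_ok:
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username)
        return "failed"


class FakeClock:
    """Deterministic clock so the simulation below does not really wait."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Three rounds of failures from one IP, then a second IP against the same account."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    attacker_ip, victim = "203.0.113.5", "alice"   # constructed values
    durations = []
    for round_no in range(3):
        if round_no:
            clock.advance(durations[-1] + 1)        # wait out the previous lockout
        for _ in range(throttle.threshold):
            throttle.attempt(attacker_ip, victim, password_ok=False)
        durations.append(throttle.lockout_remaining(attacker_ip, victim))
    # Distributed attack: a fresh IP against the locked account is still refused...
    new_ip_same_user = throttle.attempt("198.51.100.9", victim, password_ok=False)
    # ...while the same fresh IP against another account is judged on its own record.
    new_ip_other_user = throttle.attempt("198.51.100.9", "bob", password_ok=False)
    return durations, new_ip_same_user, new_ip_other_user


if __name__ == "__main__":
    print(simulate())
```

The simulation produces lockouts of 60, 120 and 240 seconds for the repeat offender, refuses a brand-new IP that targets the already-locked account, and still lets that IP fail normally against a different account. Because account lockouts can be weaponized to deny service, the escalation is capped and temporary; pair it with the CAPTCHA and two-factor controls below rather than relying on it alone.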
Use CAPTCHAs
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human. By using a CAPTCHA solution, you can prevent bots and automated tools from testing username and password combinations on your website by forcing them to complete a challenge before submitting the form.
reCAPTCHA is a free service provided by Google that protects websites from spam, abuse, and brute force attacks. Bear in mind that a CAPTCHA raises the cost of automation rather than eliminating it; CAPTCHA-solving services and machine-learning solvers exist, so combine it with rate limiting rather than relying on it alone.
Enforce two-factor authentication
Two-factor authentication prevents the compromise of a single authentication factor (like a password) from compromising the account. The mechanism typically works by requesting the traditional login information, then sending a confirmation to a device, usually a smartphone, such as a text, phone call, or in-app security verification screen.
Ideally, only the authorized person would have the smartphone and could then accept or reject the authentication requests as necessary. More advanced mechanisms can require biometric authentication, such as a fingerprint, which prevents lost or stolen phones from being used to falsely issue confirmations. Push-based approvals can also be worn down by repeated prompts (so-called MFA fatigue), so phishing-resistant factors such as FIDO2/WebAuthn security keys are preferable where they are available.
Popular brute force attack tools
There are a number of popular brute force attack tools:
- THC-Hydra: Runs through a large number of password combinations via simple brute force or dictionary-based attacks, and can attack more than 50 protocols and multiple operating systems.
- Aircrack-ng: A network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It runs on Linux, Windows, macOS and the BSDs, and cracks WPA/WPA2-PSK by testing a user-supplied wordlist against a captured four-way handshake.
- John the Ripper: A free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
- L0phtCrack: A password auditing and recovery application used to test passphrase strength and to recover lost Microsoft Windows passwords by using dictionary, brute-force, hybrid, and rainbow table attacks.
- Hashcat: A password recovery tool that was a proprietary codebase until it was open-sourced in 2015. Examples of Hashcat-supported hashing algorithms are Microsoft LM hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, and Cisco PIX.
- DaveGrohl: A brute force password cracker for MacOS. It supports all of the standard Mac OS X user password hashes (MD4, SHA-512 and PBKDF2) used since OS X Lion and also can extract them formatted for other popular password crackers like John the Ripper.
- Ncrack: A high-speed network authentication cracking tool from the Nmap project, built to let administrators audit password strength on network services such as SSH, RDP, FTP, Telnet and HTTP(S).
How UpGuard can prevent brute force attacks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
UpGuard BreachSight's identity breaches module searches for third-party data breaches on the open, deep, and dark web and shows you where an employee's credentials have been exposed.
If we find a match, we will add the breach name, risk, data exposed, date of breach, publish date, notification status, and number of employees exposed to your UpGuard account.
The severity of a breach depends on the type and amount of data exposed. As an example, a data breach that includes passwords could result in attackers gaining unauthorized access to your organization using the exposed credentials.
This example requires that employees reuse passwords across services, which is not uncommon.
We can also help you assess your other security controls by monitoring your organization for 70+ security controls, providing a simple, easy-to-understand cyber security rating and automatically detecting data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks.
Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.
Get a 7 day free trial of the UpGuard platform today.