Have you ever forgotten your pin for your baggage then search on Youtube? Generally they advice "set everything to 000, try to click the lock, turn to 001, try to click the lock again, keep doing this until 009, then try 010, try to click the lock, turn to 011, try to click the lock again, keep doing this until 019, then try 020, repeat and eventually you will open the lock". Wait a minute isn't the same as trying every combination from 000-999? That is just brute force! What a spin around just to get views!
Story aside, in this article I will introduce you to a simple demonstration of brute forcing a password using Hydra on Linux. This is no advance tutorial but only to give people who never heard of brute force illustration. I can define password brute forcing in just one sentence which is trying every single character combination to crack a password.
As a human is a heavy labor, which is why we create programs to do them for us. The application or programming concept is actually simple.
- Generate a dictionary of possible combinations.
- Inject those combinations in account login interfaces.
The previous two steps are the basics and enough to run as an application. The next steps are the complicated ones because system nowadays became smarter in detecting and handling brute force. For example, you have limited tries and the account will be lock for certain duration or even permanent or you can be blacklisted. Like the cat and mouse game, the brute force application must be adapted every time to the existing defense system. As I wrote that this article is simple demonstration only, so I will not dive into these complicated and adaptive parts.
It was a long time ago before 2015 that I was interested in penetration testing tools and operating systems. Back then I was using Backtrack, now it is Kali Linux, then there is Parrot OS. Back then I wrote an article about brute force demonstration using Hydra tool which was eventually lost. Now, I found the screenshot backups and decided to rewrote again. The demonstration is brute forcing my own test server where I activated telnet service for login. The brute force is on both username and password.
Beyond this is at your own risk if targeting other's server because it will be count as a hacking attempt. Get permission for penetration testing or do only on your own servers.
If you follow the process completely you will realize how resource consuming it is to perform a brute force. Which is why among all exploitation method, brute force is the last resort. A dictionary can size to over many gigabytes and to try all of the combinations, you need a fast network and computing power. Lastly, now you now that accounts can be brute forced, it is important to have a strong password.