Brute force sounds great, considering it will eventually discover the password.
But what are the weaknesses of this attack? Why doesn't every hacker just use the brute force method initially? There are a few reasons to use brute force as a last resort, and I will discuss them here.
[Time]
Brute force attacks cycle through every possible combination, going from a single character up to N characters long and switching between alphanumerics and symbols.
How long do you think this will take? One of the major caveats of a brute force attack is the TIME it takes to actually find the password.
If the password is poorly chosen by the user, then it could take a couple of minutes to maybe a couple of hours.
How about a long password with a combination of upper case letters, numbers and symbols? This could take days, or even years, before the combination is reached.
It is likely the attacker does not want to wait more than a day, or a week at most, while brute forcing.
[Block]
Another drawback of a brute force attack is that many administrators often BLOCK them.
They usually set a lockout policy that triggers when a brute force attack has been detected, which is pretty obvious if they see many concurrent connections from a single IP failing to log in to the system.
Although this can be used as a good DoS (Denial of Service) attack by locking users out of their accounts, generally during a pentest, we do not want to lock users out of their work environment.
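The detection side of the lockout policy described above, as an added example that is not part of the original post: it counts failed logins in a sliding window, grouped either by source IP (what an administrator blocks) or by account (what a lockout policy locks). The log format, the threshold of 5 failures in 60 seconds, and the name `failure_bursts` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "time result user source_ip" format is an assumption.
SAMPLE_LOG = """\
2024-01-01T09:00:00 FAIL alice 203.0.113.7
2024-01-01T09:00:05 FAIL alice 203.0.113.7
2024-01-01T09:00:10 FAIL alice 203.0.113.7
2024-01-01T09:00:12 FAIL carol 198.51.100.20
2024-01-01T09:00:15 FAIL alice 203.0.113.7
2024-01-01T09:00:20 OK carol 198.51.100.20
2024-01-01T09:00:21 FAIL bob 203.0.113.7
2024-01-01T09:00:25 FAIL alice 203.0.113.7
"""

FIELDS = {"user": 2, "ip": 3}  # column index of each grouping key


def failure_bursts(log_text, key, threshold=5, window=timedelta(seconds=60)):
    """Return {value: time the threshold was first reached} for failed logins
    grouped by `key` ("ip" or "user") inside a sliding time window.
    Assumes log lines are in chronological order."""
    recent = defaultdict(deque)    # key value -> timestamps of recent failures
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue               # skip malformed lines and successful logins
        ts = datetime.fromisoformat(parts[0])
        value = parts[FIELDS[key]]
        q = recent[value]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.setdefault(value, ts)  # keep only the first time it tripped
    return hits


if __name__ == "__main__":
    for ip, ts in failure_bursts(SAMPLE_LOG, "ip").items():
        print(f"block source {ip} (threshold reached {ts.time()})")
    for user, ts in failure_bursts(SAMPLE_LOG, "user").items():
        print(f"account {user} would lock at {ts.time()}")
```

In this sample the source IP reaches the threshold at 09:00:21, before the account `alice` would lock at 09:00:25, so blocking by source first stops the guessing without locking the user out.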