Blog | G5 Cyber Security

Safe Brute Force Attacks

TL;DR

Brute-force attacks can easily overwhelm a server (a Denial of Service). This guide shows how to run authorized brute-force attempts responsibly by limiting the rate of requests, and which server-side controls, such as account lockouts, limit the damage. We’ll cover throttling, CAPTCHAs, and monitoring.

How to Brute Force Safely

  1. Understand the Risks: Before you start, remember that brute-forcing without permission is illegal. This guide assumes you have explicit authorization to test a system’s security (e.g., as part of a penetration test).
  2. Rate Limiting: The most important step! Limit how many requests you send per second/minute. A server can handle a few requests, but hundreds or thousands will likely trigger a block.
    • Implement in your script: Use a delay between each attempt.
    import time

    for attempt in range(10):
        # Attempt login here (e.g. one request to the login form)...
        time.sleep(5)  # Wait 5 seconds between attempts
  3. Server-side rate limiting (best): If you control the server, configure it to reject requests exceeding a certain threshold. Tools like fail2ban can automatically block IPs after too many failed login attempts.
  4. Account Lockout Policies: Configure the target system to lock accounts after a few incorrect password attempts.
    • This prevents an attacker from trying every possible password on a single account.
    • Lockout duration should be long enough to deter brute-forcing but not so long that legitimate users are inconvenienced.
  5. CAPTCHAs: Implement CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) on the login form.
    • This makes it difficult for automated scripts to submit passwords.
    • Be aware that CAPTCHAs can be bypassed, but they add a significant hurdle.
  6. Use a Proxy (Carefully): Using proxies can distribute requests across multiple IPs, making it harder to block your attacks.
    • Be cautious: Free or low-quality proxies are often unreliable and may be blacklisted.
    • Ensure the proxy provider is reputable and doesn’t log your activity.
  7. Targeted Attacks: Instead of brute-forcing all usernames, focus on likely targets.
    • Use a list of common usernames (e.g., admin, user, test).
    • Gather information about the target organization to identify potential usernames (e.g., from LinkedIn or company websites).
  8. Password Lists: Use pre-made password lists.
    • RockYou.txt is a popular, large list of commonly used passwords.
    • Combine with targeted information for better results (e.g., if the target company uses specific naming conventions).
  9. Monitoring: Continuously monitor the server’s performance and logs.
    • Look for signs of overload or suspicious activity.
    • Adjust your rate limiting as needed to avoid triggering blocks.
  10. Ethical Considerations: Always obtain explicit permission before performing any security testing, including brute-force attacks. Document all your activities and report any vulnerabilities you discover responsibly.
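Items 3, 4 and 9 above describe the server side: reject requests above a threshold, lock an account after a few failures, and watch what the login endpoint is seeing. The block below is an added example (not code from this post or from any tool it names) of such a guard in Python, run over a constructed stream of login events; the thresholds, IPs and usernames are invented demo values.

```python
from collections import defaultdict, deque

def _trim(q, now, window):
    while q and now - q[0] > window:    # drop timestamps outside the window
        q.popleft()

class LoginGuard:
    """Per-IP request throttle (item 3) plus per-account lockout (item 4)."""
    def __init__(self, ip_limit=4, ip_window=60, lock_after=3,
                 lock_window=300, lock_duration=900):   # demo thresholds, seconds
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.lock_after, self.lock_window = lock_after, lock_window
        self.lock_duration = lock_duration
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lockout expires
    def check(self, ip, user, now):         # runs before the password is verified
        hits = self.ip_hits[ip]
        _trim(hits, now, self.ip_window)
        if len(hits) >= self.ip_limit:
            return "ip_throttled"           # cheapest rejection first
        hits.append(now)
        if self.locked_until.get(user, 0) > now:
            return "account_locked"         # even a correct password is refused
        return "allowed"
    def record_failure(self, user, now):    # True when this failure starts a lockout
        fails = self.failures[user]
        _trim(fails, now, self.lock_window)
        fails.append(now)
        if len(fails) < self.lock_after:
            return False
        self.locked_until[user] = now + self.lock_duration
        fails.clear()
        return True

def run(events, guard=None):
    """Apply the guard to (timestamp, ip, user, password_correct) events."""
    guard = guard or LoginGuard()
    out = []
    for ts, ip, user, ok in events:
        v = guard.check(ip, user, ts)
        if v == "allowed":
            v = "success" if ok else ("locked_now" if guard.record_failure(user, ts) else "failed")
        out.append(v)
    return out

# Constructed sample: one IP hammering "admin", then a legitimate login elsewhere.
EVENTS = [(0, "10.0.0.5", "admin", False), (1, "10.0.0.5", "admin", False),
          (2, "10.0.0.5", "admin", False), (3, "10.0.0.5", "admin", True),
          (4, "10.0.0.5", "test", False), (30, "10.0.0.9", "alice", True)]
```

Each verdict string is also what you would write to the log, so the monitoring in item 9 can count "ip_throttled" and "locked_now" per source address instead of scanning raw failures.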