A brute-force attack guesses a username and password by trying combinations of letters, numbers, and other characters, either exhaustively or from a word list. Each guess is a separate access attempt, so the attack consists of a long series of login attempts submitted automatically. Brute-force tools are designed to grind away at a login service, or at an offline copy of a password file, by submitting candidate usernames and passwords one after another.
A brute-force attack requires the server to keep answering every attempt. Depending on the speed of the systems involved and the network between them, thousands of attempts can be made per minute. It is a rather unsophisticated approach: simply try everything, whether from a dictionary file or by enumerating the whole space of possible values, with repeated login attempts until one succeeds. Captured traffic from a sniffer may supply usernames or password hashes to attack offline, but the attack itself is nothing more than repeated guessing.
An example of a brute-force attack against encryption is the recovery of a key by trying every possible value until one decrypts the message correctly. Suppose a hacker responds to a challenge to decrypt a single message that has been encrypted with the RC4 algorithm, a symmetric stream cipher, under a short key.
To recover the key, the hacker resorts to sophisticated and extensive measures: 120 workstations clustered together, two supercomputers, and computing time from three major research centres. Even with all this equipment, it takes eight days to find the key. For breaking a message's encryption, eight days is a rather short time. Note that the attack says nothing about a weakness in RC4 itself; the cost of an exhaustive search is set by the key length, and it doubles with every additional key bit.
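The search described above, scaled down so that it runs in seconds, as an added example that is not part of the original text: a pure-Python RC4 with a deliberately tiny 16-bit key, a known plaintext/ciphertext pair, and an exhaustive search that stops when decryption reproduces the plaintext. The key, plaintext, key size and attempt rate are constructed for the demonstration; the RC4 implementation follows the standard KSA/PRGA description.

```python
# Added example (not part of the original text): exhaustive key search against
# RC4 with a deliberately tiny 16-bit key, so the search finishes in seconds.
# The attacker holds a ciphertext and the matching plaintext and tries every key
# until decryption reproduces the plaintext. Key, plaintext and key size are
# constructed for the demonstration.
import itertools


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def brute_force_rc4(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key of `key_bits` bits in order; return (key, attempts) or (None, attempts).

    The known plaintext must be long enough that only one key can produce it;
    for a 16-bit key and a 16-byte plaintext a false match is astronomically unlikely.
    """
    if key_bits % 8:
        raise ValueError("key_bits must be a multiple of 8 for this demonstration")
    attempts = 0
    for candidate in itertools.product(range(256), repeat=key_bits // 8):
        attempts += 1
        key = bytes(candidate)
        if rc4(key, ciphertext) == known_plaintext:
            return key, attempts
    return None, attempts


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average-case cost of exhaustive search: half the key space at a given rate."""
    return 2 ** (key_bits - 1) / keys_per_second


if __name__ == "__main__":
    secret_key = b"\x13\x37"                       # constructed 16-bit key
    plaintext = b"attack at dawn!!"                # constructed known plaintext
    ciphertext = rc4(secret_key, plaintext)
    found, attempts = brute_force_rc4(ciphertext, plaintext, 16)
    print(f"recovered key {found.hex()} after {attempts} attempts")
    # Each extra key bit doubles the work: a 40-bit key at one million keys/s
    # takes about six days on average, a 41-bit key about twelve.
    print(f"40-bit key at 1e6 keys/s: {expected_seconds(40, 1e6) / 86400:.1f} days")
```

The search walks the key space in order, so the work depends on where the real key sits; the `expected_seconds` helper uses the average case (half the space), which is the figure to compare across key lengths. With a 40-bit key the same loop would need roughly 2^39 trials on average, which is why the challenge in the text took a cluster and eight days rather than a laptop and a minute.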
Applications such as grinder and authforce are designed to conduct brute-force attacks against Windows 2000 systems and Apache servers, respectively, and many others exist. Brute-force attacks against well-configured systems require a great deal of time, and they are often a sign of either desperation or great determination.
Many systems, however, are exposed to such attacks mainly because of inadequate security settings and policies: short or dictionary passwords, no rate limiting, and no monitoring of failed logins. Brute-force attacks are often easy to detect because they involve many repeated login attempts against the same account or from the same source, and account lockout after a set number of failures can be enabled as a strategy to defeat them. Lockout has two practical caveats. An attacker who can trigger it can lock legitimate users out of their own accounts, turning the control into a denial of service, and an attacker who spreads a few guesses across many accounts (password spraying) stays under the per-account threshold, so failed logins should also be counted per source address.
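The detection and lockout logic described above, run over a few constructed log lines, as an added example that is not part of the original text. It counts failures per account inside a sliding window (the lockout trigger), counts distinct accounts attacked per source address (the spraying case that per-account lockout misses), and flags a successful login on an account that should still be locked. The sshd-style line format, thresholds, addresses and account names are assumptions made for this demonstration, not real log data.

```python
# Added example (not part of the original text): detection of brute-force
# logins over constructed, sshd-style log lines, with a per-account lockout and
# a per-source check that catches an attacker who spreads guesses over many
# accounts to stay under the lockout threshold. The log format, thresholds and
# addresses are assumptions made for this demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): 203.0.113.5 hammers one account,
# 203.0.113.9 tries one password against five accounts, 198.51.100.7 is noise.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:02 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:06 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T10:00:07 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:00:08 sshd: Failed password for carol from 203.0.113.9
2024-03-01T10:00:09 sshd: Failed password for dave from 203.0.113.9
2024-03-01T10:00:10 sshd: Failed password for erin from 203.0.113.9
2024-03-01T10:00:11 sshd: Failed password for frank from 203.0.113.9
2024-03-01T10:30:00 sshd: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Return (timestamp, failed, user, ip) for every line that matches LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["result"] == "Failed", m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=10),
           lockout=timedelta(minutes=15)):
    """Walk events in time order and return three findings.

    locked:     user -> time the account reached `threshold` failures in `window`
    spraying:   ip -> time the source failed against `threshold` distinct users
    after_lock: (user, ip, time) for successful logins while the account should
                still be locked, i.e. lockout is configured but not enforced
    """
    user_fails = defaultdict(deque)   # user -> recent failure timestamps
    ip_fails = defaultdict(deque)     # ip -> recent (timestamp, user) failures
    locked, spraying, after_lock = {}, {}, []
    for ts, failed, user, ip in events:
        if not failed:
            if user in locked and ts - locked[user] < lockout:
                after_lock.append((user, ip, ts))
            continue
        q = user_fails[user]
        q.append(ts)
        while ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked[user] = ts
        q = ip_fails[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= threshold and ip not in spraying:
            spraying[ip] = ts
    return locked, spraying, after_lock


if __name__ == "__main__":
    locked, spraying, after_lock = detect(parse(SAMPLE_LOG))
    for user, ts in locked.items():
        print(f"lock account {user}: {ts.isoformat()}")
    for ip, ts in spraying.items():
        print(f"password spraying from {ip}: {ts.isoformat()}")
    for user, ip, ts in after_lock:
        print(f"login for {user} from {ip} while locked: {ts.isoformat()}")
```

The per-account deque is what an account-lockout policy implements; the per-source deque is the extra check the text's caveat calls for, since 203.0.113.9 never fails twice against the same account and would otherwise go unnoticed. The bob failure at 10:30 falls outside the ten-minute window and is correctly ignored, and the accepted login for alice one second after her fifth failure is reported because it means the lockout was not actually applied.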