Friday, September 18, 2009

Brute Force Password Cracking

The BackTrack Live CD I recently used in conjunction with a WEP proof-of-concept attack also comes with several SSH brute force password cracking tools. This reminded me of a previous brute force attack against my systems. One dark night in a data centre, a colleague and I were upgrading the hardware in a firewall cluster. We connected the systems to the internet, powered on, and opened a terminal session. Within 5 minutes the terminal was flooded by failed logon attempts, which was most surprising as SSH had not previously been enabled at the IP address in question. Fortunately for us, we had already configured the hardware offline and had changed the default password.

A review of the firewall logs indicated that our entire IP range had been scanned for open SSH ports and that, once one was found, a brute force attack was launched. Further investigation suggested that the attack wasn’t specifically targeted at our firewall but was rather a speculative attempt to penetrate systems across a large IP address range. No doubt a successful authentication would have resulted in further exploitation.
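The kind of log review described above can be automated. The following is an added example, not code from the original post: it parses the standard OpenSSH "Failed password" message format, groups failures by source address, and flags any source that produces a burst of failures within a short window. The log lines are constructed for illustration, and the threshold and window values are my own assumptions.

```python
"""Spot a speculative SSH brute-force sweep in sshd auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post). A real sweep looks
# like this: one source, many failures, generic account names, seconds apart.
SAMPLE_LOG = """\
Sep 18 01:02:03 fw1 sshd[4012]: Failed password for root from 198.51.100.7 port 51012 ssh2
Sep 18 01:02:04 fw1 sshd[4012]: Failed password for root from 198.51.100.7 port 51013 ssh2
Sep 18 01:02:05 fw1 sshd[4013]: Failed password for invalid user admin from 198.51.100.7 port 51014 ssh2
Sep 18 01:02:05 fw1 sshd[4014]: Failed password for invalid user oracle from 198.51.100.7 port 51015 ssh2
Sep 18 01:02:06 fw1 sshd[4015]: Failed password for invalid user test from 198.51.100.7 port 51016 ssh2
Sep 18 01:02:07 fw1 sshd[4016]: Failed password for invalid user guest from 198.51.100.7 port 51017 ssh2
Sep 18 01:02:09 fw1 sshd[4017]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
Sep 18 01:05:40 fw1 sshd[4020]: Failed password for ops from 192.0.2.10 port 40002 ssh2
"""

# OpenSSH logs "invalid user" when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    Syslog lines carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: {"attempts": n, "users": [...]}} for every source
    that produced `threshold` or more failures inside any `window_seconds`
    span. The list of usernames tried shows whether the attempt was
    speculative (root, admin, test, ...) or aimed at a real account."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # left edge of a sliding time window over the sorted events
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, accounts tried: {info['users']}")
```

On the sample above only 198.51.100.7 is reported; the single failure from 192.0.2.10 (a user mistyping a password) never reaches the threshold, which is the distinction a lockout or alerting rule needs to make.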

There are several ways to protect against a brute force attack. The most obvious is to have some kind of account lockout, i.e. refuse logon attempts after a certain number of consecutive failures. However, this opens the door to a denial of service attack, where an attacker deliberately locks out the account to prevent a legitimate user logging on. A slightly more sophisticated method is tarpitting, where each failed logon increases the delay before a subsequent logon attempt will be accepted.
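To make the trade-off between the two approaches concrete, here is an added example (my own code, not from the original post) that models both policies with an injected clock and measures two things: how long an attacker needs to submit a run of wrong passwords, and how long the real account owner is kept out once an attacker has burned some failures against the account. The thresholds (5 failures, 15-minute lock, 1-second base delay doubling up to 60 seconds) are assumptions chosen for illustration.

```python
"""Account lockout versus tarpitting under a simulated clock (added example)."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Refuse logons to an account for lock_seconds after max_failures
    consecutive failures (the account lockout described above)."""
    max_failures: int = 5
    lock_seconds: float = 900.0
    _failures: dict = field(default_factory=dict)      # account -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # account -> clock time

    def wait_seconds(self, account: str, now: float) -> float:
        """Seconds until the account accepts another attempt (0.0 = right now)."""
        return max(0.0, self._locked_until.get(account, 0.0) - now)

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures[account] = 0
            return
        n = self._failures.get(account, 0) + 1
        if n >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            n = 0
        self._failures[account] = n


@dataclass
class TarpitPolicy:
    """Double the enforced delay after every consecutive failure, capped,
    so failures cost time rather than denying the account outright."""
    base_seconds: float = 1.0
    cap_seconds: float = 60.0
    _failures: dict = field(default_factory=dict)
    _next_allowed: dict = field(default_factory=dict)

    def wait_seconds(self, account: str, now: float) -> float:
        return max(0.0, self._next_allowed.get(account, 0.0) - now)

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures[account] = 0
            self._next_allowed[account] = now
            return
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        delay = min(self.cap_seconds, self.base_seconds * 2 ** (n - 1))
        self._next_allowed[account] = now + delay


def attacker_time(policy_factory, guesses: int, account: str = "admin") -> float:
    """Clock time an attacker needs to submit `guesses` wrong passwords,
    waiting exactly as long as the policy demands between attempts."""
    policy = policy_factory()
    now = 0.0
    for _ in range(guesses):
        now += policy.wait_seconds(account, now)
        policy.record(account, False, now)
    return now


def legit_user_wait(policy_factory, attacker_failures: int, account: str = "admin") -> float:
    """How long the real owner is kept out immediately after an attacker has
    burned `attacker_failures` wrong guesses against the same account."""
    policy = policy_factory()
    now = 0.0
    for _ in range(attacker_failures):
        now += policy.wait_seconds(account, now)
        policy.record(account, False, now)
    return policy.wait_seconds(account, now)


if __name__ == "__main__":
    for name, factory in (("lockout", LockoutPolicy), ("tarpit", TarpitPolicy)):
        print(f"{name}: 20 guesses take {attacker_time(factory, 20):.0f}s; "
              f"owner locked out for {legit_user_wait(factory, 5):.0f}s after 5 attacker failures")
```

With these parameters, lockout keeps the attacker to 20 guesses in 45 minutes but also shuts the real owner out for 15 minutes after just five hostile attempts; the tarpit slows the same 20 guesses to about 14 minutes while the owner waits at most the capped delay. Both policies here are keyed by account, which is what makes the lockout variant abusable; keying the delay by source address instead is a common refinement.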

As ever, strong passwords are a must for protecting against brute force attacks. Last Bit have an interesting calculator to allow you to estimate the maximum time it would take to crack your password.

Perhaps the simplest but most effective method of protection is to rename default accounts, especially administrator and root. A speculative brute force attack will almost certainly target a generic account name and so can be beaten whatever the strength of the password.
