Many users reuse the same password across multiple accounts, so a single leaked credential often unlocks more than one service. To brute force a username or password, a threat actor tries a series of common or weak password combinations against the target. Login credentials, and the usernames worth targeting, may also be discovered through network reconnaissance, user enumeration, or collection from an insider threat.
Brute force attacks on usernames or passwords rely on automated tools, or occasionally a patient human attacker, to submit a large number of guesses. These tools work much like offline password crackers: a wordlist of thousands or even millions of candidate passwords is tried against each account. The attack is frequently run against a list of likely account names (such as admin, root, or test) rather than usernames already known to be valid, because common service and administrative accounts exist on a large share of systems.
Brute forcing user accounts is rarely a manual process; the attacker assembles a large list of usernames and candidate passwords and tests each pair as credentials against the target system. The response to each attempt is recorded, both to catch a successful login and to learn whether the username is valid, since many systems answer differently for unknown accounts. The exhaustive search that tries every username against every possible password is the simplest form of the attack, but because its cost grows exponentially with password length, attackers usually prefer dictionary and pattern-based guessing and fall back to exhaustive search only for short passwords.
If harvesting credentials in bulk is more of a concern than cracking individual accounts, the attacker can use other resources on the network to obtain usernames and passwords. A common method is password sniffing: a sniffer, whether a hardware tap or software on a compromised host, is configured to capture authentication traffic crossing the network and extract the username and password from it. Placing this capability in an environment allows a threat actor to collect credentials passively as users log in, which is far quieter than active guessing; it works whenever credentials travel in cleartext or in a form that can be cracked offline.
Brute force attacks on user accounts take advantage of the way people choose passwords. Passwords are often composed of a mixture of letters, numbers, and symbols, but repeated patterns, short length, or predictable choices make them far easier to guess. A brute-force attack aims to try a large number of username and password combinations without being detected, which is why account lockout, rate limiting, and monitoring of failed logins are the standard defenses.
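The two guessing patterns described above (many passwords against one account, or one common password against many account names) leave different fingerprints in authentication logs, and spotting them is how the "without being detected" goal is defeated. The following is an added example, not code from the original text: it parses constructed OpenSSH-style sshd log lines and labels each source address as a brute force, a password spray, or benign, while also counting "invalid user" responses, which indicate that the attacker is still enumerating account names. The thresholds and the log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in OpenSSH sshd format (not real captured data).
# 203.0.113.5: one guess against each of six accounts (password spraying).
# 198.51.100.7: eight guesses against "alice", then a successful login.
# 192.0.2.9: a single typo followed by a successful login (benign).
SAMPLE_LOG = [
    "Jan 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:02 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2",
    "Jan 10 12:00:03 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2",
    "Jan 10 12:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2",
    "Jan 10 12:00:05 host sshd[1205]: Failed password for alice from 203.0.113.5 port 51238 ssh2",
    "Jan 10 12:00:06 host sshd[1206]: Failed password for bob from 203.0.113.5 port 51239 ssh2",
    "Jan 10 12:00:30 host sshd[1230]: Connection closed by 203.0.113.5 port 51239 [preauth]",
] + [
    f"Jan 10 12:00:{10 + i:02d} host sshd[{1210 + i}]: Failed password for alice "
    f"from 198.51.100.7 port {40001 + i} ssh2"
    for i in range(8)
] + [
    "Jan 10 12:00:18 host sshd[1218]: Accepted password for alice from 198.51.100.7 port 40009 ssh2",
    "Jan 10 12:01:00 host sshd[1300]: Failed password for carol from 192.0.2.9 port 33000 ssh2",
    "Jan 10 12:01:05 host sshd[1301]: Accepted password for carol from 192.0.2.9 port 33001 ssh2",
]

# Matches the password-authentication result lines sshd emits; other messages are ignored.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class AuthEvent:
    src: str
    user: str
    success: bool
    invalid_user: bool


@dataclass
class Verdict:
    kind: str                      # "benign", "brute_force" or "password_spray"
    failures: int                  # total failed logins from this source
    users_targeted: int            # distinct usernames seen in failures
    invalid_user_attempts: int     # failures where sshd reported a nonexistent user
    compromised: list = field(default_factory=list)  # users that succeeded after failures


def parse_events(lines):
    """Extract authentication results from sshd log lines; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        events.append(AuthEvent(
            src=m["src"],
            user=m["user"],
            success=m["result"] == "Accepted",
            invalid_user=m["invalid"] is not None,
        ))
    return events


def classify_sources(events, fail_threshold=5, spray_min_users=4, spray_max_per_user=2):
    """Summarise failed logins per source IP and label the pattern.

    Thresholds are illustrative assumptions, not values from the original text:
    fewer than fail_threshold failures is treated as benign; many distinct users
    with at most spray_max_per_user guesses each is a spray; otherwise it is a
    brute force against one or a few accounts.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    invalid = defaultdict(int)                      # src -> "invalid user" count
    compromised = defaultdict(list)                 # src -> users that later succeeded
    for e in events:
        if e.success:
            # A success following failures for the same user from the same source
            # is the signature of a guess that eventually landed.
            if fails.get(e.src, {}).get(e.user, 0) > 0 and e.user not in compromised[e.src]:
                compromised[e.src].append(e.user)
        else:
            fails[e.src][e.user] += 1
            if e.invalid_user:
                invalid[e.src] += 1
    verdicts = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        if total < fail_threshold:
            kind = "benign"
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            kind = "password_spray"
        else:
            kind = "brute_force"
        verdicts[src] = Verdict(kind, total, len(per_user), invalid[src], compromised[src])
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The spray source never exceeds one failure per account, so a per-account lockout rule would never fire on it; it is caught only by counting distinct usernames per source, and its three "invalid user" responses show that the attacker was guessing account names as well as passwords. The brute-force source is the opposite case, and its later "Accepted" line for the same user is the event that should page someone.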