A password brute force attack is an attempt to gain unauthorized access to a system or network using a password-cracking technique. Common targets of brute force attacks are hosts running FTP, SSH and Windows.
You can find out if hosts on your network are vulnerable to brute force attacks by performing password brute force tests at scan time. Just enable password brute forcing in an option profile and then apply that profile to a scan.
- Use system-generated password lists. We attempt to guess the password corresponding to each detected user login name on the host.
- Create and use custom password brute force lists.
- Use both system-generated and custom password brute force lists (system lists are tested first).
There are 5 levels of password testing available: None, Minimal, Limited, Standard, Exhaustive.
Tell me about the testing levels
At Minimal, we attempt to access the User Database (through authentication or anonymously), and if we can, we check that no user name has a blank password. If the user database is not accessible, then we only check the Administrator and Guest accounts this way.
With Limited, we perform the same checks as Minimal, and also test that the password is not identical to the user name.
With Standard, we attempt to access the user database. If we can, we test the accounts according to a password generation scheme in addition to the Minimal and Limited checks. If we don't have access to the user database (for example, on Windows hosts), then this level is the same as Limited for the Administrator and Guest accounts.
Exhaustive is similar to Standard, but adds further password checks according to our methodology and to how fast the target is responding to our requests. Dynamically generated passwords are only used when Exhaustive is selected. Note that selecting Exhaustive will increase scan time.
For Windows hosts, Standard is the same as Limited
If the Standard level is set and you're scanning Windows hosts, we'll always perform the Limited level tests.
Is the scan against a Domain Controller?
If yes, the behavior will be similar to Limited unless Exhaustive is chosen. This is to avoid locking out every account on the Domain Controller.
Actual number of attempts at each level
The actual number of attempts made at each level is dependent on several factors. If you have a lockout policy established, preventing users from connecting to systems after a set number of failed login attempts, then we recommend that you do not enable brute forcing. This is the only way to ensure that users will not be locked out.
How to create a custom list
Create a custom list of login/password combinations to test.
1) Go to the Password Brute Forcing section in your option profile. Select Custom and click Configure.
2) Click New. Provide a title for your list, select a list type, and enter login/password combinations. Start with a login name (preceded by L:) followed on the next line with the corresponding password (preceded by P:). If the password is blank, you must still enter P: on the password line.
The list type determines which service the combinations are tested against:
- FTP: login/password combinations for brute forcing an FTP service on a target host. If the scanning engine detects an FTP service running on the host, then it attempts to log into the service using the credentials provided in the FTP brute force list.
- SSH: login/password combinations for brute forcing Unix-based hosts that support the SSH protocol (SSH1 and SSH2). If the scanning engine detects an SSH service running on the host, then it attempts to log into the service using the credentials provided in the SSH brute force list.
- Windows: login/password combinations for brute forcing Windows hosts. The scanning engine attempts to connect to the local user database on each target host and tests the credentials provided in the Windows brute force list. Note that the credentials are not forwarded to the Windows domain controller to authenticate against the domain user database. You must scan the domain controller to brute force domain accounts.
Managers and Unit Managers can create, edit and delete brute force lists for the subscription.
When deleting a brute force list, if the selected list is assigned to one or more option profiles, then it will be removed from those option profiles automatically.
How to verify brute force test
We provide information in scan results, scan reports and host information about whether brute force attempts are successful by returning these QIDs:
QID 5005. NetBIOS Brute Force of Accounts. This QID is returned when brute forcing of a Windows host was successful. See the Result section of the vulnerability for a list of login/password combinations that were successful.
QID 38259. SSH User Login Bruteforced. This QID is returned when brute forcing of a Unix-based host was successful through SSH. See the Result section of the vulnerability for a list of login/password combinations that were successful.
QID 27056. Valid FTP Account Has Been Found. This QID is returned when brute forcing of a host was successful through FTP. See the Result section of the vulnerability for a list of login/password combinations that were successful.
Note that there are additional QIDs returned when an FTP server is accessible using the "anonymous" and "ftp" accounts. QID 27000 is returned when an FTP server is accessible using these accounts with any password. QID 27001 is returned when an FTP server is accessible using these accounts with a blank password.
Your scan results may return additional QIDs related to brute forcing. You can perform a search in the KnowledgeBase for all vulnerabilities in the "Brute Force Attack" category.