The purpose of this blog is to demonstrate how to brute force a login page using Burp Suite. There are other brute force tools such as Hydra and Ncrack. Although both are great tools, Burp Suite is more suitable for brute forcing a web application login page, whereas Hydra and Ncrack are more suitable for other protocols such as SSH and RDP.
Offline Password Cracking is an attempt to recover one or more passwords from a password storage file that has been recovered from a target system. Typically, this would be the Security Account Manager (SAM) file on Windows, or the /etc/shadow file on Linux. In most cases, Offline Password Cracking will require that an attacker has already attained administrator / root level privileges on the system to get to the storage mechanism.
As cybersecurity professionals we know a “strong” password is, supposedly, one that is at least 8 characters long with a combination of upper case, lower case, numbers, and special characters. But, as Bob Dylan said, the times they are a-changing. There is new movement in the industry to move away from this traditional password guidance to something more secure, user-centric, and friendly.
The most common two-factor authentication method is a password and a time-based one-time password (TOTP), which can be sent to your phone via SMS. So even if your password is compromised, the cybercriminals will need the second factor, a code sent to your phone, to log into your account. However, using SMS for two-factor authentication is not considered safe anymore. Why is it not safe anymore? What should we use then?
Online password cracking has advantages and disadvantages. It is effective if executed properly. There are numerous defenses to prevent attackers from cracking your passwords.
Black Box Penetration Testing tests a target with little to no prior knowledge about the target environment. Despite the best efforts of vulnerability scanning tools, they often miss critical vulnerabilities and major issues. These missed vulnerabilities can be exploited by attackers to gain full control of your environment. A Black Box Penetration Test identifies additional vulnerabilities and security issues. If minimizing cybersecurity risk is a goal, both a vulnerability scan and a Black Box Penetration Test are recommended.
Most of us are brainwashed about what constitutes a secure or “strong” password. We often think a password that consists of 8 characters with complexity requirements (uppercase, lowercase, number, special character) is more secure than a “passphase” with no complexity requirements. This is not true.
Connect with Us
- National Cybersecurity Awareness Month: 6 Things to Practice During the Month
- Cybersecurity Checklist for Business Closures, Consolidations, and Acquisitions
- What Is DevSecOps?
- Cybersecurity and a Remote Workforce: What Does the Future Look Like?
- 6 Penetration Testing Trends to Have on Your Cybersecurity Radar
- Hiring a CISO-as-a-Service? Ask These 8 Questions
- Incorporating Privacy and Security by Design into MedTech
- What is the Difference Between CMMC, DFARS, and NIST 800-171?
- At Risk: Medical Device Cybersecurity Vulnerabilities Expose Patients to Life-threatening Consequences
- 5 Reasons to Hire a Fractional CISO
- Why Private Cybersecurity Training Matters for Your Organization
- Is the CEH Certification Right For You?
- Internal Penetration Test vs Vulnerability Assessment: Which is Right for You?
- Best Beginner Cybersecurity Certification to Get
- Over-complicating Risk in Cybersecurity