Our November edition is finally here and it’s entirely dedicated to brute forcing and supply chain attacks. We prepared a handful of articles, tutorials, and case studies, and we hope it will be a great read for you! Let’s take a look at what’s inside.
First things first, we have a tutorial about BruteX - a great, but not so popular tool for brute forcing. The author will guide you through the installation and performing an attack simulation. BruteX is an interesting tool that can expand your virtual toolbox.
Next, Daniel García Baameiro will teach you how to build your own brute force tool in Bash. How cool is that? In the next article, you will learn about performing brute force attacks with Hydra - we recommend this article for beginners, as it is a great introduction to usage of this tool.
In the following articles you’ll get a chance to read about some very useful techniques, i.e. configuring OSSEC to mitigate brute force attacks, or about dictionary attacks and machine learning. We also talk about side-channel attacks and fault injection.
Don’t think we forgot about the supply chain part! If you’d like to read more about this topic, we have three great articles for you. You'll learn about the nature of supply chain attacks, how they are performed, and how to defend against them. Also, you'll read about supply chain exploitation with the usage of password spraying attacks.
Last but not least, if you still haven’t had enough of Wi-Fi hacking, you’ll learn about how the pattern of creating wireless network access passwords makes it easier for hackers to crack the password.
We hope that you will enjoy this edition and find something that will catch your interest. As always, we would like to send our gratitude to all our contributors, reviewers, and proofreaders.
We would also like to thank you for supporting us and being a part of this magazine! Stay safe during these weird times and enjoy the upcoming holidays with your loved ones. And most importantly - have fun hacking! :)
Enjoy the reading,
Magdalena Jarzębska and Hakin9 Editorial Team
Table of Contents
One tool I want to share with you in this article is bruteX. BruteX is a very lean, bash script with a small learning curve and the execution is really straightforward which is quite nice, especially in the age of complicated frameworks. BruteX may not be as widely utilized and you may or may not even know about it, but by the end of this article hopefully you will find a new weapon to include in your arsenal. Before we get to bruteX let’s take a brief look at some definitions of brute-forcing and port scanning.
Build your own Brute Force Tool
Daniel García Baameiro
In order to try to gain access to the private part of a website, brute force attacks tend to be used. These attacks are carried out by using a dictionary of possible users and passwords of a website. If valid credentials are found, access has been gained. This article aims to help users understand how web portals work so that they can then create their own tool in the programming language they feel most comfortable with.
Brute Forcing Using Hydra
Hydra is a login cracker written in C and developed by THC. Hydra makes use of different approaches in order to guess the correct combination of username and password. This article will help you understand the usage of this tool and perform a brute force attack with it.
Dictionary Attacks and Machine Learning
Brute force is a simple way to attack against these kinds of services. In some situations, password space is too big and you need to have an efficient dictionary to decrease the space. There is a typical way to combine words to make passwords. In this way, passwords are generated by some rules. When we face with lots of rules, machine learning could help us to make a dictionary with an acceptable success rate. In this paper, we want to review some machine learning techniques to do so and there pros and cons.
Configuring OSSEC to Mitigate Brute Force Attacks
Joas Antonio dos Santos, Cleber Soares
Brute force attacks are a series of combinations that an automated tool generates and tries to access a certain system, with the aim of breaking and accessing the system using guesswork. There are some types of brute force, both online and offline format. Traditional brute force already has a focus on testing random password combinations, often passing just a parameter, saying whether it's just numbers or not.
From Brute Force to Side Channel & Fault Injection: The Evolution of Breaking Foundations
Samantha Isabelle Beaumont
Building security into Cyber Physical Systems (CPS) today is no trivial task; with the vast interconnection of embedded devices and their components, the consideration of hardware and the entire world of software and physical security is an auto routing nest of risk the industry must navigate every day to remain afloat in today’s market of breaches and technological advancement. Whilst remote attack vectors and networked risk vectors are always high in priority, often one of the most foundational and fundamental components to CPS’s are overlooked: the physical components, or hardware. Why then, does this matter?
Securing The Supply Chain
The pandemic of 2019/2020/2021 has laid bare just how fragile our supply chain networks are with shortages predicted in the near and long term. Car dealerships are flush with pre-owned models while the latest models float aimlessly in the holds of ships anchored at the Pacific ports waiting their turn to unload. Manufacturers are unable to meet or ship orders due to chip shortages that may not recede for months to come. The Supply Chain is the oxygen of the world economy and needs to be protected if industry and whole the economic system is to survive.
Supply Chain War - You Cannot Defeat Nature
A supply chain attack is yet another type of a mixture of different techniques that allows the attackers to evade detection and infect victims systems. It’s as easy as sending a phishing email to compromise the developers and issue a malicious update, or as complex as infiltrating the certificate authorities systems and issue legitimate certificates for malicious applications without being detected for a long time. The techniques used for supply chain attacks varies widely and despite massive efforts in software security auditing and penetration tests, it’s yet another kind of type attack where the software developers don’t realize that their software has turned malicious.
When You're the Target, but not the One Being Attacked (Directly)
The supply chain is made up of external digital service providers, such as Internet providers, software or hardware suppliers, etc., which any company or public body today can contract to carry out different types of functions and tasks or to provide certain services to its own customers. Therefore, a supply chain attack is an attack capable of compromising the external digital service providers themselves, affecting, through this, a large number of intermediate or end users of the contracted service. In this article, we will present two case studies of such attacks, as well as introduce you to password spraying technique and discuss what are some ways to protect yourself from such attacks.
How Does the Pattern of Creating Wireless Network Access Passwords Make it Easier for Hackers to Crack the Password?
Rodrigo D'Afonseca Silva
In all these years dedicated to studying information security, pentest, vulnerability analysis, one of the areas that always fascinated me was hacking in wireless networks. It's something I can tell you with certainty: it's exciting when you can figure out the access password. Read this amazing article that we have prepared especially for you and you will understand how the pattern of creating passwords makes all the difference in our tests.