Alternatives to Brute-forcing in general

Hey gang! I have a job interview coming up and I’ve been able to get some of the questions I’ll be asked. One of which was "what are some ways to avoid brute force hacks?".

My intuitive answer is to narrow the scope of the problem so you don’t need to use such a blunt instrument.

I know this question is quite broad and woolly but I was wondering if anybody had any insight that might be useful.

I don’t really have any useful insight here - it strikes me as a bit of an awkward question because it depends on what they mean by brute force.

First: I’d say your response is basically correct. The more information you can gather the less likely you will have to just try “everything” until something works. Enumeration is critical.

The example here is: Rather than try to brute force a WordPress login prompt, you could exploit a plugin and upload a shell to get access.

Alternatively, if they are asking about other techniques, then is a phishing attack a brute force? For example, rather than trying to brute force OWA, you can phish a user and just log in with their credentials. But if your phish goes to 10,000 users is that counted?

Lastly, some people I’ve talked to have the idea that a “Low and Slow” attack isn’t a brute force. For example, instead of getting a list of 10,000 users and trying 1.4m passwords for each user, you try 1-2 passwords with the hope that it won’t trigger any account locks or security alerts.

Thanks! Something that occurred to me too is it’s only brute force when your resources are limited. For example, breaking 512-bit encryption will not be thought of as brute force post the quantum horizon. Or, if you have access to 1,000,000 machines then your attack would take a lot less time (depending on the relative size).

Good point.

If it was me, I’d explain the answer depends on what they mean by brute force but it depends on how pushy you feel in the interview. Don’t throw away a job just to give a clever answer :smile:

As you’ve said, some people think running a password cracker with a wordlist is a brute force, but using a rainbow table isn’t. (I don’t agree with this, I am just pointing out different perspectives)

Brute force attacks against offline data are also very different from a brute force attack against a running system where you can be detected.

You could go with the approach of explaining how the question can mean different things and present different sets of alternatives.
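Two points in this thread are easiest to see from the defender's side: the "low and slow" spray that stays under per-account lockouts, and the later remark that an online brute force, unlike an offline one, can be detected. The following is an added example, not code posted in the thread: two detectors run over a constructed authentication log. The first models a per-account lockout counter and catches the classic many-guesses-one-user attack; the second groups failures by source and counts the distinct accounts each source tried, which is what the spray leaves behind. The log format, IP addresses, account names and thresholds are all invented for the illustration.

```python
"""Two detectors over one authentication log.

A per-account failure counter models the "account locks" the thread
mentions: it catches a classic brute force (many guesses, one user).
A password spray ("low and slow": one or two guesses per user, many
users) stays under that counter, so a second detector groups failures
by source and counts the *distinct* accounts each source tried.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One line per attempt:
# "<iso-time> <FAIL|OK> <user> <source-ip>". All addresses are documentation
# ranges and all names are made up.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 198.51.100.5
2024-03-01T09:00:03 FAIL alice 198.51.100.5
2024-03-01T09:00:05 FAIL alice 198.51.100.5
2024-03-01T09:00:07 FAIL alice 198.51.100.5
2024-03-01T09:00:09 FAIL alice 198.51.100.5
2024-03-01T09:00:11 FAIL alice 198.51.100.5
2024-03-01T09:05:00 FAIL bob 203.0.113.10
2024-03-01T09:17:00 FAIL carol 203.0.113.10
2024-03-01T09:29:00 FAIL dave 203.0.113.10
2024-03-01T09:30:00 FAIL gina 192.0.2.7
2024-03-01T09:30:20 OK gina 192.0.2.7
2024-03-01T09:41:00 FAIL erin 203.0.113.10
2024-03-01T09:53:00 FAIL frank 203.0.113.10
2024-03-01T10:05:00 OK frank 203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def _windowed(items, window):
    """For each time-sorted item, yield it together with everything within `window` after it."""
    for i, first in enumerate(items):
        yield [e for e in items[i:] if e["ts"] - first["ts"] <= window]


def detect_brute_force(events, window=timedelta(minutes=10), threshold=5):
    """Accounts with >= threshold failures inside any `window` (lockout-style logic)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append(e)
    flagged = set()
    for user, fails in by_user.items():
        if any(len(group) >= threshold for group in _windowed(fails, window)):
            flagged.add(user)
    return flagged


def detect_spray(events, window=timedelta(minutes=60), min_accounts=4):
    """Sources whose failures touch >= min_accounts distinct users inside `window`.

    Each user is tried only once or twice, so the per-account counter above
    never fires; the signal is the breadth of accounts per source.
    Returns {src: sorted list of targeted accounts}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        for group in _windowed(fails, window):
            users = {e["user"] for e in group}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_from_spraying_sources(events, spray):
    """(src, user) pairs where a flagged spraying source later logged in successfully.

    These are the accounts a responder should treat as likely compromised first."""
    return {(e["src"], e["user"]) for e in events
            if e["result"] == "OK" and e["src"] in spray}


def analyse(text):
    """Run both detectors and the follow-up check over a log text."""
    events = parse_log(text)
    spray = detect_spray(events)
    return {
        "brute_force_accounts": detect_brute_force(events),
        "spray_sources": spray,
        "likely_compromised": successes_from_spraying_sources(events, spray),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On the sample log the lockout-style counter flags only `alice`, while the spraying source is invisible to it and only appears once failures are grouped by source and counted by distinct account. The last check, a successful login from a source already flagged as spraying, is the event that tells a defender which account the spray actually landed on. Thresholds are deliberately parameters: a per-account lockout that is too aggressive turns the attack into a denial of service against your own users, so in practice the per-source and distinct-account views are what make the low-and-slow variant detectable without lowering the lockout bar.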