
INTRODUCTION

1.1 Background

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. A brute force tool can be misused to crack encrypted data, or used by security analysts to test an organization's network security.[7]

Brute-force attacks are simple to understand. An attacker has an encrypted file, say, your LastPass or KeePass database. They know that this file contains data they want to see, and they know that there’s an encryption key that unlocks it. To decrypt it, they can begin to try every single possible password and see if that results in a decrypted file.[5]

There’s a difference between online and offline brute-force attacks. For example, if an attacker wants to brute-force their way into your Gmail account, they can begin to try every single possible password but Google will quickly cut them off. Services that provide access to such accounts will throttle access attempts and ban IP addresses that attempt to log in so many times. Thus, an attack against an online service wouldn’t work too well because very few attempts can be made before the attack would be halted.[5]

On the other hand, let’s say an attacker snagged an encrypted file from your computer or managed to compromise an online service and download such encrypted files. The attacker now has the encrypted data on their own hardware and can try as many passwords as they want at their leisure. If they have access to the encrypted data, there’s no way to prevent them from trying a large number of passwords in a short period of time. Even if you’re using strong encryption, it’s to your benefit to keep your data safe and ensure others can’t access it.

Speed all depends on hardware. Intelligence agencies may build specialized hardware just for brute-force attacks, just as Bitcoin miners build their own specialized hardware optimized for Bitcoin mining. When it comes to consumer hardware, the most effective type of hardware for brute-force attacks is a graphics card. As it’s easy to try many different encryption keys at once, many graphics cards running in parallel are ideal. At the end of 2012, Ars Technica reported that a 25-GPU cluster could crack every Windows password under 8 characters in less than six hours. The NTLM algorithm Microsoft used just wasn’t resilient enough. However, when NTLM was created, it would have taken much longer to try all these passwords. This wasn’t considered enough of a threat for Microsoft to make the encryption stronger.[5]

Strong hashing algorithms can slow down brute-force attacks. Essentially, hashing algorithms perform additional mathematical work on a password before storing a value derived from the password on disk. If a slower hashing algorithm is used, it will require thousands of times as much mathematical work to try each password and dramatically slow down brute-force attacks. However, the more work required, the more work a server or other computer has to do each time a user logs in with their password. Software must balance resilience against brute-force attacks with resource usage.
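The trade-off described above, as an added example that is not part of the original report: password storage with PBKDF2-HMAC-SHA512 from Python's standard library, where the iteration count is the work factor. The record layout, the default of 200,000 iterations and the per-password random salt are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; tune it to the login latency you can afford.
DEFAULT_ITERATIONS = 200_000


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a storable record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # random per-password salt (assumption of this example)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha512${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != "pbkdf2_sha512" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when a record was stored with a lower work factor than the current one."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


def seconds_per_guess(iterations, rounds=3):
    """Best-of-N wall-clock cost of one hash: paid once per login, once per attacker guess."""
    salt = b"\x00" * 16  # fixed salt, used only for timing
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"constructed-sample", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    record = hash_password("constructed sample passphrase")
    print(record[:40] + "...")
    print("verify ok:", verify_password("constructed sample passphrase", record))
    fast, slow = seconds_per_guess(1), seconds_per_guess(DEFAULT_ITERATIONS)
    print("one guess costs about {:.0f}x more at {} iterations".format(slow / fast, DEFAULT_ITERATIONS))
```

Calling `needs_rehash` after a successful login lets the work factor be raised over time as hardware gets faster.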

There’s no way to protect yourself completely. It’s impossible to say just how fast computer hardware will get and whether any of the encryption algorithms we use today have weaknesses that will be discovered and exploited in the future. However, here are the basics:

• Keep your encrypted data safe where attackers can’t get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.

• If you run any service that accepts logins over the Internet, ensure that it limits login attempts and blocks people who attempt to log in with many different passwords in a short period of time. Server software is generally set to do this out of the box, as it’s a good security practice.

• Use strong encryption algorithms, such as SHA-512. Ensure you’re not using old encryption algorithms with known weaknesses that are easy to crack.

• Use long, secure passwords. All the encryption technology in the world isn’t going to help if you’re using “password” or the ever-popular “hunter2”.[5]
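One way to implement the login limiting described in the list above and in the discussion of online attacks, as an added example that is not part of the original report: a sliding-window counter that bans a source after too many failed logins. The thresholds, the class and function names, and the sample events (documentation-range IP addresses) are constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Ban a source for `ban` seconds after `max_failures` failures within `window` seconds."""

    def __init__(self, max_failures=5, window=60, ban=900):
        self.max_failures = max_failures
        self.window = window
        self.ban = ban
        self._failures = defaultdict(deque)  # source -> timestamps of recent failures
        self._banned_until = {}              # source -> time at which the ban ends

    def is_blocked(self, source, now):
        until = self._banned_until.get(source)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[source]   # ban expired
            return False
        return True

    def attempt(self, source, password_ok, now):
        """Classify one login attempt as 'blocked', 'ok', 'failed' or 'banned'."""
        # Check the ban first: a banned source must not learn whether its guess was right.
        if self.is_blocked(source, now):
            return "blocked"
        if password_ok:
            # Failures are not cleared on success, so a valid login cannot reset the counter.
            return "ok"
        recent = self._failures[source]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures that left the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._banned_until[source] = now + self.ban
            recent.clear()
            return "banned"
        return "failed"


def replay(events, throttle):
    """Feed (time, source, password_ok) events through the throttle, grouped by source."""
    outcomes = defaultdict(list)
    for now, source, password_ok in events:
        outcomes[source].append(throttle.attempt(source, password_ok, now))
    return dict(outcomes)


# Constructed sample: one source guessing once per second, one user with a single typo.
GUESSER = "203.0.113.5"
USER = "198.51.100.7"
SAMPLE_EVENTS = [
    (0, GUESSER, False), (1, GUESSER, False), (2, USER, False),
    (2, GUESSER, False), (3, GUESSER, False), (4, GUESSER, False),
    (5, GUESSER, False),
    (10, GUESSER, True),    # correct guess during the ban is still refused
    (30, USER, True),
    (1000, GUESSER, False), # after the ban has expired
]

if __name__ == "__main__":
    for source, results in replay(SAMPLE_EVENTS, LoginThrottle()).items():
        print(source, results)
```

The same counter can be keyed on the account name as well as the source address, which also covers guesses against one account spread across many addresses.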


1.2 Motivation

There are many projects to choose from, but the choice has to be made according to the present needs and demands of the public. Nowadays, computer as well as network security is a burning issue, as technology is developing rapidly. So ensuring good security for networks and computers has become a very important part of technology. Our software can be used for such testing purposes, to check for loopholes in a system. The program designed by us is easy to use and understand.

With the help of our respected teachers and scholars, we decided to choose this project. They gave us several ideas for choosing a good project. In addition, we got information about this project from our friends. We knew that we had to choose a project which is different from others and unique. So we found this one useful and unique.

1.3 Statements of Problems

During the course of development of the software, we faced certain problems and difficulties. The main challenge was to embed special characters in it. As it is a brute forcing tool, all characters, numbers and special characters must be embedded. Finally, we embedded special characters, numbers and characters according to their ASCII code order.

Our tool and its functioning depend upon the internet connection and its speed. So problems might occur if an internet connection is not available or is of low bandwidth. To avoid such problems, a good internet connection is preferred. A good internet connection can help to minimize the time taken by brute forcing.


1.4 Objectives

The main objective of our system is to provide a tool for testers to test whether brute force attacks can penetrate their system or not. Based on the current security issues, we have listed the objectives of our tool as follows:

• To test whether a system is vulnerable to brute force attack.

• To assure a quality website which is safe from brute force attack.

• To help in load testing, as our tool hits the server more than a thousand times within seconds.

• To test whether the capacity of servers is enough to handle multiple requests in a very short time.

1.5 Scope and Limitation

According to the features that we have embedded in our tool, it has a wide scope. It can be used mainly as a security testing tool. Some of the fields where our tool can be used are:

• Information Security

Information security is the most challenging task in the technology field these days. Information has to be kept safe from several possible attacks. A brute force tool can be used in order to test for brute force attacks. A brute force tool consumes time but assures high accuracy. It can help security testers find out whether the web system is vulnerable to brute force attack or not.

• Load testing

A brute force tool can be helpful for load testing as well. This tool hits the server thousands of times within seconds. So a user can test the web server and its capacity to bear load multiple times within a very short period of time.

Although we have tried our best to reduce errors and limitations, some limitations still exist. Some of the limitations are:

• As it is a brute force tool, several hit and trials are carried out simultaneously. So it might take a longer time if passwords are too strong.


1.6 Report Structure

The report is organized as follows:

Chapter 1: It includes the brief introduction along with its background. Statement of problems, objectives and limitation of project are well mentioned in this chapter.

Chapter 2: It includes literature review of the project. Past reference and used tools are described in this chapter.

Chapter 3: It includes the detailed methodology of the project. The working mechanism along with the block diagram is explained. The tools and platforms selected for developing the project are included here.

Chapter 4: This chapter includes details about the results that the project generates, along with the test cases carried out in the course of development of the project.

Chapter 5: This chapter includes the conclusion of whole project and the future recommendation and enhancement.

Chapter 6: Reference section is included in this chapter.


LITERATURE REVIEW

Brute-force attacks are fairly simple to understand, but difficult to protect against. Encryption is math, and as computers become faster at math, they become faster at trying all the solutions and seeing which one fits.

These attacks can be used against any type of encryption, with varying degrees of success. Brute-force attacks become faster and more effective with each passing day as newer, faster computer hardware is released. Brute force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. As the password’s length increases, the amount of time, on average, to find the correct password increases exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades.

In the past, different brute force crackers were developed and are still in use. Testers and coders are using such programs and systems to test whether their systems are vulnerable to brute forcing or not. Some of the widely used brute forcing tools are:

• Aircrack-ng

• DaveGrohl

• RainbowCrack

• THC Hydra


Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:

• Monitoring: Packet capture and export of data to text files for further processing by third party tools.

• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.

• Testing: Checking WiFi cards and driver capabilities (capture and injection).

• Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily but also Windows.

Cain and Abel

Cain and Abel (often abbreviated to Cain) is a password recovery tool for . It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel is maintained by Massimiliano Montoro and Sean Babcock.

Its basic functions:

• Sniffing the network

• Cracking encrypted passwords using Dictionary

• Brute-Force and Cryptanalysis attacks

• Recording VoIP conversations

• Decoding scrambled passwords

• Recovering wireless network keys

• Revealing password boxes

• Uncovering cached passwords

• Analyzing routing protocols.

The latest version of the tool has many features, and has added sniffing to perform Man in the Middle attacks.

DaveGrohl

DaveGrohl is a brute-force password cracker for Mac OS X. It was originally created in 2010 as a password hash extractor but has since evolved into a standalone or distributed password cracker. It supports all of the standard Mac OS X user password hashes (MD4, SHA-512 and PBKDF2) used since OS X Lion and also can extract them formatted for other popular password crackers like John the Ripper.[4] The latest stable release is designed specifically for Mac OS X Lion and Mountain Lion.

DaveGrohl supports both dictionary and incremental attacks. It may also run in distributed mode which allows it to use multiple computers to attack the same password hash. A dictionary attack will scan through a number of pre-defined wordlists while an incremental attack will count through a character set until it finds the password. When in distributed mode, it uses to find all the server nodes on the local network and therefore requires no configuration.

John the Ripper

John the Ripper is a free software tool. Initially developed for the , it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several password hash types most commonly found on various Unix versions (based on DES, MD5, or ), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes.

John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run.

Hashcat

Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is released as (it had a proprietary codebase until 2015). Versions are available for Linux, OS X, and Windows and can come in CPU-based or GPU-based variants. Examples of hashcat supported hashing algorithms are Microsoft LM hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX.

Ophcrack

Ophcrack is a free open source (GPL licensed) program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. On most computers, ophcrack can crack most passwords within a few minutes.

Rainbow tables for LM hashes are provided for free by the developers. By default, ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters. Available for free download are four Windows XP tables and four tables.

RainbowCrack

RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.

THC Hydra

THC Hydra is a fast network logon password cracking tool. When it is compared with other similar tools, it shows why it is faster. New modules are easy to install in the tool. You can easily add modules and enhance the features. It is available for Windows, Linux, FreeBSD, Solaris and OS X. This tool supports various network protocols. Currently it supports Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

2.1 Comparative Study

All of the above mentioned tools are password cracking tools that use brute forcing techniques. Some of them use dictionary attacks whereas others follow the incremental method.

2.1.1 Explanation of the Depth Field and Fudge Factor of Aircrack-ng

The best explanation is an example. We will look at a specific byte. All bytes are processed in the same manner.

You have the votes like in the screen shot above. For the first byte they look like:

AE(50) 11(20) 71(20) 10(12) 84(12)

The AE, 11, 71, 10 and 84 are the possible secret key values for key byte 0. The numbers in parentheses are the votes each possible secret key value has accumulated so far.

Now suppose you decide to use a fudge factor of 3. Aircrack-ng takes the vote from the most probable byte, AE(50):

50 / 3 = 16.666666

Aircrack-ng will test (brute force) all possible keys with a vote greater than 16.6666, resulting in AE, 11, 71 being tested, so we have a total depth of three:

0 / 3 AE(50) 11(20) 71(20) 10(12) 84(12)

When aircrack-ng is testing keys with AE, it shows 0 / 3. Once it has tested all keys with that byte, it switches to the next one (11 in this case) and displays:

1 / 3 11(20) 71(20) 10(12) 84(12)

2.1.2 John the Ripper Variants

The important thing to understand is that password cracking time is an average. The attacker will try a lot of passwords, and may be lucky... or not. John the Ripper will use the provided word list, and then try "variants" of the said words, in some order which may or may not be representative of what an attacker will do. If your password is chosen "at random" (uniformly) in a set of N possible passwords, then the average attack time will be the time it takes to compute N/2 hashes (with whatever hash function is used in your specific situation). This means that if you generate one million such passwords, and each time get the attacker to crack the chosen password, and then sum up all the times taken and divide by one million, then you will find that average time. Sometimes the attacker was faster; sometimes he was slower. Or, said otherwise: no, John the Ripper is not the much fabled "password meter" which will give an absolute "strength value" to your password. The strength of a password is a property of how you generate it, not of the password itself. For any given password, you can only reason on averages and pray for the best. The whole idea is that a password which is sufficiently random (more correctly, a password which is generated from a sufficiently random process) will bring the probability of an attacker getting lucky sufficiently low to be neglected (if the attacker has only one chance in 14 million to get the password within one week of computations, then you can even out the chances by buying a lottery ticket, which has one chance in 14 million to make you rich enough to ignore those trivial matters of stolen passwords).
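The averaging argument above, as an added example that is not part of the original report: a simulation of the "generate many passwords and average the cracking effort" experiment, plus the sizing calculation behind the "one chance in 14 million within one week" remark. The attacker speed of 10^10 guesses per second and the alphabet sizes are assumptions chosen for illustration.

```python
import random


def keyspace(alphabet_size, length):
    """N for passwords drawn uniformly at random: `length` symbols, each from the alphabet."""
    return alphabet_size ** length


def rank_in_incremental_order(password, alphabet):
    """1-based position of `password` when every string of its length is tried in order."""
    n = len(alphabet)
    rank = 0
    for ch in password:
        rank = rank * n + alphabet.index(ch)
    return rank + 1


def expected_guesses(n_candidates):
    """Exact mean for a uniform choice among N candidates: (N + 1) / 2, i.e. about N/2."""
    return (n_candidates + 1) / 2


def simulate_average_guesses(alphabet, length, trials, seed=1):
    """Generate `trials` random passwords and average the guesses needed to reach each."""
    rng = random.Random(seed)  # simulation only; generate real passwords with `secrets`
    total = 0
    for _ in range(trials):
        password = "".join(rng.choice(alphabet) for _ in range(length))
        total += rank_in_incremental_order(password, alphabet)
    return total / trials


def required_keyspace(guesses_per_second, seconds, one_chance_in):
    """Smallest N for which an attacker's success chance within the budget is 1/one_chance_in."""
    return guesses_per_second * seconds * one_chance_in


def min_random_length(alphabet_size, guesses_per_second, seconds, one_chance_in):
    """Shortest uniformly random password whose keyspace meets the target."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    target = required_keyspace(guesses_per_second, seconds, one_chance_in)
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    digits = "abcdefghij"  # constructed 10-symbol alphabet, N = 10**4
    print("simulated average:", simulate_average_guesses(digits, 4, 20000))
    print("expected average :", expected_guesses(keyspace(10, 4)))
    week = 7 * 24 * 3600
    rate = 10 ** 10        # assumed attacker speed in guesses per second
    for size in (26, 94):
        print(size, "symbols ->", min_random_length(size, rate, week, 14_000_000), "characters")
```

The result depends only on how the password is generated (alphabet size and length) and on the assumed guessing rate, never on how a particular password looks.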

2.1.3 Ophcrack Variants

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".

Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naive programmers. Instead, passwords are stored as the output of a hash function. Hashes are one-way operations. Even if an attacker gained access to the hashed version of your password, it's not possible to reconstitute the password from the hash value alone.

But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster-- assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It's a classic time-memory tradeoff, exactly the sort of cheating shortcut you'd expect a black hat attacker to take.

It takes a long time to generate these massive rainbow tables, but once they're out there, every attacking computer can leverage those tables to make their attacks on hashed passwords that much more potent.

The smallest available is the basic alphanumeric one, and even it is 388 megabytes. That's the default table you get with the Ophcrack bootable ISO. Even that small-ish table is remarkably effective.

2.1.4 Basic Comparison

Our project is quite different from the above tools. Some of them have higher time complexity and some of them have comparatively lower. But in case of our tool, time complexity is highest. We haven’t embedded a dictionary attack; instead we have embedded the incremental method of cracking. It tries almost all possible combinations of the password with the help of permutation and combination techniques.

Mathematically, we can find the combination as:

$$C = \frac{n!}{(n-r)!\,r!}$$

From n available characters, passwords of length r are formed, which are sequentially tested against the server. With an increase in the length of the password, time complexity also increases exponentially. So it is quite hard to estimate the exact time needed to find the right password of a desired length. But it is certain to find the highly probable password.

2.1.5 Alternatives of the Brute force tools and methods

With emerging technologies, security issues also arise, so there are several techniques that resist brute force methods. On the other hand, brute forcing is a tedious method, as it has high time complexity which increases exponentially with the parameters passed. That is why new attack techniques have arisen as alternatives to brute force methods. Some of the widely used attack techniques are:

a. Phishing
b. Malware
c. Offline Cracking
d. Shoulder surfing
e. Spidering
f. SQL injection

Phishing

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.[9]

A phishing email leads the unsuspecting reader to a faked online banking, payment or other site in order to login and put right some terrible problem with their security. Why bother going to the trouble of cracking the password when the user will happily give it you anyway?[9]

Malware

Malware, or “malicious software,” is designed to secretly access your computer, or server, and compromise its main functions, steal data, bypass access controls or otherwise harm your computer. There are several types of malware, including computer viruses, worm viruses, spyware, adware, scareware and crimeware. To spread Malware, perpetrators can create malicious websites of their own, exploit a vulnerability in the applications a website relies on or exploit a vulnerability on the web server or its configuration.[8]

Malware is often downloaded from an email attachment or from a suspicious website. However, malware can also infect servers and upload malicious code or web pages that deliver malware to the site’s visitors.[8]

A key logger or screen scraper can be installed by malware which records everything you type or takes screen shots during a login process, and then forwards a copy of this file to hacker central.[9]

Some malware will look for the existence of a web browser client password file and copy this which, unless properly encrypted, will contain easily accessible saved passwords from the user's browsing history.[9]


Offline Cracking

It’s easy to imagine that passwords are safe when the systems they protect lock out users after three or four wrong guesses, blocking automated guessing applications. Well, that would be true if it were not for the fact that most password hacking takes place offline, using a set of hashes in a password file that has been ‘obtained’ from a compromised system.[9]

Often the target in question has been compromised via a hack on a third party, which then provides access to the system servers and those all-important user password hash files. The password cracker can then take as long as they need to try and crack the code without alerting the target system or individual user.[9]

Shoulder surfing

The most confident of hackers will take the guise of a parcel courier, aircon service technician or anything else that gets them access to an office building.[9]

Once they are in, the service personnel ‘uniform’ provides a kind of free pass to wander around unhindered, and make note of passwords being entered by genuine members of staff. It also provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with logins scribbled upon them.[9]

Spidering

Savvy hackers have realised that many corporate passwords are made up of words that are connected to the business itself. Studying corporate literature, website sales material and even the websites of competitors and listed customers can provide the ammunition to build a custom word list to use in a brute force attack.[9]

Really savvy hackers have automated the process and let a spidering application, similar to those employed by leading search engines to identify keywords, collect and collate the lists for them.[9]


SQL injection

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.[10]

METHODOLOGY

Our project is carried out in a managed way. For a strong base and a wide range of guesses, we use Java as the programming language. Brute force attack is quite similar to the dictionary attack.

Our tool is a desktop application. In it, we place a text bar where the user can enter a website that he wants to test for brute forcing. At first, our tool parses the forms available in the website. After that, with the help of the username and form id, it starts brute forcing. If it finds the right password, it is displayed to the user; if it doesn’t, an error message is displayed.

3.1 Brute Force Algorithm

In order to apply brute-force search to a specific class of problems, one must implement four procedures, first, next, valid, and output. These procedures should take as a parameter the data P for the particular instance of the problem that is to be solved, and should be as:

1. first (P): generate a first candidate solution for P.
2. next (P, c): generate the next candidate for P after the current one c.
3. valid (P, c): check whether candidate c is a solution for P.
4. output (P, c): use the solution c of P as appropriate to the application.

The next procedure must also tell when there are no more candidates for the instance P, after the current one c. A convenient way to do that is to return a "null candidate", some conventional data value Λ that is distinct from any real candidate. Likewise the first procedure should return Λ if there are no candidates at all for the instance P. The brute-force method is then expressed by the algorithm.
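The four procedures and the null candidate Λ described above, as an added example that is not the report's own code (the tool itself is written in Java): a generic driver with two small constructed instances, integer divisors and strings enumerated incrementally in ASCII order. All function names are chosen for this example.

```python
LAMBDA = None  # the "null candidate" Λ: a value distinct from every real candidate


def brute_force(P, first, next_candidate, valid, output):
    """Generic driver: visit every candidate once and hand the valid ones to output()."""
    visited = 0
    c = first(P)
    while c is not LAMBDA:
        visited += 1
        if valid(P, c):
            output(P, c)
        c = next_candidate(P, c)
    return visited


# Instance 1 (constructed): P is an integer n, the candidates are 1..n,
# and a candidate is a solution when it divides n.
def first_divisor(n):
    return 1 if n >= 1 else LAMBDA  # Λ when there are no candidates at all


def next_divisor(n, c):
    return c + 1 if c < n else LAMBDA


def is_divisor(n, c):
    return n % c == 0


# Instance 2 (constructed): P = (alphabet, max_len, predicate). Candidates are all
# strings of length 1..max_len over the alphabet, shortest first, in ASCII order.
def make_string_problem(characters, max_len, predicate):
    return ("".join(sorted(set(characters))), max_len, predicate)


def first_string(P):
    alphabet, max_len, _ = P
    return alphabet[0] if alphabet and max_len >= 1 else LAMBDA


def next_string(P, c):
    alphabet, max_len, _ = P
    chars = list(c)
    i = len(chars) - 1
    while i >= 0:  # odometer step: bump the last symbol, carrying to the left
        pos = alphabet.index(chars[i])
        if pos + 1 < len(alphabet):
            chars[i] = alphabet[pos + 1]
            return "".join(chars)
        chars[i] = alphabet[0]
        i -= 1
    # every position rolled over: move on to the next length, or stop with Λ
    if len(chars) + 1 > max_len:
        return LAMBDA
    return alphabet[0] * (len(chars) + 1)


def string_is_valid(P, c):
    return P[2](c)


def is_palindrome(s):
    return s == s[::-1]


def solve(P, first, next_candidate, valid):
    """Run the driver with an output() that collects solutions; return (solutions, visited)."""
    found = []
    visited = brute_force(P, first, next_candidate, valid, lambda _P, c: found.append(c))
    return found, visited


if __name__ == "__main__":
    print(solve(28, first_divisor, next_divisor, is_divisor))
    problem = make_string_problem("ba", 3, is_palindrome)
    print(solve(problem, first_string, next_string, string_is_valid))
```

The visited count returned by the driver is the cost of the search: with two symbols and lengths up to 3 it is 2 + 4 + 8 = 14 candidates, and it grows with every extra symbol or position.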


3.2 Working Mechanism

We have developed our tool with a user friendly interface. It is quite easy to use. In case of difficulties, we have provided a help section where the user can find a manual for using the tool.

At the first step, the user has to enter the desired URL to test. After that, with the help of the Jsoup library, all the form elements available in the website are parsed and shown to the user. The user then has to find the login form and pick its form id. Along with the form id, the user has to select parameters such as uppercase, lowercase, special characters and numbers. The tool then starts to generate passwords and automatically attempts logins with the generated passwords. For that purpose, HTMLUnit is used. For the n number of password length that the user provides, the tool generates 2n combinations of the passwords. The generated passwords are submitted automatically and hit the server in a short period of time. If the password is found, the user is shown that password along with information about the number of server hits and the total time taken.

With an increase in the length of the password and the parameters, time complexity increases exponentially rather than linearly. So this tool consumes comparatively more time as the parameters increase.


3.3 Block Diagram

[Block diagram: Start the tool → Enter a URL → Parses form elements from provided website → Pick a form ID and parameters → Generates password combination and auto login → Password as output]

Figure 3.1 Block Diagram


3.4 Tools and Platforms

This project is developed in Java with various embedded libraries. For this purpose, we have used Netbeans IDE 8.2. The important libraries and APIs are JSoup and HTMLUnit.

3.4.1 Important libraries

• Jsoup

The JSoup version used is 1.10.2. Jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. Jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do. It can:

• scrape and parse HTML from a URL, file, or string

• find and extract data, using DOM traversal or CSS selectors

• manipulate the HTML elements, attributes, and text

• clean user-submitted content against a safe white-list, to prevent XSS attacks

• output tidy HTML

jsoup is designed to deal with all varieties of HTML found in the wild; from pristine and validating, to invalid tag-soup; jsoup will create a sensible parse tree.[1]

 HTMLUnit

Used HTMLUnit version is 2.23. HtmlUnit is a "GUI-Less browser for Java programs". It models HTML documents and provides an API that allows you to invoke pages, fill out forms, click links, etc... just like we do in your "normal" browser. It has fairly good JavaScript support (which is constantly improving) and is able to work even with quite complex AJAX libraries, simulating Chrome, Firefox or Internet Explorer depending on the configuration used. It is typically used for testing purposes or to retrieve information from web sites.

3.4.2 Tools

• NetBeans IDE 8.2

NetBeans is a software development platform written in Java. The NetBeans Platform allows applications to be developed from a set of modular software components called modules. Applications based on the NetBeans Platform, including the NetBeans integrated development environment (IDE), can be extended by third party developers. NetBeans is cross-platform and runs on Microsoft Windows, Mac OS X, Linux, Solaris and other platforms supporting a compatible JVM.

• JDK 1.8

The Java Development Kit (JDK) is an implementation of either one of the Java Platform, Standard Edition; Java Platform, Enterprise Edition or Java Platform, Micro Edition platforms released by Oracle Corporation in the form of a binary product aimed at Java developers on Solaris, Linux, Mac OS X or Windows. The JDK includes a private JVM and a few other resources to finish the development of a Java Application.

RESULTS AND DISCUSSION

4.1 Overview

From this project, we have obtained our expected results so far. Through continuous hit and trial, whenever the right password is generated the tool displays it to the user. Patience is essential, though: it might take a long time to generate the right password. The user interface is simple and easy to understand. Websites with fewer forms are quite easy to parse and then brute force.

When the user runs the tool, a user interface is displayed where the URL can be entered.

Figure 4.1

After the desired URL is provided, the tool starts to parse the form elements available on the website. After successful parsing, the form elements are displayed to the user in the next frame. That frame is not editable; it is only for viewing and for finding the login form id.

Figure 4.2

Figure 4.3

After successful parsing, the user picks a login form id and parameters such as uppercase, lowercase, numbers, special characters and the maximum password length. With the necessary parameters, the tool generates combinations of possible passwords. The generated passwords are then used for the login process in an automated way.

When the tool finds a password, the user is shown the password and other information such as the total server hits and the total time taken.

Figure 4.4

This information can be saved in text format if the user wishes to save the result.

4.2 Testing

We carried out tests based on several test cases. The test cases we followed are:

Performance testing

• Testing under localhost
• Testing under internet connection

4.2.1 Testing under localhost

Most testing was carried out under localhost because a good internet connection was not always available. In the past, we have developed different websites as college projects and for clients as well, so we first targeted those for testing as they are available on our localhost.

In the initial phase, for testing purposes we used:

Uppercase = ABCD

Lowercase = abcdu

Numbers = 0123

Special Characters = #$*.@

With the above parameters, it generates the following results:

Condition 1: When password length is 3 and one parameter,

Total server hit = 59 times within 4 seconds

Total time taken = 4 seconds

Condition 2: When password length is 3 and two parameters,

Total server hit = 539 times within 10 seconds

Total time taken = 10 seconds

Condition 3: When password length is 3 and three parameters,

Total server hit = 1819 times within 21 seconds

Total time taken = 21 seconds

Condition 4: When password length is 3 and four parameters,

Total server hit = 6079 times within 1 minute and 6 seconds

Total time taken = 1 minute and 6 seconds

But when the password length is increased from 3 to 4, even with two parameters it takes almost 55 seconds, and within those 55 seconds the server is hit 4856 times. From the above observations, we can conclude that with the addition of a single parameter, time complexity increases exponentially. Likewise, if the length of the password is increased, time complexity increases steeply, in an exponential manner.

As localhost responds very quickly, the process is fast. But the same complexity is not maintained when an internet connection is used and live websites are tested.
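The reported runs can be set against the size of the search space to see how much of the time is keyspace and how much is guess rate. The following is an added example, not part of the project's code: it uses the character sets and figures from the tests above, assumes the tool tries every length from 1 up to the maximum (the report does not say), and treats the 94-character alphabet and the 3-attempts-per-15-minutes throttle as illustrative assumptions.

```python
from itertools import combinations

# Character classes exactly as listed in the localhost test setup above.
CLASSES = {"upper": "ABCD", "lower": "abcdu", "digits": "0123", "special": "#$*.@"}
# Reported runs: (classes enabled, max length, server hits, seconds taken).
OBSERVED = [(1, 3, 59, 4), (2, 3, 539, 10), (3, 3, 1819, 21),
            (4, 3, 6079, 66), (2, 4, 4856, 55)]


def keyspace(alphabet_size, max_len):
    """Candidates of length 1..max_len (assumption: shorter lengths are tried too)."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def alphabet_bounds(num_classes):
    """Smallest and largest alphabet that num_classes of the classes can form."""
    sizes = [sum(len(CLASSES[c]) for c in combo)
             for combo in combinations(CLASSES, num_classes)]
    return min(sizes), max(sizes)


def reconcile():
    """Set each reported run beside the full keyspace it was searching."""
    rows = []
    for k, max_len, hits, secs in OBSERVED:
        lo, hi = alphabet_bounds(k)
        rows.append({"classes": k, "max_len": max_len, "hits": hits,
                     "rate_per_s": round(hits / secs, 1),
                     "keyspace_min": keyspace(lo, max_len),
                     "keyspace_max": keyspace(hi, max_len)})
    return rows


def days_to_exhaust(alphabet_size, max_len, guesses_per_second):
    """Worst-case days to try every candidate at a constant guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second / 86400


if __name__ == "__main__":
    for row in reconcile():
        print(row)
    # Assumed realistic policy: 94 printable ASCII characters, up to 8 long.
    print(f"{days_to_exhaust(94, 8, 92.1):.3g} days at the fastest measured rate")
    # The report's largest test keyspace under an assumed 3 attempts per 15 min.
    print(f"{days_to_exhaust(18, 3, 3 / 900):.1f} days when throttled")
```

Every reported hit count falls inside the corresponding keyspace, and the same 6174-candidate space that localhost exhausted in about a minute takes roughly three weeks once attempts are throttled.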

4.2.2 Testing under internet connection

Internet connections have different bandwidths, and our tool behaves differently at different bandwidths. If the connection has good bandwidth, brute forcing proceeds well with lower time complexity. But if the connection is poor, time complexity becomes high and the tool consumes a lot of time even to brute force a short password.

4.2.3 System Requirements

After successful testing in different environments and systems, we generally suggest the following system specifications in order to run the tool without any lag or problems.

Hardware specifications

Pentium 4 (recommended i3)

RAM = 1GB (recommended 4 GB)

Graphics = 1GB (recommended 4 GB)

Software specifications

OS = Windows XP (recommended Windows 8)

4.3 Analysis of results

With reference to various sites and the algorithm used, we obtained quite different results in every observation. As mentioned before, we tested our tool in two different settings: localhost and internet. What we observed was irregularity in time complexity. With the addition of a single parameter and an increase in password length, time complexity increases exponentially, which makes the process tedious. Applications developed in the past were not so different from ours; they also consume a lot of time in acquiring an accurate result, as it is a hit and trial method.

Time complexity is comparatively higher, but accuracy is highly maintained. Sites which restrict login after 3 failed login attempts are also vulnerable. We have bypassed such security for some sites which restricted login to 3 attempts.

Within a second our application hits the server several thousand times. So along with brute force attacks, we have observed that our application is also useful for testing whether a website can resist a DoS (Denial of Service) attack. A DoS attack is a type of attack on web systems in which a server is hit millions of times within seconds, which causes server failure and system crashes. During the testing phase, we found that nowadays people are much more aware of these types of attacks, and most of them use filters and security measures to resist these kinds of attacks in their web systems.
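One way a site can enforce the attempt limit discussed above is shown here as an added example, not code from this project: a server-side sliding-window limiter keyed by account name, so that the count does not depend on anything the client holds. The class and function names, the 3-failures-per-15-minutes policy and the replayed traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Failed-login limiter whose state lives on the server, keyed by account."""

    def __init__(self, max_failures=3, window_s=900.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window_s:  # drop expired failures
            q.popleft()
        return q

    def allowed(self, account, now):
        """True if a password comparison may be performed for this account."""
        return len(self._recent(account, now)) < self.max_failures

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def replay(throttle, attempts, real_password):
    """Feed (time, account, password) tuples; return (checked, refused, found)."""
    checked = refused = 0
    found = False
    for now, account, password in attempts:
        if not throttle.allowed(account, now):
            refused += 1  # rejected before the password is even compared
            continue
        checked += 1
        if password == real_password:
            throttle.record_success(account)
            found = True
        else:
            throttle.record_failure(account, now)
    return checked, refused, found


# Constructed traffic shaped like the fastest localhost run: 6079 guesses in
# 66 seconds against one account, with the correct value as the last guess.
BURST = [(i * 66 / 6079, "admin", f"guess{i}") for i in range(6079)]
RESULT = replay(LoginThrottle(), BURST, "guess6078")  # (3, 6076, False)
```

Because the counter is keyed by account, a client can also use it to lock a legitimate user out, so deployments usually pair it with per-source limits or a challenge step rather than a hard lockout alone.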

So these days, given the security level of websites, the brute force method takes a very long time to find the right password, which can be tedious work. If users have patience and can deal with the time complexity, then our application can be the right choice for them to find out the passwords of admin panels and more. But if users consider it a tedious task, then it cannot be a useful one. Moreover, in some cases, a user might have forgotten the password to log in to their own platform but might have an idea of what the password would be. In such a case, if proper parameters are provided, the user can recover the password.

Hence, we can say that the brute force method and our application can be useful in some cases and useless in others. The requirements of the users determine the usability of the application.

CONCLUSION AND RECOMMENDATION

5.1 Conclusion

As a whole, we can conclude that our project will prove to be useful in light of current security issues in technology. The project aims at promptness and accuracy, so that anyone can understand it easily.

As far as possible, the project has been carried out with only minor errors and problems. Hence the project is expected to show good outcomes and performance. The simple code will help future developers to modify the project in any way they like as per their requirements. We have developed our system in a very flexible way for further modifications.

5.2 Future Recommendation

A tester can use our tool to test whether a web system is vulnerable to it. It can help them figure out login vulnerabilities so that they can take further action.

In our tool, a username has to be provided by the user for now. In the coming days, the username can also be brute forced, so that the user will only have to provide the website. Furthermore, a stronger algorithm can be embedded in order to generate strong passwords with much lower time complexity.

REFERENCES

1. ‘Attribute Retrieve’, Retrieved from https://jsoup.org/cookbook/extracting-data/attributes-text-html 21 October 2016
2. ‘Brute Force Attack’, Retrieved from http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ 21 July 2016
3. ‘Brute Force Attack’, Retrieved from https://en.wikipedia.org/wiki/Brute-force_attack 21 July 2016
4. ‘Brute Force Search’, Retrieved from https://en.wikipedia.org/wiki/Brute-force_search#Basic_algorithm 06 August 2016
5. ‘Brute Force Attack’, Retrieved from http://www.howtogeek.com/166832/brute-force-attacks-explained-how-all-encryption-is-vulnerable/ 21 July 2016
6. ‘Brute Force Cracking’, Retrieved from http://searchsecurity.techtarget.com/definition/brute-force-cracking 21 July 2016
7. ‘Brute Force Attack’, Retrieved from https://www.techopedia.com/definition/18091/brute-force-attack 21 July 2016
8. ‘Hacking, Phishing and Malware’, Retrieved from http://www.liquidweb.com/blog/index.php/hacking-phishing-and-malware-oh-my/ 20 Nov 2016
9. ‘Phishing’, Retrieved from https://en.wikipedia.org/wiki/Phishing 20 Nov 2016
10. ‘SQL injection’, Retrieved from https://en.wikipedia.org/wiki/SQL_injection 20 Nov 2016
11. ‘Top ten password cracking techniques’, Retrieved from http://www.alphr.com/features/371158/top-ten-password-cracking-techniques 20 Nov 2016
