So on an online gaming forum that I sometimes read,
occasionally, someone writes on the forums that they've been "hacked", when really, they fell for a fake "Gimme your account info, and you'll get X amount of in-game money".
However, in a thread I read today, someone claimed that they got hacked because someone only knew their email for the account. My mind raised a question "was it a brute force?"
Meanwhile, the game's developers say that hacking the password is "Impossible". But from what I've learned so far, nothing is truly un-hackable.
So it brings me to my main question:
How do brute force attack programs/password-cracking programs (John the Ripper, Cain&Abel, THCHydra) work?
and do brute force attacks work on all types of logins? (I'm not asking this to try it, but rather because out of curiosity)
Thanks
3 Responses
To hack something remotely you'll want to use Hydra, it can hack lots of different protocol and also http forms (which means the gaming website login). Now if the website has implemented anti-bruteforce conventions (like after 10 tries it blocks the ip, or after each failed attempt you must wait 10 seconds) then it makes it a lot more difficult, almost impossible.
What is more likely is that once they had his email they bruteforced a website that didn't have those security measure in place and since people use the same password for everything he then got into his gaming account. Or maybe he just got social engineered like the rest of them through a phising email.
The key thing to remember is that they is always more than 1 way in and a hacker jobs is to find those different access points and exploit them
Cheers,
washu
The way brute force attack programs work is by sending many automatic requests to the login server each with a different set of characters set by the user until one logs in. for example if the English alphabet was the character set and the password was four letters than the brute force program would try:
aaaa
aaab
aaac
...
aaba
aabb
...
zzz
and eventually it would hit the right password.
Other brute force attacks do it locally by hashing the different passwords and then comparing them to the hash provided untill a match is found for example if the hash is (3963a2ba65ac8eb1c6e2140460031925) then the program would try:
74b87337454200d4d33f80c4663dc5e5
4c189b020ceb022e0ecc42482802e2b8
3963a2ba65ac8eb1c6e2140460031925 <---
However, this attack is only useful if you have the users hash which would be obtained by hacking the webstie which for a big company would take lots of time and skill.
Hope this helped
-Joe
already trying brute force and dictionary attack,but hydra just give me a wrong password even when im already put the right one on the wordlist
soo sad :/ many dissapointment
Share Your Thoughts