CAPEC-112: Brute Force

Description
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
Extended Description

Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information.

Severity :

High

Possibility :

Type :

Meta
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-20: Encryption Brute Forcing Encryption Brute Forcing CAPEC-49: Password Brute Forcing Password Brute Forcing
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Brute Force WASC | Brute Force OWASP Attacks | Brute force attack
Resources required

None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-326: Inadequate Encryption Strength

CWE-330: Use of Insufficiently Random Values

CWE-521: Weak Password Requirements

Visit http://capec.mitre.org/ for more details.