Brute Force Hacking: Does It Exist?

[Iantiger]

Many a time we have all seen the posts on here: "I was hacked". 99% of these hackings were the fault of the player for downloading some third party program, or clicking an untrusted link, thus installing a keylogger or trojan on their computer. However once in a while, a person may be dead-set on denying that they did either of these things, claiming the hacking was done by "brute force", or in other words, there is nothing they could have done to prevent the hack.

 

 

 

However, surely if brute force exists, Zezima, and other such highly recognised players would be the main target, and thus you would think Zezima would have been hacked countless times.

 

 

 

What are your opinions/thoughts?

 

 

 

~Ian

[Punc]

I'm pretty sure there are people that can brute force hack, I so don't think they'll waste their time hacking RuneScape account when you can hack IRL bank account or something similar...

[Hypnotic_tapeworm]

well it is possable... but would be very hard to pull off, first off they would need to know the players i.p adress and jagex stores them (i think) so they would need to hack the jagex server or main computer or whatever they would use, then find a players i.p address and then hack them.... but as you said they would go for the more well known players accounts

 

 

 

i cant go into much more detail as i dont know how the jagex system works. but it is possable just very unlikely

 

 

 

more often its people who've just been stupid but are too stupid to admit it, i mean the ammount of people ive seen fall for the "look you cant type your password look *******" just makes me laugh

[Mordendravid]

Yes it's definitely possible. There's 2 widely recognised methods that could be employed:

 

 

 

1) Password generators - multiple login attempts under a single user name with a program entering either a pre-defined list, or generating a password on each attempt. The simple solution to this sort of access attempt is the "get your password wrong x times and account is locked" approach. I'm fairly sure that even if Jagex don't actively employ this restriction they will have monitors on their login servers looking for similar activity - it's fairly old school now.

 

 

 

2) Server side hacking - this would require accessing Jagex's servers, again probably the login servers would be targeted as account details will be stored there in order to validate login attempts. However, this sort of approach means attempting to go round security implemented by a team of experts - even if you get past the multiple firewalls and onto one of the servers you would still need to unencrypt the information held on there. Even default triple-des security is not easy to unencrypt without the access key, let alone any additional encryption algorithms that are undoubtedly used.

 

 

 

All in all if someone's got these sorts of skills they're unlikely to target a MMORPG when there are so many real life targets that would get greater kudos and/or financial gain.

 

 

 

Therefore my suspicions are that 99.999% of actual hacking is through keyloggers and trojans. Though even these examples are rare in comparison to people simply sharing their password with a friend/writing it down somewhere obvious or using a password which is ridiculously easy to guess.

 

 

 

I would also suggest that (as per Jagex's rules) people avoid using any illegal 3rd party clients to access the game - you're providing all your details to someone that you've never met and risking a ban from the game to boot.

 

 

 

Just my $0.02

 

 

 

EDIT: PS I have not listed a number of other potential hacking approaches simply 2 that are very well known. The reason for this should be obvious.

[Hypnotic_tapeworm]

All in all if someone's got these sorts of skills they're unlikely to target a MMORPG when there are so many real life targets that would get greater kudos and/or financial gain

 

 

 

Exactly!

[Duke_Freedom]

2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters

 

 

 

Let's say a password of 8 characters..

 

 

 

62^8 ~ 2 * 10^14

 

 

 

Let's say one trial takes 1 second :lol:.

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

Nope, noone is getting brute force hacked in this game.

 

 

 

Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;)

 

 

 

However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary.

[Hypnotic_tapeworm]

However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary.

 

 

 

or maybe they did download something without realising(sp) and dont run anti virus/spyware programs so dont realise they have a ton of key loggers or trojans lol

[swampjedi]

Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force.

[Bubsa]

Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force.

 

 

 

Beaten to it. I think this was what you were getting at Ian.

[ixfd64]

I don't think RuneScape passwords are case-sensitive, though. They should be, in my opinion.

[Duke_Freedom]

Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force.

 

 

 

Beaten to it. I think this was what you were getting at Ian.

 

 

 

Still, if you get hacked as a result of a dictionary attack (which will still take a significant time period, but more realistic then brute-force, unless Jagex has a system in place which blocks ip's after x wrong passwords) that just means you were too careless in making a secure password in the first place...

 

 

 

But since it are usually not extremely high leveled players / rich who got 'hacked', I don't think they were a victim of dictionary attacks either.

 

 

 

I don't think RuneScape passwords are case-sensitive, though. They should be, in my opinion.

 

 

 

Hm your right - and yeah they should be, was surprised to see they aren't.. :?

[Bubsa]

Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force.

 

 

 

Beaten to it. I think this was what you were getting at Ian.

 

 

 

Still, if you get hacked as a result of a dictionary attack (which will still take a significant time period, but more realistic then brute-force, unless Jagex has a system in place which blocks ip's after x wrong passwords) that just means you were too careless in making a secure password in the first place...

 

 

 

I agree wholeheartedly. I think that highlights the importance of alpha-numeric passwords.

[petey]

Let's say one trial takes 1 second

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :?

[lankyman1]

yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid..

 

 

 

it can be done in days and brute force hacking is possible. But why would you want to hack a game where you get pixels.. lol. i'm sure those hackers have better things to get.. like adult website passwords.. stuff that has a use.

[Duke_Freedom]

yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid..

 

 

 

I'm glad you have no idea what you are talking about and prove that by calling me stupid.. Thanks.

 

 

 

usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke

 

 

 

Well if you try filling in your username and a wrong password and then check how long it takes before you get a reply from the server that says that the password is incorrect, you'll see that it takes much longer then a second.

 

 

 

But if you use a bit more advanced techniques you're right that you may be able to circumvent that though, no idea about that. It doesn't really matter that much anyway... If it takes 5-12 thousand variations a second brute-forcing is still not feasible.

[nvw08]

yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid..

 

 

 

it can be done in days and brute force hacking is possible. But why would you want to hack a game where you get pixels.. lol. i'm sure those hackers have better things to get.. like adult website passwords.. stuff that has a use.

 

 

 

Since your so uber smart can you tell me how you can brute force attack someone in days? If your talking about dictionary attacks that's different... I personally believe Duke Freedom seeing as he has probably been playing a lot longer then you as well as being very knowledgeable about the game so untill you can tell me how to do it in a few days I'm goin with 1.6 million years as the leingth for a standard brute force attack :wink:

[Ball_of_Pain_Reborn]

Let's say one trial takes 1 second

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :?

 

Hmm, I was thinking about that and I doupt it would be possible 'cus the runescape login isn't standard because you cannot simply tab your way into the field and press enter. You would have to set up an auto clicker to move between the 2 thingys and that would be pretty hard.

[dwarfie76]

But if you use a bit more advanced techniques you're right that you may be able to circumvent that though, no idea about that. It doesn't really matter that much anyway... If it takes 5-12 thousand variations a second brute-forcing is still not feasible.

 

 

 

The way a lot of people are getting compromised is using the same password ingame that they use on forum sites like this one. It's a reasonably trivial exercise to extract a user's password hash from a phpBB forum using SQL injection techniques. Once you have that you can crack the hash at your leisure. There are 32 digits in an MD5 algorithm meaning that for each character there are only 512 possible guesses. Tackling the MD5 one character at a time is far more efficient than trying to brute force the password. Once you have the MD5 key you can then crack any password hash you manage to get your hands on pretty easily.

[Unrealist]

Let's say one trial takes 1 second

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :?

 

Hmm, I was thinking about that and I doupt it would be possible 'cus the runescape login isn't standard because you cannot simply tab your way into the field and press enter. You would have to set up an auto clicker to move between the 2 thingys and that would be pretty hard.

 

 

 

Actually, pressing the enter button can move you between username and password. Mine can, at any rate.

[Taito2004]

It wouldn't happen on Jagex's side.. Jagex is a multi million buisness whhich could be shut down in an instant if they allowed someone to get hacked.

 

 

 

The data protection act states that all infomation stored about someone must be kept safe under penalty of law, and if someone were to hack their servers this makes this infomation no longer safe.. the company would be either fined millions (thus probable putting them outta business) or shut down completly.

[X-Arcade-X]

I guess I'm the first one to state that the applet won't let you log-in for 60 seconds after 7 invalid attempts. :lol:

 

 

 

It's all about what you call "brute-forcing". I can go and enter

 

 

 

Username: Zezima

 

Password: tweedledumtweedledee

 

 

 

And if that doesn't work,

 

 

 

Username: Zezima

 

Password: tweedledumtweedledoo

 

 

 

And if that doesn't work, I'll give up. But hey, it could. Would you call 2 tries a brute-force or a random attempt?

[lakiisdebest]

well u coud instal keyloggers on library computers or on school.

 

just to get an rs/hotmail/habbo (nvm) or so.

 

and yea... i have lost my rs acc becouse my comp was broken and there was an drop party and well i wanted to go just for fun (first drop and then go pking) and so i have lost my lvl 98 member acc

 

(witch i later saw back at one of the acc being banned ^^)

[dwarfie76]

I guess I'm the first one to state that the applet won't let you log-in for 60 seconds after 7 invalid attempts. :lol:

 

 

 

Although if you were to attempt a brute force attack, you wouldn't use the applet, rather write a script which mimics the HTTP request that the applet sends to the server.

[zaquierming]

2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters

 

 

 

Let's say a password of 8 characters..

 

 

 

62^8 ~ 2 * 10^14

 

 

 

Let's say one trial takes 1 second :lol:.

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

Nope, noone is getting brute force hacked in this game.

 

 

 

Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;)

 

 

 

However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary.

 

 

 

 

 

Even then, They would need to have the same password for, 6 years.

[gotsol]

2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters

 

 

 

Let's say a password of 8 characters..

 

 

 

62^8 ~ 2 * 10^14

 

 

 

Let's say one trial takes 1 second :lol:.

 

 

 

2*10^14 / (3600 * 24 * 365) = 1.6 million years on average.

 

 

 

Nope, noone is getting brute force hacked in this game.

 

 

 

Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;)

 

 

 

However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary.

 

 

 

true but lets say the person has mmmm idk 10 computers much faster, but yes very rare