We are br00t! This simple concept is not unlike any other distributed computing appliance. Clients access br00t via a webpage, which can be disguised as just about any other webpage. However, the server host has instructions to provide every additional client who accesses br00t with tasks aimed at brute-force attacking a specified target's password. Complex, hashed, and "secure" passwords wither away in the face of multiple clients' machines helping crack the code, an unbeknownst to the users themselves.

These instructions are hidden away in the server's code, though the packet transactions of the clients' machine can be revealed through a tool like Chrome Developer Tools. For the average joe, this attack can remain stealthy, lightweight, and potentially harmful, as the processing power--and blame-- is distributed amongst all who access a particular website.

It's unknown how common an attack of this nature may be, as few security researchers take this approach and the individuals who may use a similar attack are not security researchers. Additionally, this attack shares many characteristics with a botnet, though it maintains its presence purely from client-side accesses to a webpage rather than a penetration from an external server or machine.

Stack: full-stack nodejs app, running express package, base64 math package, and utilizing ngrok to create a distributed tunneling network.

Share this project: