A Brute-force attack is a technique(Procedure or Method) for obtaining or finding-out information by trying every key combination in an effort to find an unknown value and to try a large number of possible values by using an automated process.
This automated software is helpful to create/generate/produce a huge number of consecutive guesses as to the value of the needed(desired) data. Due to the number of possible combinations of symbols, numbers & letters, this attack can take too long time to complete(can take several hours, days, months, and even years to run). The higher the type of encryption used (64-bit, 128-bit or 256-bit encryption), the longer time it can take.
Using Session-ID To conduct Attack(Brute-Force)
There is a method known as Session/Credential Prediction to conduct Attack/hijacking or impersonating a web site user. Guessing/Assuming or Deducing is the unique value that discovers a specific session or user conduct the attack. Many web sites are designed to track and validate the user when interaction/communication is first established. Users must have to give their identity to the web site, by providing username/password (credentials) combination. Web sites will generate a unique "session ID" to identify the user session as authenticated. Upcoming communication between the user and the web site is tagged with the session ID as "proof" of the valid session. If an attacker is able predict or guess the session ID of another user, fraudulent activity is possible.
Proprietary Algorithms are used to generate session IDs by many web sites. These custom techniques may generate session IDs by simply increasing static numbers. Or there could be more difficult techniques/approach such as factoring in time and other computer specific variables.
In a Cookie/URL/Hidden-form-field where session-ID is stored. If an tracker can discover the algorithm used to generate the session ID, an attack can be set as follows:
attacker links to the web application and obtain/grab/get the current session ID.
attacker evaluates, or Hijack the next session ID.
attacker controls the present values in the hidden-form-field/cookie/URL and considers the identity(ID) of the next user.
Below are few steps which can be used as protection from Brute-force(hijacking) attacks:
1. By using the complex passwords.
2. Limiting the number of times a user can attempt to login.
3. Account of user should be temporarily locked who exceed the specified maximum number of login attempts.