Brute forcing
Method | Description | Example | Best Used When... |
---|---|---|---|
Simple Brute Force | Systematically tries all possible combinations of characters within a defined character set and length range. | Trying all combinations of lowercase letters from 'a' to 'z' for passwords of length 4 to 6. | No prior information about the password is available, and computational resources are abundant. |
Dictionary Attack | Uses a pre-compiled list of common words, phrases, and passwords. | Trying passwords from a list like 'rockyou.txt' against a login form. | The target will likely use a weak or easily guessable password based on common patterns. |
Hybrid Attack | Combines elements of simple brute force and dictionary attacks, often appending or prepending characters to dictionary words. | Adding numbers or special characters to the end of words from a dictionary list. | The target might use a slightly modified version of a common password. |
Credential Stuffing | Leverages leaked credentials from one service to attempt access to other services, assuming users reuse passwords. | Using a list of usernames and passwords leaked from a data breach to try logging into various online accounts. | A large set of leaked credentials is available, and the target is suspected of reusing passwords across multiple services. |
Password Spraying | Attempts a small set of commonly used passwords against a large number of usernames. | Trying passwords like 'password123' or 'qwerty' against all usernames in an organization. | Account lockout policies are in place, and the attacker aims to avoid detection by spreading attempts across multiple accounts. |
Rainbow Table Attack | Uses pre-computed tables of password hashes to reverse hashes and recover plaintext passwords quickly. | Pre-computing hashes for all possible passwords of a certain length and character set, then comparing captured hashes against the table to find matches. | A large number of password hashes need to be cracked, and storage space for the rainbow tables is available. |
Reverse Brute Force | Targets a single password against multiple usernames, often used in conjunction with credential stuffing attacks. | Using a leaked password from one service to try logging into multiple accounts with different usernames. | A strong suspicion exists that a particular password is being reused across multiple accounts. |
Distributed Brute Force | Distributes the brute forcing workload across multiple computers or devices to accelerate the process. | Using a cluster of computers to perform a brute-force attack significantly increases the number of combinations that can be tried per second. | The target password or key is highly complex, and a single machine lacks the computational power to crack it within a reasonable timeframe. |
See Default Credentials Cheat Sheet
Dictionaries of common admin usernames: https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt
Password Length | Character Set | Possible Combinations |
---|---|---|
6 (Short and Simple) | Lowercase letters (a-z) | |
8 (Longer but Still Simple) | Lowercase letters (a-z) | |
8 (Adding Complexity) | Lowercase and uppercase letters (a-z, A-Z) | |
12 (Maximum Complexity) | Lowercase and uppercase letters, numbers, and symbols | |
Wordlist | Description | Typical Use | Source |
---|---|---|---|
rockyou.txt | A popular password wordlist containing millions of passwords leaked from the RockYou breach. | Commonly used for password brute force attacks. | RockYou breach dataset |
top-usernames-shortlist.txt | A concise list of the most common usernames. | Suitable for quick brute force username attempts. | SecLists |
xato-net-10-million-usernames.txt | A more extensive list of 10 million usernames. | Used for thorough username brute forcing. | SecLists |
2023-200_most_used_passwords.txt | A list of the 200 most commonly used passwords as of 2023. | Effective for targeting commonly reused passwords. | SecLists |
Default-Credentials/default-passwords.txt | A list of default usernames and passwords commonly used in routers, software, and other devices. | Ideal for trying default credentials. | |
darkweb2017-top10000.txt | | | https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top10000.txt |
Using grep to filter dictionaries according to a password policy. For instance, suppose the following policy applies to passwords:
- Minimum length: 8 characters
- Must include:
  - At least one uppercase letter
  - At least one lowercase letter
  - At least one number
Filtering for a minimum length of 8 characters:
At least one uppercase letter:
At least one lowercase letter:
At least one numerical digit:
Or in one step:
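The policy above applied to a small wordlist, as an added example that is not part of the original cheat sheet; the function names and the embedded sample list are constructed, and the one-step variant uses awk rather than GNU-only grep -P so it stays portable.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: keep only wordlist entries
# that satisfy the policy above (>= 8 chars, an uppercase letter, a lowercase
# letter and a digit). Function names and the sample list are constructed.

# Constructed sample wordlist, embedded so the example runs offline.
SAMPLE_WORDLIST='password
Password1
Passw0rd
letmein
ABCDEFGH1
abcdefgh
Abc1
Summer2024!
qwerty123
Xy7'

# One grep stage per rule: easy to read and to adapt when a rule changes.
# POSIX ERE has no lookahead, so the rules are chained rather than combined.
filter_by_policy_stepwise() {
    grep -E '^.{8,}$' \
    | grep -E '[A-Z]'  \
    | grep -E '[a-z]'  \
    | grep -E '[0-9]'
}

# The same policy in a single portable pass (awk instead of GNU-only grep -P).
filter_by_policy_onestep() {
    awk 'length($0) >= 8 && /[A-Z]/ && /[a-z]/ && /[0-9]/'
}

# Convenience wrapper for a real wordlist file, e.g. rockyou.txt.
filter_wordlist_file() {
    filter_by_policy_onestep < "$1"
}

# Number of entries that survive the filter: the size of the candidate set
# a reviewer should expect the policy to leave in a given dictionary.
count_policy_matches() {
    filter_by_policy_onestep | wc -l | tr -d ' '
}

# Demonstration on the constructed list. Weak but policy-compliant entries
# such as Password1 and Passw0rd survive: a complexity policy on its own does
# not remove dictionary words, which is why breached-password checks matter.
printf '%s\n' "$SAMPLE_WORDLIST" | filter_by_policy_stepwise
printf '%s\n' "$SAMPLE_WORDLIST" | count_policy_matches
```

Run `filter_wordlist_file rockyou.txt > rockyou-policy.txt` to produce a policy-compliant subset of a real dictionary.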
Created: January 19, 2025 22:33:25