
Brute forcing

| Method | Description | Example | Best Used When... |
|---|---|---|---|
| Simple Brute Force | Systematically tries all possible combinations of characters within a defined character set and length range. | Trying all combinations of lowercase letters from 'a' to 'z' for passwords of length 4 to 6. | No prior information about the password is available, and computational resources are abundant. |
| Dictionary Attack | Uses a pre-compiled list of common words, phrases, and passwords. | Trying passwords from a list like 'rockyou.txt' against a login form. | The target will likely use a weak or easily guessable password based on common patterns. |
| Hybrid Attack | Combines elements of simple brute force and dictionary attacks, often appending or prepending characters to dictionary words. | Adding numbers or special characters to the end of words from a dictionary list. | The target might use a slightly modified version of a common password. |
| Credential Stuffing | Leverages leaked credentials from one service to attempt access to other services, assuming users reuse passwords. | Using a list of usernames and passwords leaked from a data breach to try logging into various online accounts. | A large set of leaked credentials is available, and the target is suspected of reusing passwords across multiple services. |
| Password Spraying | Attempts a small set of commonly used passwords against a large number of usernames. | Trying passwords like 'password123' or 'qwerty' against all usernames in an organization. | Account lockout policies are in place, and the attacker aims to avoid detection by spreading attempts across multiple accounts. |
| Rainbow Table Attack | Uses pre-computed tables of password hashes to reverse hashes and recover plaintext passwords quickly. | Pre-computing hashes for all possible passwords of a certain length and character set, then comparing captured hashes against the table to find matches. | A large number of password hashes need to be cracked, and storage space for the rainbow tables is available. |
| Reverse Brute Force | Targets a single password against multiple usernames, often used in conjunction with credential stuffing attacks. | Using a leaked password from one service to try logging into multiple accounts with different usernames. | A strong suspicion exists that a particular password is being reused across multiple accounts. |
| Distributed Brute Force | Distributes the brute forcing workload across multiple computers or devices to accelerate the process. | Using a cluster of computers to perform a brute-force attack significantly increases the number of combinations that can be tried per second. | The target password or key is highly complex, and a single machine lacks the computational power to crack it within a reasonable timeframe. |
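
Seen from the defender's authentication logs, the methods in the table leave different failure patterns. The following added example (not part of the original page) classifies them over a constructed log; the log format, the function names `classify_sources` and `distributed_targets`, and the thresholds are assumptions, and the sample is treated as one already-selected time window.

```shell
#!/bin/sh
# Constructed sample auth log: <epoch> <source_ip> <username> <OK|FAIL>
sample_log() {
cat <<'EOF'
1700000000 203.0.113.10 alice FAIL
1700000002 203.0.113.10 bob FAIL
1700000004 203.0.113.10 carol FAIL
1700000006 203.0.113.10 dave FAIL
1700000010 198.51.100.7 admin FAIL
1700000011 198.51.100.7 admin FAIL
1700000012 198.51.100.7 admin FAIL
1700000013 198.51.100.7 admin FAIL
1700000014 198.51.100.7 admin FAIL
1700000020 192.0.2.50 alice FAIL
1700000025 192.0.2.50 alice OK
1700000030 198.51.100.21 svc-backup FAIL
1700000031 198.51.100.22 svc-backup FAIL
1700000032 198.51.100.23 svc-backup FAIL
EOF
}

# classify_sources MIN_USERS MIN_PER_USER  (hypothetical helper, reads log on stdin)
# Per source IP: many distinct users failed -> spray; many failures on one user -> bruteforce.
classify_sources() {
  awk -v min_users="$1" -v min_per_user="$2" '
    $4 == "FAIL" {
      fails[$2]++
      if (++per[$2, $3] == 1) users[$2]++   # first failure for this ip/user pair
      if (per[$2, $3] > maxper[$2]) maxper[$2] = per[$2, $3]
    }
    END {
      for (ip in fails) {
        verdict = "normal"
        if (users[ip] >= min_users) verdict = "spray"
        else if (maxper[ip] >= min_per_user) verdict = "bruteforce"
        printf "%s %s users=%d fails=%d\n", ip, verdict, users[ip], fails[ip]
      }
    }' | sort
}

# distributed_targets MIN_IPS  (hypothetical helper, reads log on stdin)
# Per account view: a user failing from many source IPs, which per-source counting misses.
distributed_targets() {
  awk -v min_ips="$1" '
    $4 == "FAIL" && !(($3, $2) in seen) { seen[$3, $2] = 1; ips[$3]++ }
    END { for (u in ips) if (ips[u] >= min_ips) print u, ips[u] }' | sort
}

sample_log | classify_sources 4 5
sample_log | distributed_targets 3
```

Each of the three sources hitting `svc-backup` looks normal in the per-source view, which is why the per-account view is run alongside it.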

See Default Credentials Cheat Sheet

 creds search mysql  

Dictionaries of common admin usernames: https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt

| | Password Length | Character Set | Possible Combinations |
|---|---|---|---|
| Short and Simple | 6 | Lowercase letters (a-z) | |
| Longer but Still Simple | 8 | Lowercase letters (a-z) | |
| Adding Complexity | 8 | Lowercase and uppercase letters (a-z, A-Z) | |
| Maximum Complexity | 12 | Lowercase and uppercase letters, numbers, and symbols | |

| Wordlist | Description | Typical Use | Source |
|---|---|---|---|
| rockyou.txt | A popular password wordlist containing millions of passwords leaked from the RockYou breach. | Commonly used for password brute force attacks. | RockYou breach dataset |
| top-usernames-shortlist.txt | A concise list of the most common usernames. | Suitable for quick brute force username attempts. | SecLists |
| xato-net-10-million-usernames.txt | A more extensive list of 10 million usernames. | Used for thorough username brute forcing. | SecLists |
| 2023-200_most_used_passwords.txt | A list of the 200 most commonly used passwords as of 2023. | Effective for targeting commonly reused passwords. | SecLists |
| Default-Credentials/default-passwords.txt | A list of default usernames and passwords commonly used in routers, software, and other devices. | Ideal for trying default credentials. | |
| darkweb2017-top10000.txt | | | https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top10000.txt |

Use grep to filter a dictionary down to the entries that satisfy a given password policy. For instance, assume the following policy:

  • Minimum length: 8 characters
  • Must include:
    • At least one uppercase letter
    • At least one lowercase letter
    • At least one number

Filtering minimum length of 8 characters:

grep -E '^.{8,}$' dictionary.txt > dictionary-minlength.txt

At least one uppercase letter:

grep -E '[A-Z]' dictionary-minlength.txt > dictionary-minlength-uppercase.txt

At least one lowercase letter:

grep -E '[a-z]' dictionary-minlength-uppercase.txt > dictionary-minlength-uppercase-lowercase.txt

At least one numerical digit:

grep -E '[0-9]' dictionary-minlength-uppercase-lowercase.txt > dictionary-minlength-uppercase-lowercase-number.txt

Or in one step:

grep -E '^.{8,}$' dictionary.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' > dictionary-filtered.txt
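
The entries that survive this filter are leaked passwords that still satisfy the complexity policy, so the same list can serve as a blocklist at password-change time. The following added example (not part of the original page) does the filtering in a single pass and handles CRLF line endings, which otherwise let a 7-character entry count as 8; `sample_wordlist`, `policy_filter` and `is_known_weak` are hypothetical names and the wordlist is constructed.

```shell
#!/bin/sh
# Constructed sample standing in for a leaked-password list (not real breach data).
# Lines end in CRLF on purpose, as lists collected from mixed sources often do.
sample_wordlist() {
  printf '%s\r\n' 'password' 'Password1' 'Summer2024' 'qwerty123' \
                  'Sh0rt' 'ALLUPPER99' 'Welcome123' 'Winter1'
}

# policy_filter MINLEN  (hypothetical helper, reads a wordlist on stdin)
# Keeps lines with at least MINLEN bytes, one uppercase, one lowercase, one digit.
# LC_ALL=C makes [A-Z] ASCII-only and avoids failures on non-UTF-8 bytes;
# length is therefore counted in bytes, not characters.
policy_filter() {
  LC_ALL=C awk -v min="$1" '
    { sub(/\r$/, "") }    # strip a trailing carriage return before measuring
    length($0) >= min && /[A-Z]/ && /[a-z]/ && /[0-9]/'
}

# is_known_weak CANDIDATE BLOCKLIST_FILE  (hypothetical helper)
# Exit status 0 if CANDIDATE appears as a whole line in the blocklist.
is_known_weak() {
  LC_ALL=C grep -qxF -e "$1" "$2"
}

# Stand-alone run: print the policy-compliant subset of the sample list.
sample_wordlist | policy_filter 8
```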

Last update: 2025-01-21
Created: January 19, 2025 22:33:25