Bruteforce vs Dictionary attack

davinciscode29 (Member, joined Jun 25, 2024)

I regularly see a small misunderstanding:
people who think of password lists when they think of bruteforcing.

That's why this share/tutorial/whatever :)

I don't know if this is necessary, but it's better to have too much tutwarn than too little :)

[tutwarn]

What is Bruteforcing

Bruteforcing is not real hacking, and it is also quite outdated these days.
A Dictionary Attack is often referred to as “brute force”.
However, this is not entirely correct as the details work completely differently.
The basis is approximately the same, but the operation is different.

A brute force is, as the name suggests, an attack with brute force.
With a brute force attack you grab a scope and go through all the combinations.
However, this gives a lot of attempts that you have to go through.

Below in the spoilers are a number of examples with the maximum number of attempts that must be made.
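Calculate the number of attempts as follows, where scopelength is the number of symbols in the scope and characters is the length of the password:

combinations = scopelength^characters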


Here you see an example of a bruteforce under the scope [a-z] with a length of 8:



aaaaaaaa
aaaaaaab
aaaaaaac
aaaaaaad
aaaaaaae
....
aaaaaaaz
aaaaaaba
aaaaaabb


this gives us the following calculation:



p = 26^8


so the maximum number of attempts is:



208,827,064,576

Here you see an example of a bruteforce under the scope [a-zA-Z] with a length of 8:



aaaaaaaa
aaaaaaab
aaaaaaac
aaaaaaad
aaaaaaae
....
aaaaaaaz
aaaaaaaA
aaaaaaaB
aaaaaaaC
aaaaaaaD
aaaaaaaE
....
aaaaaaaZ
aaaaaaba
aaaaaabb
aaaaaabc
....
aaaaaabz
aaaaaabA
aaaaaabB
aaaaaabC
....
ZZZZZZZZ


this gives us the following calculation:



p = 52^8


so the maximum number of attempts is:



53,459,728,531,456

Here you see an example of a bruteforce under the scope [a-z0-9A-Z] with a length of 8:



aaaaaaaa
aaaaaaab
aaaaaaac
aaaaaaad
aaaaaaae
....
aaaaaaaz
aaaaaaa0
aaaaaaa1
aaaaaaa2
aaaaaaa3
aaaaaaa4
....
aaaaaaa9
aaaaaaaA
aaaaaaaB
aaaaaaaC
....
aaaaaaaZ
aaaaaaba
aaaaaabb
aaaaaabc
....
ZZZZZZZZ


this gives us the following calculation:



p = 62^8


so the maximum number of attempts is:



218,340,105,584,896

Assuming you do an OFFLINE crack (so you have a hash or something and try to crack it on your own PC), with oclHashcat and an AMD HD7970 against an MD5 hash with scope [0-9,a-z,A-Z] you get this nice formula:

H = 815650000 # the number of attempts your GPU can make in 1 second
A = 218340105584896 # the maximum number of attempts
Ts = A/H


So



Ts = 267,688.47616612 # Time in seconds
Tm = 4,461.47460276867 # Time in minutes
Th = 74.3579100461445 # Time in hours
Td = 3.09824625192269 # Time in days


So you spend roughly 3 days on an MD5 hash. (time may differ depending on the length of the source - i.e. the password - and your GPU)
And we all know how fast MD5 can be cracked. :)

Nowadays (hopefully) no one uses MD5 like that for password hashing, for example.

Due to the large number of attempts that need to be made, bruteforcing is not recommended for an ONLINE attack. (e.g. a Facebook account)

A “simple” patch is to limit the number of login attempts per account/source.

Now that we know what true bruteforcing is, let's look at what most people mean by “bruteforce”: the Dictionary Attack.

What is a Dictionary Attack?

A Dictionary Attack uses a list of words (the Dictionary).
Dictionary Attacks are quite simple and fast, but there is a major disadvantage:
the “patch” for it is extremely simple to apply: just generate a unique password *cough* lastpass *cough*

Many people often use the same passwords, such as:



ninja
password1234
12345678


Dictionaries can therefore be made, which can also be found quite easily (just google: “top 1000 most used passwords”)
I mainly see it among noobs and at Capture-The-Flag competitions.
However, they are mainly “luck based” because you have to be lucky that the user had exactly a password that appeared in your list.

Dictionary attacks are mainly “effective” for ONLINE attacks (against, for example, a Facebook account)

Epilogue

I hope you were able to learn something from this.
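
The post's "simple patch" of limiting login attempts per account/source can be sketched as a sliding-window throttle. This is an added example, not code from the original post; the class and function names, the limits (5 per account, 20 per source) and the 15-minute window are assumptions chosen for illustration.

```python
import time
from collections import deque

class LoginThrottle:
    """Sliding-window cap on failed logins, counted per account and per source."""

    def __init__(self, max_per_account=5, max_per_source=20, window=900.0,
                 clock=time.monotonic):
        # Limits and window are illustrative assumptions, not recommendations.
        self.limits = {"account": max_per_account, "source": max_per_source}
        self.window = window
        self.clock = clock
        self.failures = {}  # (kind, value) -> deque of failure timestamps

    def _recent(self, key):
        q = self.failures.get(key)
        if not q:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:  # forget failures older than the window
            q.popleft()
        return len(q)

    def allowed(self, account, source):
        """Call before checking the password; False means reject unchecked."""
        return (self._recent(("account", account)) < self.limits["account"]
                and self._recent(("source", source)) < self.limits["source"])

    def record_failure(self, account, source):
        now = self.clock()
        for key in (("account", account), ("source", source)):
            self.failures.setdefault(key, deque()).append(now)

    def record_success(self, account):
        # Clear the account counter only: a source guessing across many
        # accounts stays throttled even if one of its logins succeeds.
        self.failures.pop(("account", account), None)

def count_checked(throttle, attempts):
    """Replay (account, source) failed attempts; count those reaching the check."""
    checked = 0
    for account, source in attempts:
        if throttle.allowed(account, source):
            checked += 1
            throttle.record_failure(account, source)
    return checked

def seconds_to_exhaust(candidates, max_attempts, window):
    """Worst-case time to try `candidates` guesses on one throttled account."""
    return candidates / max_attempts * window
```

With these assumed limits, a "top 1000" list against one account takes 50 hours instead of seconds, and the per-source counter caps a single source trying one common password across many accounts.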
 
