Brute Force Attack v/s Dictionary Attack

Password Cracking is basically getting unauthorized access to a victim account using different methods from which two are discussed below. There are many other ways of getting credentials the most used one is phishing attack. Below we discuss two types of cracking attacks.

Brute-Force Attack 

It’s a type of attack in which the attacker tries to do a trial-and-error attack on victim machine with either a predefined wordlist or create his own wordlist using crunch in which words might not make sense. 

This kind of attack is most often used in cracking of WEP/WPA/WPA2 cracking. The probability of getting password via Brute-Force attack is low. Also, if the attacker uses the same trick against a website, it might not work as the website may have a maximum attempt rule. 

The tools that can be used for brute forcing are:
  • aircrack-ng: used for WiFi password. Command - aircrack-ng -w (wordlist File) -b (MAC of the network) xyz.cap(cap file or the handshake file)
  • hyrda: used in web apps, SSH, FTP, etc. Command - hydra -l(for single username)/-L(wordlist of usernames) -p/-P(single/list of password) <target-url> <module-name(post/get)> <parameters>

Dictionary Attack

In a dictionary attack the wordlist is created using some basic information of the target like name, DOB, etc. In case of website CeWL is the best tool as it searches the website for the keywords of the length that is specified and collect those names in a file and store is as a wordlist. 

The dictionary attack is similar to brute-force as in both wordlist is used but the words used in dictionary attack are meaningful words just like in dictionaries.  

One that can be used is rockyou.txt which is available in “/usr/share/wordlist” 

CeWL command - cewl -m 5(min_length of word) -w (name of file in which words should be stored) “URL”
These are the most commonly used tool and there are many more like Medusa, Ncrack, Wpscan, etc.
We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment