Brute Force/ Dictionary Attack

A Dictionary Attack tries to guess passwords with the help of lists. The goal is to use a list of known passwords to guess an unknown password. This method is useful whenever it can be assumed that passwords with reasonable character combinations are used.

A Brute Force Attack does not depend on a wordlist of common passwords, but it works by trying all possible character combinations for the length we specified. For example, if we specify the password's length as 4, it would test all keys from aaaa to zzzz, literally brute forcing all characters to find a working password.

---

Methods of Brute Force Attacks

There are many methodologies to carry a Login Brute Force attacks:

Attack	Description
Online Brute Force Attack	Attacking a live application over the network, like HTTP, HTTPs, SSH, FTP, and others
Offline Brute Force Attack	Also known as Offline Password Cracking, where you attempt to crack a hash of an encrypted password.
Reverse Brute Force Attack	Also known as username brute-forcing, where you try a single common password with a list of usernames on a certain service.
Hybrid Brute Force Attack	Attacking a user by creating a customized password wordlist, built using known intelligence about the user or the service.

Here is a small list of files that can contain hashed passwords:

Windows	Linux
unattend.xml	shadow
sysprep.inf	shadow.bak
SAM	password