Friday, May 11, 2012

Password Cracking – Part 7 – Hybrid




What is a hybrid attack?
A hybrid attack is a mixture of both a dictionary and brute force attack. That means that like a dictionary attack, you would provide a wordlist of passwords and a brute-force attack would be applied to each possible password in that list.
A hybrid attack is like the beginning of an MMORPG where you choose your character design. Your figure stays the same but you have the choice to change your clothes, hair and color until you have the look you want, a badass Schwarzenegger or a medieval hooker.
On my first day as a freshman in high school, I was given a username and password for the school’s computer network. Everyone’s password was set to the first initial of their first name, their last name and birth date. So if my name was Bob Sagat and I was born on May 22, 2010, my password would be “bsagat052210”. This wasn’t a great way to distribute passwords, but we did have to change it after we first logged in. Can you see why a hybrid would be an effective attack in this case? What I could have easily done was get a list of every freshman student in the school and apply a brute force attack to the end of each name. The rule would look something like this:
(first initial of first name)(last name)([0-9] [0-9] [0-9] [0-9] [0-9] [0-9])
In this case, a hybrid attack would have enabled me to crack every single student’s password within a few minutes.
When should I use a hybrid attack?
Use a hybrid attack whenever you have an idea of how a password is formatted. For example, if you dump a database of password hashes from a website, and after trying a dictionary attack against it you are left with many uncracked passwords, then take a look at the password requirements for that website. Many websites require a password to be made a certain way. For example it may require a password to have at least two numbers and a special character. Knowing how people like to make things as easy as possible for themselves, you can safely guess that many people used exactly two numbers and one special character. Armed with this knowledge you can go back to your dictionary file and apply a brute force attack to it (making it a hybrid attack), trying the following combinations:
([0-9] | SC) ([0-9] | SC) ([0-9] | SC) (password) or
(password) ([0-9] | SC) ([0-9] | SC) ([0-9] | SC)
Where SC = Special Character (ex. !,@,#,$) and (| = or).
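Turned around for the defender, the rules above become a password-policy check. This is an added example, not code from the original post: it flags a password that the school scheme or either mask would cover and counts how few candidates each rule needs. The wordlist, roster, function names and the four-character SC set are constructed assumptions.

```python
import re

DIGITS = "0123456789"
SPECIALS = "!@#$"   # assumption: the post gives these four only as examples of SC
AFFIX_LEN = 3       # the post's masks use three ([0-9] | SC) positions
AFFIX = "[" + re.escape(DIGITS + SPECIALS) + "]{%d}" % AFFIX_LEN

# Constructed sample data, not taken from any real system.
WORDLIST = ["password", "dragon", "letmein"]
ROSTER = [("Bob", "Sagat")]


def school_space(roster_size):
    """Candidates for (first initial)(last name)(six digits) over a roster."""
    return roster_size * 10 ** 6


def hybrid_space(wordlist_size, affix_len=AFFIX_LEN):
    """At most this many candidates for affix+word and word+affix together."""
    return 2 * wordlist_size * len(DIGITS + SPECIALS) ** affix_len


def audit(password, wordlist, roster=()):
    """Return the name of the rule that covers `password`, or None."""
    pw = password.lower()
    for first, last in roster:
        stem = re.escape((first[0] + last).lower())
        if re.fullmatch(stem + "[0-9]{6}", pw):
            return "school-default"
    words = {w.lower() for w in wordlist}
    m = re.fullmatch("(%s)(.+)" % AFFIX, pw)
    if m and m.group(2) in words:
        return "affix+word"
    m = re.fullmatch("(.+)(%s)" % AFFIX, pw)
    if m and m.group(1) in words:
        return "word+affix"
    return None


if __name__ == "__main__":
    for candidate in ["bsagat052210", "password12!", "#42dragon"]:
        print(candidate, "->", audit(candidate, WORDLIST, ROSTER))
    print("school rule, 500 students:", school_space(500))
    print("hybrid masks, 3 words:", hybrid_space(len(WORDLIST)))
```

A password that `audit` flags should be rejected at change time, since it sits inside a search space far smaller than a brute force over the same length.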

Password Cracking – Part 6 – Brute Force





What is a brute force attack?
A brute force attack is a password attack where every possible combination in a range of characters is generated and used against the password hash.
For those visual learners, a brute force attack is presented pretty well with a Rubik’s Cube. The brute force attack would be the act of your hand turning the cubes in every possible direction to create different combinations until finally the Rubik’s Cube is solved and you have matching colors, the password.
When selecting a range of characters to use for a brute force attack, you have a few options. Below are the ones available in the popular cracking program, Brutus.
  • Numerical – Use any numbers from 0-9
  • Lowercase Alpha – The lowercase alphabet
  • Uppercase Alpha – The uppercase alphabet
  • Mixed Alpha – Both lowercase and uppercase
  • Alphanumeric – The lowercase and uppercase alphabet plus digits 0-9
  • Full Keyspace – Everything above including all the special characters on your keyboard.
  • Custom Range – If you have an idea of the characters included in the password(s) you can create
    a custom list of characters to use.
Each range option yields a different amount of possible password combinations. Let’s look at how many combinations there are for a password of 0-6 characters in length.
  • Numerical – 1,111,110 Passwords
  • Lowercase Alpha – 321,272,406 Passwords
  • Uppercase Alpha – 321,272,406 Passwords (obviously the same because it’s the same amount of
    characters)
  • Mixed Alpha – 20,158,268,676 Passwords
  • Alphanumeric – 57,731,386,986 Passwords
  • Full Keyspace – 697,287,735,690 Passwords
For a six character password, we are hitting over 697 Billion combinations for the full keyspace! And by just adding one more character to the password making it 0-7, the number of combinations jumps to 65,545,047,154,955, that’s over 65 Trillion! As you can see, it makes a big difference having an idea of what types of characters are being used in the password(s) and how long it is.
Calculating Number of Combinations
You now have an idea of how the number of combinations can grow with the addition of a new character or an extra character in the password, but how are these numbers calculated? Simple.
If you are doing a Numerical attack on a 6 character long password, that means there are 10 possible different characters (0-9) that you can use. So the equation to calculate the number of different combinations is:

$(\text{number of different possible characters})^{\text{password length}}$
So the expression for our example would be:

$10^6$
Which, once calculated, comes out to 1,000,000 combinations.
Wait! Didn’t I state that there are 1,111,110 possible combinations for the same character set before? Yes, but it was for passwords that consisted of 0 to 6 characters long, not just 6. If you don’t get what I mean, look at it this way. When I’m looking for all the possible combinations of a password that is of length 0 to 6, I need to account for the combinations of all the 6 character length combinations, 5 character combinations, 4 character combinations and so on. If you were doing it out, this is what it would look like:

$10^6 + 10^5 + 10^4 + 10^3 + 10^2 + 10^1 = 1111110$
This would get pretty tedious if you had to do it manually for long numbers, so here’s a simple C script I put together that does it out for you:
#include <stdio.h>
#include <math.h>

int main(void) {
    int n = 10; // number of possible characters
    int a = 6;  // length of the password
    // x will hold the answer; it is an unsigned long long int so that it can
    // hold the largest possible number
    unsigned long long int x = 0;
    while (a >= 1) { // keep going until a is 1
        // take n to the power of a and add it to x (pow returns a double,
        // which is exact only for results below 2^53)
        x += (unsigned long long int)pow(n, a);
        a--; // subtract 1 from a
    } // do it again until a is lower than 1
    printf("The number of possible combinations is %llu.\n", x); // finally print the answer
    return 0;
}
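The same sum can be used the other way round, as a rough strength check. This is an added example, not the author's script: it finds the smallest of the ranges listed above that contains a given password and reports how many candidates a brute force of that range up to the password's length would try. The function names are assumptions, and "Full Keyspace" is taken to be the 94 printable ASCII characters, which reproduces the figure quoted earlier.

```python
import string

# Ranges as listed in the post, smallest first.
RANGES = [
    ("Numerical", string.digits),
    ("Lowercase Alpha", string.ascii_lowercase),
    ("Uppercase Alpha", string.ascii_uppercase),
    ("Mixed Alpha", string.ascii_letters),
    ("Alphanumeric", string.ascii_letters + string.digits),
    ("Full Keyspace",
     string.ascii_letters + string.digits + string.punctuation),
]


def keyspace(charset_size, max_len):
    """Candidates of length 1..max_len: n^1 + n^2 + ... + n^max_len."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def smallest_range(password):
    """First listed range that contains every character of the password."""
    for name, chars in RANGES:
        if password and set(password) <= set(chars):
            return name, chars
    return None, None  # empty, or a character outside the listed ranges


def worst_case_guesses(password):
    """(range name, candidates to exhaust that range up to this length)."""
    name, chars = smallest_range(password)
    if name is None:
        return None, None
    return name, keyspace(len(chars), len(password))


if __name__ == "__main__":
    # Constructed sample passwords, all six characters long.
    for pw in ["052210", "bsagat", "Bs4g!t"]:
        print(pw, worst_case_guesses(pw))
```

Python integers are arbitrary precision, so the totals stay exact for any length.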

Backwards Brute Force Attack
A backwards brute force attack is a brute force attack against usernames. Instead of using the brute force attack to create and try a bunch of password combinations, you will most likely be using one password and using the brute force attack to generate all possible usernames in a range of characters, trying that password (or passwords) against each of them.
When should you use a Brute Force attack?
Only use a brute force attack when a Dictionary and all other options fail. A brute force attack takes a lot of resources and a lot of time to perform. Depending on how big the password is, the range of characters being used and the resources available, a brute force attack can take years to fully complete as you’ll see later on.
