It is often said that “Necessity is the mother of invention”. Well, for this article I should say that “Aggravation is the father of this article”.
I wish I could say this article discusses a new cutting-edge technique or a really nifty new tool. It doesn’t. It’s a simple article with a simple message regarding the difference between a brute force attack and a dictionary attack.
Why the need for such an article?
Well, to be honest, it’s because I often read about tools and techniques that describe using dictionary files as a “brute force” attack vector. Since when is a dictionary attack the same as a brute force attack?
By definition, brute force typically implies trying all possible combinations of whatever entity with which you are working. The item could be cryptographic keys when attacking AES, the millions of possible combinations of an SSH password or the 4-way handshake for WPA2.
Even the largest dictionary files contain a small percentage of the total possible combination of letters given any arbitrary size of N-characters. I spent some time yesterday trying to find a tool to perform brute force attacks on SNMP community strings.
The first two tools I downloaded claimed to perform brute force attacks. After downloading, compiling and reading the documentation I found that both required dictionary files as input. The ability to try all combinations of letters, numbers and special characters didn’t exist.
Instead, you were forced to hope that the community string was found in an existing dictionary file. With everyone writing articles about how the best password takes the first letter of each word of some arbitrary string, it’s very unlikely that these passwords would ever be found in any dictionary.
Yes, I know there are tools that perform real brute force attacks. And yes, there are tools that perform dictionary based attacks. There are even some tools that allow the option of either.
The moral of this story is to understand the difference, especially when you’re writing tools and advertising them to people who may know the difference.
If your tool requires a dictionary file, please don’t advertise that it performs brute force attacks, unless you’re providing one very, very large dictionary file.