Brute Force vs. Dictionary Attacks

Tuesday, August 03, 2010

Bryan Miller


It is often said that “Necessity is the mother of invention”.  Well, for this article I should say that “Aggravation is the father of this article”. 

I wish I could say this article discusses a new cutting-edge technique or a really nifty new tool.  It doesn’t.  It’s a simple article with a simple message regarding the difference between a brute force attack and a dictionary attack. 

Why the need for such an article? 

Well, to be honest, it’s because I often read about tools and techniques that describe using dictionary files as a “brute force” attack vector.  Since when is a dictionary attack the same as a brute force attack? 

By definition, brute force typically implies trying every possible combination of whatever you are attacking.  That could be the cryptographic keys when attacking AES, the millions of possible combinations of an SSH password or the 4-way handshake for WPA2. 

Even the largest dictionary files contain only a small percentage of the total possible combinations of letters for any arbitrary length of N characters.   I spent some time yesterday trying to find a tool to perform brute force attacks on SNMP community strings. 

The first two tools I downloaded claimed to perform brute force attacks.  After downloading, compiling and reading the documentation I found that both required dictionary files as input.  The ability to try all combinations of letters, numbers and special characters didn’t exist. 

Instead, you were forced to hope that the community string was found in an existing dictionary file.  With everyone writing articles about how the best password takes the first letter of each word of some arbitrary string, it’s very unlikely that these passwords would ever be found in any dictionary.
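To put numbers on that gap, here is an added example (not from the original article or from any of the tools it mentions) that measures how much of the exhaustive search space a wordlist covers at each length, and checks a candidate community string against both models. The wordlist, the candidate strings and the function names are constructed for illustration, and the alphabet is assumed to be printable ASCII.

```python
import string
from collections import Counter

# Character classes used to size the exhaustive search space
# (assumption: secrets are drawn from printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(words):
    """Size of the smallest union of character classes covering every word."""
    used = set().union(*words) if words else set()
    return sum(len(c) for c in CLASSES if used & set(c))


def coverage_by_length(words):
    """Map length -> (distinct entries, exhaustive keyspace, fraction covered)."""
    unique = set(words)                      # duplicates add no coverage
    k = alphabet_size(unique)
    counts = Counter(len(w) for w in unique)
    return {n: (c, k ** n, c / k ** n) for n, c in sorted(counts.items())}


def audit(secret, words):
    """Does a dictionary run find this secret, and how large is the
    exhaustive space up to its length over the alphabet it uses?"""
    k = alphabet_size({secret})
    return {
        "in_dictionary": secret in set(words),
        "keyspace_up_to_length": sum(k ** n for n in range(1, len(secret) + 1)),
    }


# Constructed sample wordlist and candidate strings, not taken from any real tool.
WORDLIST = ["public", "private", "cisco", "admin", "monitor", "secret", "public"]
CANDIDATES = ["public", "Tqbfjotld"]  # second is a first-letter-of-each-word acronym

if __name__ == "__main__":
    for n, (have, total, frac) in coverage_by_length(WORDLIST).items():
        print(f"length {n}: {have} of {total:,} candidates ({frac:.2e})")
    for s in CANDIDATES:
        print(s, audit(s, WORDLIST))
```

A dictionary run succeeds only when `in_dictionary` is true; an exhaustive run always succeeds eventually, at a cost bounded by `keyspace_up_to_length`.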

Yes, I know there are tools that perform real brute force attacks.  And yes, there are tools that perform dictionary based attacks.  There are even some tools that allow the option of either. 

The moral of this story is to understand the difference, especially when you’re writing tools and advertising them to people who may know the difference. 

If your tool requires a dictionary file, please don’t advertise that it performs brute force attacks, unless you’re providing one very, very large dictionary file.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.