
Submitted URL: https://resources.infosecinstitute.com/popular-tools-for-brute-force-attacks/#gref
Effective URL: https://www.infosecinstitute.com/resources/hacking/popular-tools-for-brute-force-attacks/
Submission Tags: falconsandbox
Submission: On March 31 via api from US — Scanned from DE

POPULAR TOOLS FOR BRUTE-FORCE ATTACKS [UPDATED FOR 2020]

September 24, 2020 by
Pavitra Shankdhar

The brute force attack is still one of the most popular password-cracking
methods. Nevertheless, it is not just for password cracking. Brute force attacks
can also be used to discover hidden pages and content in a web application. This
attack is basically “a hit and try” until you succeed. This attack sometimes
takes longer, but its success rate is higher. 

In this article, I will try to explain brute force attacks and popular tools
used in different scenarios for performing brute force attacks to get desired
results.









WHAT IS A BRUTE FORCE ATTACK?



A brute force attack is when an attacker uses a set of predefined values to
attack a target and analyzes the responses until he succeeds. Success depends on
the set of predefined values. If it is larger, it will take more time, but there
is a better probability of success.

The most common and easiest to understand example of the brute force attack is
the dictionary attack to crack passwords. In this, the attacker uses a password
dictionary that contains millions of words that can be used as a password. The
attacker tries these passwords one by one for authentication. If this dictionary
contains the correct password, the attacker will succeed.

In a traditional brute force attack, the attacker just tries the combination of
letters and numbers to generate a password sequentially. However, this
traditional technique will take longer when the password is long enough. These
attacks can take several minutes to several hours or several years, depending on
the system used and length of password.

To prevent password cracking from brute force attacks, one should always use
long and complex passwords. This makes it hard for attackers to guess the
password, and brute force attacks will take too much time. Account lockout is
another way to prevent the attacker from performing brute force attacks on web
applications. However, for offline software, things are not as easy to secure.

Similarly, for discovering hidden pages, the attacker tries to guess the name of
the page, sends requests and sees the response. If the page does not exist, it
will show a 404 response; on a success, the response will be 200. In this way,
it can find hidden pages on any website.
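From the defender's side, this kind of page guessing shows up in the web server's access log as one client collecting many distinct 404 responses. The following is an added example, not part of the original article; the log lines, thresholds and the function name `scan_for_path_guessing` are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def scan_for_path_guessing(lines, min_missing=5, min_ratio=0.8):
    """Flag clients whose traffic is dominated by distinct 404 paths.

    Returns {client: {"missing": n, "total": n, "found": [paths that returned 200]}}.
    """
    missing = defaultdict(set)   # client -> distinct paths answered with 404
    found = defaultdict(set)     # client -> distinct paths answered with 200
    total = defaultdict(int)     # client -> all parsed requests
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        path = path.split("?", 1)[0]
        total[client] += 1
        if status == "404":
            missing[client].add(path)
        elif status == "200":
            found[client].add(path)
    flagged = {}
    for client, paths in missing.items():
        if len(paths) >= min_missing and len(paths) / total[client] >= min_ratio:
            flagged[client] = {
                "missing": len(paths),
                "total": total[client],
                # Pages the guesser did reach: review whether they should be public.
                "found": sorted(found[client]),
            }
    return flagged

def _line(client, path, status):
    return f'{client} - - [24/Sep/2020:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample log: one ordinary visitor and one client guessing page names.
SAMPLE_LOG = (
    [_line("192.0.2.10", p, 200) for p in ("/", "/about", "/contact", "/blog/")]
    + [_line("192.0.2.10", "/favicon.ico", 404)]
    + [_line("198.51.100.23", p, 404)
       for p in ("/backup/", "/old/", "/test/", "/private/", "/staging/", "/dev/")]
    + [_line("198.51.100.23", "/admin/", 200)]
)

if __name__ == "__main__":
    for client, stats in scan_for_path_guessing(SAMPLE_LOG).items():
        print(client, stats)
```
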

Brute force is also used to crack hashes and guess a password from a given
hash. In this, a hash is generated from random passwords and then compared with
the target hash until the attacker finds the correct one. Therefore, the
stronger the encryption (64-bit, 128-bit or 256-bit encryption) used to encrypt
the password, the longer it can take to break.




REVERSE BRUTE FORCE ATTACK



A reverse brute force attack is another term that is associated with password
cracking. It takes a reverse approach in password cracking. In this, the
attacker tries one password against multiple usernames. Imagine if you know a
password but do not have any idea of the usernames. In this case, you can try
the same password and guess the different usernames until you find the working
combination.

Now, you know that a brute-forcing attack is mainly used for password cracking.
You can use it in any software, any website or any protocol which does not block
requests after a few invalid trials. In this post, I am going to add a few brute
force password-cracking tools for different protocols.




POPULAR TOOLS FOR BRUTE FORCE ATTACKS






AIRCRACK-NG



I am sure you already know about the Aircrack-ng tool. This is a popular brute
force Wi-Fi password-cracking tool available for free. I also mentioned this tool
in our older post on most popular password-cracking tools. This tool comes with
WEP/WPA/WPA2-PSK cracker and analysis tools to perform attacks on Wi-Fi 802.11.
Aircrack-ng can be used for any NIC which supports raw monitoring mode.

It basically performs dictionary attacks against a wireless network to guess the
password. As you already know, the success of the attack depends on the
dictionary of passwords. The better and more effective the password dictionary
is, the more likely it is that it will crack the password.

It is available for Windows and Linux platforms. It has also been ported to run
on iOS and Android platforms. You can try it on given platforms to see how this
tool can be used for brute force Wi-Fi password cracking.

Download Aircrack-ng here.




JOHN THE RIPPER



John the Ripper is another awesome tool that does not need any introduction. It
has been a favorite choice for performing brute force attacks for a long time.
This free password-cracking software was initially developed for Unix systems.
Later, developers released it for various other platforms. Now, it supports
fifteen different platforms including Unix, Windows, DOS, BeOS and OpenVMS. 

You can use this either to identify weak passwords or to crack passwords for
breaking authentication.

This tool is very popular and combines various password-cracking features. It
can automatically detect the type of hashing used in a password. Therefore, you
can also run it against encrypted password storage.

Basically, it can perform brute force attacks with all possible passwords by
combining text and numbers. However, you can also use it with a dictionary of
passwords to perform dictionary attacks.

Download John the Ripper here.




RAINBOW CRACK



Rainbow Crack is also a popular brute-forcing tool used for password cracking.
It generates rainbow tables to use while performing the attack. In this way, it
is different from other conventional brute-forcing tools. Rainbow tables are
pre-computed, which reduces the time needed to perform the attack.

The good thing is that there are various organizations which have already
published pre-computed rainbow tables for all internet users. To save time,
you can download those rainbow tables and use them in your attacks.

This tool is still in active development. It is available for both Windows and
Linux and supports all the latest versions of these platforms.

Download Rainbow Crack and read more about this tool here.




L0PHTCRACK



L0phtCrack is known for its ability to crack Windows passwords. It uses
dictionary attacks, brute force attacks, hybrid attacks and rainbow tables. The
most notable features of L0phtcrack are scheduling, hash extraction from 64-bit
Windows versions, multiprocessor algorithms and network monitoring and decoding.
If you want to crack the password of a Windows system, you can try this tool.

Download L0phtCrack here.




OPHCRACK



Ophcrack is another brute-forcing tool specially used for cracking Windows
passwords. It cracks Windows passwords by using LM hashes through rainbow
tables. It is a free and open-source tool. 

In most cases, it can crack a Windows password in a few minutes. By default,
Ophcrack comes with rainbow tables to crack passwords of less than 14 characters
which contain only alphanumeric characters. Other rainbow tables are also
available to download.

Ophcrack is also available as a LiveCD.

Download Ophcrack here.




HASHCAT



Hashcat claims to be the fastest CPU-based password cracking tool. It is free
and comes for Linux, Windows and Mac OS platforms. Hashcat supports various
hashing algorithms including LM Hashes, MD4, MD5, SHA-family, Unix Crypt
formats, MySQL and Cisco PIX. It supports various attacks including brute force
attacks, combinator attacks, dictionary attacks, fingerprint attacks, hybrid
attacks, mask attacks, permutation attacks, rule-based attacks, table-lookup
attacks and toggle-case attacks.

Download Hashcat here.




DAVEGROHL



DaveGrohl is a popular brute-forcing tool for Mac OS X. It supports all
available versions of Mac OS X. This tool supports both dictionary attacks and
incremental attacks. It also has a distributed mode that lets multiple computers
attack the same password hash.

This tool is now open-source and you can download the source code.

Download DaveGrohl here.




NCRACK



Ncrack is also a popular password-cracking tool for cracking network
authentications. It supports various protocols including RDP, SSH, HTTP(S), SMB,
POP3(S), VNC, FTP and Telnet. It can perform different attacks including
brute-forcing attacks. It supports various platforms including Linux, BSD,
Windows and Mac OS X.

Download Ncrack here.




THC HYDRA



THC Hydra is known for its ability to crack passwords of network authentications
by performing brute force attacks. It performs dictionary attacks against more
than 30 protocols including Telnet, FTP, HTTP, HTTPS, SMB and more. It is
available for various platforms including Linux, Windows/Cygwin, Solaris 11,
FreeBSD 8.1, OpenBSD, OSX and QNX/Blackberry.

Download THC Hydra here.









CONCLUSION



These are a few popular brute-forcing tools for password cracking. Various
other tools are also available which perform brute force on different kinds of
authentication. To give an example of a few small tools, most of the
PDF-cracking and ZIP-cracking tools use the same brute force methods to perform
attacks and crack passwords. There are many such tools available, free or paid.

Brute-forcing is the best password-cracking method. The success of the attack
depends on various factors. However, the factors that matter most are password
length and the combination of characters, letters and special characters. This
is why when we talk about strong passwords, we usually suggest that users have
long passwords with a combination of lower-case letters, capital letters,
numbers and special characters. It does not make brute-forcing impossible but it
does make it difficult. Therefore, it will take a longer time to reach the
password by brute-forcing.

Almost all hash-cracking algorithms use brute force to hit and try. This
attack is best when you have offline access to data. In that case, it is easier
to crack and takes less time.

Brute force password cracking is also very important in computer security. It is
used to check the weak passwords used in the system, network or application.

The best way to prevent brute force attacks is to limit invalid logins. In this
way, attackers can hit and try passwords only a limited number of times. This is
why web-based services start showing captchas if you enter the wrong password
three times, or they will block your IP address.
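The login limit described here, and the account lockout mentioned earlier, can be sketched as follows; the sketch also shows why a per-account counter alone misses the reverse brute force attack, where each username sees only one failure. This is an added example, not part of the original article; `LoginThrottle`, its thresholds and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """In-memory sliding-window limiter for failed logins (illustrative)."""

    def __init__(self, max_per_account=3, max_accounts_per_source=4, window=300):
        self.max_per_account = max_per_account                  # failures before account lock
        self.max_accounts_per_source = max_accounts_per_source  # usernames failed per source
        self.window = window                                    # seconds a failure is remembered
        self._by_account = defaultdict(deque)  # username -> failure timestamps
        self._by_source = defaultdict(dict)    # source -> {username: last failure time}

    def _expire(self, now):
        cutoff = now - self.window
        for stamps in self._by_account.values():
            while stamps and stamps[0] <= cutoff:
                stamps.popleft()
        for seen in self._by_source.values():
            for user in [u for u, ts in seen.items() if ts <= cutoff]:
                del seen[user]

    def record_failure(self, username, source, now):
        self._expire(now)
        self._by_account[username].append(now)
        self._by_source[source][username] = now

    def check(self, username, source, now):
        """Return None if the attempt may proceed, else the reason it is refused."""
        self._expire(now)
        if len(self._by_account[username]) >= self.max_per_account:
            return "account_locked"
        if len(self._by_source[source]) >= self.max_accounts_per_source:
            return "source_blocked"
        return None

def replay(events, throttle):
    """Run (time, source, username, password_ok) events through the throttle."""
    verdicts = []
    for ts, source, username, password_ok in events:
        verdict = throttle.check(username, source, ts)
        if verdict is None:
            if password_ok:
                verdict = "allowed"
            else:
                throttle.record_failure(username, source, ts)
                verdict = "failed"
        verdicts.append(verdict)
    return verdicts

# Constructed events. CLASSIC: many guesses against one account.
CLASSIC = [(t, "198.51.100.7", "alice", False) for t in (0, 10, 20, 30, 40)]
# REVERSE: one guess against each of many accounts, all from one source.
REVERSE = [(100 + 10 * i, "203.0.113.9", user, False)
           for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]

if __name__ == "__main__":
    print("classic:", replay(CLASSIC, LoginThrottle()))
    # Per-account lockout only: the per-source limit is effectively disabled.
    print("reverse, account-only:",
          replay(REVERSE, LoginThrottle(max_accounts_per_source=10**9)))
    print("reverse, both limits:", replay(REVERSE, LoginThrottle()))
```

A production limiter would keep these counters in shared storage and would usually pair the per-source limit with a captcha or delay rather than a hard block, since many legitimate users can share one address.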


Pavitra Shankdhar is an engineering graduate and a security researcher. His
area of interest is web penetration testing. He likes to find vulnerabilities in
websites and play computer games in his free time. He is currently a
researcher with InfoSec Institute.


