Brute-force attack

 


 

If you have completed the dictionary attack, but some passwords have not been recovered, you may want to follow up with a brute-force attack. In this attack, the program tries to guess the password by trying every single combination of characters until the password is found. For example, the program might follow a sequence like this:

 

"aaaaaaaa"

"aaaaaaab"

"aaaaaaac" ...

 

Obviously, this method will take time: for an eight-character alphabetic password there are 200 billion combinations to be checked. With modern computers, this sort of attack doesn't take as long as you may think.

 

The brute-force attack is the slowest method, but it can often be successful with short and simple passwords.

 

Character set

 

Select the characters used in the password. You can choose from all Latin letters (note the Character case option described below), all digits, all special symbols and the space, or all printable (includes all of the above). The special characters are:

 

!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

 

Alternatively, you can define your own character set (charset). Mark the "Custom charset" checkbox and click "Define". In the input window, enter all characters of the password range; for example: the bottom keyboard row ("zxcv...") is defined as "zxcvbnm,./" (or in caps: "ZXCVBNM<>?"). You can also define both of these: "zxcvbnm,./ZXCVBNM<>?". In addition, you can load and save custom character sets, or combine them using the "Insert" button.

 

Start from password

 

When you start a new brute-force attack, this field should be empty (if it is not, clear it). If you decide to stop the attack, the program will automatically fill this field with the last password tested, and you will be able to resume the attack from the same point. It is NOT recommended to edit this field manually.

 

Characters case

 

You can select from Lowercase (to try lowercase letters only), Uppercase (uppercase letters, respectively) or Both cases (to use both). Please note that this option is applicable to the NTLM attack only, because NT passwords are not case-sensitive.

 

Password mask

 

This option is available for the Mask attack only. With this attack you cannot select the password to start from (see above).

 

If you know the password pattern, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords.

 

For example, you know that the password contains 8 characters, starts with 'x', and ends with '99'; the other symbols are small or capital letters. So, the mask to be set is "x?????99", and the character set has to be set to All caps and All small. With these options, the total number of passwords tested will be the same as if you were working with 5-character passwords that don't contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the '?' characters indicate the unknown symbols.

 

If you know that the password contains an occurrence of the mask character '?', you can choose a different mask character to avoid having one character, '?', represent both an unknown pattern position and a known character.  In this case, you could change the mask symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?" (for mask symbol '#') or "x******?" (for mask symbol '*').
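The arithmetic behind the mask example above, as an added Python sketch (not code from the program): it counts the candidates a mask leaves and shows how a custom mask symbol keeps a literal '?' fixed. The function names are hypothetical; the character sets follow the options listed on this page.

```python
import string
from itertools import product

# Special symbols exactly as listed on this page (32 characters).
SPECIALS = "!@#$%^&*()_+-=<>,./?[]{}~:;`'|\"\\"
LETTERS = string.ascii_lowercase + string.ascii_uppercase  # All small + All caps
PRINTABLE = LETTERS + string.digits + SPECIALS + " "       # All printable


def full_keyspace(length, charset):
    """Candidates for a fixed length when every position is unknown."""
    return len(set(charset)) ** length


def mask_keyspace(mask, charset, symbol="?"):
    """Candidates left when only the positions marked by `symbol` are unknown."""
    if len(symbol) != 1:
        raise ValueError("the mask symbol must be a single character")
    return len(set(charset)) ** mask.count(symbol)


def expand_mask(mask, charset, symbol="?"):
    """Yield the candidates a mask describes, known positions held fixed."""
    slots = [charset if ch == symbol else ch for ch in mask]
    for combo in product(*slots):
        yield "".join(combo)


if __name__ == "__main__":
    masked = mask_keyspace("x?????99", LETTERS)
    print("x?????99 with letters only:", masked)                  # 52**5
    print("same as 5 unknown letters: ", full_keyspace(5, LETTERS))
    print("8 chars, All printable:    ", full_keyspace(8, PRINTABLE))
    # With '#' as the mask symbol, the trailing '?' is a known character.
    print("x######? with symbol '#':  ", mask_keyspace("x######?", LETTERS, "#"))
    # Tiny constructed charset, just to show which positions vary.
    print(list(expand_mask("x#?", "ab", "#")))
```

For an auditor, the same count shows how little a predictable prefix or suffix adds to a password: the three known characters in "x?????99" contribute nothing to the search.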

 

Password length

 

This is one of the most important options affecting how long the attack takes. Usually, you can check all 4-character (and shorter) passwords in a few minutes; for longer passwords, exponentially more time will be required.

 

If the minimum and maximum lengths are not the same, the program tries the shorter passwords first. For example, if you set minimum=3 and maximum=7, the program will start from 3-character passwords, then try 4-character ones and so on – up to 7. While the program is running, it shows the current password length, as well as the current password, average speed, elapsed and remaining time, and total and processed number of passwords (Program status).  All of this information is related only to the current length, except average speed and elapsed time, which are global.

 

The maximum password length allowed in the program is 14. Longer passwords cannot be recovered in a reasonable time. Please also note that if you run the LM attack (i.e., the attack on LM password hashes, see About Windows passwords for details) and select a maximum length greater than 7, the program will check the 7-character LM password chunks individually. This means the "real" maximum password length for this attack is still 7; for example, if you set the minimum password length to 3 and the maximum to 12, the program will try 3..7 character passwords for the first half, and 1..5 character passwords for the second half.
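The length ranges in the LM example above, worked through in an added Python sketch (not the program's own code). It derives the per-half ranges from the minimum and maximum settings and compares the work with a search that has to treat the password as a whole. The function names and the 26-letter charset size are assumptions for illustration.

```python
LM_CHUNK = 7   # per this page: LM password chunks are checked individually
MAX_LEN = 14   # per this page: maximum password length the program allows


def lm_half_ranges(min_len, max_len):
    """Return ((lo, hi) for the first half, (lo, hi) or None for the second)."""
    if not 1 <= min_len <= max_len <= MAX_LEN:
        raise ValueError("need 1 <= min_len <= max_len <= 14")
    first = (min(min_len, LM_CHUNK), min(max_len, LM_CHUNK))
    if max_len <= LM_CHUNK:
        return first, None          # no password reaches the second half
    second = (max(min_len - LM_CHUNK, 1), max_len - LM_CHUNK)
    return first, second


def keyspace(charset_size, lo, hi):
    """Candidates for all lengths lo..hi, shorter lengths first."""
    return sum(charset_size ** n for n in range(lo, hi + 1))


def lm_work(charset_size, min_len, max_len):
    """Total candidates when the two halves are searched independently."""
    first, second = lm_half_ranges(min_len, max_len)
    total = keyspace(charset_size, *first)
    if second is not None:
        total += keyspace(charset_size, *second)
    return total


if __name__ == "__main__":
    print(lm_half_ranges(3, 12))            # ((3, 7), (1, 5))
    whole = keyspace(26, 3, 12)             # password searched as one string
    split = lm_work(26, 3, 12)              # two independent halves
    print(f"whole: {whole:,}  split: {split:,}  ratio: {whole // split:,}")
    print(f"8 letters, one case: {keyspace(26, 8, 8):,}")
```

The ratio printed is the reason an LM hash gains almost nothing from characters beyond the seventh: the second half is a separate, much shorter search.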