Why does everyone have a problem with using brute force to crack passwords?

Well somebody decided to create the algorithm in javascript and when I insert the hash in any online data base it comes out just as I inserted with the script I found online. I’ll pm it to you because I’ve been working on a level for the site to where somebody would have to use this script to create their own attack to break a very complicated password that wouldn’t be on any database. The result would have to brute force unless somebody wishes to try and reverse engineer the hash which would be impossible in my opinion because the hash is created from multiple checksums. I know my algorithms.

These are unsalted hashes and the topic is why are people so against brute force as a method and argue that it will screw your system up when it rarely fails me on a shitty day using a shitty system. I’ll share my code to you in a pm and a script because, as I said, it is for a level.

Brute force never worked for me. I think you should have a good text file with lots of passwords in order for the brute force to work.

Hi MaxLockhart, received the javascript and will have a look through it tomorrow after I get back from work as I will need to call it a night now. It is 2.34am where I am and I need my sleep to get up at 6.30am for work. So night all have a good one! :) :) :) Happy Hacking!!!

@tlotr you’re thinking of a dictionary attack. A Brute Force attack requires you to attack using every possible string of characters until you finally get the password correct as for a dictionary attack in never really promising in my opinion. Usually because my targets tend to have stronger passwords. For example a dictionary/word attack would never work for any of my passwords. If your target uses a good password that has upper, lowercase, numbers, and special characters or even extended ascii characters you’ll never acquire it unless you have that exact string in your file. But in a brute force attack you could run every combination of characters until you reach that range. I mean you could use a software like crunch to generate the output of every possible string to the ‘x’ amount of characters from a⁰ - z⁰ to a^‘x’ - z^‘x’ and including special and extended characters into a text file. But a brute force attack would genarate the exact output and save space on your drive as well. The output of a file that big would take a good chunk of space.

Question though, are you using a software or your own stuff?

And okay @ANONRA :)

MaxLockhart: I had used the software hydra in BT. It was just a test on a machine in my network. I downloaded some text files which had passwords and then used that with hydra but it didn’t worked and also it takes a lot of time if the text file is very long.

@MaxLockhart: Let the philosophy and the knowledge about brute-force attack aside, how will you roll out that level on HackThis!! website? I mean, this website surely can’t take the attacks from many users for a long time. :/

Good point @freewind1012 but it’s Javascript so the attack would have to be done via client-side. Kind of like the coding levels in a way.

So we have to code something to brute-force attack a level, right? How does that level look like? There are several options:
[list]
[] A level with a briefing and a link (Pastebin, MediaFire…) for users to download source. Then they can start coding in their computers and submit the right password.
[] A level like Coding Level 2 with a piece of info (which will be changed after every attempt) and JavaScript code to check the right password.
[*] A level like Real Level 3 with HTML/CSS/JavaScript code to check the right password.
[/list]

Yes pretty much. I mean there will be people of course who use software to brute force but the idea of it is to make your own script. I’m currently making my own script to brute force the hash just to make sure it will work this way. Kind of like coding level 2. Didn’t think of randomly generating the hash. That should be added in for sure.

Not to mention the hash has to be random enough to not be vulnerable to a dictionary attack

Just gotta wait for feed from @flabbyrabbit and I’ll submit the code.

Not sure what kind of challenge it should be though? Coding or real?

IMO, a Real Level is better but make sure that it won’t look like Real Level 3.