Remote Exploitation
◾
167
and is the recommended approach for penetration tests. The only downside is that if the password
is not available in the list, the attack won’t be successful. We have already discussed some tools
that can be used to gather password lists from victim’s website in the “Information Gathering
Techniques” chapter (Chapter 3). So what we learned in that chapter will start to make sense now.
Hybrid Attacks
Hybrid brute force attacks are a combination of both traditional brute force attack and dictionary-
based attack. The idea behind a hybrid attack is that it will apply a brute force attack on the dic-
tionary list. An example of this type of attack is the following:
A university has set up a password policy where the password is their “first name” followed by
their date of birth. For example, my first name is “Rafay” and my date of birth is February 5, 1993;
therefore, my password would be “Rafay521993.” In this case, neither traditional brute force nor
dictionary attack would be effective, but the hybrid attack would be.
Dostları ilə paylaş: 
