⚑ BRUTE FORCE
[ MITRE ATT&CK T1110 / T1110.001 / T1110.003 - Brute Force ]

BRUTE FORCE ATTACK
Exhaustive Credential Enumeration - Every Combination Until One Breaks

Brute force attacks systematically generate and test every possible password combination - or work through curated wordlists of likely guesses - until the correct credential is found. From a 4-digit PIN crackable in milliseconds to a properly hashed 16-character passphrase requiring longer than the universe's age, the math of keyspace is the only real defense.

⚠ AN 8-CHARACTER LOWERCASE PASSWORD IS CRACKABLE IN UNDER 30 MINUTES WITH MODERN GPUS
MD5 Hashes/Second: 200B
A single RTX 4090 GPU can test 200 billion MD5 password hashes per second - the keyspace of 8-char lowercase exhausted in 25 minutes

Accounts With Weak Passwords: 30%
Roughly 30% of breached passwords are cracked within 60 seconds using standard wordlists - weak or common passwords dominate

Bcrypt Hashes/Second: 184
The same RTX 4090 can only test 184 bcrypt hashes/second - proper password hashing reduces cracking speed by a billion-fold

RockYou Wordlist: 14.3M
The RockYou wordlist of 14.3 million real leaked passwords cracks 60–70% of weak password hashes in minutes when used for dictionary attacks
01

Live Attack Simulator

Online Brute Force in Progress
Simulated live attack against a login form - showing systematic enumeration of password candidates across three attack modes.

Wordlist: RockYou 2021 (14,344,391 words)
Rules applied: best64 (77 mutations)
Result: ✓ TARGET FOUND: TargetCorp2024! - 2,847,291 attempts · 3h 12m
02

Attack Variants

📖
Dictionary Attack
T1110 - Wordlist-Based
The most common and effective first-pass method. A curated wordlist of millions of real-world leaked passwords - RockYou, COMB, custom lists - is tested against the target. Covers 60–70% of weak accounts in minutes, long before brute force is needed.
Speed: 14.3M words in <1 min (offline)
🔒
Pure Brute Force
T1110.001 - Exhaustive Enumeration
Generates every possible combination of characters up to a specified length - starting with a, b, c... aa, ab... through the entire character set. Guaranteed to find the password eventually; time required grows exponentially with length. Impractical above 10+ chars with modern algorithms.
8-char lowercase: ~25 min (RTX 4090, MD5)
🔀
Hybrid Attack
T1110.001 - Wordlist + Rules/Mutations
Combines dictionary words with rule-based mutations: appending years, substituting letters (a→@, e→3), prepending/appending digits and symbols, capitalizing first letter. Cracks predictable human patterns like P@ssword2024! that pure brute force would take years to reach.
Rule coverage: ~85% of common corporate passwords
🌈
Rainbow Table Attack
T1110 - Pre-computed Hash Lookup
Pre-computes hash values for millions of passwords and stores them in lookup tables. Cracking becomes a table lookup (microseconds) rather than computation. Defeated entirely by password salting - a unique salt per password makes rainbow tables unusable since the precomputed hashes won't match salted hashes.
Lookup time: Microseconds if table exists
💧
Password Spraying
T1110.003 - Low-and-Slow Lockout Evasion
Instead of many passwords against one account (which triggers lockout), tries one or a few common passwords (Winter2024!, Welcome1) against thousands of accounts simultaneously. Each account sees only 1–2 failed attempts - staying below lockout thresholds while testing the full user population.
Lockout evasion: 1 attempt per account per hour
🧠
Credential Stuffing (Hybrid)
T1110.004 - Breach Replay
A specialised form where actual stolen credential pairs from other breaches are tested - exploiting password reuse. Not guessing passwords from scratch but replaying known working pairs. Highest success rates of any brute force variant because the tested passwords were real and working at some point.
Success rate: 0.5–2% vs ~0.001% pure brute
03

Offline Hash Cracking

What Attackers Actually Crack
When a database is breached, passwords are stored as hashes. The algorithm used determines how long cracking takes - weak hashing functions are cracked billions of times faster than purpose-built password hashing.
MD5 - Cracked in: Milliseconds (offline, RTX 4090)
Algorithm: MD5 (NEVER use for passwords)
5f4dcc3b5aa765d61d8327deb882cf99
PLAINTEXT: password - cracked instantly from rainbow table
SHA-1 - Cracked in: Seconds (offline)
Algorithm: SHA-1 (deprecated - not for passwords)
cbfdac6008f9cab4083784cbd1874f76618d2a97
PLAINTEXT: password123 - 12B attempts/sec on GPU
NTLM - Cracked in: Minutes (Windows auth hash)
Algorithm: NTLM (Windows - still widely deployed)
8846f7eaee8fb117ad06bdd830b7586c
PLAINTEXT: P@ssw0rd - 200B/sec cracking rate
bcrypt (cost=12) - Cracked in: Years
Algorithm: bcrypt - designed for passwords ✓
$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LcdYmd0a
Only 184 hashes/sec - 8-char lowercase takes 26 YEARS
Hashcat - Offline Cracking
Hashcat is the industry-standard GPU-accelerated password cracker, used by both attackers and penetration testers to audit password hash security.
Hashes Loaded
847,291
Cracked (MD5)
0
Speed (H/s)
198.4B
GPU: RTX 4090
×8 rig
hashcat - dictionary + rules
$ hashcat -m 0 -a 0 hashes.txt rockyou.txt \
    -r /usr/share/hashcat/rules/best64.rule
# -m 0 = MD5, -a 0 = dictionary (straight) mode

Session........: hashcat
Status.........: Running
Speed.#1.......: 198.4 GH/s (GPU cluster)
Recovered......: 0/847291 (0.00%)

5f4dcc3b5aa765d61d8327deb882cf99:password
cbfdac6008f9cab40:password123
04

Attack Flow Diagram

OFFLINE HASH CRACKING PATH
💾 BREACH DB (stolen hashes) → CRACK → ⚑ HASHCAT (GPU cluster, 198B/s, dictionary + rules) ← 📖 WORDLIST (RockYou · custom)

ONLINE BRUTE FORCE PATH
🕵️ ATTACKER (Hydra / Burp / script) → ATTEMPT → 🌐 LOGIN FORM (POST /auth/login, no lockout configured)

PASSWORD SPRAY PATH - 1 PASS × MANY ACCOUNTS
SPRAY: 1 PASS × 10k ACCOUNTS → 🌐 LOGIN FORM

All paths lead to:
🔓 VALID CREDENTIAL (username + password confirmed - attack objective achieved) → LOGIN → 🏢 TARGET SYSTEM (full account access) → 📤 DATA EXFIL (sensitive records stolen) / 🔀 LATERAL MOVE (password reuse on other systems)

Stages: ① ATTACKER ② ENUMERATE ③ CRACK ④ ACCESS ⑤ IMPACT
05

Step-by-Step Walkthrough

Phase 01 - Pre-Attack Intelligence

RECONNAISSANCE

🎯
OBJECTIVE
Map target auth surface - find weak points before attacking

Before a single password attempt is made, the attacker profiles the target system's authentication mechanisms: lockout thresholds, CAPTCHA presence, MFA enforcement, rate-limiting behavior, and username enumeration vulnerabilities. This reconnaissance determines which attack variant is viable and prevents wasted time on protected systems.

  • Check if login returns different responses for valid vs invalid usernames - confirms valid account list
  • Test 5 rapid bad password attempts - determine if account lockout is enabled and after how many tries
  • Check for CAPTCHA presence - is it on first attempt or only after N failures?
  • Enumerate valid usernames via "forgot password" flow - confirms which accounts exist before brute forcing
  • Identify lockout reset window - if lockout is 15 min, spray at 14-min intervals to never trigger lockout
bash - auth surface recon
# Test username enumeration - valid vs invalid
$ curl -s -o /dev/null -w "%{http_code}" \
    -d "user=user@corp.com&pass=wrong" \
    https://corp-login.example.com/auth
401 ← "Invalid password" (user exists!)

# Test lockout policy - 10 rapid bad attempts
$ for i in {1..10}; do curl ... -d "user=user@corp.com&pass=test$i"; done
401 401 401 401 401 401 401 401 401 401
[!] No lockout after 10 attempts - VULNERABLE
Phase 02 - Wordlist Preparation

BUILDING THE ATTACK LIST

📖
STRATEGY
Target-specific wordlist + mutation rules

A generic wordlist cracks generic passwords. A skilled attacker builds a target-customized wordlist by gathering every piece of public information about the organization and its employees - company name, products, location, team names, sports teams in the area, and prior leaked passwords from the company's own employees - then applies mutation rules that reflect human password patterns.

  • Scrape company website for: company name, product names, founding year, city, slogans
  • LinkedIn scrape: employee first names, last names, roles - common pattern FirstName+Year!
  • Check HIBP for prior breaches of the company - what passwords did their employees use before?
  • Add seasonal variations: current year, season, holidays - people change passwords predictably
  • Apply Hashcat rules: leet substitutions, append !1 123 2024, capitalize first letter, common suffixes
cewl + hashcat rules - custom wordlist
# CeWL - spider site and extract keywords
$ cewl https://targetcorp.com -d 3 -m 5 -w site_words.txt
[+] 2,847 unique words extracted
 
# Combine with RockYou + custom terms
$ cat rockyou.txt site_words.txt corp_names.txt | sort -u > master.txt
[+] 15,221,847 candidates in master.txt
 
Sample rule output from "targetcorp":
Targetcorp Targetcorp! TargetCorp2024
T@rgetcorp targetcorp1 T@rg3tc0rp!
[+] 15M words × best64 rules = 980M candidates
Phase 03 - Tool Configuration

HYDRA & BURP SETUP

🛠️
TOOLS
THC-Hydra (online) · Hashcat (offline) · Burp Suite

Online brute force attacks target live login endpoints - Hydra and Burp Suite's Intruder handle HTTP, SSH, FTP, and hundreds of other protocols. Configuration defines the target URL, POST parameters, success/failure detection strings, thread count, and proxy settings for evasion. Hydra can attack 50+ simultaneous services in a single command.

  • Configure target URL, login parameters, and success string - what appears in the response when login works
  • Set thread count (16–64 for online attacks) - higher causes lockouts and detection; slower is stealthier
  • Load proxy list for IP rotation - each thread can use a different source IP
  • Burp Suite Intruder: use "Sniper" mode for one variable (password), "Pitchfork" for user+pass from lists
  • Estimate time: 15M candidates ÷ 100 attempts/min = ~104 days - or use GPU cracking offline instead
hydra - online brute force configuration
# THC-Hydra - HTTP POST form brute force
$ hydra -l admin@corp.com \
    -P /wordlists/master.txt \
    -t 4 -s 443 -V \
    corp-login.example.com \
    https-post-form \
    "/auth/login:user=^USER^&pass=^PASS^:Invalid"

Hydra v9.5 starting - 4 tasks, 15.2M passwords
[ATTEMPT] login: admin@corp.com - pass: password
[ATTEMPT] login: admin@corp.com - pass: TargetCorp2024!
Phase 04 - Campaign Execution

THE BRUTE FORCE RUN

🔨
STATUS
Active - 4 threads, no lockout detected

The attack runs autonomously, methodically working through the wordlist. Each failure narrows the remaining keyspace. For online attacks, the critical constraint is rate - too fast triggers lockout or rate-limiting alerts; too slow takes days. The attacker balances speed against detection, often using low thread counts and proxy rotation to stay under the threshold of any alerting system.

  • Dictionary phase first: 14.3M most common passwords, expected to yield 60–70% of weak accounts
  • Hybrid phase: wordlist + rules generates 980M candidates covering corporate password patterns
  • Pure brute force fallback: systematic character enumeration for accounts that survive dictionary phase
  • Per-IP rate: 1 attempt/sec per thread - 4 threads × 60 sec = 240 attempts/min per source IP
  • Proxy rotation every 200 attempts - each IP stays below automated detection thresholds
hydra - live output
[ATTEMPT] ... pass: welcome1
[ATTEMPT] ... pass: monkey
[ATTEMPT] ... pass: Summer2024!
[ATTEMPT] ... pass: TargetCorp2024!
 
[443][https-post-form] host: corp-login.example.com
login: admin@corp.com
password: TargetCorp2024!
1 of 1 target successfully completed
[DATA] 2,847,291 tries, 1 found
Phase 05 - Lockout Evasion

PASSWORD SPRAYING

💧
TACTIC
1 password × many accounts - stay under lockout radar

When a target has account lockout policies, traditional brute force is self-defeating - too many attempts and the account locks. Password spraying inverts the approach: pick the 5 most likely passwords for a corporate environment and try them against every user account, staying below the lockout threshold for each individual account while still testing the entire population.

  • Choose 1–3 high-probability candidates: Winter2024!, Welcome1, CompanyName1!
  • Enumerate user list from LinkedIn, email format guessing, or OSINT tools like Hunter.io
  • Set spray interval to respect lockout window - if lockout is 5 fails/30min, spray at 1/30min per account
  • Even a 1% hit rate on 10,000 users = 100 compromised accounts from 3 password guesses total
  • Particularly devastating against Microsoft 365 - Entra ID Smart Lockout triggers per-IP, not per-account
MSOLSpray - Azure AD password spray
# Import user list + single spray password
PS> Invoke-MSOLSpray `
    -UserList users_10k.txt `
    -Password "Winter2024!" `
    -Delay 30 `
    -Domain targetcorp.com

[*] Spraying 10,247 accounts
[*] 1 attempt per account - 30s delay
    (below 5-attempt lockout threshold)
[HIT] j.smith@targetcorp.com Winter2024!
[*] Done. 89 hits from 10,247 accounts (0.87%)
Phase 06 - Offline Hash Cracking

GPU-ACCELERATED CRACKING

⚑
SPEED
198 billion MD5 hashes per second (RTX 4090 ×8)

After a database breach, the attacker has the hashed passwords locally - no rate limits, no lockouts, no network constraints. Hashcat leverages the parallel processing power of GPU arrays, testing hundreds of billions of hash candidates per second. The algorithm the target used for hashing determines everything: MD5 is shattered in hours, bcrypt survives for decades.

  • Obtain breached password hashes from database dump - could be MD5, SHA-1, bcrypt, NTLM, argon2
  • Identify hash type: length and format reveal algorithm - MD5=32 hex chars, bcrypt starts with $2b$
  • Run dictionary mode first (fastest): RockYou + best64 rules cracks 70–80% of weak hashes in minutes
  • Run hybrid mode: wordlist + mask rules catches corporate pattern passwords in hours
  • Run pure brute force as final pass: exhaustive enumeration for survivors - viable only for MD5/SHA/NTLM
hashcat - full attack chain
# Phase 1: Dictionary + rules (fastest)
$ hashcat -m 1000 -a 0 ntlm_hashes.txt \
    rockyou.txt -r best64.rule --status
Recovered: 641,847/847,291 (75.76%) - 4 min

# Phase 2: Hybrid - wordlist + mask (-a 6 = each word followed by the mask)
$ hashcat -m 1000 -a 6 remain.txt \
    wordlist.txt "?d?d?d?d" --loopback
Recovered: 121,447/205,444 (59.1%) - 47 min

# Phase 3: Pure brute force (-a 3 = mask attack, ?l = one lowercase letter)
$ hashcat -m 1000 -a 3 remain2.txt "?l?l?l?l?l?l?l?l"
Speed: 198.4 GH/s - ETA: 18m (8-char lower)
Final total: 795,294/847,291 cracked (93.9%)
Phase 07 - Detection & Response

DETECTING BRUTE FORCE

🔍
KEY SIGNAL
Failed login spikes · Same-user multi-fail · Spray patterns

Traditional brute force leaves an unmistakable trail in authentication logs - a single account accumulating hundreds of failed login attempts. Password spraying is subtler, detectable only by looking at the population-wide failure rate rather than any individual account. Both leave patterns that SIEM rules and behavioral analytics can surface reliably.

  • Per-account alert: >5 failed logins within 5 minutes - lockout or alert immediately
  • Population alert: global login failure rate exceeds 10% - indicates spraying across user population
  • Geographic anomaly: login attempts from unexpected countries or known datacenter/VPN IPs
  • Timing pattern: attempts arriving at perfectly regular intervals - a bot, not a human typo
  • Username enumeration: many "user not found" responses from a single IP - attacker mapping accounts
SIEM - brute force + spray detection
// Brute force - per-account threshold
index=auth action=login result=failure
| bucket _time span=5m
| stats count by user, src_ip, _time
| where count > 5
ALERT: admin@corp.com - 2,847 fails/5min

// Password spray - population-wide
index=auth action=login
| bucket _time span=30m
| stats dc(user) as targets,
        count(eval(result="failure")) as fails by src_ip, _time
| where targets > 100
ALERT: 1 IP testing 10,247 accounts - SPRAY
[!] Auto-block: src IP 185.220.x.x - WAF rule
06

Password Keyspace & Crack Time Reference

Time to crack using RTX 4090 GPU - MD5 hashing (200B/s) vs bcrypt cost=12 (184/s)
Length  Character set               Keyspace                    MD5 (200B/s)       bcrypt/12 (184/s)      Verdict
4       Digits only (PIN)           10,000                      < 1 millisecond    54 ms                  INSTANT
6       Lowercase only              308,915,776                 1.5 ms             19.7 days              INSTANT
8       Lowercase only              208,827,064,576             1.04 sec           36 years               CRITICAL
8       Mixed case + digits         218,340,105,584,896         18 minutes         38,000 years           HIGH RISK
10      Lowercase + digits          3.76 trillion               5.2 hours          646M years             MODERATE
12      Mixed + digits + symbols    19,770,609,664 trillion     3.6 years          3.4 × 10²¹ years       SAFE (MD5)
16      Full printable ASCII (95)   4.4 × 10³¹                  6.9 × 10¹⁸ years   Longer than universe   SAFE
4       Random words (passphrase)   ~7,776⁴ = 3.6 trillion      4.9 hours          635M years             SAFE + MEMORABLE
07

Detection Signals

CRITICAL
Per-Account Failure Spike
Single account accumulating many failed login attempts in a short window - the clearest signal of targeted brute force. Alert and lock after 5–10 failures within 5 minutes. Distinguish from genuine forgotten-password attempts by checking source IP history.
ALERT: same user >5 fails/5min
ACTION: lock + email user
CRITICAL
Global Failure Rate Spike
Population-wide authentication failure rate climbs from baseline 2–3% to 20–80%. Individual accounts may only see 1–2 attempts (spray pattern), but the aggregate signal is unmistakable. Requires measuring failure rate across all accounts, not per-account monitoring alone.
ALERT: global fail_rate >10% for 5 min sustained window
HIGH
Regular Timing Intervals
Bot-generated login attempts arrive at mathematically regular intervals - every N seconds precisely. Human typing has random variance of ±200–500ms. A source IP with 1 attempt every exactly 30.00 seconds across 10,000 users is not a human - it's a spray tool respecting lockout windows.
ALERT: attempt_interval std_dev < 100ms across >50 attempts
HIGH
Username Enumeration Pattern
High rate of "user not found" responses from a single IP or small IP range - attacker probing which usernames exist before committing to the brute force. Should be rate-limited and return the same response for both valid and invalid users to prevent enumeration.
ALERT: dc(user_not_found) >50 from single IP in 10min
MEDIUM
Sequential Password Patterns
Captured login attempts show sequential password patterns in the POST bodies - password, password1, password2... or alphabetically ordered dictionary words. Only visible if the authentication endpoint logs request bodies - requires application-layer logging, not just access logs.
MEDIUM
Known Brute Force Tool Headers
Hydra, Medusa, and other tools leave fingerprints: default User-Agent strings like Mozilla/4.0 (Hydra), characteristic header ordering, missing optional HTTP headers that real browsers always include. WAF rules and bot detection platforms maintain signatures for common attack tool fingerprints.
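The three rules above (per-account failure spike, population-wide spray signature, metronome timing) applied to a constructed auth log, as an added Python example that is not the page's SIEM content. It assumes a plain `timestamp src_ip user result` line format; the page's thresholds are the defaults, and the test lowers them for the small sample.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page), one event per line:
# "<timestamp> <src_ip> <user> <result>". 203.0.113.7 hammers one account,
# 198.51.100.2 sprays one guess across many users at an exact 30 s cadence,
# 192.0.2.10 is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 203.0.113.7 alice failure
2024-03-01T09:00:01Z 203.0.113.7 alice failure
2024-03-01T09:00:02Z 203.0.113.7 alice failure
2024-03-01T09:00:03Z 203.0.113.7 alice failure
2024-03-01T09:00:04Z 203.0.113.7 alice failure
2024-03-01T09:00:05Z 203.0.113.7 alice failure
2024-03-01T09:15:00Z 198.51.100.2 bob failure
2024-03-01T09:15:30Z 198.51.100.2 carol failure
2024-03-01T09:16:00Z 198.51.100.2 dave failure
2024-03-01T09:16:30Z 198.51.100.2 erin failure
2024-03-01T09:17:00Z 198.51.100.2 frank success
2024-03-01T09:20:00Z 192.0.2.10 alice success
"""


def parse_log(text):
    """Return (timestamp, src_ip, user, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def _peak(items, window, measure):
    """Max of measure(slice) over every sliding time window of sorted (ts, ...) items."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(items[start:end + 1]))
    return best


def per_account_failure_spike(events, threshold=5, window=timedelta(minutes=5)):
    """Per-account rule: more than `threshold` failures for one user inside `window`."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failure":
            fails[user].append((ts, ip))
    peaks = {u: _peak(f, window, len) for u, f in fails.items()}
    return {u: n for u, n in peaks.items() if n > threshold}


def spray_sources(events, min_targets=100, window=timedelta(minutes=30)):
    """Population rule: one source IP failing against `min_targets`+ distinct users inside `window`."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failure":
            per_ip[ip].append((ts, user))

    def distinct_users(items):
        return len({u for _, u in items})
    peaks = {ip: _peak(a, window, distinct_users) for ip, a in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= min_targets}


def metronome_sources(events, min_attempts=50, max_stddev=0.1):
    """Timing rule: inter-attempt gaps with std-dev below `max_stddev` seconds are a tool, not a human."""
    per_ip = defaultdict(list)
    for ts, ip, _user, _result in events:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        if len(times) < min_attempts:
            continue  # too few samples to call a cadence regular
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) < max_stddev:
            flagged[ip] = statistics.pstdev(gaps)
    return flagged
```

Note that the spray rule keys on distinct users per source and the timing rule counts successes too, so a sprayer that lands a hit still shows up in both.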
08

Defensive Countermeasures

🔑
Multi-Factor Authentication
The single most effective control - even if the attacker correctly guesses the password, a second factor (TOTP, push notification, FIDO2 hardware key) blocks authentication. Phishing-resistant FIDO2/passkeys are ideal: no OTP to steal, cryptographically bound to domain, and eliminates the password attack surface entirely.
Priority: FIDO2 passkeys
Fallback: TOTP authenticator app
Avoid: SMS OTP (SIM swap risk)
🔒
Account Lockout + Alerting
Lock accounts after 5–10 failed attempts within a defined window. More importantly, alert the account owner on lockout - users who didn't trigger the lockout themselves know they're being targeted. Use progressive delays rather than hard lockouts to reduce denial-of-service risk from deliberate lockout attacks.
Threshold: 5 fails / 5min
Lockout: 15 min + email alert
Reset: verify via email link
🌑️
Adaptive Rate Limiting
Rate limiting must extend beyond single IP - credential stuffing and spray attacks use thousands of IPs. Rate limit per account across all IPs, per-ASN, and per-device fingerprint. Use sliding window counters, not fixed windows, to prevent burst attacks at reset boundaries. Enforce CAPTCHA at lower thresholds than lockout.
🧂
Strong Password Hashing (bcrypt/Argon2)
Use bcrypt (cost ≥ 12), Argon2id, or scrypt for all password storage. These algorithms are intentionally slow - making offline cracking 10⁹ times harder than MD5. If your database is breached, bcrypt-hashed passwords survive GPU cracking indefinitely. Never use MD5, SHA-1, SHA-256 alone, or unsalted hashes for passwords.
bcrypt: cost=12 (min)
Argon2id: m=65536, t=3, p=4
NEVER: MD5, SHA-1, unsalted
📏
Password Length & Complexity Policy
Enforce minimum 12-character passwords. Every additional character multiplies the keyspace exponentially. Prioritize length over complexity requirements - a 25-character passphrase is far stronger than a 6-character complex password. Check against known-breached passwords at registration and on every login via HIBP.
Min length: 12 chars
Max length: 128+ (allow passphrases)
Check HIBP at registration
🤖
CAPTCHA & Bot Detection
Deploy behavioural bot detection (Cloudflare Turnstile, reCAPTCHA v3) that scores requests invisibly. Enforce visible CAPTCHA after 2–3 failed attempts per account. Bot detection systems analyze mouse movement, keystroke timing, TLS fingerprints, and browser environment to distinguish humans from automation tools.
👁️
Username Enumeration Prevention
Return identical response bodies, headers, and timing for both "user not found" and "wrong password" scenarios. Use constant-time comparison for credential validation. Add artificial delay to responses to prevent timing attacks. Attackers who cannot enumerate valid usernames must brute force the username space too - exponentially harder.
# Always return same message: "Incorrect email or password"
# Never: "User not found"
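As an added example (not the page's own code), a Python login handler that combines three of the controls above: one generic error message, a dummy hash verification for unknown accounts so the two failure paths cost the same, and a sliding-window failure counter per account across all source IPs with progressive delay and lockout alerting. The user store is constructed, and PBKDF2-HMAC stands in for the bcrypt/Argon2id the page recommends because it ships with the standard library.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed demo store (not from the page): salted PBKDF2-HMAC-SHA256 stands in
# for bcrypt/Argon2id so the example runs without third-party packages.
ITERATIONS = 100_000
GENERIC_ERROR = "Incorrect email or password"   # same text for unknown user and wrong password


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice@example.com": hash_password("correct horse battery staple")}
# Dummy credential verified when the account does not exist, so both code paths
# do the same amount of work and response timing cannot reveal valid usernames.
DUMMY_SALT, DUMMY_DIGEST = hash_password(os.urandom(16).hex())


class LoginService:
    """Generic error, dummy verification, sliding-window lockout per account across all IPs."""

    def __init__(self, max_fails=5, window_s=300, base_delay_s=1.0, clock=time.monotonic):
        self.max_fails, self.window_s, self.base_delay_s = max_fails, window_s, base_delay_s
        self.clock = clock                       # injectable for tests
        self.failures = defaultdict(deque)       # account -> timestamps of recent failures
        self.alerts = []                         # (event, account, src_ip) for the SIEM / user email

    def _recent_failures(self, account):
        # Sliding window: old failures age out one by one, so there is no fixed
        # reset boundary an attacker can burst through.
        q, now = self.failures[account], self.clock()
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def login(self, email, password, src_ip):
        """Return (ok, message, retry_after_seconds)."""
        account = email.strip().lower()
        fails = self._recent_failures(account)
        if fails >= self.max_fails:
            # Counted per account, not per IP: a spray from many sources still trips it.
            self.alerts.append(("LOCKOUT", account, src_ip))
            remaining = self.window_s - (self.clock() - self.failures[account][0])
            return False, GENERIC_ERROR, remaining
        salt, expected = USERS.get(account, (DUMMY_SALT, DUMMY_DIGEST))
        _, actual = hash_password(password, salt)
        # Constant-time comparison; an unknown account still pays for the full hash.
        ok = hmac.compare_digest(actual, expected) and account in USERS
        if ok:
            self.failures[account].clear()
            return True, "ok", 0.0
        self.failures[account].append(self.clock())
        self.alerts.append(("FAILED_LOGIN", account, src_ip))
        # Progressive delay: 1 s, 2 s, 4 s ... before a hard lock is reached.
        return False, GENERIC_ERROR, self.base_delay_s * 2 ** fails
```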
🗺️
Impossible Travel & Geofencing
Flag or block logins from geographic locations inconsistent with user behavior: a user who always logs in from Chicago suddenly attempting login from a datacenter in Russia triggers step-up MFA or block. Geofencing can restrict access to expected countries. Proxy/VPN/Tor exit node IP reputation lists help flag suspicious sources.
📊
Spray-Specific Monitoring
Implement aggregate login analytics that detect the spray signature: many users seeing exactly 1–2 failed attempts from the same source, within a narrow time window, all with the same User-Agent or request fingerprint. Standard per-account monitoring misses spraying entirely - only population-wide analysis catches it reliably.
Monitor: dc(targeted_users) per source IP per 30min
ALERT if >100 users targeted