
Brute-force attack

 


If you have completed a dictionary attack but some passwords still have not been recovered, you have to follow up with a brute-force attack. In this attack, the program tries to guess the password by trying every single combination of characters. For example, the program might follow a sequence like this:

"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...

until the password is found. Obviously, this method will take time: for an eight-character alphabetic password there are 200 billion combinations to be checked. But with modern computers this sort of attack doesn't take as long as you might think.

 

The brute-force attack is the slowest method of password attack, but it can often be successful on short and simple passwords.

 

Character set

 

Tells the program which characters have been used in the password. You can choose from all Latin letters (note the Character case option described below), all digits, all special symbols and the space, or all printable (includes all of the above). The special characters are:

 

!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

 

Alternatively, you can define your own character set (charset). Just mark the "Custom charset" checkbox and click on "Define". In the input window, enter all characters of the password range; for example, if you know that the password was entered in the bottom keyboard row ("zxcv..."), then the range should be "zxcvbnm,./" (or in caps: "ZXCVBNM<>?"). You can also define both of these: "zxcvbnm,./ZXCVBNM<>?". In addition, you can load and save custom charsets, or combine them using the "Insert" button.

 

Start from password

 

When you start the brute-force attack from scratch, this field should be empty (if it is not, please clear it). If you decide to stop the attack, the program will automatically fill this field with the last password it has tried, and so you will be able to resume the attack from the same point. It is NOT recommended to edit this field manually.

 

Characters case

 

You can select Lowercase (to try lowercase letters only), Uppercase (to try uppercase letters only) or Both cases (to try both). Please note that this option is applicable to the NTLM attack only, because NT passwords are not case-sensitive.

 

Password mask

 

This option is available for the Mask attack only, which is a variation of the Brute-force attack with some differences. In a Mask attack you cannot select the password to start from (see above).

 

If you already know some characters in the password, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords, but doing this can still help.

 

For example, you know that the password contains 8 characters, starts with 'x', and ends with '99'; the other symbols are small or capital letters. So, the mask to be set is "x?????99", and the charset has to be set to All caps and All small. With such options, the total number of the passwords that the program will try will be the same as if you're working with 5-character passwords which don't contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the '?' chars indicate the unknown symbols.

 

If you know that the password contains an occurrence of the mask character '?', you can choose a different mask character to avoid having one character, '?', represent both an unknown pattern position and a known character. In this case, you could change the mask symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?" (for mask symbol '#') or "x******?" (for mask symbol '*').

 

Password length

 

This is one of the most important options affecting checking time. Usually, you can check all 4-character (and shorter) passwords in a few minutes; but for longer passwords, you have to have patience and/or some knowledge about the password (including the character set which has been used, or even better – the mask).

 

The minimum length cannot be set to a value greater than the maximum length, of course.

 

If the minimum and maximum lengths are not the same, the program tries the shorter passwords first. For example, if you set minimum=3 and maximum=7, the program will start from 3-character passwords, then try 4-character ones and so on, up to 7. While the program is running, it shows the current password length, as well as the current password, average speed, elapsed and remaining time, and total and processed number of passwords (Program status). All of this information is related only to the current length, except average speed and elapsed time, which are global.

 

The maximum password length allowed in the program is 14; longer passwords cannot be recovered in a reasonable time, anyway. Please also note that if you run an LM attack (i.e., the attack on LM password hashes, see About Windows passwords for details) and select a maximum length greater than 7, the program will still check the 7-character LM password chunks individually. This means the "real" maximum password length for this attack is still 7; for example, if you select a minimum password length of 3 and a maximum of 12, the program will try 3..7 character passwords for the first half, and 1..5 character passwords for the second half.
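
The counts behind the Password mask and Password length sections above, worked through as an added example (not part of the original help page and not the program's own code). It lets an auditor compare how much each option shrinks the search. All function names are hypothetical, and the enumeration order (charset walked in the order given, last position changing fastest) is an assumption taken from the "aaaaaaaa", "aaaaaaab" sequence shown earlier.

```python
# Added example (not ElcomSoft code): keyspace arithmetic for the options above.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


def length_keyspace(charset, min_len, max_len):
    """Candidates per length; dict order is the order tried (shortest first)."""
    if min_len > max_len:
        raise ValueError("minimum length cannot exceed maximum length")
    size = len(set(charset))
    return {n: size ** n for n in range(min_len, max_len + 1)}


def mask_keyspace(mask, charset, mask_symbol="?"):
    """Candidates for a fixed-length mask; only mask_symbol positions vary."""
    return len(set(charset)) ** mask.count(mask_symbol)


def position_in_length(password, charset):
    """Zero-based index of a candidate in the aaa, aab, aac ... order.

    Assumes the charset is walked in the order given, last position fastest.
    """
    index = 0
    for ch in password:
        index = index * len(charset) + charset.index(ch)
    return index


def lm_chunk_lengths(min_len, max_len, chunk=7):
    """Length ranges really searched for each 7-character LM half."""
    first = (min(min_len, chunk), min(max_len, chunk))
    second = (max(min_len - chunk, 1), max_len - chunk) if max_len > chunk else None
    return first, second


if __name__ == "__main__":
    print("8 lowercase letters:", length_keyspace(LOWER, 8, 8)[8])
    print("mask x?????99, both cases:", mask_keyspace("x?????99", LOWER + UPPER))
    # 95 = 52 letters + 10 digits + 32 special characters + space
    print("8 chars, all printable (95):", 95 ** 8)
    print("mask x######? with '#':", mask_keyspace("x######?", LOWER, "#"))
    done = position_in_length("aaaaaaac", LOWER)
    print("left at this length:", 26 ** 8 - done - 1)
    print("LM halves for min=3, max=12:", lm_chunk_lengths(3, 12))
```
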



(c) 2009 ElcomSoft Co.Ltd.