# Brute-Force

A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. We may use brute-force techniques to gain access to accounts when passwords are unknown (online) or when password hashes are obtained (offline).

Although this section is entitled "Brute-Force", there are various types of password attack, which we will be concentrating on:

* **Brute-force attacks**: every possibility for a given character set and a given length (i.e. `aaa`, `aab`, `aac`, ...) is sent to the target service or hashed and compared against the target hash.
* **Dictionary attacks**: every word of a given list (a.k.a. dictionary) is sent to the target service or hashed and compared against the target hash.
* **Rainbow table attacks**: use pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. Note that this attack cannot work if the hashed value is salted.

{% content-ref url="brute-force/online-attacking-services" %}
[online-attacking-services](https://red.infiltr8.io/redteam/credentials/passwd/brute-force/online-attacking-services)
{% endcontent-ref %}

{% content-ref url="brute-force/offline-password-cracking" %}
[offline-password-cracking](https://red.infiltr8.io/redteam/credentials/passwd/brute-force/offline-password-cracking)
{% endcontent-ref %}