Understanding Brute Force Attacks and Dictionary Attacks with CUPP [With Code Output Screenshots]

Understanding Brute Force Attacks and Dictionary Attacks with CUPP [With Code Output Screenshots]

Understanding cyber security in depth is not only the responsibility of security specialists but also every developer and the user posting their information online. While earlier, the true treasure was termed gold, silver, and diamonds, in today’s era, the true gem is information. Suppose one goes to extraordinary lengths to protect one’s materialistic assets. In that case, it becomes incredibly vital also to put multi-layers of protection when it comes to our passwords, data, and online presence. This article aims to educate the users on the most basic form of cyber attacks, like brute force attacks which enable hackers to gather the users’ passwords and gain access to their personal information. Readers are encouraged to take note of the best practices mentioned here to protect themselves from such attacks.

Brute Force Attacks

Brute force attacks are vital in determining encryption keys or information about a user’s location and login and even accessing the location of a website that is masked. It uses the trial-and-error methodology to figure this information out. As the name suggests, while performing a brute force attack, a hacker will try to apply every possible permutation and combination to determine the accurate answer to the information he is trying to access. Brute force attacks are carried out with the help of prior information that the hackers collect about the user.

While brute force attacks are quite tedious to perform, they are still being used to this day due to various reasons. If you are visiting a website that is showing you different animes, you must have noticed that every time you click on the video to pause it or play it, you are redirected toward an advertisement page which becomes the source of revenue for the application you are viewing the content at. The same principle is applied in brute force attacks; websites can be spammed with adverts, and users have no choice but to interact with them to gain access to the content they need to view, which generates money for the hackers in return. In addition to this, you must have also noticed some websites where you are asked to download anti-virus software, and there is a pop-up on the website saying, “Your device XYZ is at risk; secure it now.” What essentially happens here is the hackers are trying to get spyware or virus installed into your local machines to access your information and track your online activity to utilize it for their benefit.

When you are thinking of “stealing information,” the first and foremost most sensitive information that comes into your head is financial data. Financial data involves banking information, tax information, and credentials to money management applications which essentially break down into your personal money vault being broken into. The hackers can directly interact with your money or sell this information to fraudsters and other criminals. While on a personal level, such data is sensitive, on a corporate level, the data breaches become more generalized and can range from anything from the personal data of the employees to information that can affect the stock prices of the company in the market, thereby causing the organization to incur heavy losses.

Hackers also try to download software and pieces of code into your machines which makes your device super vulnerable to brute force attacks and gives access to the hackers in an easy manner. Hacking doesn’t always mean obtaining information, and it can also lead to cyber vandalism wherein a particular website can be targeted to display obscene and irrelevant content to tarnish the reputation of a well-performing product or a celebrity’s website and even their social media.

Common Brute Force Techniques

  1. Simple Brute Force Attacks – Hackers try to rationally guess your login information without using any software applications or other technologies. These can reveal incredibly basic PINs and passwords like “guest12345”.
  2. Dictionary Attacks – A hacker selects a target and tests potential passwords against that username in a conventional attack. These are referred to as dictionary attacks. The most fundamental tool used in brute force attacks is the dictionary attack. Though not necessarily brute force assaults in and of themselves, these are frequently utilized as a crucial part of password cracking. Some hackers utilize special word dictionaries or run through unabridged dictionaries to add special characters and numerals to words, although this kind of sequential assault is laborious.
  3. Hybrid Brute Force Attacks – These hackers try to break in by combining physical methods with their intellectual deductions. Typically, a hybrid assault combines brute force and dictionary attacks. These techniques are used to crack password combinations that combine well-known words with random symbols. Examples of this kind of brute force assault include passwords like NewYork1993 or Spike1234.
  4. Reverse Brute Force Attacks – A reverse brute force attack, as the name suggests, reverses the attack method by beginning with a well-known password. Once they locate a match, hackers look through millions of usernames. Many of these crooks start with online password leaks, thanks to past data breaches.
  5. Credential Sniffing – A hacker will test a username and password combination on numerous websites to see if they have one that works for one of them. Users are the only targets of an attack like this because it has been shown that they reuse login information across numerous websites.

How do Brute Force Attacking Tools Work?

Automated tools prove helpful while orchestrating brute-force attacks. The fundamental concept of brute force attacks is to guess passwords. Doing the same is possible by generating every possible permutation and combination of a password and then checking if it is correct. These words can be dictionary words or not. Protocols must also be kept in mind while creating a brute force attacking tool as the checking mechanism or if the password is correct or not has to be done through the same protocols. Users make the mistake of keeping very weak passwords thinking about who will attack them however this is a major vulnerability that the hackers exploit while sniffing for possible entries where they can perform breaches. If users keep strong passwords, vault them and use leetspeak while keeping a password, it will become harder for brute force attacks to exploit vulnerabilities. Rainbow tables are a boon for running brute force attacks, and hackers don’t have to get into computational details as often and can refer to these tables to get pre-processed data which makes the attack faster and easier.

Dictionary Attacks

With a dictionary attack, an attacker can theoretically use every word in a dictionary as a password for a password-protected system in order to get access to it. This method of assault uses a Brute Force Attack.

The dictionary may include terms from an English dictionary and a leaked list of frequently used passwords. When combined with substituting common characters with numbers, the dictionary can occasionally be very efficient and quick.

The dictionary assault differs from a brute force attack in that only the words with the greatest chances of success are examined; this takes less time than brute force. In brute force, all potential key permutations are checked.

CUPP (Common User Passwords Profiler)

The CUPP software is a very interesting tool that makes performing brute force attacks very easy. It is a python script that has been designed to make the most common method of authentication on web applications (usernames and passwords) very easy to crack if the personal information of the user is available.

CUPP can be installed from here. This contains the cupp.py file, which contains the code to come up with common passwords for users. Given below are the steps you can follow to run CUPP on a macOS machine. Similar steps can be followed for Linux machines as well.

Step One: Navigate to the folder where cupp-master is stored. Use the ls command to see the contents of the folder. Here you will find the cupp.py file.

step one
Step One

Step Two: Run python cupp.py or ./cupp.py

step two
Step Two

Step Three: Run the CUPP interface by doing python cupp.py -i or ./cupp.py -i Answer the questions the interface gives.

step three
Step Three

Step Four: Open the file generated by CUPP.

Part of Text File generated by CUPP with possible passwords
Part of Text File generated by CUPP with possible passwords

This is the list of possible password combinations that CUPP has generated for you based on the information you provided on the victim.


It is your responsibility to keep your data safe and secure. Not only your data but your network also needs protection. Make sure you are using username and password combinations that are hard to crack and do not involve any personal information and/or any easy details. If it is easy for you to remember, it will definitely be easy for the hacker to guess if they know about your personal life, which in most cases, they do before making you a target. Deleted accounts are better than unmaintained and unmonitored accounts; when you are not looking over any online account of yours, it will likely be subjected to an attack, and information you haven’t ever thought will be used against you will be used, which will ultimately result in data breaches.

To prevent yourself from being caught up in a dictionary attack, make sure you are not using dictionary words directly, and even if you are, make sure that there is a random mixup of lower case, upper case, numbers, digits, and symbols. Longer passwords are tougher to crack. Recall your learnings with the permutations and combinations chapter in mathematics in high school, if there are 26 possibilities for a space and there are two characters are supposed to be guessed, there are 26*26 permutations, and if there are ten characters, the number goes up to 26^10, and if there are 20 characters, it becomes 26^20 which increases the need of computational power and time as well which is not readily available therefore your devices are made more secure. It cannot be stressed enough that you need to change your passwords regularly in order to prevent yourself from these attacks.

Read more about learning paths at codedamn here.

Happy Learning!

Sharing is caring

Did you like what Pooja Gera wrote? Thank them for their work by sharing it on social media.


No comments so far