Dictionary

Attack
 DICTIONARY ATTACK

A Dictionary attack is one of the ways through which the

attackers try to gain access to the keys of the reign. Bad actors
take advantage of people using common dictionary words as
their passwords.
A study has proved that the majority of people like to reuse
their passwords or use common phrases that are relatively
easy to remember.
Dictionary Attack Using Burp Suite Tool:
Burpsuite is indeed a great tool for testing vulnerabilities in
web applications.
We are here using its free version which has limited
capabilities.
 DICTIONARY ATTACK

Intercepting the Login Request

STEP- 1

To capture the HTTP request, try entering the username and

password on the login form of Bee-Box. [With the Intercept ON]
Once you hit the login button, Burp Suite will intercept the
request and then forward the request or turn it off.
Now, right-click on the request and send it to the intruder.

Intruder
STEP- 2
Once on your Intruder Tab, you will see the IP, and the port you
want to attack gets to fill in automatically.
In case, if you did not make the request (as in step 1), you can
manually put the information here under the “target” tab.
Cyber Writes DICTIONARY ATTACK

Now turn to the “position” tab. This is the same request (or
information of raw packet) that you made before.
The highlights here are the “potential injection” points marked
by the BurpSuite.

Here we know the username and just wanted to get through

the password.
For now, other things like sessions IDs or security level or login
are not required. Hit the “clear” as shown.
Cyber Writes DICTIONARY ATTACK

As only one parameter needs to be replaced, select the “Sniper”

attack. Sniper attack uses only one payload set and replaces all
the marked positions one by one.
If you are trying both for the username and password, then
select “Cluster Bomb”.

In here, I am manually adding the words, I want to test against

the parameter password. And then hit “Start Attack”.
In the “result” window, you will notice that one word has
different values for “length” and “status”. All others will have the
same as the base request.
 DICTIONARY ATTACK

How To Protect Yourself Against

Dictionary
Attack:
Dictionary or brute force attacks are not only
limited to online attacks, but also offline
attacks. Some of the steps below are helpful
for falling for these attacks:

1. Locking account after a maximum number

of authentication attempts is reached.
2. Using multi-factor authentication to log in
to your account.
3. Insert special characters in your passwords
and an extra syllable to guard it against the
Dictionary attack. (eg. P@$$$word).
4. Use a longer password with special
characters and avoid reusing them. Use
haveibeenpwned to look if your credentials
have ever been leaked.

These are some of the steps, but not limited to these, which can
strengthen the protection against these attacks.