Example 1 Β· Offline Brute Force β What the Attacker Actually Does
Understanding offline brute force requires separating the attack into two distinct events: acquiring the hash file and then cracking it. The second event happens entirely on the attacker's hardware.
Step 1 β Acquiring the hash file:
The attacker exploits a SQL injection vulnerability in a web application and extracts the users table. The result is a file containing lines like:
alice | 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
bob | 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
carol | ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
These are SHA-256 hashes. The original passwords are not present β but the hash file is now in the attacker's possession. No authentication system was involved in this step beyond the initial SQL injection.
Step 2 β Beginning the brute force:
The attacker runs a cracking tool against alice's hash offline. The tool iterates through candidate passwords, hashes each one, and compares the result:
Try: "aaaaa" β hash β a9993e364706816aba3e25717850c26c9cd0d89d β stored hash
Try: "aaaab" β hash β [different hash] β stored hash
...
Try: "password" β hash β 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 = stored hash β
[CRACKED] alice : password
The word "password" matched alice's stored SHA-256 hash. No login was ever attempted. The victim's authentication system generated no log entry for this cracking operation. Alice's account credentials are now in the attacker's hands.
Why the algorithm matters:
If the application used bcrypt instead of SHA-256, each hash comparison would take approximately 100 milliseconds of intentionally expensive computation. Against SHA-256, a single GPU can evaluate roughly 10 billion hashes per second β making "password" trivially discoverable. Against bcrypt (cost factor 12), the same GPU evaluates approximately 20,000 hashes per second. The word "password" would still be found quickly β but longer, less common passwords become computationally infeasible to find within any reasonable timeframe.
The no-lockout advantage:
Because the attacker is computing hashes locally, alice's account never receives a single failed login attempt. Her account is not locked. She receives no notification. The security team sees no authentication alerts. The entire cracking campaign is invisible to the victim organization until the attacker uses the recovered credentials to log in.
Example 2 Β· Password Spraying β A Corporate Directory Attack
A practical scenario showing why spraying succeeds where traditional brute force would immediately trigger lockouts.
The target:
A company's VPN portal accepts Active Directory credentials. The company has 800 employee accounts. Account lockout is configured at 5 failed attempts. The attacker has harvested usernames from the company's LinkedIn page and public email directory β a list of 800 email addresses in the format firstname.lastname@company.com.
Why traditional brute force fails here:
If the attacker targeted alice.johnson@company.com with a wordlist, the 5th incorrect password would lock Alice's account. The attack would generate a clear security alert: one account, five rapid failures. The attack is stopped and detected within seconds.
The spraying approach:
Pass 1 β password "123456":
alice.johnson β fail (1/5 attempts used)
bob.smith β fail (1/5 attempts used)
carol.white β fail (1/5 attempts used)
... Γ 800 accounts
david.chen β SUCCESS β VPN access granted
[Result: 799 accounts each show 1 failed attempt. david.chen is logged in.]
[Security alert threshold: 5 consecutive failures on one account. Not triggered.]
What the security logs show:
The authentication logs show 799 single failed login attempts spread across 799 different accounts over the span of 30 minutes. There is no concentration of failures on any one account. Standard brute force detection looks for repeated failures against the same account β this pattern does not match. Unless the security team has specific tooling to detect horizontal login failure patterns (many accounts, one password), the attack goes undetected.
The HSTS defense analogy from Ch52:
Spraying evades account lockout the same way SSL stripping evades HTTPS β it exploits the fact that the defense was designed for a different attack pattern. Account lockout stops repeated attempts against one account; spraying never exceeds the threshold on any single account. The appropriate counter-control is MFA: even knowing david.chen's password of "123456" is useless if VPN authentication also requires a TOTP code from his phone.
Example 3 Β· Plaintext Storage β The Instant Breach
The contrast between a plaintext breach and a hashed credential breach illustrates exactly why hashing is mandatory.
Scenario A β Plaintext storage (critical):
An attacker gains read access to a poorly secured backup of a web application database. The users table contains:
user_id | username | password | email
1 | alice | Sunflower2019 | alice@example.com
2 | bob | qwerty123 | bob@example.com
3 | carol | ilovemydog | carol@example.com
The attacker now has 100% of all credentials in immediately usable form. No computation required. Total time from file access to credential possession: seconds. Every user who reused this password on any other service is also compromised.
Scenario B β Properly hashed storage (significant, but not instant):
The same attacker gains the same read access to a properly designed database:
user_id | username | password_hash | salt
1 | alice | $2b$12$KIXkDzZxn8n.RFhm... | [unique salt]
2 | bob | $2b$12$aBcD8eF3gH7iJkLm... | [unique salt]
3 | carol | $2b$12$nOpQ9rSt2uVwXyZa... | [unique salt]
The hash values are meaningless without cracking. Each account has a unique salt, so a hash-matching table cannot be used. The attacker must run a brute force campaign against each hash individually using bcrypt β at 20,000 attempts per second, a strong password may never be cracked within a useful timeframe. Alice's "Sunflower2019" might still be found eventually if the attacker runs a targeted wordlist, but "carol" with a randomly generated 20-character password will not be cracked in any practical timeframe.
The lesson for the exam:
The difference between plaintext and hashed storage is not a difference in degree β it is a difference in kind. Plaintext: immediate, total compromise. Hashed (strong algorithm + salt): the attacker has work to do, and strong passwords may never be recovered. The remediation for plaintext storage is not "add better passwords" β it is "fix the storage mechanism."
Exam Scenario 1 Β· Attack Classification
Scenario: A security analyst reviews three incident reports: (A) An employee's credentials were captured from a legacy application database β the credentials were stored as the original typed passwords with no transformation. (B) A monitoring system detects that over the past hour, 600 unique employee accounts each received one failed VPN login attempt using the password "123456." (C) A penetration tester obtained a copy of the Windows SAM database and is running hash computation tools locally to recover passwords.
Question: Identify the attack type in each case and the primary remediation.
Answer:
(A) Plaintext password storage exposure. The credentials were accessible with no cracking effort β this is not an attack technique but a fundamental storage vulnerability. Remediation: replace the application with one that hashes passwords; force all users to reset passwords immediately; assume all credentials are compromised.
(B) Password spraying. The pattern β one attempt per account, same password across many accounts β is the defining signature of spraying. The lockout threshold was never approached on any individual account. Remediation: MFA on the VPN portal; block the common-password list at account creation; deploy monitoring that alerts on this horizontal failure pattern.
(C) Offline brute force attack. The tester has the hash file and is computing hashes locally β no interaction with the live authentication system, no lockout risk. Remediation: store Windows credentials using a strong algorithm with appropriate protection (in a real environment: Credential Guard, protected users group); ensure MFA is required for remote access so that a cracked password alone is insufficient.
Exam Scenario 2 Β· Defense Mapping
Scenario: An organization implements the following controls: (1) all user passwords are hashed using bcrypt before database storage; (2) each password hash is generated with a unique per-user random salt; (3) after three failed login attempts, the account is locked for 15 minutes; (4) all remote access requires a password plus a time-based one-time code from an authenticator app. Identify which specific attack each control addresses.
Answer:
(1) bcrypt hashing: Addresses offline brute force. bcrypt is intentionally slow β it increases per-attempt computation time from microseconds (SHA-256) to ~50 milliseconds, making GPU-scale cracking impractical for strong passwords. Does not help against plaintext access (but prevents plaintext storage from being the flaw).
(2) Per-user salting: Addresses rainbow table attacks (a class of offline attack using precomputed hash tables). With unique salts, identical passwords produce different hashes β each account must be cracked individually, and precomputed tables are useless. Salting complements bcrypt; bcrypt already includes internal salting but explicit salting makes this property explicit.
(3) Account lockout after 3 attempts: Addresses online brute force. Each account can receive at most 3 attempts per 15-minute window, making systematic password guessing against a single account infeasible. Does not address password spraying (which uses only 1β3 attempts per account) or offline attacks (which never touch the authentication system).
(4) MFA (password + TOTP): Addresses password spraying, online brute force, AND offline brute force. Even if an attacker correctly guesses or cracks the password, authentication fails without the TOTP code. MFA is the only control that remains effective against all three attack types simultaneously β it renders the password alone insufficient regardless of how it was obtained.