Exam CISSP topic 1 question 134 discussion

Actual exam question from ISC's CISSP
Question #: 134
Topic #: 1

When testing password strength, which of the following is the BEST method for brute forcing passwords?

  • A. Conduct an offline attack on the hashed password information.
  • B. Use a comprehensive list of words to attempt to guess the password.
  • C. Use social engineering methods to attempt to obtain the password.
  • D. Conduct an online password attack until the account being used is locked.
Suggested Answer: A 🗳️

Comments

rootic
Highly Voted 2 years ago
Selected Answer: A
Come on, guys, using a word list IS NOT A BRUTE FORCE. Brute force is trying EVERY possible value. OSG: "A dictionary attack is an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords." That makes B a dictionary attack. And the question says "brute force". It's A.
upvoted 12 times
jackdryan
1 year, 6 months ago
A is correct
upvoted 1 times
sausageman
1 year, 9 months ago
Dictionary attack is a type of brute-force: https://www.rapid7.com/fundamentals/brute-force-and-dictionary-attacks/#:~:text=Dictionary%20attack%20definition%3A,used%20by%20businesses%20and%20individuals.%E2%80%9D
upvoted 3 times
Hackermayne
Most Recent 9 months ago
It's A: testing the hash. In an actual security event, the hacker is going to pull the hash either from some random config file, use Mimikatz or something that dumps the SAM, or unshadow to merge your /etc/passwd and /etc/shadow and get a hash to crack there. They could also use Responder to grab the hash, etc. etc. There are tons of ways to get the hash and then run every possible wordlist they have at it on their own time, either with a string of GPUs on hashcat or some cloud service that does the same thing x 1000. Trust me, it's A. The next best answer is B, but not as good as A. You're also not testing the lockout control; you're testing password strength.
upvoted 1 times
GuardianAngel
9 months, 2 weeks ago
Answer D: Conduct an online password attack until the account being used is locked. By testing a real account online until you get in or it locks, you test the security control.
  • Dictionary – the attacker uses a precompiled list of words, phrases, or compromised passwords (a "dictionary") to attempt to gain access.
  • Brute force – involves systematically trying every possible combination of characters until the correct one is found.
  • Rainbow Table – a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes. Passwords are typically stored not in plain text form, but as hash values. Unlike a brute-force attack, which works by calculating the hash function of every string present with them, calculating their hash value and then compare it with the one in the computer, at every step
upvoted 1 times
Vince_F_Fang
1 year ago
Selected Answer: A
Both A and B are brute-force attacks, but the goal is to test password strength, and using only B to test password strength is too one-sided. When testing password strength, priority should be given to testing cases where the password is short and uses few character types, before it is the turn to test whether it can be brute-force cracked using commonly used words.
upvoted 1 times
Bach1968
1 year, 4 months ago
Selected Answer: A
The correct answer is A. Conduct an offline attack on the hashed password information. Brute-forcing passwords involves systematically trying all possible combinations of characters until the correct password is found. In the case of offline attacks, the attacker has access to the hashed password information and can attempt to crack it using various techniques, such as dictionary attacks or using precomputed tables (rainbow tables). By obtaining the hashed password, the attacker can perform multiple attempts without directly interacting with the target system.
upvoted 1 times
DapengZhang
1 year, 7 months ago
Selected Answer: D
In my mind, A would be a rainbow table attack and B is a dictionary attack. I didn't see a good option here, and I chose D. This method involves attempting to log in to an account repeatedly with various passwords until the account is locked out.
upvoted 1 times
Dee83
1 year, 10 months ago
A. Conducting an offline attack on the hashed password information is the best method for brute forcing passwords. This method involves obtaining a copy of the hashed password data and using specialized tools to perform a dictionary, rule-based, or pure brute force attack. This method is effective because it allows for a large number of password guesses to be made quickly and without alerting the system being attacked or triggering account lockout mechanisms. It also reduces the risk of detection and IP blocking by the target system. However, it is important to note that offline password cracking is illegal in some jurisdictions and organizations.
upvoted 1 times
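The offline workflow Dee83 and Bach1968 describe (dictionary, rule-based, then pure brute force), the precomputed lookup GuardianAngel mentions under rainbow tables, and the online lockout of option D, as an added Python example that is not from the page or from any commenter. SAMPLE_HASHES, WORDLIST, RULES, the 36-character alphabet and the lockout threshold of 5 are constructed here for illustration; unsalted SHA-256 is used only so the numbers stay small enough to run in about a second.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data (not from the page): an unsalted SHA-256 password
# table as it might be dumped from a weak web app. Three hypothetical users
# whose passwords exercise the attack modes discussed in the thread.
SAMPLE_HASHES = {
    "alice": sha256_hex("summer2023"),        # present in the word list
    "bob":   sha256_hex("zq7"),               # short: exhaustive search finds it
    "carol": sha256_hex("N0t-in-4ny-list!x"),  # neither method finds it in budget
}

# Constructed mini word list (a real one has millions of entries).
WORDLIST = ["password", "123456", "letmein", "summer2023", "qwerty", "welcome1"]

# Simple mangling rules, in the spirit of hashcat/John rule files.
RULES = (str.capitalize, lambda w: w + "1", lambda w: w + "!")

ALPHABET = string.ascii_lowercase + string.digits


def dictionary_attack(target_hash, wordlist=WORDLIST, rules=RULES):
    """Dictionary attack: hash each word and each rule-mangled variant and
    compare against the target. Returns (plaintext or None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in [word] + [rule(word) for rule in rules]:
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force_attack(target_hash, alphabet=ALPHABET, max_len=3):
    """Pure brute force: enumerate EVERY string over `alphabet` of length
    1..max_len. Cost is keyspace_size(len(alphabet), max_len) hashes."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet_len, max_len):
    """Number of candidates brute_force_attack tries before giving up."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def build_lookup_table(alphabet=ALPHABET, max_len=2):
    """Precompute hash -> plaintext for a whole keyspace. This is the idea
    behind rainbow tables (minus their chain compression), and it only works
    because the hashes are unsalted: a per-user salt makes the table useless
    for every other user."""
    return {sha256_hex("".join(chars)): "".join(chars)
            for length in range(1, max_len + 1)
            for chars in itertools.product(alphabet, repeat=length)}


def online_attack(target_hash, guesses, lockout_threshold=5):
    """Model option D: guess against a live login that locks the account after
    `lockout_threshold` failures. Returns (plaintext or None, attempts, locked)."""
    attempts = 0
    for guess in guesses:
        if attempts >= lockout_threshold:
            return None, attempts, True
        attempts += 1
        if sha256_hex(guess) == target_hash:   # stands in for the real login check
            return guess, attempts, False
    return None, attempts, False


def crack_offline(hashes):
    """Dictionary attack first, then fall back to exhaustive search.
    Returns {user: (plaintext or None, method or None, total_attempts)}."""
    results = {}
    for user, h in hashes.items():
        plaintext, attempts = dictionary_attack(h)
        method = "dictionary"
        if plaintext is None:
            plaintext, more = brute_force_attack(h)
            attempts += more
            method = "brute-force" if plaintext else None
        results[user] = (plaintext, method, attempts)
    return results


if __name__ == "__main__":
    for user, (pw, method, n) in crack_offline(SAMPLE_HASHES).items():
        print(f"{user:6} {method or 'not cracked':12} after {n:6d} guesses: {pw}")
    print("online, alice:", online_attack(SAMPLE_HASHES["alice"], WORDLIST))
    print("online, bob:  ", online_attack(SAMPLE_HASHES["bob"], WORDLIST))
```

Running it shows alice falling to the 13th dictionary guess, bob to exhaustive search over the 47,988 strings of up to three lowercase letters and digits, and carol surviving both within the budget; the online model finds alice's password too but locks bob's account after five failures, which is the thread's point about D: it exercises the lockout control, not the password. With real password storage (salted bcrypt, scrypt or Argon2) the same loops apply, but each guess costs milliseconds instead of microseconds and the per-user salt defeats the precomputed table.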
Pappykay
1 year, 10 months ago
Selected Answer: A
With enough time, attackers can discover any hashed password using an offline brute-force attack. However, longer passwords result in sufficiently longer times, making it infeasible for attackers to crack them.
upvoted 1 times
trojix
1 year, 10 months ago
Selected Answer: A
It is truly blowing my mind that people studying for CISSP are choosing "B". That is a dictionary attack, not bruteforce.
upvoted 2 times
dumdada
1 year, 5 months ago
The Rapid7 website says verbatim about dictionary attacks: "A type of brute force attack where an intruder attempts to crack a password-protected security system with a "dictionary list" of common words and phrases used by businesses and individuals."
upvoted 2 times
Mr_Zaw
1 year, 10 months ago
A. There are two modifications that attackers can make to enhance the effectiveness of a brute-force attack: Rainbow tables provide precomputed values for cryptographic hashes. These are commonly used for cracking passwords stored on a system in hashed form.
upvoted 1 times
Delab202
1 year, 10 months ago
A password strength tester gauges how long it might hypothetically take to crack your password by testing the password against a set of known criteria, such as length, randomness, and complexity.
upvoted 1 times
Delab202
1 year, 10 months ago
The main difference between a brute force attack and a rainbow table attack is that there is precomputed data involved with a rainbow table when trying to crack passwords, whereas there is no precomputed data when a brute force is to be performed. B is a rainbow table.
upvoted 1 times
somkiatr
1 year, 10 months ago
Selected Answer: A
A and B would be correct. The point is online vs. offline. B doesn't mention offline, so if we perform brute forcing online then the user may be locked.
upvoted 1 times
Firedragon
2 years ago
Selected Answer: A
A. This is an offline brute-force attack. Official study guide P705
upvoted 3 times
RVoigt
1 year, 10 months ago
100% A, if you believe the Official Study Guide P704-705
upvoted 1 times
Jamati
2 years ago
Selected Answer: A
So easy. Answer is A
upvoted 1 times
Jay_12
2 years ago
Answer is A. B talks about words. If it said something like "combination of words, numbers and characters" then maybe B.
upvoted 1 times
DracoL
2 years ago
Both A and B are similar. A hash attack means there is no dictionary, and the attack software will use all sorts of permutations and hash algorithms to get a match with the actual hash. This is literally a brute force attack. A dictionary attack is a much milder attack method. Instead of all permutations, a dictionary attack uses the most common possible permutations and tries them. The answer should be A as it is literally trying every possible value and permutation: run the hash and see if it matches the original.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), other