What is a hybrid attack?
A hybrid attack is a mixture of both a dictionary and brute force attack. That means that like a dictionary attack, you would provide a wordlist of passwords and a brute-force attack would be applied to each possible password in that list.
A hybrid attack is like the beginning of an MMORP where you choose your character design. Your figure stays the same but you have the choice to change your clothes, hair and color until you have the look you want, a badass Schwarzeneggar or a medieval hooker.
On my first day as a freshman in high school, I was given a username and password for the school’s computer network. Everyone’s password was set to the first initial of their first name, their last name and birth date. So if my name was Bob Sagat and I was born on May 22, 2010, my password would be “bsagat052210”. This wasn’t a great way to distribute passwords, but we did have to change it after we first logged in. Can you see why a hybrid would be an effective attack in this case? What I could have easily down was get a list of every freshman student in the school and apply a brute force attack to the end of each name. The rule would look something like this:
(first initial of first name)(last name)([0-9] [0-9] [0-9] [0-9] [0-9] [0-9])
In this case, a hybrid attack would have enabled me to crack every single student’s password within a few minutes.
When should I use a hybrid attack?
Use a hybrid attack whenever you have an idea of how a password is formatted. For example, if you dump a database of password hashes from a website, and after trying a dictionary attack against it you are left with many uncracked passwords, then take a look at the password requirements for that website. Many websites require a password to be made a certain way. For example it may require a password to have at least two numbers and a special character. Knowing how people like to make things as easy as possible for themselves, you can safely guess that many people used exactly two numbers and one special character. Armed with this knowledge you can go back to your dictionary file and apply a brute force attack to it (making it a hybrid attack), trying the following combinations:
([0-9] | SC) ([0-9] | SC) ([0-9] | SC) (password)
(password) ([0-9] | SC) ([0-9] | SC) ([0-9] | SC)
Where SC = Special Character (ex. !,@,#,$) and (| = or) .