It can run attacks based on the login name itself, on a wordlist with variations (called "rules") and, as a last resort, on brute force.
Here are a few rules I usually add:
# Try with 2 prefixing digits
l ^[0-9]^[0-9]
# Try prefixing with possessives (AN"STR" inserts STR at position N, after lowercasing)
l A0"My"
l A0"Your"
l A0"His"
l A0"Her"
l A0"Our"
l A0"Their"
# Try with 1, 2, 3 and 4 digits at the end, and the same with punctuation.
# Inside a [...] list '-' is the range operator, so the hyphen is escaped as '\-'
# to keep it literal (unescaped, '*-_' would expand to every character from '*'
# to '_', digits and capital letters included).
l $[0-9]
l $[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]$[0-9]
l $[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
# Try with 1 or 2 digits and 2 punctuation symbols
l $[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
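To see what a rule line like the ones above actually produces, here is a small Python re-implementation of the subset of John the Ripper's rule language used in this post: `[...]` preprocessor lists with `x-y` ranges and backslash escapes, and the `l`, `^X`, `$X` and `AN"STR"` commands. It is an example added here, not code from the post or from John the Ripper, and it deliberately ignores everything else the real rule engine supports. The two rule lines `BUGGY` and `ESCAPED` and the sample word `Secret` are constructed for the demonstration: they show that an unescaped hyphen between `*` and `_` is read as a range covering digits and capital letters, so that "punctuation" list appends 60 distinct characters per digit instead of the 19 the comment intends.

```python
from itertools import product
import re


def _parse_list(rule, i):
    """Parse a preprocessor list starting at rule[i] == '['.

    Returns (alternatives, index just past the closing ']').
    'x-y' is an inclusive ASCII range, '\\c' is the literal character c.
    (Simplified model of JtR's preprocessor, written for this example.)
    """
    chars = []
    j = i + 1
    while j < len(rule) and rule[j] != ']':
        c = rule[j]
        if c == '\\' and j + 1 < len(rule):
            chars.append(rule[j + 1])          # escaped char is literal
            j += 2
        elif c == '-' and chars and j + 1 < len(rule) and rule[j + 1] != ']':
            lo = chars.pop()                   # previous char is the range start
            hi = rule[j + 1]
            j += 2
            if hi == '\\' and j < len(rule):   # range ending in an escaped char
                hi = rule[j]
                j += 1
            chars.extend(chr(k) for k in range(ord(lo), ord(hi) + 1))
        else:
            chars.append(c)
            j += 1
    if j >= len(rule):
        raise ValueError("unterminated list in rule: %r" % rule)
    return list(dict.fromkeys(chars)), j + 1   # drop duplicate characters


def expand_lists(rule):
    """Expand every [...] list: '$[ab]$[12]' -> ['$a$1', '$a$2', '$b$1', '$b$2']."""
    parts = []
    i = 0
    while i < len(rule):
        if rule[i] == '[':
            alts, i = _parse_list(rule, i)
            parts.append(alts)
        else:
            parts.append([rule[i]])
            i += 1
    return list(dict.fromkeys(''.join(p) for p in product(*parts)))


_INSERT = re.compile(r'A(\d+)"([^"]*)"')     # AN"STR": insert STR at position N


def apply_rule(rule, word):
    """Apply one expanded rule (no lists left) to a word.

    Only the commands used in the post are supported: l, ^X, $X and AN"STR".
    Whitespace between commands is skipped.
    """
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ' ':
            i += 1
        elif cmd == 'l':                       # lowercase the whole word
            word = word.lower()
            i += 1
        elif cmd in '^$':                      # prefix / append one character
            if i + 1 >= len(rule):
                raise ValueError("missing character after %r in %r" % (cmd, rule))
            word = rule[i + 1] + word if cmd == '^' else word + rule[i + 1]
            i += 2
        elif cmd == 'A':
            m = _INSERT.match(rule, i)
            if not m:
                raise ValueError("malformed A command in %r" % rule)
            n, s = int(m.group(1)), m.group(2)
            word = word[:n] + s + word[n:]
            i = m.end()
        else:
            raise ValueError("unsupported command %r in %r" % (cmd, rule))
    return word


def candidates(rule_line, word):
    """All candidate passwords one rule line generates for a word (duplicates removed)."""
    return list(dict.fromkeys(apply_rule(r, word) for r in expand_lists(rule_line)))


# Constructed rule lines for the demonstration: same list, hyphen unescaped vs escaped.
BUGGY = r'$[0-9]$[(){},?;.:/=+<>%$*-_]'      # '*-_' is read as the range '*'..'_'
ESCAPED = r'$[0-9]$[(){},?;.:/=+<>%$*\-_]'   # '\-' keeps the hyphen literal


def appended_chars(rule_line):
    """Distinct final characters a '$[0-9]$[...]' rule line appends."""
    return sorted({r[-1] for r in expand_lists(rule_line)})


if __name__ == "__main__":
    print(candidates('l A0"My"', "Secret"))            # ['Mysecret']
    print(len(candidates('l ^[0-9]^[0-9]', "Secret")))  # 100
    print(len(appended_chars(BUGGY)), ''.join(appended_chars(BUGGY)))
    print(len(appended_chars(ESCAPED)), ''.join(appended_chars(ESCAPED)))
```

Feeding a candidate rules file through a check like this before a long run is cheap insurance: every unintended character in a list multiplies the number of candidates for each word, which is what makes a "small" rule set unexpectedly slow.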
If you have your own killer rules, feel free to drop the URL in the comment section.