# Practical 16: Brute Force Lab Python

## Overview

This practical exercise is designed to show you how to perform brute force attacks using Python. You will learn how to implement a basic brute force attack on a simple password system. This session will take about 1 hour to complete.

## Task

### Part 1: Introduction to Brute Force Attacks (10 minutes)

1. **What is a Brute Force Attack?**
   - A brute force attack is a trial-and-error method used to decode encrypted data such as passwords or Data Encryption Standard (DES) keys.
   - In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.

2. **Basic Concepts:**
   - **Password Hashing:** A method to securely store passwords by converting them into fixed-size strings of characters, which are typically much shorter than the original password.
   - **Dictionary Attack:** A type of brute force attack where the attacker uses a predefined list of potential passwords (a dictionary).

### Part 2: Implementing a Simple Brute Force Attack (20 minutes)

1. **Set Up a Simple Password System:**

```python
import hashlib


# Hashing a password using SHA-256
def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Example password hash (password is 'password123')
password_hash = hash_password("password123")
```

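2. **Implementing the Brute Force Attack:**
   - Write a function that tries every combination of lowercase letters and digits up to a maximum length.

```python
import itertools
import string


def brute_force_attack(hash_to_crack, max_length=4):
    """Return the first candidate whose SHA-256 hash matches, or None."""
    # Candidate alphabet: 26 lowercase letters plus 10 digits
    characters = string.ascii_lowercase + string.digits
    # Try every length from 1 up to max_length, shortest first
    for length in range(1, max_length + 1):
        for guess in itertools.product(characters, repeat=length):
            guess = "".join(guess)
            guess_hash = hash_password(guess)
            if guess_hash == hash_to_crack:
                return guess
    # Search space exhausted without a match
    return None
```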

3. **Example Usage:**
   - Perform a brute force attack to crack the password.

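```python
max_length = 4
# 'password123' has 11 characters, so a search limited to max_length = 4
# exhausts every candidate and returns None.
cracked_password = brute_force_attack(password_hash, max_length)
print(f"Cracked Password: {cracked_password}")
```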

### Part 3: Dictionary Attack (20 minutes)

1. **Set Up a Dictionary of Common Passwords:**

```python
common_passwords = [
    "123456",
    "password",
    "123456789",
    "12345678",
    "12345",
    "1234567",
    "password1",
    "1234",
]
```

2. **Implementing the Dictionary Attack:**
   - Write a function to perform a dictionary attack using the list of common passwords.



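```python
def dictionary_attack(hash_to_crack, dictionary):
    """Return the first dictionary entry whose hash matches, or None."""
    for guess in dictionary:
        guess_hash = hash_password(guess)
        if guess_hash == hash_to_crack:
            return guess
    # No entry in the dictionary matched
    return None
```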

3. **Example Usage:**
   - Perform a dictionary attack to crack the password.

```python
# 'password123' is not in common_passwords, so this lookup returns None.
cracked_password = dictionary_attack(password_hash, common_passwords)
print(f"Cracked Password (Dictionary Attack): {cracked_password}")
```

### Part 4: Exercises (10 minutes)

1. **Exercise 1: Enhance Brute Force Attack**
   - TODO: Modify the `brute_force_attack` function to handle uppercase letters and special characters.


```python
# TODO: Solve Exercise 1
```

2. **Exercise 2: Implement a Reverse Brute Force Attack**
   - TODO: Write a function to perform a reverse brute force attack where you start with a known hash and try to find a matching password from a large dataset.


```python
# TODO: Solve Exercise 2
```

3. **Exercise 3: Time Complexity Analysis**
   - TODO: Measure the time complexity of both the brute force and dictionary attacks by calculating the time taken to crack different passwords of varying lengths.


```python
# TODO: Solve Exercise 3
```

4. **Exercise 4: Securing Passwords**
   - TODO: Research and implement techniques to secure passwords against brute force attacks (e.g., salting, key stretching).


```python
# TODO: Solve Exercise 4
```

## Summary

- You have learned about brute force attacks and how they work.
- You have implemented a basic brute force attack and a dictionary attack in Python.
- You have explored different methods to enhance and analyze brute force attacks.
- You have researched techniques to secure passwords against brute force attacks.
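
One possible approach to Exercise 4, tied back to the numbers in Part 2 (an added example, not part of the original lab): it replaces the unsalted single-pass `hash_password` with salted PBKDF2 from `hashlib`, verifies in constant time, and estimates how long the Part 2 keyspace takes to exhaust under each scheme. The names `keyspace`, `hash_password_slow`, `verify_password`, `seconds_per_guess` and the `ITERATIONS` value are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def keyspace(alphabet_size, max_length):
    """Number of candidates an exhaustive search of lengths 1..max_length must try."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def hash_password_slow(password, salt=None, iterations=ITERATIONS):
    """Salted, stretched hash: returns (salt, iterations, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def seconds_per_guess(fn, rounds=5):
    """Average wall-clock cost of one guess against the given hash function."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    fast = seconds_per_guess(lambda p: hashlib.sha256(p.encode()).hexdigest(), 20000)
    slow = seconds_per_guess(lambda p: hash_password_slow(p, b"\x00" * 16))
    total = keyspace(36, 4)  # lowercase + digits, max_length=4, as in Part 2
    print(f"candidates: {total}")
    print(f"unsalted SHA-256: ~{total * fast:.1f}s to exhaust")
    print(f"PBKDF2 x{ITERATIONS}: ~{total * slow / 3600:.1f}h to exhaust, per salt")
```

Because each record carries its own random salt, two users with the same password store different keys, so a hash list precomputed once from `common_passwords` no longer matches any record.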