The objective for password cracking is to obtain the hash of the users password. Obviously, if the intruder can get the raw password, that’s better for them and doesn’t require cracking.
If there hash can be obtained, then the objective becomes to match it. Since most passwords are stored in a one-way hash, you basically take a known value, run it though the hash, and compare the result with the hash. If they match, then the known value is the password (or at least one that has a hash overlap with the correct password (which is good enough).
Brute forcing the password prompt generally doesn’t work because of lockouts on password attempts at the page, and you’re correct on that, so it’s not a valid way to attack the system for the password.
The objective for password cracking is to obtain the hash of the users password. Obviously, if the intruder can get the raw password, that’s better for them and doesn’t require cracking.
If there hash can be obtained, then the objective becomes to match it. Since most passwords are stored in a one-way hash, you basically take a known value, run it though the hash, and compare the result with the hash. If they match, then the known value is the password (or at least one that has a hash overlap with the correct password (which is good enough).
Brute forcing the password prompt generally doesn’t work because of lockouts on password attempts at the page, and you’re correct on that, so it’s not a valid way to attack the system for the password.