- Recovering passwords from the transmitted or stored data on computer systems.
- See also Password cracking techniques | Web server threats and attacks
- Do not require the attacker to have any technical knowledge about cracking passwords.
- Dumpster diving
- Looking for notes or anything that can help in cracking the password.
- Shoulder surfing
- Observing the target while they type in their passwords
- E.G. looking at their keyboard or screen
- Social engineering
- Interacting with the target to trick them into revealing their passwords.
- Require the attacker to communicate with the target machine in order to crack the password.
- E.g. trying to login with username password combination on an online login page.
- ❗ Limitations
- Network communication to server over internet takes long time
- There are rate limits e.g. get locked after 5 minutes, then 10 then 15
- If server becomes suspicious that it's a bot then it might shut you off directly
- Offline attack can perform millions/billions a second
- Online attack, e.g. every 5 seconds, if you fail 5 times you might get locked out.
- 📝 Dictionary = file containing list of passwords
- Steps
- Load a dictionary file into a password cracking program.
- The program checks the passwords against user accounts.
- Helps to test against
- Default passwords
- Common / weak passwords
- Leaks downloaded from internet
- ❗ Limitations
- Can get too big
- No guarantee to find the password
- See also Dictionary attacks | Cryptanalysis
- Running every combination of characters until the password is cracked.
- Slowest technique (can take years) but comprehensive.
- 💡 Should be used in combination with rule-based attack to increase the speed.
- See also Brute force attack | Cryptanalysis
- 📝 Dictionary attack + brute force attack
- Taking a dictionary and expanding it with guesses using brute-force.
- It prepends, appends or substitutes characters in words.
- E.g. using
hashcat
- Say an
example.dict
contains:password
andhello
... -a 6 example.dict ?d?d
would generate frompassword00
andhello00
topassword99
andhello99
- Say an
- Used when the attacker has some information about the password
- such as the length, if there are any digits, and similar.
- Attacker combines several other attacks to crack the password.
- E.g. brute force, dictionary, and syllable attack.
- Can e.g. record people, or use other non-electronic attacks to get some portions of the password to build rules.
- Guess passwords either by humans or by automated tools using dictionaries
- Requires the attacker to manually attempt to log into the target's machine.
- E.g.
- Find the target's username
- Create a password dictionary list
- 💡 Good to add default passwords from manufacturers.
- Sort the passwords by the probability
- Try each password
- Installed in target machine to get the target's passwords and usernames.
- They run in the background and sometimes are difficult to detect.
- Trojans
- Design to collect information or harm the system.
- Allow attackers to remotely access the machine and perform malicious activities.
- Spyware are designed to collect secret information.
- Keyloggers to send key strokes to the attacker.
- Attack on systems that use hash functions for the user authentication.
- Steps:
- Retrieve the hashes which are stored in a databases
- Find the hash that belongs to the user
- Use that hash to create an authenticated session.
- LLMNR = Link Local Multicast Name Resolution
- NBT-NS = NetBIOS Name Service
- Two main Windows OS elements that perform host name resolution.
- Vulnerability
- When DNS fails to resolve name queries, the host sends a UDP broadcast message to other hosts asking them to authenticate themselves
- Allows an attacker to listen for such broadcast messages and tricks the host into establishing a connection.
- Once the connection is established, the host sends its username and NTLMv2 hash, which the attacker can attempt to crack and in such a way discover the password.
- Grabbing data in-transit e.g. a key, password hash
- Without communicating with the target machine.
- Attacker
- Monitors the communication channel
- Records the traffic data
- Uses the data to break into the system.
- Attackers sniff credentials by capturing packets that are being transmitted
- During the packet transmission, attackers
- capture packets
- extract sensitive information such as passwords and emails
- uses them to gain access to the target system.
- Attacker gains access to the communication channel between the target and server.
- Attacker then extracts information and data they need to gain unauthorized access.
- Involves using a sniffer to capture packets and authentication tokens.
- Need access to raw network data using e.g.
- Network tap to physically copy everything that goes through in network.
- Man in the middle attack using e.g. ARP poisoning.
- Malware on victims computer
- Attacker replay information using e.g. extracted authentication token or hashed password.
- Countermeasure
- Using Session ID for each user session on server side
- Expire session ID in short time intervals so replay attack cannot use same session ID
- Cracking efforts on a separate system
- Attacker never attempts to login to the application server that can be logged.
- ❗ Does not mean disconnected from internet.
- Usually the attacker tries to guess a password from a hash dump.
- E.g. SAM file on Windows or
/etc/shadow
on Linux.
- E.g. SAM file on Windows or
- Uses the power of machines across the network to decrypt passwords.
- Used for recovering passwords from hashes
- DNA manager is installed on a central location
- Coordinates the attack by allocating portions of the key search to machines which are on the network.
- 📝 Use password salting
- The longer the random string, the harder it becomes to break or crack the password
- Generates different hashes for the same password
- Protects against rainbow tables as it would cause the table to include salts making it much bigger.
- Use key stretching to derive stronger passwords to use in encryption.
- 📝 Linux hashed passwords lies in
/etc/shadow/
so you can attack on that. - Linux usually use SHA512, you can find method in
/etc/login.defs
- In older systems password information was stored in
/etc/passwd
, now it holds only user account information.