What Is Password Cracking? – When we think about password cracking we think we really hack the password of that person yes it is right. In the real world, we actually recover the password from that specific computer system.
The Password cracking term is a bit different from other terms and very interested.
Password cracking techniques are used to recover passwords from the data that have stored in or transmitted by computer systems.
Attackers use password-cracking techniques to gain unauthorized access to the vulnerable system.
Most of the password cracking techniques are successful due to weak or easily guessable passwords.
Password cracking may use to recover the forgot password of any user to help him/her to recover the password.
Types Of Password Attacks
The attacker need not possess the technical knowledge to crack the password, hence known as a non-technical attack.
This types of attacks involve the following terms:
Shoulder surfing is the technique that we need to do when we are in contact with that person, Basically, we guess the password by seeing their hands moving or his/her shoulder movements.
Social Engineering is one of the best concepts in the non-technical attacks. Social Engineering is to collect more and more information about the target to get or guess the password by direct contact or indirectly.
In the dumpster diving technique we try to collect info about passwords through the dump of that person’s office or from home. Sometimes it really works too good.
Active Online Attack :-
A Dictionary file is loaded into the cracking application that runs against user accounts.
Brute Forcing Attack
The program tries every combination of characters until the password is broken.
This attack is used when the attacker gets some information about the password.
The attacker crates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim’s machine to crack the passwords.
- Find a valid user.
- Create a list of possible passwords.
- Rank passwords from high probability to low.
- Key in each password, until the correct password is discovered.
The attacker installs Trojan/Spyware/Keylogger on the victim’s machine to collect the victim’s user names and passwords.
Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker.
Hash Injection Attack
A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources.
The attacker finds and extracts a logged on domain admin account hash.
The attacker uses the extracted hash to log on to the domain controller.
Passive Online Attacks
Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
The captured data may include sensitive information such as passwords (FTP, login sessions, etc.) and emails.
Sniffed credentials are used to gain unauthorized access to the target system.
Man-in-the-Middle and Replay Attack
- Gain access to the communication channels:- In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
- Use Sniffer:- In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant into is extracted, the tokens are placed back on the network to gain access.
A default password is a password supplied by the manufacturer with new equipment (switches, hubs, routers) that is password protected.
Attackers use default passwords in the list of words or dictionary that they use to perform password guessing attack.
Online tools to search Default Password
Rainbow Table Attack
A rainbow table is a precomputed table that contains word lists like dictionary files and brute force lists and their hash values.
Capture the hash of passwords and compare them with the precomputed hash table. If a match is found then the password is cracked.
It is easy to recover passwords by comparing captured password hashesh to the precomputed tables.