PART 2 - The top 12 Password-Cracking Techniques used by Hackers

  

Some of the most common, and most effective, methods for stealing passwords  : PART 2

1. Dictionary attack :

2. Mask attack :

3. Rainbow table attack : 

4. Network analysers :

1. Dictionary attack :

                        A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.

Dictionary attacks work because many computer users and businesses insist on using ordinary words as passwords. Dictionary attacks are rarely successful against systems that employ multiple-word phrases, and unsuccessful against systems that employ random combinations of uppercase and lowercase letters mixed up with numerals. In those systems, the brute-force method of attack (in which every possible combination of characters and spaces is tried up to a certain maximum length) can sometimes be effective, although this approach can take a long time to produce results.

2. Mask attack :

                            Mask attacks are similar to brute-force attacks given they try all combinations from a set of characters. With brute-force attacks, all possible characters that exist are tried. Mask attacks are more specific as the set of characters you try is reduced based on information you know.

For example, if you know the last character in a password is a number, you can configure your mask to only try numbers at the end. Using traditional brute-force attacks, you would still be forced to try characters that are not numbers.

This matters because the total combination of characters to exhaust with a masking attack is smaller.

For example, if we take the following password:

Mask101

It has a length of 7 characters and for each one, it could be upper-case (26 potential characters), lower-case (26 potential characters), a symbol (33 potential characters) or a number (10 potential characters), we’d have to try a total number of 95^7 (69,833,728,698,375) combinations.

Now suppose we know the last three characters are numbers.  This would drastically reduce the potential keyspace as no passwords with any letter or symbol in the last three spaces would need to be tried.

Of course you need to make sure your information on the password is correct, otherwise your mask may not generate the password. Using masking you can also create masks to exploit password habits. For example, a common habit is for passwords to start with a capital if at least one is required.

         

3. Rainbow table attack : 

                        A rainbow table attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. A rainbow table is a hash function used in cryptography for storing important data such as passwords in a database. Sensitive data are hashed twice (or more times) with the same or with different keys in order to avoid rainbow table attacks.

                   

4. Network analysers :

                            Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.

Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of the first phase of an attack, followed up with brute force attacks.