PART 3 - The top 12 Password-Cracking Techniques used by Hackers

Some of the most common, and most effective, methods for stealing passwords: PART 3

1. Spidering

2. Offline cracking

3. Shoulder surfing

4. Guess


1. Spidering:

A web crawler (also known as a web spider or web robot) is a program or automated script which browses the World Wide Web in a methodical, automated manner.

This process is called Web crawling or spidering.

Many legitimate sites, in particular search engines, use spidering as a means of providing up-to-date data.

Web crawlers are mainly used to create a copy of all the visited pages for later processing by a search engine, which indexes the downloaded pages to provide fast searches.

Crawlers can also be used for automating maintenance tasks on a Web site, such as checking links or validating HTML code.

Also, crawlers can be used to gather specific types of information from Web pages, such as harvesting e-mail addresses (usually for spam).
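The crawler described above, written out as an added example (not code from the original post): a breadth-first spider that extracts links from each page, stays on the starting host, caps the number of pages it will fetch, and reports broken links, which is the "checking links" maintenance task the text mentions. The site it walks is a constructed in-memory dictionary standing in for HTTP fetches, so it runs offline; `fetch`, `crawl` and the `example.test` URLs are all assumptions of this example.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory "site" standing in for real HTTP responses.
SITE = {
    "https://example.test/": '<a href="/about">About</a> <a href="/docs/">Docs</a> '
                             '<a href="https://other.test/x">External</a>',
    "https://example.test/about": '<a href="/">Home</a> '
                                  '<a href="mailto:webmaster@example.test">Mail</a>',
    "https://example.test/docs/": '<a href="intro.html">Intro</a> <a href="missing.html">Gone</a>',
    "https://example.test/docs/intro.html": '<a href="../about">About</a>',
}


class LinkExtractor(HTMLParser):
    """Collect every href found on <a> tags of one page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site: (status, body)."""
    body = SITE.get(url)
    return (200, body) if body is not None else (404, "")


def crawl(start, max_pages=100):
    """Breadth-first crawl limited to the start URL's host.

    Returns (visited, broken): pages fetched successfully, in crawl order,
    and in-scope links that did not resolve (HTTP 404 here).
    """
    host = urlparse(start).netloc
    queue = deque([start])
    seen = {start}            # every URL ever queued, so each is fetched once
    visited, broken = [], []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        status, body = fetch(url)
        if status != 200:
            broken.append(url)
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href)   # resolve relative links against the page
            parsed = urlparse(target)
            # Scope rule: only http(s) links on the same host are followed,
            # so mailto: links and other sites are skipped.
            if parsed.scheme not in ("http", "https") or parsed.netloc != host:
                continue
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return visited, broken


if __name__ == "__main__":
    pages, dead = crawl("https://example.test/")
    print("crawled:", *pages, sep="\n  ")
    print("broken:", *dead, sep="\n  ")
```

The `seen` set and the `max_pages` cap are what keep a spider "methodical" rather than runaway: without them a link cycle (`/` to `/about` and back) would loop forever, and a large site would be fetched without bound.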



2. Offline cracking:

The main advantage of offline cracking is speed: passwords can be cracked much faster, using several different methods. It is also worth cracking all local user accounts even if the attacker already has administrative privileges, because other systems nearby, such as a domain controller, a database or a file server, may share some of the cracked passwords.

Offline attacks cannot be prevented by tightening security policies. Once the SAM (Security Account Manager) database has been read out, it's over...

In terms of advantages, the difference between offline and online password attacks is huge. In an offline password attack, the attacker never actually attempts to log in to the application server. This means the attack is invisible to the security team and to the logs, and common protections such as account lockouts will not work, because the attacker takes the hashes offline, finds the password, and then only a single correct attempt is ever registered by the application.



3. Shoulder surfing:

Shoulder surfing occurs when someone watches over your shoulder to nab valuable information such as your password, ATM PIN, or credit card number, as you key it into an electronic device. When the snoop uses your information for financial gain, the activity becomes identity theft.

In this article, you’ll learn how shoulder surfers manage to steal information. You’ll also get tips on how to help keep yourself from becoming a victim.

Here are three other ways shoulder surfers might strike:

  1. You’re at the airport, seated in a packed terminal awaiting your flight. Your kid calls you about something she wants to buy online. Mistake: You read to her your credit card number aloud.
  2. You kick back at a café for a cup of coffee and to pay your bills. You share a table, take a seat, and open your laptop. You log in to your bank with your user name and password and click on Bill Pay. Mistake: You’ve put key information in plain view.
  3. It’s your first day at work. You take your place in a sea of cubicles. You dive into your “paperwork,” signing up for employee benefits at your computer. You enter all sorts of personal information—your name, address, Social Security number, bank account, phone number. Mistake: Half a dozen coworkers can see what you’re doing.


4. Guess:

Password guessing is an online technique that involves attempting to authenticate as a particular user to the system. As we will learn in the next section, password cracking refers to an offline technique in which the attacker has gained access to the password hashes or database. Note that most web-based attacks on passwords are of the password guessing variety, so web applications should be designed with this in mind from both a detective and a preventive standpoint.

Password guessing may be detected by monitoring the failed-login entries in the system logs. Clipping levels are used to differentiate between malicious attacks and normal users accidentally mistyping their passwords: a clipping level defines a minimum reporting threshold. Using the password guessing example, a clipping level might be established such that the audit system only alerts if failed authentication occurs more than five times in an hour for a particular user. Clipping levels help to separate attacks from noise; however, they can also cause false negatives if the attackers can glean the threshold beneath which they must operate.
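The clipping-level check described above, as an added example that is not part of the original post: a small detector that parses failed-login lines, keeps per-user timestamps, and alerts when more than the threshold (five by default) fall inside any sliding one-hour window. The log lines, their format, and the users `alice`, `bob` and `carol` are constructed for this example; `carol` is included to show the false-negative case the text warns about, where a slow attacker stays under the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format is an assumption of this example).
# alice: two typos then success; bob: six failures in 15 s; carol: six
# failures spaced ~65 min apart, deliberately under "five per hour".
SAMPLE_LOG = """\
2024-03-01T09:00:05 FAILED_LOGIN user=alice src=10.0.0.5
2024-03-01T09:01:10 FAILED_LOGIN user=alice src=10.0.0.5
2024-03-01T09:01:40 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T09:10:00 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T09:10:03 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T09:10:06 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T09:10:09 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T09:10:12 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T09:10:15 FAILED_LOGIN user=bob src=198.51.100.7
2024-03-01T11:30:00 FAILED_LOGIN user=carol src=10.0.0.9
2024-03-01T12:45:00 FAILED_LOGIN user=carol src=10.0.0.9
2024-03-01T13:50:00 FAILED_LOGIN user=carol src=10.0.0.9
2024-03-01T14:55:00 FAILED_LOGIN user=carol src=10.0.0.9
2024-03-01T16:00:00 FAILED_LOGIN user=carol src=10.0.0.9
2024-03-01T17:05:00 FAILED_LOGIN user=carol src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (FAILED_LOGIN|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Return {user: sorted list of failed-login timestamps}."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines this parser does not understand
        ts, event, user, _src = m.groups()
        if event == "FAILED_LOGIN":
            failures[user].append(datetime.fromisoformat(ts))
    for user in failures:
        failures[user].sort()
    return dict(failures)


def exceeds_clipping_level(timestamps, threshold=5, window_hours=1):
    """True if more than `threshold` failures fall inside any sliding window."""
    window = timedelta(hours=window_hours)
    left = 0
    for right, t in enumerate(timestamps):
        # Advance the window's left edge until it spans at most `window`.
        while t - timestamps[left] > window:
            left += 1
        if right - left + 1 > threshold:
            return True
    return False


def alerts(text, threshold=5, window_hours=1):
    """Users whose failed logins exceed the clipping level, sorted by name."""
    failures = parse_failures(text)
    return sorted(user for user, ts in failures.items()
                  if exceeds_clipping_level(ts, threshold, window_hours))


if __name__ == "__main__":
    print("alerting users:", alerts(SAMPLE_LOG))
```

With the default "more than five per hour" level only `bob` alerts; `carol` has just as many failures but never more than one in any hour, so the rule misses her unless the window is widened (for example to six hours). That tradeoff is the clipping-level false negative the text describes.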



THANK YOU
