Types of Password Attacks and How They Work


The typical process followed by a password cracker includes these four steps:

Steal passwords by some nefarious means. That password is encrypted before it is stored using a hash. Hashes are mathematical functions that transform an input of arbitrary length into an encrypted fixed-length output.

Choose a cracking method, such as a brute-force or dictionary attack, and choose a cracking tool.

Prepare password hashes for cracking programs. This is done by providing an input to the hash function to create a hash that can be authenticated.

Run the cracking tool.

A password cracker may also be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it. Or, using the same algorithm as the system program, the password cracker creates an encrypted version of the password that matches the original.
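
How far the matching step described above gets depends on how the system stored the password. The following Python is an added example, not code from the original post: it contrasts an unsalted fast hash with a salted PBKDF2 record, and the account names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def fast_unsalted(password: str) -> bytes:
    """Weak storage: a single unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).digest()


def slow_salted(password: str) -> tuple[bytes, bytes]:
    """Hardened storage: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def users_sharing_a_record(table: dict) -> set:
    """Users whose stored value equals another user's stored value."""
    by_value = defaultdict(set)
    for user, stored in table.items():
        by_value[stored].add(user)
    return {u for group in by_value.values() if len(group) > 1 for u in group}


# Constructed sample accounts: alice and bob picked the same password.
ACCOUNTS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "x9!Lq#72vT"}


def demo():
    """Store the same accounts both ways and report which records collide."""
    weak = {u: fast_unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {u: slow_salted(p) for u, p in ACCOUNTS.items()}
    return users_sharing_a_record(weak), users_sharing_a_record(strong), strong


if __name__ == "__main__":
    weak_shared, strong_shared, _ = demo()
    print("unsalted records shared by:", sorted(weak_shared))
    print("salted records shared by:", sorted(strong_shared))
```

With the unsalted scheme, one matching hash exposes every account that reused the password; with per-user salts each record has to be matched separately, and each attempt costs the full iteration count.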


1. Brute force attack

A brute force password attack is essentially a guessing game where the hacker tries various password combinations using the hacking software until they are able to crack the code. These hackers hope that their victims either reuse a password that has already been compromised or use a common phrase such as "12345".

 

2. Credential Stuffing

Credential stuffing is also a type of brute force attack that uses stolen credentials to break into your online accounts and profiles. Besides using spyware and other types of malware to get what they want, cybercriminals can find lists of compromised passwords on the dark web. Hackers can use these lists to carry out their credential stuffing schemes and exploit your data.

 
3. Social Engineering

Cyber thieves have a variety of skills, one of which is creating trustworthy-looking websites. Password hackers create what are known as social engineering websites, which they design to look like legitimate login pages. These cyber criminals send you to a fake login field that will not give you access to your account. It only records the information you type, giving cyber criminals exactly what they want.

 

4. Dictionary Attack

Another sibling of the brute force attack family is the dictionary attack. These cyber attacks play on our habit of using single-word phrases as our passwords. The hacker can use automated password-guessing software to try each word in a dictionary as your password to see if they have any luck.

In more advanced dictionary attacks, hackers develop a list of keywords specific to your life, such as birth dates, sibling or pet names, and past street names.

 

5. Keylogger Attack

A keylogger is spyware that is used to track and record what you type on your keyboard. Despite being legal to use, keyloggers are abused by hackers, who intentionally infect vulnerable devices and record private information without the owner's knowledge.

 

6. Data Leak or Password Spray Attack

Password spraying is when a hacker uses a large number of stolen passwords, sometimes in the millions, on a small number of online accounts to see if they can gain access. Hackers use advanced automated password-guessing software that limits the number of attempts that can be made on an account. This keeps them from triggering security alerts and lets them keep trying under the radar.
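
A defender's view of the low-and-slow pattern described above, as an added example that is not part of the original post: because the attempts per account stay small, the check groups failed logins by source instead of by account. The log format, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed sample: 'timestamp source_ip account result' per line."""
    lines = []
    # 203.0.113.7 tries once against each of eight accounts (spray pattern).
    for i in range(8):
        lines.append(f"2024-05-01T10:00:{i:02d} 203.0.113.7 user{i:02d} FAIL")
    # 198.51.100.9 hammers a single account (brute-force pattern).
    for i in range(12):
        lines.append(f"2024-05-01T10:05:{i:02d} 198.51.100.9 admin FAIL")
    # 192.0.2.4 is a user who mistypes once, then logs in.
    lines.append("2024-05-01T10:07:00 192.0.2.4 alice FAIL")
    lines.append("2024-05-01T10:07:09 192.0.2.4 alice OK")
    return "\n".join(lines)


def classify_sources(log, min_accounts=5, max_per_account=2, brute_min=10):
    """Label each source IP by the shape of its failed logins."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _, src, account, result = parts
        if result == "FAIL":
            fails[src][account] += 1
    findings = {}
    for src, per_account in fails.items():
        worst = max(per_account.values())
        if len(per_account) >= min_accounts and worst <= max_per_account:
            # Many accounts, few tries each: stays under per-account lockout.
            findings[src] = "spray"
        elif worst >= brute_min:
            # One account guessed over and over.
            findings[src] = "brute-force"
    return findings


if __name__ == "__main__":
    for src, label in classify_sources(build_sample_log()).items():
        print(src, label)
```

A per-account lockout counter alone would flag only the second source; the first never exceeds one failure on any single account.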

 

7. Phishing

Password phishing attacks often come in the form of emails or text messages, diverting your attention to an urgent matter. The hacker may combine these messages with a link to a strategically designed social engineering website designed to trick you into logging into their profile. These websites will record the credentials you type in, giving an attacker direct access to your real account.

 

8. Man-in-the-middle attack

A man-in-the-middle attack uses phishing messages to pose as a legitimate business in order to accomplish the following goals:

Use malicious attachments to install spyware and record passwords

Embed links to social engineering websites to trick people into compromising their credentials

 

9. Traffic Interception

Traffic interception is also a type of man-in-the-middle attack. This is when password crackers eavesdrop on network activity to capture passwords and other types of sensitive information. There are several ways cyber criminals do this, one of which is to monitor unsecured Wi-Fi connections. But they can also use a tactic called SSL hijacking – when a cyber criminal intercepts the connection between a target and the legitimate site they are on and records any information shared between the two.

 

10. Shoulder surfing

Being aware of your physical surroundings is just as important as spotting suspicious activity online. One way hackers get passwords is by looking over people's shoulders in public as they type. People often focus on entering their password only to find that a nosy neighbor is watching them.


Password Cracking And Best Cracking Tools

 


Best Password Cracking Tools:

1.) John the Ripper

John the Ripper is a good choice for a password cracking tool, mainly because of its open-source nature and support for a variety of platforms. The open-source nature means that the code is available to the public, so users do not have to worry about the legality of the software or about malware that may be deeply integrated into the software.

Link: https://www.openwall.com/john/

2.) Hashcat

Known as the world's first and only in-kernel rules engine, Hashcat is another password cracking tool that can help recover various passwords, such as those used for WiFi, documents, and other file types. Multiple platforms and operating systems are supported, such as Windows, Linux and macOS for desktop. There's also mobile support for Android, iOS, and Windows Mobile.

Link: https://hashcat.net/hashcat/

3.) Medusa

Medusa is an online password-cracking tool that supports protocols such as HTTP, SSH, FTP, CVS, AFP, POP3, Telnet, and more. The software works as a login brute-forcer: multiple credentials are tried over as many protocols as possible to arrive at the correct password.

Link: https://www.kali.org/tools/medusa/

4.) THC Hydra

THC Hydra has seen many comparisons to Medusa as a password cracker, but there are notable differences between the two tools. Like Medusa, THC Hydra is an online password cracking tool that uses a brute-force password-guessing method. One important difference is that THC Hydra can be installed on Windows, macOS, Linux, FreeBSD, and Solaris, notably more platforms than Medusa supports. In addition to the brute-force method, THC Hydra can also run a dictionary attack using an external wordlist.

Link: https://www.kali.org/tools/hydra/

5.) WFuzz

WFuzz is another brute-force password-cracking tool, much like Medusa and THC Hydra. Another feature of the program is searching for hidden resources such as servlets, directories and scripts. The tool also supports multiple injection types with multiple dictionaries.

Link: https://www.kali.org/tools/wfuzz/

6.) Brutus

Brutus can recover passwords and usernames from websites, operating systems, and other applications. True to its name, Brutus uses a brute-force dictionary attack to retrieve passwords.

 

7.) RainbowCrack

RainbowCrack is another password cracker tool that uses a rainbow table attack to decipher passwords in hash form. The main technique used is a time-memory trade-off that can be accelerated with multiple GPUs. Users can use RainbowCrack to generate rainbow tables to use in the password cracking process or download pre-existing rainbow tables from the Internet.

Link: http://project-rainbowcrack.com/

8.) L0phtCrack

L0phtCrack is an open-source password cracking tool that can be used to crack Windows passwords. The main techniques used by L0phtCrack are dictionary attacks and brute-force attacks, which allow the program to generate and guess passwords.

9.) Ophcrack

Ophcrack is a free, open-source password cracker that uses a rainbow table attack to decipher passwords. Specifically, the program cracks LM and NTLM hashes. LM hashes are for Windows XP and earlier operating systems, while NTLM hashes are for Windows Vista and later Windows operating systems.

10.) aircrack-ng

Aircrack-ng is a good alternative for cracking WiFi passwords, allowing users to crack passwords that use the WEP or WPA/WPA2 PSK standards. For techniques, Aircrack-ng uses a dictionary attack with several supported algorithms including PTW and FMS.

Link: https://www.aircrack-ng.org/

11.) Crackstation

Unlike most entries on the list, CrackStation does not have a standalone program installed on the computer. Rather, it can be used on any operating system, even on mobile.

Link: https://crackstation.net/

12.) Cain and Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non-standard" utilities for Microsoft Windows users.

Link: https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html

13.) HackBrowserData

It is an open-source tool that could help you decrypt data (password|bookmark|cookie|history|creditcard|download|localStorage|extension) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

Note: This post is for educational purposes only. Stay safe, stay ethical.
