
Active online attack

In document Hakin9_StarterKit_04_2013 (Page 164-174)

In this attack the attacker tries different passwords until one works. There are various sub-techniques for performing the attack; they can be classified as follows.

Dictionary attack: a dictionary file is loaded into the cracking application, which runs it against the user account.

Brute force attack: the program tries every combination of characters until the password is broken.

Burp Suite is a good tool for brute forcing complex web applications. It is developed by PortSwigger and is free for home use. Let us start password cracking of the demo web application with Burp Suite.

Prerequisites: a valid username, a list of possible passwords, and Burp Suite running properly on the default port 8080.

Step 1: Start the browser and set the proxy address to localhost:8080.

Step 2: Open the application and go to the login page.

Step 3: Start Burp's intercept and submit the login form with the valid username and a dummy password.

Step 4: Burp will catch the request in the Intercept section. Right-click on it and send it to Intruder.

Step 5: Now configure the payload position on the password field so that it is submitted with our values.

Step 6: Go to the Payloads section and load the password list.

Step 7: Go to the Intruder section and click on Start attack.

Step 8: The Intruder window opens and starts the attack, as shown below.

Let's analyse the attack. From the screenshot above it is observed that the response length of the 10th request is the maximum, 32283.

Select that 10th request, go to its Response tab (the 2nd tab) and finally click the Render tab.

Now it is clear that this page is the post-login page, with logout and change-password features. So the password is the value of the 10th payload, i.e. 9326550515.

Web applications should use CAPTCHAs to prevent brute force attacks. Sometimes application

Now let's crack a Linux password with xHydra. It is a very robust online attack tool which supports multiple protocols.

Step 1: Open xHydra and set the target host. Select the port and protocol; in this case the port is 22 and the protocol is SSH, as shown in Screenshot 1.

Step 2: Select the Passwords section and select the username and the password list. This is shown in Screenshot 2.

Step 3: Go to the Start tab and click on Start. It will start the password brute force.

If a login is successful, it will highlight the username and password in bold text.
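The xHydra run above is what a defender sees from the other side: a burst of failed SSH logins from one source, sometimes ending in a successful one. The following detector is an added example and not part of the article; it parses constructed sshd auth-log lines (192.0.2.0/24 is a documentation range) and flags sources that exceed a failure threshold inside a sliding window. The same idea applies to the Burp attack above, using web server access logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth-log lines (not from the article). A dictionary
# attack like the xHydra run shows up as many "Failed password" lines from one
# source in a few seconds, here followed by an "Accepted" line for the same source.
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 srv sshd[2201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan 12 10:15:02 srv sshd[2203]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jan 12 10:15:02 srv sshd[2205]: Failed password for invalid user admin from 192.0.2.10 port 51238 ssh2
Jan 12 10:15:03 srv sshd[2207]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jan 12 10:15:03 srv sshd[2209]: Failed password for root from 192.0.2.10 port 51242 ssh2
Jan 12 10:15:04 srv sshd[2211]: Accepted password for root from 192.0.2.10 port 51244 ssh2
Jan 12 10:20:00 srv sshd[2301]: Failed password for alice from 192.0.2.55 port 40001 ssh2
Jan 12 10:20:30 srv sshd[2303]: Accepted password for alice from 192.0.2.55 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2013):
    """Yield (timestamp, result, user, ip) for every line in sshd's password-auth format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: verdict} for sources with >= threshold failures inside the window.
    The verdict becomes 'brute-force-success' if an Accepted login follows the burst."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    verdicts = {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            # keep only the failures that fall inside the sliding window
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(failures[ip]) >= threshold:
                verdicts.setdefault(ip, "brute-force")
        elif ip in verdicts:
            verdicts[ip] = "brute-force-success"
    return verdicts
```

A single failed login from a second source (alice) stays below the threshold and is not reported.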

Cleartext protocols (Telnet, FTP) make the attacker's job easier. An attacker may sniff the traffic and capture sensitive packets in which the username and password are transmitted in clear text.

Sometimes a weakness in the authentication mechanism leads to various attacks; let's take WEP as an example.

WEP stands for Wired Equivalent Privacy. The 802.11 designers' intention was to provide wireless users with a level of security equivalent to that achievable on a wired network. Unfortunately WEP has turned out to be much less secure than intended. It can be cracked within 10 minutes.

Prerequisites for WEP cracking: an Alfa card and a BackTrack instance. Now let us crack a WiFi network protected by WEP.

Step 1: Open Aircrack-ng in BackTrack. Type iwconfig and hit Enter.

Note that our wireless adapter is recognized by BackTrack and is named wlan0. Yours may be wlan1 or wlan2.

Step 2: Put the wireless adapter into monitor mode. We can do that by typing:

airmon-ng start wlan0

Step 3: Start capturing traffic.

We now need to start capturing traffic. We do this by using the airodump-ng command with the monitoring interface, mon0. Command: airodump-ng mon0

As we can see, we are now able to see all the APs and clients within our range!

Step 4: Start a specific capture on the AP.

As you can see from the screenshot above, there are two APs, one with WEP encryption. Let's target the first, with the ESSID "Prasad". Let's copy the BSSID of this AP and begin a capture on it. Command:

airodump-ng --bssid BC:F6:85:E1:07:6A -c 1 -w prasadcrack mon0

This will start capturing packets from the SSID "prasad" on channel 1 and write them to files with the prefix prasadcrack in pcap format. This command alone will now allow us to capture the packets needed to crack the WEP key.

We now need to wait for someone to connect to the AP so that we can get the MAC address of their network card. When we have their MAC address, we can spoof it and inject packets into the AP.

As we can see at the bottom of the screenshot, someone has connected to the "prasad" AP. Now we can hasten our attack!

Step 5: Inject ARP traffic.

To spoof their MAC and inject packets, we can use the aireplay-ng command. We need the BSSID of the AP and the MAC address of the client who connected to it. We will capture an ARP packet and then replay it thousands of times in order to generate the IVs we need to crack WEP. Command:

aireplay-ng --arpreplay -e Prasad -h 68:5D:43:36:9D:C2 mon0

Now, when we inject the ARPs into the AP, the IVs that are generated are captured in our airodump file prasadcrack.

Step 6: Crack the password.

Once we have several thousand IVs in our prasadcrack capture file, all we need to do is run that file through aircrack-ng. Command: aircrack-ng prasadcrack1.cap

And finally the WEP password is prasadbha2112.

It is always recommended to configure your WiFi with the WPA2/PSK standard.

Offline attack

If there is no active connection with the remote machine while cracking the password, it is called an offline attack.

An authentication system must contain a database of passwords, either hashed or in plaintext, and various methods of password storage exist. Windows uses password hashes for authentication. These hashed passwords are stored in the SAM file, located at C:\windows\system32\config\SAM. Attackers came up with a new concept to crack these hashes: they precompute a table of passwords and their hashes, called a rainbow table. Using a rainbow table one can reverse-lookup the password, i.e. the input is the password hash and the output is the password.

Windows uses the LM and NTLM algorithms for hashing. The LM algorithm has multiple weaknesses; for example, any password shorter than 8 characters results in the second half of the hash being computed over 7 null bytes, yielding the constant value 0xAAD3B435B51404EE, hence making short passwords easy to identify on sight. Ophcrack is a good tool for cracking passwords using rainbow tables. Ophcrack also comes as a bootable CD from which an attacker can extract the hashes of the accounts.
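The constant quoted above is also useful on the defensive side: a quick audit of a hash dump tells an administrator which accounts still have an LM hash stored and which of them have passwords shorter than 8 characters, before an attacker runs Ophcrack against them. This is an added example and not part of the article; the pwdump-style records below are constructed, and all hash values other than the null-block constant are placeholder hex, not real hashes of any password.

```python
# LM hash of seven null bytes, the constant quoted in the text above.
EMPTY_LM_HALF = "AAD3B435B51404EE"

# Constructed pwdump-style records (user:RID:LM hash:NT hash:::), not from the article.
# Every hex value except EMPTY_LM_HALF is a placeholder, not the hash of a real password.
SAMPLE_DUMP = """\
Administrator:500:1122334455667788AABBCCDDEEFF0011:00112233445566778899AABBCCDDEEFF:::
jsmith:1002:1122334455667788AAD3B435B51404EE:00112233445566778899AABBCCDDEE01:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEE02:::
broken:1003:NOTAHASH:00112233445566778899AABBCCDDEE03:::
"""

def classify_lm(lm_hash):
    """Classify one 32-hex-digit LM hash by which of its two 7-byte halves is the null block.
    Returns None when the field is not a well-formed LM hash."""
    lm = lm_hash.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return None
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no-lm"       # empty password, LM storage disabled, or password over 14 chars
    if second == EMPTY_LM_HALF:
        return "short"       # fewer than 8 characters: only one DES half to crack
    return "lm-present"      # 8 to 14 characters: both halves stored, each crackable on its own

def audit_lm_dump(dump_text):
    """Map each account in a pwdump-style dump to its LM classification."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        verdict = classify_lm(parts[2])
        if verdict is not None:        # skip malformed records rather than misreport them
            findings[parts[0]] = verdict
    return findings

def summarize(findings):
    """Count accounts per verdict, e.g. to report how many short passwords remain."""
    counts = {}
    for verdict in findings.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Accounts reported as "short" or "lm-present" are the ones a rainbow table handles fastest; disabling LM hash storage moves every account to "no-lm".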

How to crack a Windows password with Ophcrack:

Prerequisites: the Ophcrack software, the hash of the account we want to crack, and an Ophcrack rainbow table.

Step 1: Open Ophcrack, click on Load, select Single hash, paste the hash into the window and click OK, as shown in screenshot 1.

Step 2: Make sure that the rainbow tables are loaded in Ophcrack and press the Crack button, as shown in screenshot 2.

Screenshot 2 shows that the NT password of the user administrator is "password". During this process there is no active connection with the remote machine, so it is a good example of an offline attack.

Non-electronic attacks using Social engineering

Social engineering is the human side of breaking into a corporate network. An employee may unwittingly give away key information in an email or by answering a question over the phone from someone they don't know. Social engineering is the art of exploiting basic human nature, such as trust, fear and the desire to help.

Let's take an example. The attacker calls as technical staff and requests an ID and password to retrieve data: 'Sir, this is Prasad, Technical support, from X company. Last night we had a system crash here and we are checking lost data. Can you give me your ID and password?'

A man calls a company's help desk and says he has forgotten his password. In panic he adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.

Social engineering may take a more advanced form such as phishing. An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal account information. It lures the online user with statements such as "Verify your account", "Update your information" or "Your account will be closed or suspended". The email also contains a link which redirects the user to a site that looks exactly the same as the original site, where the attacker's program captures the username and password.

Website: https://netbanking.hdfcbank.com

Attackers website: https://netbanking.hdfbank.com

The victim visits the link given by the attacker and enters his/her credentials because he/she wants to verify his/her account. At the same time the attacker gets a valid net banking username and password without any kind of brute force or guessing.
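The two hostnames quoted above differ by a single character, which is exactly what a mail filter can check for. The following is an added example, not part of the article: it classifies links against a list of protected domains using edit distance (Levenshtein) and also catches the case where the real brand name is used as a subdomain of someone else's domain. The protected list and the sample links are constructed, apart from the two hostnames the text quotes.

```python
from urllib.parse import urlparse

# Constructed inputs (only the two hdfcbank/hdfbank hostnames come from the text above):
# the legitimate domain we protect and some URLs as they might appear in email links.
PROTECTED = ["netbanking.hdfcbank.com"]
SAMPLE_LINKS = [
    "https://netbanking.hdfcbank.com/login",
    "https://netbanking.hdfbank.com/verify",              # the lookalike quoted above
    "https://netbanking.hdfcbank.com.example.net/verify", # brand used as a subdomain elsewhere
    "https://example.org/news",
]

def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, protected=PROTECTED, max_distance=2):
    """Return a verdict for one URL: legitimate, embedded brand, lookalike, or unrelated."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in protected:
        return "legitimate"
    for good in protected:
        # brand name present, but the registrable domain belongs to someone else
        if good in host and not host.endswith(good):
            return f"embedded brand: {good}"
        d = edit_distance(host, good)
        if d <= max_distance:
            return f"lookalike of {good} (distance {d})"
    return "unrelated"

def scan_links(urls):
    """Classify every URL, keyed by URL, so a mail filter can quarantine flagged ones."""
    return {url: classify_link(url) for url in urls}
```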

Summary

For password cracking, various tools and techniques are available. Cracking requires a good amount of time and computational power. Nowadays crackers take advantage of cloud computing to perform complex operations in a short time, which results in passwords being cracked faster. Social engineering can be used along with cracking and brute force techniques to make the attack faster and sharper.

Mitigations

The basic mitigation is to make the attacker's goal more difficult, i.e. the cost of cracking the password should be greater than the value of the confidential information it protects.

Here are some handy do's and don'ts.

DO'S

• Use a strong password policy.

• Rotate your passwords regularly. We recommend changing passwords every sixty days, but rotating them every six months will put you well ahead of most others.

• Develop a difficult-to-guess but easy-to-remember password that incorporates memory devices.

• Use two-factor authentication whenever possible.

• Check last login history.

• When configuring wireless, always use WPA2 Personal.

DON’TS

• Don't write your password or PIN on your desk, on the back of your credit card, etc.

• Don't share passwords over the phone.

• Don't store passwords in the browser.
