In the enumeration phase, you collected a wealth of information, including usernames. These usernames are important now because they give you something on which to focus your attack more closely. You use password cracking to obtain the credentials of a given account with the intention of using the account to gain authorized access to the system under the guise of a legitimate user.
To fully grasp why password cracking is a popular first step in gaining access, let’s first look at the function of a password. A password is designed to be something an individual can remember easily but at the same time not something that can be easily guessed or broken. This is where the problem lies: human beings tend to choose passwords that are easy to remember, which can make them easy to guess. Although choosing passwords that are easier to remember is not a bad thing, it can be a liability if individuals choose passwords that are too simple to guess.
Here are some examples of passwords that lend themselves to cracking:
- Passwords that use only numbers
- Passwords that use only letters
- Passwords that are all upper- or lowercase
- Passwords that use proper names
- Passwords that use dictionary words
- Short passwords (fewer than eight characters)
Dictionary Attacks: An attack of this type takes the form of a password-cracking application that has a dictionary file loaded into it. The dictionary file is a text file that contains a list of known words, up to and including an entire dictionary. The application uses this list to test different words in an attempt to recover the password. Systems that use passphrases typically are not vulnerable to this type of attack.
Brute-Force Attacks: In this type of attack, every possible combination of characters is attempted until the correct one is uncovered. According to RSA Labs, “Exhaustive keysearch, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified.”
Hybrid Attack: This form of password attack builds on the dictionary attack but with additional steps as part of the process. In most cases, this means passwords that are tried during a dictionary attack are modified with the addition and substitution of special characters and numbers, such as P@ssw0rd instead of Password.
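As an added example (not from the book), the following Python check takes the defender's side of the discussion above: it flags the weak patterns in the list earlier on the page and also catches passwords that are merely a hybrid-style mutation of a dictionary word. The word list and substitution table are constructed for illustration; a real deployment would load a full dictionary and a breached-password list.

```python
import re

# Constructed mini word list for the example; a real check would load a
# full dictionary (and a breached-password list) instead.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon"}

# Substitutions a hybrid attack typically applies to dictionary words
# (constructed table; extend it to match the rules your attackers use).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Undo common hybrid-attack mutations so the core word can be checked."""
    core = pw.lower()
    # Drop digits/symbols appended to the word, e.g. "welcome2024!".
    core = re.sub(r"[^a-z]+$", "", core)
    # Undo in-word substitutions, e.g. "p@ssw0rd" -> "password".
    core = core.translate(LEET)
    # Strip anything non-alphabetic still left at either end.
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def weaknesses(pw: str) -> list[str]:
    """Return the weak-password patterns the password matches (empty = none)."""
    found = []
    if len(pw) < 8:
        found.append("short")
    if pw.isdigit():
        found.append("numbers-only")
    if pw.isalpha():
        found.append("letters-only")
        if pw.isupper() or pw.islower():
            found.append("single-case")
    if pw.lower() in DICTIONARY:
        found.append("dictionary-word")
    elif normalize(pw) in DICTIONARY:
        found.append("hybrid-of-dictionary-word")
    return found


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Welcome2024!", "1234567", "dragon",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no flagged pattern'}")
```

A password that reaches the dictionary or hybrid branch should be rejected at creation time, since a dictionary or hybrid attack would recover it regardless of its length or character mix.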
Passive Online Attacks: Attacks in this category are carried out simply by sitting back and listening; in this case, via technology, in the form of sniffing tools such as Wireshark, man-in-the-middle attacks, or replay attacks.
Active Online Attacks: The attacks in this category are more aggressive than passive attacks because the process requires deeper engagement with the targets. Attackers using this approach are targeting a victim with the intention of breaking a password. In cases of weak or poor passwords, active attacks are very effective. Forms of this attack include password guessing, Trojans/spyware/keyloggers, hash injection, and phishing.
Offline Attacks: This type of attack is designed to prey on the weaknesses not of passwords but of the way they are stored. Because passwords must be stored in some format, an attacker seeks to obtain them where they are stored by exploiting poor security or weaknesses inherent in a system. If these credentials happen to be stored in a plaintext or unencrypted format, the attacker will go after this file and gain the credentials. Forms of this attack include precomputed hashes, distributed network attacks, and rainbow attacks.
Passive Online Attacks: Much like other cases where we examined and used passive measures, passive online attacks are used to obtain passwords without directly engaging a target. These types of attacks are effective at being stealthy because they attempt to collect passwords without revealing much about the collecting system. This type of attack relies less on the way a password is constructed and more on how it is stored and transported. Any weakness in these areas may be just enough to open the door to these valuable credentials.
Nontechnical Attacks: Also known as non-electronic attacks, these move the process offline into the real world. A characteristic of this attack is that it does not require any technical knowledge and instead relies on theft, deception, and other means. Forms of this attack include shoulder surfing, social engineering, and dumpster diving. Let’s look at each of these forms and its accompanying attacks so you can better understand them.