Wednesday, July 3, 2013

M-3 System Hacking Part 1

Look around you and you will see that most people work on systems. You will soon realize that the mechanisms of every country are controlled by systems. Hackers have one power that they use most of the time: attack. They do not think much after making a decision. We have covered a lot of basics before this. After information gathering and network scanning, the next attack is system hacking.

They bypass the system using the information gathered and the scanning results. Finding the vulnerability is much easier than network scanning. It's not worthy anymore. Here we discuss the basics, so be ready with all the earlier material.

In this part we look at the following topics:
1) Password cracking
2) Password cracking techniques
3) Types of password attacks

Basically, we are talking only about the password used for logging in. The first and last thing is that users should use case-sensitive passwords, so that no one can crack them easily. So let's start. Are you ready to gain access to anybody's account? :)

We have seen footprinting, network scanning mechanisms, etc. So before you start with practical work on your laptop or desktop, you should have the following:

1) IP Address 
2) Services running on host
3) Identified system flaws

Now let's look at the methodology of this module:
1) Collect enough information to gain access, using brute force, password eavesdropping, etc.
2) Then scan the system or host.
3) Try to gain access to the host by cracking the password.
4) After gaining access to the host, try to maintain the access.
In this step the attacker can execute some important applications and hide some important files. After all this, the final step is covering all tracks. The attacker does all of this smoothly, so nobody knows what happened.

Password Cracking
1) Password cracking is a technique used to remove passwords from a host or system.
2) Attackers use password cracking techniques to gain unauthorized access to a vulnerable system.
3) Most password cracking techniques succeed because of weak or easily guessable passwords.
4) To prevent this, use a complex password so that an attacker can't access your system easily.

Types of password attacks
1) Passive online attack
The attacker does not contact the authorized party to steal the password; in other words, he attempts password hacking without communicating with the victim or the victim's account.
e.g. man-in-the-middle attack, wire sniffing

Let's discuss the man-in-the-middle attack.

An attack where a user gets between the sender and receiver of information and sniffs any information being sent. In some cases, users may be sending unencrypted data, which means the man-in-the-middle (MITM) can obtain any unencrypted information.

In other cases, a user may be able to obtain information from the attack but has to decrypt it before it can be read. The picture above shows an example of how a man-in-the-middle attack works. The attacker intercepts some or all traffic coming from the computer, collects the data, and then forwards it to the destination the user originally intended to visit.

2) Active online attack
This can be directly termed password guessing: an attacker tries a number of passwords one by one against the victim to crack his/her password.
e.g. password guessing, Trojans/spyware/keyloggers
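
Seen from the defender's side, one-by-one password guessing shows up as a burst of failed logins for one account from one source. The added example below (not part of the original post) flags such bursts; the log format, threshold, window and function name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not from any real product).
SAMPLE_LOG = """\
2013-07-03T10:00:01 login_failed user=alice src=203.0.113.5
2013-07-03T10:00:04 login_failed user=alice src=203.0.113.5
2013-07-03T10:00:09 login_ok user=bob src=198.51.100.7
2013-07-03T10:00:11 login_failed user=alice src=203.0.113.5
2013-07-03T10:00:15 login_failed user=alice src=203.0.113.5
2013-07-03T10:00:18 login_failed user=alice src=203.0.113.5
2013-07-03T10:09:30 login_failed user=bob src=198.51.100.7
2013-07-03T10:20:00 login_failed user=bob src=198.51.100.7
"""

FAILED_RE = re.compile(r"^(\S+) login_failed user=(\S+) src=(\S+)$")

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (user, src, time) alerts where failures reach `threshold` within `window`.

    The threshold and window are assumed values; tune them to the environment.
    """
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # successful logins and unparseable lines are ignored
        ts = datetime.fromisoformat(m.group(1))
        q = recent[(m.group(2), m.group(3))]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((m.group(2), m.group(3), ts.isoformat()))
            q.clear()  # do not re-alert on the same burst
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print("possible password guessing:", alert)
```
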

Let's talk about keyloggers.

What is a keylogger?

A keylogger is a device that tracks every key that has been typed on the computer that you need to monitor. Most keyloggers will not categorize the keystrokes, and they can be very difficult to understand, especially when someone is multi-tasking.


Related features

Software keyloggers may be augmented with features that capture user information without relying on keyboard key presses as the sole input. Some of these features include:

• Clipboard logging. Anything that has been copied to the clipboard can be captured by the program.

• Screen logging. Screenshots are taken in order to capture graphics-based information. Applications with screen logging abilities may take screenshots of the whole screen, just one application or even just around the mouse cursor. They may take these screenshots periodically or in response to user behaviors (for example, when a user has clicked the mouse). A practical application used by some keyloggers with this screen logging ability is to take small screenshots around where a mouse has just clicked; these defeat web-based keyboards (for example, the web-based screen keyboards that are often used by banks) and any web-based on-screen keyboard without screenshot protection.

• Programmatically capturing the text in a control. The Microsoft Windows API allows programs to request the text 'value' in some controls. This means that some passwords may be captured, even if they are hidden behind password masks (usually asterisks).
• The recording of every program/folder/window opened, including a screenshot of each and every website visited.
• The recording of search engines queries, instant messenger conversations, FTP downloads and other Internet-based activities (including the bandwidth used).


Hardware-based keyloggers do not depend upon any software being installed as they exist at a hardware level in a computer system.

3) Offline attack
It is performed from a location other than the actual computer where the passwords reside or were used. An offline attack requires physical access to the computer which stores the password file. The attacker copies the password file and then tries to break the passwords on his own system.
e.g. dictionary attack, brute force attack, syllable attack
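
Because dictionary attacks on a copied password file succeed against weak or easily guessable passwords, a system can refuse such passwords when they are set. This added example (not from the original post) covers both the prevention point under Password Cracking and the offline attack above; the wordlist is constructed, and the length and character-class thresholds and function name are assumptions.

```python
import re

# Constructed mini wordlist standing in for a real list of common passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "admin", "qwerty"}

# Character substitutions people use to "disguise" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Matches digits and symbols stuck on the front or back of a word.
PADDING_RE = re.compile(r"^[\W\d_]+|[\W\d_]+$")

# One pattern per character class: lower, upper, digit, symbol.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]|_")

def weaknesses(password, min_length=12, min_classes=3):
    """Return the reasons a password is easy to guess; an empty list means accepted.

    min_length and min_classes are assumed policy values, not from the post.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < min_classes:
        reasons.append("too few character classes")
    # Reduce the password to the word it was probably built from, two ways:
    # undo substitutions on the whole string, and on the string with its
    # leading/trailing digits and symbols stripped off first.
    lowered = password.lower()
    stripped = PADDING_RE.sub("", lowered)
    if {lowered.translate(LEET), stripped.translate(LEET)} & COMMON_WORDS:
        reasons.append("dictionary word with common substitutions")
    return reasons

if __name__ == "__main__":
    for candidate in ("letmein", "P@ssw0rd123!", "Blue-Kettle-91-Orbit"):
        print(candidate, "->", weaknesses(candidate) or "accepted")
```

Note that "P@ssw0rd123!" passes the length and character-class checks and is rejected only because it reduces to a dictionary word.
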

4) Non-technical attack
It does not require technical knowledge, hence it is called a non-technical attack.
e.g. social engineering, keyboard sniffing, etc.