Skip to main content
Version: 1.0.2

Cracking passwords overview

Password attack types

Non-electronic attacks

  • Do not require the attacker to have any technical knowledge about cracking passwords.
  • Dumpster diving
    • Looking for notes or anything that can help in cracking the password.
  • Shoulder surfing
    • Observing the target while they type in their passwords
    • E.G. looking at their keyboard or screen
  • Social engineering
    • Interacting with the target to trick them into revealing their passwords.

Active online attacks

  • Require the attacker to communicate with the target machine in order to crack the password.
  • E.g. trying to login with username password combination on an online login page.
  • ❗ Limitations
    • Network communication to server over internet takes long time
    • There are rate limits e.g. get locked after 5 minutes, then 10 then 15
    • If server becomes suspicious that it's a bot then it might shut you off directly
    • Offline attack can perform millions/billions a second
      • Online attack, e.g. every 5 seconds, if you fail 5 times you might get locked out.

Dictionary attack

  • 📝 Dictionary = file containing list of passwords
  • Steps
    1. Load a dictionary file into a password cracking program.
    2. The program checks the passwords against user accounts.
  • Helps to test against
    • Default passwords
    • Common / weak passwords
    • Leaks downloaded from internet
  • ❗ Limitations
    • Can get too big
    • No guarantee to find the password
  • See also Dictionary attacks | Cryptanalysis

Brute-force attack

Hybrid attack

  • 📝 Dictionary attack + brute force attack
  • Taking a dictionary and expanding it with guesses using brute-force.
  • It prepends, appends or substitutes characters in words.
  • E.g. using hashcat
    • Say an example.dict contains: password and hello
    • ... -a 6 example.dict ?d?d would generate from password00 and hello00 to password99 and hello99

Rule-based Attack

  • Used when the attacker has some information about the password
    • such as the length, if there are any digits, and similar.
  • Attacker combines several other attacks to crack the password.
    • E.g. brute force, dictionary, and syllable attack.
  • Can e.g. record people, or use other non-electronic attacks to get some portions of the password to build rules.

Password guessing

  • Guess passwords either by humans or by automated tools using dictionaries
  • Requires the attacker to manually attempt to log into the target's machine.
  • E.g.
    1. Find the target's username
    2. Create a password dictionary list
      • 💡 Good to add default passwords from manufacturers.
    3. Sort the passwords by the probability
    4. Try each password

Trojan/spyware/keylogger

  • Installed in target machine to get the target's passwords and usernames.
  • They run in the background and sometimes are difficult to detect.
  • Trojans
    • Design to collect information or harm the system.
    • Allow attackers to remotely access the machine and perform malicious activities.
  • Spyware are designed to collect secret information.
  • Keyloggers to send key strokes to the attacker.

Hash injection

  • Attack on systems that use hash functions for the user authentication.
  • Steps:
    1. Retrieve the hashes which are stored in a databases
    2. Find the hash that belongs to the user
    3. Use that hash to create an authenticated session.

LLMNR/NBT-NS poisoning

  • LLMNR = Link Local Multicast Name Resolution
  • NBT-NS = NetBIOS Name Service
  • Two main Windows OS elements that perform host name resolution.
  • Vulnerability
    • When DNS fails to resolve name queries, the host sends a UDP broadcast message to other hosts asking them to authenticate themselves
    • Allows an attacker to listen for such broadcast messages and tricks the host into establishing a connection.
    • Once the connection is established, the host sends its username and NTLMv2 hash, which the attacker can attempt to crack and in such a way discover the password.

Passive online attacks

  • Grabbing data in-transit e.g. a key, password hash
  • Without communicating with the target machine.
  • Attacker
    1. Monitors the communication channel
    2. Records the traffic data
    3. Uses the data to break into the system.

Wire sniffing

  • Attackers sniff credentials by capturing packets that are being transmitted
  • During the packet transmission, attackers
    • capture packets
    • extract sensitive information such as passwords and emails
      • uses them to gain access to the target system.

Man-in-the-middle (MITM) attack

  • Attacker gains access to the communication channel between the target and server.
  • Attacker then extracts information and data they need to gain unauthorized access.

Replay attack

  • Involves using a sniffer to capture packets and authentication tokens.
  • Need access to raw network data using e.g.
    • Network tap to physically copy everything that goes through in network.
    • Man in the middle attack using e.g. ARP poisoning.
    • Malware on victims computer
  • Attacker replay information using e.g. extracted authentication token or hashed password.
  • Countermeasure
    • Using Session ID for each user session on server side
    • Expire session ID in short time intervals so replay attack cannot use same session ID

Offline attacks

  • Cracking efforts on a separate system
  • Attacker never attempts to login to the application server that can be logged.
  • ❗ Does not mean disconnected from internet.
  • Usually the attacker tries to guess a password from a hash dump.
    • E.g. SAM file on Windows or /etc/shadow on Linux.

Distributed network attack (DNA)

  • Uses the power of machines across the network to decrypt passwords.
  • Used for recovering passwords from hashes
  • DNA manager is installed on a central location
    • Coordinates the attack by allocating portions of the key search to machines which are on the network.

Hash attacks

Password cracking countermeasures

  • 📝 Use password salting
    • The longer the random string, the harder it becomes to break or crack the password
    • Generates different hashes for the same password
    • Protects against rainbow tables as it would cause the table to include salts making it much bigger.
  • Use key stretching to derive stronger passwords to use in encryption.

Linux passwords

  • 📝 Linux hashed passwords lies in /etc/shadow/ so you can attack on that.
  • Linux usually use SHA512, you can find method in /etc/login.defs
  • In older systems password information was stored in /etc/passwd, now it holds only user account information.