Friday, 19 May 2023

Types of Passwords Attack

There are three types of password attacks:

  • Non-electric attacks
  • Online attacks
  • Offline attacks

1) Non-electric attacks

A non-electric attack is a type of attack that uses chicanery to get sensitive information from users or perform actions through which the security of a network will be compromised. Non-electric attacks are as follows:

Social Engineering

Social engineering is the process in which a user is tricked into believing that the hacker is a legitimate agent. The hacker uses a common tactic. The hacker poses as technical support and calls a victim. Hackers ask for a network access password so that they can provide assistance. If the person has done this using fake credentials and fake uniforms, this technique will become effective. But these days, this technique is less common.

Hackers can be highly lucrative and highly convincing if social engineering attacks are successful. For example, a hacker hacked $201,000 from a UK-based energy company by tricking the CEO of the company with an AI tool that mimics his assistant's voice.

Shoulder Surfing

Shoulder attacks are performed by the most confident hackers. The hacker can take the look of an aircon service technician, parcel courier, or anything else so that they can easily access an office building. Once they entered the office, they will get a kind of free pass, and they can note the passwords that are entered by the staff members of the company.

The Brazen example includes hackers who distinguish themselves so that they can gain access to the company sites. To grab sensitive information, documents, and passwords, they look over the employee's shoulders. This attack mostly affects smaller businesses.

Recently security experts get some vulnerabilities in the process of authentication used by WhatsApp. If the user takes a new device and wants to use Whatsapp, he has to enter a unique code that is sent to the number via text message. By using that code, the account of a user can be restored, and the chat history can also be retrieved from the background. It was found that if an attacker knows the phone number of a user, they can download Whatsapp on a new device, and after downloading, they issue a prompt for a new code. If the hacker uses a spying device, they can copy the code as it arrives on the user's own device.

Spidering

The techniques which are used in phishing attacks and social engineering attacks are also used in spidering. Savvy hackers have understood that the passwords used in the corporate office are made of business-related words. In the brute force attack, the custom words list is built by Website sales material, listed customers on websites, studying corporate literature, and website of competitions. The process is automated by really savvy hackers.

Using spidering, a hacker knows their target, and based on the target's activity; they can get the credentials. For example, many companies set their internal service password related to their business so that their employees can easily remember them. If a hacker targets a company and knows their work, they may try and access the networks or handbooks of their employee to further their understanding. Hackers can also create a list of all possible combinations of words by studying the products that the company creates. That list can be further used in brute force attacks.

2) Online attacks

Active online attacks can be categorized as follows:

Guess

Guess is like a best friend of a password cracker. If all the attacks fail, the hacker can try to guess your password. These days, various password managers create various password strings that are impossible to guess for a hacker. Many users set a random password based on their memorable phases of life like family, interests, pets, dob, hobbies, and so on. The password can also be based on things that you like to chat about on social networks, and the things can also include in your profile. When the password crackers attempt to get a customer-level password, they will look at this information and make a guess based on the available information on social networks. If you want to protect yourself from guesses, you should use a password manager and maintain password hygiene. Many password managers are free so you can use them.

Brute Force attack

In the Brute force attack, we access a system using different methods of hacking, which involves password guessing. For example, a hacker can use the relevant clues and guess the person's password. Many people use the same password on many sites. Using the previous data breaches, the password can be exposed using the previous data breaches. Using some most commonly used passwords, a hacker attempts to guess the associated username, which is a reverse brute force attack.

Dictionary attack

This attack shows a sophisticated brute force attack example. In a Dictionary attack, an attacker uses a dictionary that contains words. The words are nothing but a straightforward names. In other words, the attacker uses the words that most of the users use as their passwords. In dictionary attacks, every word in the dictionary is a test in seconds. Most of the dictionary contains the credentials gained from previously hacked passwords. The dictionary also contains the word combinations and most commonly used passwords.

A hacker knows all the clever tricks. So if the user groups the works like "superadministratorguy" or "best mommy", it will not prevent the password from a hacker. It will only increase a few extra seconds to being hacked. Many people use their memorable phrases like gf name, dob, bf name, and so on as their password and dictionary attack takes advantage of this fact. That's why while creating the password system urges the user to enter multiple character types.

Phishing

Phishing is a very easy way to hack the password of any user. In this attack, the hacker asks the user to enter his password. In the phishing email, a hacker sent the fake login page to the unsuspected user, which is associated with any service, the hacker wants to access. The page requests the user to write some terrible problem that he finds in their security. After that, the page skims its password. Now hackers can use that password to get the sensitive information of the user. When the users are giving you a password happily, then why will you have trouble cracking the passwords.

Malware

The Umbrella of malware contains a host of malicious tools, screen scrapers, and keyloggers. To steal the person's information, this malicious software is used. Ransomware software, which is highly disruptive malicious software, attempts to block access to the entire system. The malware families have some highly specialized malware that specially targets the password.

The activity of a user is recorded by Keyloggers and their ilk. Keyloggers can record it through screenshots or keystrokes and then share it with the attacker. Some malware attacks hurt the existence of the web browser's client password file. If the file is not properly encrypted, the hacker can easily access the saved password from the browser history of the user.

3) Offline attacks

Offline attacks are as follows:

Offline Cracking

We should remember that not all attackers hack through the internet connection. Mostly works done offline. You imagine that through the blocking automated guessing application, your password is safe. In this application, if a user enters the wrong password three or four times, the system lockout the user. This process will be true if all password hacking takes place online, but it's not. Offline hacking takes place using the hashes set in the password file, which was obtained from a compromised system.

Through the hack on the third party, the target compromises. They provide access to the hash file of the user's password and system server. Now the hacker can take time to try and access the code without knowing the individual user or target system. When the initial attack succeeds, this attack will be done, whether hackers access a database by stumbling or by the SQL injection attack or gain elevated privileges upon an unprotected server.

Rainbow table attack

As the name implies, the rainbow table is not colorful. The password is encrypted using cryptographic alias or hash whenever it is stored on the system. This encryption makes it impossible for a hacker to determine the original password. To bypass this, the hacker must maintain and share the directories built from previous hacks containing passwords and their corresponding hashes. This process reduces the time of hackers breaking into the system.

The Rainbow table is one step further from the rainbow. Rainbow provides password and hash, but the rainbow table uses the hash algorithm and provides the list of all possible encrypted password's plain text versions. If the hacker discovers any encrypted password in a company system, they can compare this encrypted password with the list provided by the rainbow table. Before the attack takes place, if most of the computation is done, launching an attack will become quicker and easier as compared to other methods.

Network Analyzers

Network analyzers are the type of tools that allows monitor and intercepting the package, which is sent over the network. The package contains a plain text password, and that tool lifts that password.

Without the malware, an attacker cannot access the physical network. The network analysis does not rely on exploiting network bugs and system vulnerabilities. In any attack, the first phase is network analyzers followed up with brute force attacks.

We can also use the same tools in our business to scan our network, which is useful for troubleshooting and running diagnostics. Using these tools, the admin can find out the information which is transmitted as plain text. He can put policies in place of information and prevent this from happening. If you route your traffic through a VPN (Virtual private network), you can prevent yourself from this attack.

Mask attack

This attack is specific in its scope. In a mask attack, the guess is based on numbers or characters. For example, if a password starts with a number and the hacker knows about it, they can tailor the mask to try only those types of passwords, which start with numbers. Some criteria to configure the masks are special characters, the arrangement of characters, the number of repeated single characters, password length, etc. The goal of a mask attack is to remove the unnecessary characters and reduce the time while cracking a password.


No comments:

Post a Comment