Password Cracking - HACKING 17 Most Dangerous Hacking Attacks (2017)

Chapter 6 – Password Cracking

There are many different methods to hack systems. However, one of the easiest ways is still with the right username and password. If I give you my username and password because I trust you, then logging on with them should be legal; however, it would also be dumb of me. Some of you might be sharing your usernames and passwords with your boyfriend, girlfriend, wife or husband. However, I would suggest you NOT do so, for the following reason:

Imagine that your partner knows your bank account number and your password. If he or she got hacked and those details were stolen, you would then realize that someone is making purchases illegally. Would you blame your partner for not being careful? Or think of it happening the other way round: it is you who has been hacked, and not only your credentials have been stolen but your partner's too, and you still have to explain that you have not been careful enough… Either way, your username and password should not be shared with anyone, and preferably not written down or saved anywhere, especially in places or on websites where they would be readily available to others.

I have explained strong passwords and their requirements in previous chapters, so I will not go into more detail on that subject. Instead, I will explain some of the best-known variations of password attacks.

Dumpster diving

This is an old technique of going through the trash with the goal of finding useful information. This can be messy and dangerous work, as you never know what you might find in the bin. However, even today many people misplace information that might have been printed by mistake or only for temporary use. The reality is that people still write down usernames and passwords and then throw them into the wrong bin. Most companies now use a confidential bin, and hackers have so many other ways to find or crack passwords that this technique is indeed out of fashion. However, from the 80's until the early years of the 21st century, it was very common among hackers.

Shoulder surfing

When you work in an office, there is almost always someone close by who could potentially see the password that you type into your computer.

You should always be aware of your surroundings, and make sure that the people around you are not watching what you type when your password is required. If someone just keeps on watching you, wait until they pay attention to something else. When I was still a Junior Engineer, I was working with a Senior Telecom Engineer who loved to wind me up by cracking my passwords for fun. I wasn't happy about it. However, it was always a good laugh, and I learned from my mistakes. One day he showed me a video on his mobile phone that was played in super slow motion. The video camera was focused on a keyboard, and I was able to see every single keystroke. After the fifth character I realized that it was me on the video typing my password, and looking in the direction from which the video must have been shot, I realized it was where he keeps his mobile phone on the charger. I was embarrassed, and certainly changed my password right then, but this time I covered my hands so no one could see what I typed. The lesson for me and for everyone is that typing super fast and having an adamant password means nothing if someone can record it and replay it in slow motion. Therefore you should look around, no matter where you are, whenever you type your password into any device.

When I take public transport and get on a crowded train, it's unbelievable how many people log on to their company's e-mail provider where so many people can see the password they type in, as well as the contents of their e-mails. I sometimes have the feeling that covering my hands is so unethical, and many people feel embarrassed when they should do it, so unfortunately many people just don't do it. However, the real embarrassment is watching a recorded video of yourself typing a password that is clearly visible, believe me.

Nowadays people use mini hidden cameras that are disguised as a pen or a watch; therefore you should always be very careful, as you never know who is watching.

Brute force attack

In reality, it does not matter what your password is, as any password can be cracked using software such as JTR – John the Ripper, DenyHosts or Cain and Abel, and many more. The only difference is that some weak passwords can be cracked in a few minutes, while some strong passwords could take days if not weeks. I have explained before that these tools are already built into BackTrack OS or Kali Linux, and some of them have a very user-friendly Graphical User Interface, so it is very easy to set one up and then let the software do the work until the password is cracked. Again, the longer and more complex your password is, the more difficult it is to crack. By the time JTR would crack your password, you should have changed it, so the software would have to start the process again. As I mentioned before, your password should be changed every 20 days; the recommendation used to be 30 days, but the new recommended interval is 20 days. Still, there is no guarantee that your password will not be cracked. However, your chances will improve if you choose a very complex password.

Dictionary attack

Again, the method is very similar to a brute force attack. However, this time the attacker uses a dictionary list. There are files built into operating systems such as BackTrack or the new version of Kali Linux, which can be loaded into the software and left to run until it finds the password.

Dictionary attacks can be implemented with the same software sets as I explained before for brute force attacks, and again the most common ones are JTR – John the Ripper, Metasploit, or Cain and Abel. Where it differs from a brute force attack is that a dictionary attack starts with the most common passwords first. Therefore it might produce a result faster than brute force.
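
The difference between the two attacks, as an added example that is not part of the original chapter: a defender-side password check that compares the worst-case exhaustive-search time with a blocklist lookup. The blocklist entries, the substitution map and the rate of 10^9 guesses per second are constructed assumptions.

```python
import string

# Constructed sample blocklist; a real check would load a large common-password list.
COMMON = {"password", "123456", "qwerty", "letmein", "summer", "welcome"}
# Assumed character substitutions that users apply to dictionary words.
LEET = str.maketrans("@4301$5!7", "aaeoissit")


def is_dictionary_word(password: str) -> bool:
    """True if the password is a blocklisted word after simple normalisation."""
    lowered = password.lower()
    # Drop trailing digits/symbols such as a year or "!" appended to a word.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    variants = {lowered, stripped, stripped.translate(LEET)}
    return any(v in COMMON for v in variants)


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every password of this length and alphabet."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password: str) -> dict:
    """Combine both views: dictionary exposure and exhaustive-search cost."""
    return {
        "dictionary_hit": is_dictionary_word(password),
        "brute_force_years": brute_force_seconds(password) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # "Summer2017" resists exhaustive search for years, yet a word list finds it.
    for pw in ("Summer2017", "P@ssw0rd!", "k7#Vq!tz9Lm"):
        print(pw, assess(pw))
```

A password that looks complex by length and character classes can still fail the blocklist check, which is why both checks are applied when a password is set.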

Rainbow Tables

A rainbow table is a precomputed table for reversing cryptographic hash functions, with the goal of cracking multiple passwords.

This is more advanced; this time the attacker goes for the database where all the passwords are kept. Imagine a medium-sized company that has 1000 employees, all required to have unique usernames and passwords. That many usernames and passwords kept in the same place must be secured and hashed according to the company policy defined by IT Security.

Advanced hackers wouldn't try to hack one password. Instead, they would try to steal them all: all usernames and passwords, meaning not just those of an average employee, but of the CEO, as well as all of Finance, HR, Sales, Project Management, Business Continuity, IT Security, Service Management, Infrastructure Engineers, Technical as well as Application Developers, IT Service Desk, Desktop Support and so on. All employees' usernames and passwords can be taken in one go using rainbow tables. Since many passwords are kept in the same place, they are hashed so that they are not visible to anyone; however, with a rainbow table in place, the attacker can recover the plain text information.
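
Why the way the database is hashed matters, as an added example that is not part of the original chapter: the same constructed accounts stored once as bare SHA-256 digests and once with a per-user salt and PBKDF2. The plain dictionary lookup is a simplified stand-in for a rainbow table (which stores hash chains to save space); the account names, candidate list and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows

# Constructed sample accounts; two of them share a password.
SAMPLE_USERS = {"alice": "Summer2017", "bob": "Summer2017", "carol": "k7#Vq!tz9Lm"}
# Constructed candidate list standing in for the table's precomputed coverage.
CANDIDATES = ["password", "123456", "Summer2017", "letmein"]


def unsalted_hash(password: str) -> str:
    """Weak storage: one fast digest, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates) -> dict:
    """Simplified precomputed table (digest -> plaintext), built once and reused."""
    return {unsalted_hash(p): p for p in candidates}


def recovered_by_lookup(stored: dict, lookup: dict) -> dict:
    """Accounts whose stored value is found in the precomputed table."""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def salted_hash(password: str, salt: bytes = b"") -> str:
    """Stronger storage: random per-user salt plus slow PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + derived.hex()


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    lookup = build_lookup(CANDIDATES)
    weak = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted, recovered:", recovered_by_lookup(weak, lookup))
    print("salted, recovered:  ", recovered_by_lookup(strong, lookup))
    print("alice == bob when salted:", strong["alice"] == strong["bob"])
```

With a unique salt per account, a table computed in advance no longer matches any stored value, and the slow key derivation raises the cost of guessing each account separately.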

Keystroke logging

This technique can be implemented in many different ways, and the main purpose is to log everything that the victim types into the computer, possibly without the victim even knowing it. The software can be installed by a Trojan, so that once it is on the victim's machine it activates itself and sends log files back to the attacker in plain text format. Spyware has those functions too, and I have already discussed that topic. However, there are other methods of keystroke logging, and those use hardware.

Such hardware could be a USB stick that begins to collect all the keystrokes. By capturing everything the victim types, it would even include sensitive usernames and passwords. In large offices, the computers are often placed under the desk. Most people wouldn't even bother to bend down and look under the desk to see if some additional hardware is connected to the PCs. However, this has been used before, even by the Police when investigating someone for monitoring purposes.

Social Engineering

I have explained some of the techniques and methods for finding or cracking passwords. However, many people have an excellent skill set that would beat all the cracking methods, and that is social engineering. If you keep practicing, you can be so convincing that certain people will believe whatever you want them to think. Manipulating people into doing things that they should never do can be very easy if you impersonate employees. Imagine that you call an XYZ company and ask to speak to the CEO. Most probably they would ask who you are, so you could say that you are a brother or sister. They would probably put you through to the CEO's PA – Personal Assistant. But you should first ask who you are talking to, so if they state their name, for example Peter from IT Helpdesk, you could take note of it for future use. Once they put you through to the PA, let's say called John, you would mention that they put you through to the wrong extension and hang up. Next, you could call back the IT Helpdesk and say that you are Jack, the PA to the CEO, and that you already talked to Peter about changing your password, but you still cannot log in. And it's crucial, as you are now in the middle of a meeting and your presentation is required, so you would ask them to change the password quickly to something easy, as the CEO already agrees that Peter made a mistake. The reality is that most people on the Helpdesk are afraid of the CEO, and they certainly wouldn't want to waste time going through the proper channels to change the password for the PA of the CEO.

There are password policies in most places, and requirements exist for changing an employee's password; however, when it comes to the Executives or Top management, the rules are unfortunately often bent. Most organizations take additional measures to implement secure password policies. However, many new employees who have just started with the company can be tricked into doing certain things, as they are still not sure how the daily operation runs and might be afraid to ask questions regarding password change procedures for the CEO. There are many different ways that company employees can be manipulated. Therefore most organizations are serious about implementing better security policies to address these issues. In some places, when employees are trained on how to deal with sensitive service requests such as password recovery, they are told that when it comes to trusting and questioning people, CEOs or any high-ranking employees must be challenged to prove their identities. Especially because some of these high-ranking employees will be in a rush and frustrated, they should be trained too, so that if they don't know the right answer to their security questions, their password will not be reset. Due to the password policy that requires employees to change their passwords every 20 days, what I have experienced is that often, when employees return from their holiday, they don't remember their passwords. So they call the IT Helpdesk to change or reset their password to something easy they can remember; then they are able to log in and change their password according to the requirements. Back to social engineering: there are multiple ways to manipulate employees. Therefore I would highly suggest that you do not share your password with anyone, and be extra careful on the phone, no matter who the caller claims to be. If you follow the company procedures, you will never get into trouble.