HOW TO HACK: HACKING SECRETS EXPOSED: A BEGINNER'S GUIDE (2014)
Chapter 7. Hacking Passwords
Password hacking is one of the hottest and most widely discussed topics in the field of computer hacking. In today's world, passwords alone play a key role in deciding the security of a web server or any other computer system. As a result, hacking the password is one of the easiest ways, and sometimes the only way, to gain access to a system. In this chapter, you will be introduced to various password hacking techniques that are frequently used in the hacking industry.
To begin with, I will walk you through some of the obvious, simple yet effective techniques used to hack passwords:
1. Social Engineering: This type of technique involves psychological manipulation of people into performing actions that lead to the disclosure of their confidential information. In other words, social engineering is just a trick played by the hacker to gain the trust of people so that they reveal the password by themselves.
· Scenario-1: The hacker may call the target person pretending to be a bank official and ask him to confirm his password, stating that this has to be done as part of an ongoing verification program. In most cases, the target person on the other end believes this and reveals his password to the hacker.
· Scenario-2: In order to avoid suspicion, instead of directly asking the victim to reveal the password, the hacker may obtain other vital information such as the "Date of Birth", "Place of Birth", "High School Details" etc. from the target person. Using these details, the hacker can easily reset the password and gain unauthorized access.
Even though social engineering seems simple, most people easily fall victim to this attack. Lack of awareness among people is the prime reason this trick succeeds.
2. Guessing: As most people are known to use easy-to-remember words such as their pet's name, phone number, child's name etc. as their passwords, it is often possible for the hacker to simply guess the password.
3. Shoulder surfing: It is the act of spying on someone's keyboard over their shoulder as they type their password. This technique works particularly well in crowded areas such as cyber cafes and ATMs, where people are usually unaware of what is happening behind them.
After understanding some of the simple password hacking techniques, it is time to move on to the next level. Now, let us jump into some of the serious methods that hackers use to crack passwords:
Dictionary Attack
A dictionary attack is a type of password cracking technique where a long list of words from the dictionary is tried one after another against the target until the right match is found. This technique can be used to crack passwords that contain words found in the dictionary.
Generally, the success of a dictionary attack is based on the fact that most people have a tendency to use easy-to-remember passwords that are found in the dictionary. However, using a strong password that combines letters and numbers, or introducing a slight variation to the normal spelling, would make it impossible for a dictionary attack to crack such passwords.
One of my favourite tools for carrying out a dictionary attack is Brutus. It is a remote online password cracker that works on the Windows platform and can be downloaded from the following link:
Brutus Download: http://www.hoobie.net/brutus/
NOTE: Some antivirus programs are known to conflict with the Brutus application. So, it is recommended that you temporarily disable your antivirus before running the Brutus application.
Now, let me give you a small demo on how to use Brutus. Here is a step-by-step procedure:
1. After downloading the tool from the above link, unzip the package into a new empty folder.
2. Run the "BrutusA2.exe" file to open the application as shown in the figure below:
Figure 7.1
3. Enter the IP address (or domain name) of the target server in the "Target" field. Select the type of password that you want to crack from the "Type" field, or enter your own custom port number in the "Port" field.
4. If you know the username for which you want to hack the password, then check the "Single User" option and enter the username in the "UserID" field. Otherwise, leave the default settings as they are so that the username list is loaded from the "users.txt" file.
5. In the "Pass Mode" field select the option "Word List". By default, the list of words will be loaded from the "words.txt" file, which contains around 800+ words. If you have a .TXT file that contains more words, then you can use that by selecting the "Browse" option. The bigger the list, the better the chances of cracking the password. Below is an example of how a username and password list might look:
Figure 7.2
6. Now, hit the "Start" button to begin the cracking process. Brutus will try every word in the password list for each of the usernames present in the username list. It will take a while for the process to complete and, if you're lucky, you should get a positive authentication response and the cracked password as shown in the figure below:
Figure 7.3
NOTE: It is always a smart idea to use a proxy before attempting this hacking process. This will prevent your real IP address from being stored in the logs of the remote server and thus reduces the chances of being traced back.
Brute-Force Attack
Unlike the dictionary attack, which tries only those words present in the list, the brute force attack tries every possible combination of letters, numbers and even special characters until the right password is found.
In theory, it is possible to crack any password using this approach, but here's the catch: a brute force attack takes a long time to crack passwords. The time actually depends on the speed of the computer and the complexity of the password.
For example, if the target password is short and doesn't contain any numbers or special characters, it is fairly easy to crack using this approach. However, if the password is lengthy and contains numbers or even special characters, this approach may take a long time to complete. For some complex passwords, the brute force approach may take years to finish the cracking process, as there are billions of combinations to try.
Here is how you can configure the Brutus program to try the brute force approach:
1. Configure the "Target", "Type" and "Port" in the same way as for the dictionary attack. Under the "Authentication Options", select the "Pass Mode" as Brute Force and click on the "Range" button as shown in Figure 7.4 below:
2. Once you click on "Range" you will see a number of options such as "Digits only", "Lowercase Alpha", "Uppercase Alpha" and so on. You can also set the Min Length and Max Length to narrow your brute force attack (Figure 7.5).
Figure 7.4
Figure 7.5
In the above example, Brutus will try all combinations of lowercase letters from 0 to 6 characters in length. Going for options like "Mixed Alpha" or "Alphanumeric" and increasing the Max Length would increase the chance of cracking the password, but consequently takes more time to complete.
3. Once your range selection is over, click "OK" and hit the "Start" button. The brute force cracking attempt will begin and will take anywhere from a few minutes to a couple of hours to complete. If the crack attempt is successful, you should see the username and its corresponding password displayed on the Brutus window!
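To make the length-versus-time trade-off concrete, here is an added example (not from the book, and nothing to do with Brutus itself) that counts the candidates each "Range" option covers for a given Min/Max Length and estimates how long exhausting that range takes. The guess rates are constructed assumptions: roughly a thousand guesses per second against a live server, and a billion per second when a stolen unsalted hash list is attacked offline; the "Alphanumeric + symbols" entry is an assumed addition for comparison.

```python
# Alphabet sizes for the Brutus "Range" options named in the text; the last
# entry (all 95 printable ASCII characters) is an assumed addition for comparison.
CHARSETS = {
    "Digits only": 10,
    "Lowercase Alpha": 26,
    "Uppercase Alpha": 26,
    "Mixed Alpha": 52,
    "Alphanumeric": 62,
    "Alphanumeric + symbols": 95,
}

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates between Min Length and Max Length inclusive.
    Length 0 contributes the single empty candidate, matching the 0-6 range in the text."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst case: the correct password is the last one tried."""
    return candidates / guesses_per_second

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def estimate(option: str, min_len: int, max_len: int, guesses_per_second: float) -> str:
    """One line of the comparison: option, range, candidate count, worst-case time."""
    n = keyspace(CHARSETS[option], min_len, max_len)
    return f"{option} {min_len}-{max_len}: {n:,} candidates, {human(seconds_to_exhaust(n, guesses_per_second))}"

if __name__ == "__main__":
    ONLINE = 1_000            # constructed rate: guesses per second against a remote login
    OFFLINE = 1_000_000_000   # constructed rate: a stolen unsalted hash list attacked locally
    print(estimate("Lowercase Alpha", 0, 6, ONLINE))   # the range shown in Figure 7.5
    for option, length in (("Lowercase Alpha", 8), ("Alphanumeric", 8), ("Alphanumeric + symbols", 12)):
        print(estimate(option, length, length, OFFLINE))
```

The lowercase 0-6 range is about 321 million candidates, a few days at the online rate but well under a second offline, which is why the countermeasures later in the chapter ask for length and a mixed character set rather than one or the other.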
Rainbow Table
A rainbow table is a pre-computed table that contains a long list of password hashes for dictionary words as well as alphanumeric variations of those words. The hacker initially generates a long list of password hashes and stores them in a rainbow table for later use. Although generating a rainbow table initially takes a long time and uses more storage space, once computed it can greatly reduce the time taken for the password cracking process.
Any computer system that requires password authentication will maintain a table of usernames and passwords in its database. If the hacker manages to steal this table from the database, he would easily be in a position to gain access to a large number of accounts on the target system. In order to prevent this from happening, most systems store the passwords in a cryptographic hash format as opposed to plain text.
For example, when a user completes the sign-up process on an online portal, the system may convert his password to MD5 hash format and store it in its database table. Suppose the user's password is goldfish; its MD5 hash would be as follows:
MD5 Hash: 861836f13e3d627dfa375bdb8389214e
Thereafter whenever the user tries to log into the portal, his password gets converted to the MD5 hash format on the fly and is compared against the existing hash in the database table. If both the hashes match, access is granted to the user.
Now, even if the hacker manages to gain access to the database and steal the password table, he would only see a long list of cryptographic hashes and not the actual password.
This is where rainbow tables come in handy. The hacker can use the rainbow tables to compare the long list of pre-computed hashes against the stolen list of password hashes. If the hashes match, the password would be the one that was initially used to generate the hash.
Unlike a brute force approach where the hash is computed on every attempt, the rainbow table approach on the other hand utilizes a pre-computed list of hashes to directly compare them against an existing password hash. As the time required to compute the hash on every attempt is cut down, the rainbow table approach takes significantly less time to complete the cracking process.
A practical example of rainbow table approach will be discussed in the next chapter where we take up the topic of cracking Windows passwords.
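The hash-and-compare login flow described above, as an added example that is not part of the book: an unsalted MD5 store, a small constructed lookup table standing in for a rainbow table, and the per-user salt that stops a pre-computed table from matching. The word list and hashes are constructed here; the page's own goldfish hash is not hard-coded, the code simply computes it.

```python
import hashlib
import secrets
from typing import Optional

def md5_hex(password: str) -> str:
    """Unsalted MD5, the way the portal in the text stores passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a rainbow table: hash -> word, computed once up front.
# A real table holds many millions of words and alphanumeric variants.
WORD_LIST = ["apple", "lotus", "mango", "goldfish", "password", "letmein"]
PRECOMPUTED = {md5_hex(w): w for w in WORD_LIST}

def lookup(leaked_hash: str) -> Optional[str]:
    """One dictionary lookup per stolen hash; no hashing happens at crack time."""
    return PRECOMPUTED.get(leaked_hash)

def login_check(submitted: str, stored_hash: str) -> bool:
    """The portal's login step: hash on the fly and compare against the stored value."""
    return secrets.compare_digest(md5_hex(submitted), stored_hash)

# Defender side: a random per-user salt means two users who both chose
# "goldfish" get different hashes, so a table computed without the salt never
# matches. Salting does not slow down a per-user brute force, though; a
# deliberately slow hash (bcrypt, scrypt, PBKDF2) is the usual answer to that.
def salted_record(password: str) -> tuple:
    salt = secrets.token_hex(8)  # stored in the clear next to the hash
    return salt, hashlib.md5((salt + password).encode("utf-8")).hexdigest()

def verify_salted(submitted: str, salt: str, stored_hash: str) -> bool:
    candidate = hashlib.md5((salt + submitted).encode("utf-8")).hexdigest()
    return secrets.compare_digest(candidate, stored_hash)

def salted_roundtrip(password: str, attempt: str) -> bool:
    """Register `password` with a fresh salt, then try to log in with `attempt`."""
    salt, stored = salted_record(password)
    return verify_salted(attempt, salt, stored)
```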
Phishing
Phishing is a form of social engineering used by hackers to gather sensitive information such as usernames, passwords and credit card details by posing as a trustworthy person or organization.
Phishing scams usually send an email message to users requesting their personal information, or redirect them to a website where they are required to enter their personal information.
In most cases, a phishing email directs the victims to follow a link leading to a website where they will have to enter their login details or other confidential information. In reality this website is a fake one created by the hacker (often referred to as spoofed website) which is an exact replica of the original or appears similar. When the victim enters his/her login details on a spoofed page they are actually stolen away by the hacker.
For example, the hacker may send an email that appears to come from the bank where the victim maintains an account and ask him/her to update the login details by following the link present in the email. The email further mentions that this update process is mandatory and that failing to do so will result in the bank account being locked. In response, the victim clicks on the link and is taken to the fake login page that looks similar to the original one. However, when the login details are entered, they are recorded and stored on the website for later access by the hacker. The victim remains unaware of the entire process, but the hacker skilfully manages to hack the password.
Countermeasures
After addressing some of the popular password cracking techniques, let us now look at some of the countermeasures that can be taken to protect ourselves from the above-mentioned attacks.
Social Engineering
The measures needed to protect yourself from social engineering attacks are pretty simple and straightforward. Never disclose your password or any other personal information to anyone via phone or email. Attackers may even try to convince you by pretending to be an authorized person with whom you can share personal details. But remember that passwords are meant only to be entered on login pages and not to be shared with any person at all.
Guessing and Shoulder Surfing
Always make sure that your password does not contain your pet's name, birth date, family members' names or anything else that is easy to guess. It is recommended that your password contains a combination of hard-to-guess words, numbers and special characters.
As far as shoulder surfing is concerned, you can avoid it by making sure that no one behind you is watching the movement of your fingers over the keyboard when you are typing the password.
Dictionary Attack
To protect yourself from a dictionary attack, all you need to do is make sure that your password does not contain words from the dictionary. That means your password is not something like "apple", "lotus" or "mango". Instead, use words that are not in the dictionary. You can also use a phrase like str0ngpAss?? as your password so that it cannot be cracked using the dictionary attack approach.
Brute-Force Attack and Rainbow Table
Brute-force attacks often succeed when passwords are short. That means that by keeping the password long enough you can make it hard for the attacker to crack. In the past, an 8-character password was usually considered long enough and safe. However, this is not the case in the present day, as modern computers have the processing speed to try thousands of guesses per second. So, in order to make your password immune to a brute-force attack, make sure it is longer than 8 characters and is a combination of letters, numbers and special characters.
You can avoid a rainbow table attack on your passwords by making them long enough. If your password is more than 12 or 14 characters, it would be extremely time consuming to create tables that cover it. This should keep you protected from such attacks.
Phishing
You can avoid phishing attacks by following the guidelines below:
· Do not respond to suspicious emails that ask you to give your personal information. If you are unsure whether an email request is legitimate, verify the same by calling the respective bank/company. Always use the telephone numbers printed on your bank records or statements and not those mentioned in the suspicious email.
· Do not use the links in an email, instant message or chat conversation to reach a website. Instead, always type the URL of the website into your browser's address bar yourself.
· Legitimate websites always use a secure connection (https://) on those pages which are intended to gather sensitive information such as passwords, account numbers or credit card details. You will see a lock icon in your browser's address bar which indicates a secure connection. On some websites like "PayPal" which uses an extended validation certificate, the address bar turns GREEN as shown below:
Figure 7.6
· Even if the login page is not secure (https://) the target website may still be legitimate. However, look for misspellings like www.papyal.com, www.payapl.com or paypal.somethingelse.com instead of the legitimate site www.paypal.com and make sure that the login details are only entered on the legitimate web page.
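The last two guidelines can be turned into a check a user (or a mail filter) runs on a link before following it. This is an added example, not from the book: it takes the page's own lookalikes (www.papyal.com, www.payapl.com, paypal.somethingelse.com) and separates them from the legitimate www.paypal.com. The set of legitimate domains, the two-label "registered domain" shortcut and the edit-distance threshold of 2 are all assumptions of this example.

```python
from urllib.parse import urlparse

LEGITIMATE = {"paypal.com"}  # the genuine site named in the text; extend for your own brands

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch swapped or dropped letters in the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Assumption: the last two labels are the registered domain. Real code should
    consult the Public Suffix List so names like example.co.uk are handled."""
    return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Verdict for a link the user is about to follow."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    reg = registrable(host)
    if reg in LEGITIMATE:
        # www.paypal.com is a true subdomain of paypal.com. The text notes that a
        # plain http:// login page may still be legitimate, so report that separately.
        return "legitimate" if parsed.scheme == "https" else "legitimate (no https)"
    labels = host.split(".")
    for legit in LEGITIMATE:
        brand = legit.split(".")[0]
        # paypal.somethingelse.com: the brand is only a subdomain of someone else's registration
        if brand in labels[:-2]:
            return f"lookalike (brand used as subdomain of {reg})"
        # www.papyal.com / www.payapl.com: the registered name is a near miss of the brand
        second_level = reg.split(".")[0]
        if brand in second_level or levenshtein(second_level, brand) <= 2:
            return f"lookalike (resembles {legit})"
    return "unknown domain"
```

The edit-distance check is deliberately loose, so treat "lookalike" as a reason to stop and type the real address yourself, exactly as the guideline above says, rather than as proof of fraud.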