| Most commonly used techniques for hacking Passwords. By:ArSLan 1. Hacking into a server that stores passwords in plaintext there are many ways to do this. I won't delve into the technical details but they can range from sophisticated-sounding methods like an 'SQL injection' to "manual" methods like stealing the server's hard disk. Once the attacker gets into the system, passwords can be easily retrieved from the database because they are all in plaintext. considering the risks of storing sensitive data in plaintext, you'd think it would be unimaginable for big companies to store passwords in this manner. Well, think again. That's exactly what Yahoo! did (result: 4 million passwords shown online), which led to that massive data breach referred to earlier. 2. Operating as a man-in-the-middle In a man-in-the-middle (MITM) attack, an attacker hijacks communications between two machines (e.g. a server and a client, two clients, a router and a client, or a router and a server). Hacker then sets up his computer to impersonate both legitimate machines and then makes it appear they are still communicating with one another. As a result, all of their messages would pass through his computer, allowing him to view any information that is sent in plaintext; including usernames and passwords. 3. Luring gullible victims using trojans trojans are malware, disguised as downloadable programs, that hackers make available through harmless-looking emails or websites. That interesting downloadable freebie online, for example, might be a trojan… Once downloaded, a trojan can stealthily perform whatever nefarious activity it is programmed to do. One common activity is recording keyboard strokes (keylogging), whenever the victim logs in to a "secure" site; another is scanning the memory and extracting what it suspects to be passwords ("memory dumping"). When done, the malware transmits this information to the attacker. 4. Employing social engineering As i mentioned in our old posts, this technique does not require any sophisticated hacking tool. A commonly used social engineering trick (known as "phishing") involves sending out fake notification emails informing users of a data breach at a legitimate website where the users have accounts. The email would then instruct the users to reset their passwords by clicking on a link that takes them to a spoofed website, closely resembling the real one. the fake page asks the users to enter their username, old password, and new password. Those falling for that then pass their login credentials into the wrong hands. Another example of social engineering is simply calling a company's tech support, convincing them you're someone else, asking for a password reset, and then requesting that the temporary password be sent to an email address you control. 5. Using brute force Do you know what the crudest way of cracking a password is? Simple. You just make an educated guess. You can base your guess on the user's name and a bunch of dates important to him (e.g. his birthday or wedding day). If your first guess doesn't work, you guess again. And again. And again. Until you get it correctly. Some systems don't put a limit to the number of times you can enter a password. Of course, this can take forever… unless you can automate the process. Brute force attack programs like John the Ripper, Cain & Abel, or TCH Hydra, enable you to do just that. These programs can make a large number of rapid intelligent guesses… which is great for hackers, but not so great for the security of your passwords. Now that you're familiar with the common techniques used for stealing passwords, in next post i'l suggest some good tool to prevent password stealing. til enjoy be safe. |