Password attacks are one of the crucial stages of system hacking. Password cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user’s forgotten password. Password attacks are classified by the attacker’s actions, and typically fall into one of four types:
Non-Electronic Attacks:
This is usually the attacker’s first attempt at obtaining target system passwords. Non-electronic, or non-technical, attacks require no technical knowledge of hacking or system exploitation, hence the name. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.
Active Online Attacks:
This is one of the easiest ways to gain unauthorized administrator-level system access. The attacker must communicate with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-force attacks, hash injection, phishing, poisoning, Trojans, spyware, keyloggers, etc.
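Because active online attacks require the attacker to talk to the target, they leave a trail in the authentication logs, which is where a defender catches them. The following added example (not part of the original article) runs a small detector over constructed sshd-style log lines: it flags one source hammering one account (password guessing), one source trying a few different accounts (password spraying), and a success that follows a burst of failures, which is the case an analyst most wants to see. The log lines, the ISO timestamp form, the thresholds and the window size are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not taken from any real system). ISO timestamps
# are used instead of syslog's "May  1 10:00:01" form to keep the parser short.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2201]: Failed password for admin from 203.0.113.5 port 4455 ssh2
2024-05-01T10:00:03 sshd[2201]: Failed password for admin from 203.0.113.5 port 4456 ssh2
2024-05-01T10:00:04 sshd[2201]: Failed password for admin from 203.0.113.5 port 4457 ssh2
2024-05-01T10:00:06 sshd[2201]: Failed password for admin from 203.0.113.5 port 4458 ssh2
2024-05-01T10:00:07 sshd[2201]: Failed password for admin from 203.0.113.5 port 4459 ssh2
2024-05-01T10:00:09 sshd[2201]: Accepted password for admin from 203.0.113.5 port 4460 ssh2
2024-05-01T10:05:00 sshd[2202]: Failed password for alice from 198.51.100.7 port 5001 ssh2
2024-05-01T10:05:01 sshd[2202]: Failed password for bob from 198.51.100.7 port 5002 ssh2
2024-05-01T10:05:02 sshd[2202]: Failed password for carol from 198.51.100.7 port 5003 ssh2
2024-05-01T10:05:03 sshd[2202]: Failed password for invalid user dave from 198.51.100.7 port 5004 ssh2
2024-05-01T11:00:00 sshd[2203]: Failed password for erin from 192.0.2.9 port 6001 ssh2
2024-05-01T11:30:00 sshd[2203]: Accepted password for erin from 192.0.2.9 port 6002 ssh2
"""

# sshd writes "Failed password for invalid user X" when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn log lines into (timestamp, result, user, source) tuples; skip unknown lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events, max_failures=4, window=timedelta(minutes=5), spray_users=3):
    """Sliding-window detector. Alerts are tuples:
       ("guessing", src, user)                 - max_failures+ failures on one account in window
       ("spraying", src, n_users)              - failures against spray_users+ accounts in window
       ("success_after_failures", src, user)   - an Accepted login right after such a burst
    """
    alerts, seen = [], set()
    fails_by_account = defaultdict(list)   # (src, user) -> failure timestamps
    fails_by_source = defaultdict(list)    # src -> (timestamp, user) of failures

    def within(ts, items, key=lambda x: x):
        return [i for i in items if ts - key(i) <= window]

    for ts, result, user, src in sorted(events):
        acct = (src, user)
        # Drop everything that has fallen out of the window before evaluating this event.
        fails_by_account[acct] = within(ts, fails_by_account[acct])
        fails_by_source[src] = within(ts, fails_by_source[src], key=lambda i: i[0])
        if result == "Failed":
            fails_by_account[acct].append(ts)
            fails_by_source[src].append((ts, user))
            if len(fails_by_account[acct]) >= max_failures and ("guessing",) + acct not in seen:
                seen.add(("guessing",) + acct)
                alerts.append(("guessing", src, user))
            users = {u for _, u in fails_by_source[src]}
            if len(users) >= spray_users and ("spraying", src) not in seen:
                seen.add(("spraying", src))
                alerts.append(("spraying", src, len(users)))
        elif len(fails_by_account[acct]) >= max_failures:
            # A success that closes a guessing burst is the highest-priority alert.
            alerts.append(("success_after_failures", src, user))
            fails_by_account[acct] = []   # burst consumed; do not re-alert on it
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Lockout and rate-limiting policies are the usual mitigation, but note that account lockout does nothing against spraying (one guess per account), which is why the detector also keys on the number of distinct accounts per source.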
Passive Online Attacks:
A passive attack is a system attack that does not result in any change to the system. In this attack, the attacker does not need to communicate with the system; instead, he/she passively monitors or records the data passing over the channel to and from the system, and then uses the observed data to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.
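A replay attack works because a captured credential is just as valid the second time it is presented. The added example below (not from the original article) contrasts a static credential, which replays, with a nonce-based challenge-response in which the server issues a fresh random nonce, the client answers with an HMAC over it, and the server marks the nonce consumed on first use. The `Server`/`Client` classes, the shared key and the `demo()` helper are constructed for the example.

```python
import hashlib
import hmac
import secrets


def static_login(stored_secret: bytes, presented: bytes) -> bool:
    """Static credential sent as-is. Whatever was captured on the wire replays verbatim."""
    return hmac.compare_digest(stored_secret, presented)


class Server:
    """Issues single-use nonces and verifies HMAC responses over them."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False            # never issued, or already used: a replay
        self.outstanding.discard(nonce)   # single use, consumed even if the answer is wrong
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both schemes against an eavesdropper who captured one login exchange."""
    # Static scheme: the captured bytes are the credential.
    password = b"constructed-static-secret"
    captured = password
    static_replays = static_login(password, captured)

    # Challenge-response: the captured bytes are (nonce, response) for one session.
    key = secrets.token_bytes(32)   # shared secret provisioned out of band (constructed)
    server, client = Server(key), Client(key)
    nonce = server.challenge()
    response = client.respond(nonce)        # this pair is what the sniffer sees
    first = server.verify(nonce, response)
    replay = server.verify(nonce, response)  # same pair again: nonce already consumed
    stale = server.verify(server.challenge(), response)   # old answer to a new nonce
    return {
        "static_replays": static_replays,
        "first_login": first,
        "replay_accepted": replay,
        "stale_response_accepted": stale,
    }


if __name__ == "__main__":
    print(demo())
```

The sniffer still sees the nonce and the response, but without the key it cannot produce the answer to the next nonce, and the server's consumed-nonce set turns the recorded pair into a dead credential.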
Offline Attacks:
An offline attack is a password attack in which the attacker tries to recover cleartext passwords from a password hash dump. Offline attacks are often time consuming, but are frequently successful, since password hashes can often be cracked because of their small key space and short length. Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks.
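Pre-computed tables only pay off when the same password always produces the same hash. The added example below (not from the original article) builds a tiny pre-computed lookup (a plain dictionary standing in for a rainbow table) over a constructed five-word list, shows that a leaked unsalted SHA-256 digest is found instantly, and then stores the same password with a per-user random salt and PBKDF2 stretching so that neither the table nor a second user's record matches. The word list, the `demo()` helper and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed candidate list; a real attacker's list runs to billions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2024"]


def build_lookup_table(words):
    """Precompute the unsalted digest of every candidate once, reuse it against any dump."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest_hex):
    """Constant-time-ish table hit: no hashing needed at lookup time."""
    return table.get(digest_hex)


def unsalted_store(password):
    """The weak scheme: fast, unsalted, identical across users and across dumps."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password, salt=None, iterations=100_000):
    """The corrected scheme: random per-user salt plus PBKDF2-HMAC-SHA256 stretching."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record, password):
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo():
    table = build_lookup_table(WORDLIST)

    # 1. Unsalted dump: the digest is a direct key into the precomputed table.
    leaked = unsalted_store("letmein")
    found_unsalted = lookup(table, leaked)           # "letmein"

    # 2. Salted, stretched dump: the table was built without this salt, so no hit,
    #    and the attacker would have to rebuild it per user at 100k iterations a guess.
    rec_a = salted_store("letmein")
    found_salted = lookup(table, rec_a["hash"])      # None

    # 3. Two users with the same password no longer share a hash.
    rec_b = salted_store("letmein")
    same_hash = rec_a["hash"] == rec_b["hash"]       # False

    return found_unsalted, found_salted, same_hash, verify(rec_a, "letmein"), verify(rec_a, "password")


if __name__ == "__main__":
    print(demo())
```

The salt does not have to be secret; its job is to make every stored hash unique so that pre-computation cannot be amortised across users or across breaches, while the iteration count raises the cost of each guess the attacker still has to make.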
Non-Electronic Attacks:
Non-electronic, or non-technical, attacks do not require technical knowledge of system intrusion methods. There are four kinds of non-electronic attacks: social engineering, shoulder surfing, keyboard sniffing, and dumpster diving.
– Dumpster Diving
“Dumpster diving” is a key attack method that targets a considerable failure in computer security. The sensitive information that people value, protect, and carefully secure can be accessed by almost anyone willing to search through the garbage. Searching through the trash is a kind of low-tech attack with many implications.
Dumpster diving was actually quite popular in the 1980s. The term itself refers to the collection of any useful, general information from waste dumps such as trashcans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, receipts, credit card numbers, or other sensitive documents.
Examining waste products from waste dumps can help attackers, and there is ample evidence to support this idea. Support staff often discard sensitive information with no thought about whose hands it may end up in. Attackers thus gain unauthorized system access using these methods. Likewise, the objects found can lead to other kinds of attacks, such as social engineering.
– Shoulder Surfing
Shoulder surfing is a technique through which attackers steal passwords by hovering near legitimate users and watching them enter their passwords. Attackers simply watch users’ keyboards or screens as they log in, and check whether users refer, for instance, to an object on their desk for written passwords or mnemonics. Obviously, shoulder surfing is possible only in close proximity to the target. This type of attack can also occur in a grocery checkout line, when a potential victim is swiping a credit card and entering the required PIN (Personal Identification Number), which is usually only four digits, making it easier to observe.
– Social Engineering
1) In computer security, social engineering is the term applied to a non-technical kind of intrusion that exploits human behavior. Typically, it relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
2) A social engineer runs a “con game” to break security procedures. For instance, an attacker using social engineering to break into a network would try to gain the trust of somebody authorized to access the network, then try to extract the information that compromises network security. Social engineering is, in effect, a tactic used to obtain confidential information by deceiving or manipulating people.
3) An attacker can misrepresent himself/herself as a user or supervisor to obtain a user’s password. It is natural for people to be helpful and trusting. People generally make an effort to build amicable relationships with friends and colleagues. Social engineers take advantage of this tendency.
4) Another trait of social engineering relies on the inability of individuals to keep up with a culture that relies heavily on information technology. Most people are not aware of the value of the information they possess, and few are careful about protecting it.
5) Attackers take advantage of this fact. Social engineers will typically search dumpsters for valuable information. A social engineer would have a tougher time getting the combination to a safe, or to a health-club locker, than a password. The best defense is to educate, train, and create awareness.