Password Attacks and Safety Guide

𝐈𝐓𝐒_𝐌𝐄_𝐊𝐀𝐋𝐈™️ 🧡✺💚

Password attacks are one of the most common forms of corporate and personal data breach. A password attack is simply when a hacker trys to steal your password.

1. Brute force attack

A brute force password attack is essentially a guessing game where the hacker tries different password combinations using hacking software until they’re able to crack the code. These hackers hope that their victims either reused a password that’s already compromised or used a generic phrase, such as “12345.”

How to avoid: Create unique passwords for every online account.

2. Credential stuffing

Credential stuffing is also a type of brute force attack that uses stolen credentials to break into your online accounts and profiles. Aside from using spyware and other kinds of malware to get the credentials they want, the dark web often has lists of compromised passwords for cybercriminals to use for their devious plans. Hackers may use these lists to carry out their credential stuffing schemes and exploit your data.

How to avoid: Enable two-factor authentication on your online accounts when possible.

Cyberthieves have a variety of skills — one of which is creating believable websites. Password hackers create what people know as social engineering websites that they design to seem like legitimate login pages. These cybercriminals send you to a fake login field that won’t give you access to your account. It only records the information you type in, giving the cybercriminal exactly what they want.

How to avoid: Never click on suspicious links or attachments.

4. Dictionary attack

Another sibling of the brute force attack family is the dictionary attack. These cyberattacks play on our habit of using single-word phrases as our passwords. The hacker may use automated password-guessing software to try every word in the dictionary as your password to see if they have any luck.

More advanced dictionary attack hackers develop a list of keywords specific to your life, such as birthdates, sibling/pet names, and/or previous street names.

How to avoid: Create complex passwords that include a variation of numbers, letters, and symbols.

5. Keylogger attack

A keylogger is spyware used to track and record what you type on your keyboard. Despite being legal to use, depending on the reasoning, hackers take advantage of this software by intentionally infecting vulnerable devices and recording private information without their knowledge.

How to avoid: Install reliable antivirus software onto your device.

6. Data leaks or Password spray attack

Password spraying is when a hacker uses a large number of stolen passwords — sometimes in the millions — on a small number of online accounts to see if they can gain access. Hackers use advanced automated password-guessing software that can limit the number of attempts that it tries on an account. This lets them avoid triggering security alerts and continue trying under the radar .

How to avoid: Make a routine of changing your passwords every couple of months.

7. Phishing

Password phishing attacks often come in the form of an email or text message bringing your attention to some kind of urgent matter. The hacker may pair these messages with a link to a strategically designed social engineering website created to trick you into logging into your profile. These websites will record the credentials you type in, giving the attacker direct access to your actual account.

How to avoid: Double check the URLs before logging into accounts.

8. Man-in-the-middle attack

A man-in-the-middle attack uses phishing messages to pose as a legitimate businesses to complete the following goals:

Use malicious attachments to install spyware and record the passwords

Embed links to social engineering websites to get people to compromise their own credentials

How to avoid: Double-check the sender’s email address on suspiciousemail messages.

9. Traffic interception

Traffic interception is also a kind man-in-the-middle attack. This is when password crackers eavesdrop on network activity to capture passwords and other types of sensitive information. There are a number of ways cybercriminals do this, one of which is by monitoring unsecure Wi-Fi connections. But they could also use a tactic called SSL hijacking — when the cybercriminal intercepts a connection between a target and the legitimate site they’re on and records any information shared between the two.

How to avoid: Avoid public Wi-Fi and install a VPN.

10. Shoulder surfing

Being aware of your physical surroundings is just as important as watching for suspicious activity online. One way that hackers get their hands on passwords is by looking over people’s shoulders in public as they type. People are often too focused on putting in their password to check for nosey neighbors looking their way.

How to avoid: Enable biometric features like facial recognition to sign into accounts on mobile devices.

Password Cracking Guide

Before moving to our main topic let's focus on some basics points that everyone should know .

1.) Hashing :

Hashing is a form of computer security that enables data integrity and authentication.It is a cryptographic technique that transforms any form of data into a special text string.

Types Of Hashing Algorithms

Here are some popular hashing algorithms:

MD-5

Designed in 1991, it was one of the first hashing algorithms to become popular. The MD-5 hash function encodes a string into a 128-bit fingerprint. It uses a checksum function to verify data integrity. Most data security experts do not recommend the MD-5 hash as it suffers from extensive hash collisions due to its age.

SHA

The United States Government developed the earlier versions of the SHA family of hashing algorithms. They are more secure and harder to break than the MD-5 algorithm. There are several versions of the SHA algorithm. The SHA-2 algorithm contains six hash functions with hash values that are 224, 256, 384 or 512 bits. The number at the end of the SHA algorithm denotes its data of release and complexity. For example, the SHA-3 includes the source of randomness and is more advanced than its predecessor, SHA-2.

RIPEMD-160

Developed in Belgium in the mid-90s, the RACE Integrity Primitives Evaluation Message Digest (or shortly RIPEMD-160) is a secure hashing algorithm with no cases of successful hacking. It is a stronger version of its predecessor, the RIPEMD algorithm and generates a 160-bit output. Cryptocurrency blockchains use this algorithm for hashing user data.

CRC32

The CRC32 hashing algorithm works using a cyclic redundancy check (CRC) that detects accidental changes to stored data. Encoding data using CRC32 always results in a hash output of fixed length. Zip file and file transfer protocol (FTP) servers use the CRC32 algorithm for hashing purposes.

Whirlpool

Published in 2000 and revised in 2003, the Whirlpool is a hash function based on the advanced encryption standard (AES) and the form square. It takes inputs lesser than 2^256 bits and converts them into a 512-bit hash. Every block cypher in the whirlpool algorithm is an 8 x 8 matrix.

Scrypt

It is a computationally intensive hashing algorithm that takes a relatively long time to generate the hash compared to other algorithms. Due to its complex and high memory volume, it is one of the most secure hashing functions. Litecoin, a popular cryptocurrency, uses the Scrypt hash function to secure its blockchain.

Ethash

The Ethereum network created and implemented the ethash, proof-of-work mining algorithm to secure the Ethereum blockchain. It offers three major benefits, including light client verifiability, ASIC-resistance and full chain storage. It is another secure hashing algorithm that ensures the integrity of the Ethereum blockchain and cryptocurrency.

2.) Encryption :

Encryption is a form of data security in which information is converted to ciphertext. Only authorized people who have the key can decipher the code and access the original plaintext information.

Types of encryption

Here are some examples of common types of encryption used today.

Triple DES

The Triple Data Encryption Standard (DES), often written 3DES, is a version of the original DES encryption algorithm that encrypts data three times. The Triple DES uses three 64-bit keys, so the key length is 192 bits. Triple DES is a symmetric encryption, and the key is private. Because it encrypts data in 64-bit segments, Triple DES is considered a block cipher. Cipher Block Chaining (CBC), however, is an encryption mode that struggles at high data rates.

Blowfish

Blowfish is an encryption technique that was designed by Bruce Schneier in 1993. Similar to Triple DES, Blowfish is a symmetric block cipher. Unlike Triple DES, Blowfish does variable-length key encryption. Rather than set 64-bit segments, Blowfish encrypts segments ranging from 32 to 448 bits. Blowfish is an unpatented and unlicensed encryption technique. For this reason, it is free and available for public use.

RSA

The RSA encryption key, named after creators Ron Rivest, Adi Shamir, and Leonard Adelman, is the standard encryption technique for important data security. RSA is asymmetric cryptography, so there is one public key and one private key. The RSA algorithm uses prime factorization. Simply put, this key requires the factorization of a product involving two large prime numbers. While it seems easy, figuring out these two numbers can be difficult. Even for large computers, it can be expensive and exhaustive to decrypt. While RSA can be very useful, it becomes increasingly inefficient at higher security levels.

AES

Because of an increase in brute-force attacks on the original DES, the Advanced Encryption Standard (AES) was put into place in 2002. AES is a symmetric block cipher that was originally named Rijndael. This block cipher uses three separate keys: AES-128, AES-192, and AES-256. These three keys are used to encrypt and decrypt information of 128 bits. Since its adoption, AES has been used to protect classified government information and sensitive data.

ECC

Elliptic Curve Cryptography (ECC) is a very advanced approach. Often based on a common public key algorithm, ECC combines elliptic curves and number theory to encrypt data. These elliptic curves are within finite fields and are symmetrical over the x-axis of a graph. Given these properties, cryptographers can provide robust security with much smaller and efficient keys. For example, an RSA key of 15,360 bits would be equivalent to an ECC key of just 512 bits.

How Password Cracking Works :

The general process a password cracker follows involves these four steps:

Steal a password via some nefarious means. That password has likely been encrypted before being stored using a hash Hashes are mathematical functions that change arbitrary-length inputs into an encrypted fixed-length output.

Choose a cracking methodology, such as a brute-force or dictionary attack, and select a cracking tool.

Prepare the password hashes for the cracking program. This is done by providing an input to the hash function to create a hash that can be authenticated.

Run the cracking tool.

A password cracker may also be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it. Or, by using the same algorithm as the system program, the password cracker creates an encrypted version of the password that matches the original.

Best Password Cracking Tools :

1.) John the Ripper

John the Ripper is a good choice for a password cracking tool, mainly because of its open-source nature and support for different platforms. The open-source nature means that the code is available to the public, so users do not have to worry about the legality of the software and about potential malware of malicious programs that might be deeply integrated into the software.

🍁Link :https://www.openwall.com/john/

2.) Hashcat

Touted as the world’s first and only in-kernel rule engine, Hashcat is another password cracking tool that can help recover different passwords, such as those used for WiFi, documents, and other file types. Multiple platforms and operating systems are supported, such as Windows, Linux, and macOS for desktop. There is also mobile support for Android, iOS, and Windows mobile.

🍁Link : https://hashcat.net/hashcat/

3.)Medusa

Medusa is an online password-cracking tool that supports plenty of protocols, including HTTP, SSH, FTP, CVS, AFP, POP3, Telnet, and more. The software works as a login brute-forcer; many credentials using as many protocols as possible are inputted to arrive at the correct password.

🍁Link : https://www.kali.org/tools/medusa/

4.) THC Hydra

THC Hydra has seen many comparisons to Medusa as a password cracker, but there are notable differences between the two software. Like Medusa, THC Hydra is also an online password cracking tool that uses a brute-force password guessing method. One key difference is that THC Hydra can be installed on Windows, macOS, Linux, Free BSD, and Solaris, notably more platforms than Medusa supports. In addition to the brute-force method, THC Hydra can also use dictionary attacks, using external wordlists.

🍁Link :https://www.kali.org/tools/hydra/

5.) WFuzz

WFuzz is another brute-force password-cracking tool, much like Medusa and THC Hydra. Another feature of the program is finding hidden resources like servlets, directories, and scripts. The tool also supports multiple injection types with multiple dictionaries.

🍁Link : https://www.kali.org/tools/wfuzz/

6. ) Brutus

Brutus can recover passwords and usernames from websites, operating systems, and other applications. True to its name, Brutus utilizes a brute-force dictionary attack to retrieve passwords.

🍁Link : https://www.mediafire.com/file/rctr93q69nq4bd0/brutus-aet2-password-cracker-download.zip/file

7.) RainbowCrack

RainbowCrack is another password cracker tool that uses a rainbow table attack to decipher passwords in hash form. The main technique used is the time-memory trade-off technique which can be accelerated with multiple GPUs. Users can use RainbowCrack to generate rainbow tables to be used in the password cracking process or download preexisting rainbow tables from the Internet.

🍁Link : http://project-rainbowcrack.com/

8.) L0phtCrack

L0phtCrack is an open-source password cracking tool that can be used to crack Windows passwords. The main techniques that L0phtCrack uses are the dictionary attack and the brute-force attack, which allows the program to generate and guess passwords.

🍁Link : https://gitlab.com/l0phtcrack/l0phtcrack/-/releases

9.) OphCrack

OphCrack is a free, open-source password cracker that uses rainbow table attacks to decipher passwords. Specifically, the program cracks LM and NTLM hashes. LM hashes are for Windows XP and earlier operating systems, while NTLM hashes are for Windows Vista and subsequent Windows operating systems.

🍁Link : https://ophcrack.sourceforge.io/

10.)Aircrack-ng

Aircrack-ng is a good choice for cracking WiFi passwords, allowing users to crack passwords that use either the WEP or the WPA/WPA2 PSK standards. As for the technique, Aircrack-ng uses a dictionary attack with multiple supported algorithms, including PTW and FMS.

🍁Link : https://www.aircrack-ng.org/

11.) CrackStation

Unlike most entries on the list, CrackStation does not have a standalone program installed on the computer. Rather, CrackStation is a free web-based password cracker that uses the dictionary attack technique to crack hashes, which allows the program to be used on any operating system, even on mobile.

🍁Link : https://crackstation.net/

12.) Cain and Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.

🍁Link: https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html

13.)HackBrowserData

🍁Link: https://github.com/moonD4rk/HackBrowserData

💚Password Hacking Course💚

❤️‍🔥Note : This post is only for educational purpose, stay safe, stay ethical.