
How does a hacker crack encrypted password databases

We recently published a post about the inherent dangers of passwords and how they are increasingly vulnerable thanks to user negligence. With so much data being safeguarded by elemental passwords, the need for a refined security layer is imperative. However, a common question we received was about how attackers actually store and share compromised passwords with each other.

Understanding ‘Salting’ and ‘Hashing’ encryption
Before we go any further, we need to understand the significance of ‘salting’ and ‘hashing’ techniques used by web service providers. These methods encrypt passwords and they prevent the bad guys from getting their hands on large databases of stored passwords. If these databases are recklessly stored in plain text, they become highly vulnerable and visible.

This ensures that even if an attacker gets his hands on databases, he will be unable to crack the code without considerable effort. Salting refers to the process of adding a string of characters to a password. For instance, a password like ‘hello’ becomes ‘hello3ab9’ after the process. Hashing refers to the process of encrypting the salted password with a key. So ‘hello3ab9’ becomes ‘39e19b234…’ after hashing. Providers use popular programs like MD5, SHA-1, SHA-256, SHA-384 and SHA-512 to carry out this encryption.

Methods to crack stolen passwords
Unfortunately, attackers now have their hands on these programs. As a result, hackers who have cracked certain hashes and navigated around system protection software share the results with each other over underground forums. Here are the common tools that are utilized and shared by attackers to crack our secure passwords.
     


1. Rainbow Table

These are tabular databases that contain hashed passwords that have been cracked. Every encryption program is targeted and the results are then shared in a “you-help-me-I-help-you” manner. Subsequently, if a hashed password is obtained by a hacker, he simply runs it against the rainbow tables to see if the plain text password can be derived. This process takes him a few seconds if he has multiple tables at his disposal. His results are then recorded in the table and then shared with other hackers to complete the chain.
    
2. Dictionary Attack
   
In this scenario, an attacker runs an encrypted password against an existing set of words. In most cases, this list is simply derived from a dictionary. Many people use day-to-day dictionary words as their passwords and attackers are well aware of this. All they do is run the password against a list of all dictionary words and if the password is in fact a simple word, it will be cracked. This is why it is recommended that you use a combination of letters, numbers and special characters for your password.
     
3. Brute-Force Attack
   
Also known as an ‘exhaustive key search’, this attack is the most comprehensive and detailed trick used by hackers. They scan an encrypted password against all possible combinations including letters, numbers and special characters. This process is extremely lengthy so only the most dedicated and persistent attackers make use of it. But if an attacker adopts a brute-force technique then he is guaranteed to crack a password sooner or later. In order to discourage attackers from making use of this technique, it is recommended that you create passwords that are at least 8-10 characters long.

Hackers use these primary techniques, and other lesser known ones, to crack passwords once they obtain a list. After a password has been cracked, they update the list and share it with other hackers to spread the information. Password security is something that a lot of us take lightly so it is important to follow 3 rules – keep it long, use special characters and use different passwords for multiple accounts. Attackers share their resources and results with each other so we should also do the same and contribute towards raising awareness.
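
The salting and rainbow-table passages above, shown from the storage side as an added example that is not part of the original post: an unsalted fast digest gives identical values for identical passwords (which is what makes precomputed tables pay off), while a random per-user salt with a slow key-derivation function does not. PBKDF2 is swapped in here for the bare digests the post names; the iteration count, account names and function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def unsalted_sha256(password):
    """Fast, unsalted digest: the same password always gives the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Return (salt, digest) using a random 16-byte per-user salt and a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digest_groups(stored):
    """Audit check: users whose stored digests collide share a password, and the
    table is unsalted (or reuses one salt), so one lookup exposes all of them."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed sample accounts; 'hello' is the password used in the text.
    accounts = {"alice": "hello", "bob": "hello", "carol": "correct horse"}
    unsalted = {u: unsalted_sha256(p) for u, p in accounts.items()}
    print("unsalted collisions:", shared_digest_groups(unsalted))
    salted = {u: hash_password(p) for u, p in accounts.items()}
    print("salted collisions:  ",
          shared_digest_groups({u: d.hex() for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("verify ok / wrong:  ", verify_password("hello", salt, digest),
          verify_password("hellp", salt, digest))
```

Running `shared_digest_groups` over an existing credential table is a quick way to tell whether it was stored without per-user salts.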

How to Hack a Computer

Getting Past a Log In Password, Getting Remote Access, Cracking a Wifi (WEP) Password
Hacking a computer is a useful and, at times, important skill to pick up. Below are instructions for getting past a password (if you find yourself logged out of a computer or want to check up on your child or spouse), gaining remote access to a computer (to check on a user or help locate a stolen machine), or cracking a wifi password (in the event of an emergency, such as if you become lost in an unfamiliar city and you need to look up directions).




Method 1 of 3: Getting Past a Log In Password   

1. Boot the computer in safe mode.

2. Click “Start”.

3. Click “Run”.

4. Type in “control userpasswords2”.[1]

5. Change passwords for any account. This is probably going to be obvious to the user, so you may have to tell them a little white lie. Try something along the lines of: "Oh, I hear computers glitch like that sometimes. You can always type in recoverpassword if you get locked out and then set a new password" (in which case you will want to set the password to the account to recoverpassword or whatever you tell this person).[2]

6. Reboot the computer.
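
How an account owner or administrator can spot the password change from step 5, as an added example that is not part of the original post: it scans exported Windows Security-log records for event 4724 (a password reset attempt) where one account set another account's password. It assumes account-management auditing is enabled; the JSON-lines export format, the sample records and the function names are constructed for this example.

```python
import json

# Constructed sample: Security-log events exported as JSON lines.
# The export format and field layout are assumptions of this example.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2024-05-01T08:01:10Z", "SubjectUserName": "-", "TargetUserName": "alice"}
{"EventID": 4723, "TimeCreated": "2024-05-01T08:05:42Z", "SubjectUserName": "alice", "TargetUserName": "alice"}
{"EventID": 4724, "TimeCreated": "2024-05-01T21:13:07Z", "SubjectUserName": "Administrator", "TargetUserName": "alice"}
this line is damaged and must be skipped
{"EventID": 4724, "TimeCreated": "2024-05-01T21:13:30Z", "SubjectUserName": "Administrator", "TargetUserName": "bob"}
"""

PASSWORD_RESET = 4724  # Windows: "An attempt was made to reset an account's password"

def find_password_resets(jsonl):
    """Return reset events where one account set another account's password."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the review
        if event.get("EventID") != PASSWORD_RESET:
            continue
        actor = str(event.get("SubjectUserName", ""))
        target = str(event.get("TargetUserName", ""))
        if actor.lower() == target.lower():
            continue  # a user acting on their own account is not the case of interest
        findings.append({"time": event.get("TimeCreated"), "actor": actor, "target": target})
    return findings

def reset_bursts(findings, min_targets=2):
    """Map each actor to the accounts it reset, keeping actors with several targets."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], set()).add(f["target"])
    return {a: sorted(t) for a, t in by_actor.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for hit in find_password_resets(SAMPLE_EVENTS):
        print(f'{hit["time"]}  {hit["actor"]} reset the password of {hit["target"]}')
    print("bursts:", reset_bursts(find_password_resets(SAMPLE_EVENTS)))
```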




Method 2 of 3: Getting Remote Access

1. Download the program LogMeIn. There is a free version, though you can purchase a subscription if that better meets your needs.[3]
  • The program will need to be downloaded to the computer you intend to remotely view or use. This makes it useful for gaining access to your computer if it is stolen or for checking up on your teen’s daytime activities during the summer.
  • You will have to make an account with the LogMeIn website in order to use the software.
2. Log in to the website. Log in to LogMeIn’s website.

3. Navigate to the “My Computers” page. It should open automatically when you sign in.

4. Add the computer you intend to remotely access. You will see an “Add computer” button on the page. Click that and fill in the info for the computer you intend to access.

5. Click the name for the computer once it’s added.

6. Log on to the computer. This means you’ll have to know the username and password for the account you’re trying to access or view.
    
7. Click “Remote Control”. If you’re trying to be sneaky (such as to spy on the user), try to move the mouse as little as possible and don’t click on anything.
    
8. Log out when you’re done.




Method 3 of 3: Cracking a Wifi (WEP) Password

1. Download the necessary programs. You will need 2 programs to make this hack work: CommView (which will be used to look for vulnerabilities in the network you’re trying to access[4]) and AirCrackNG (which will break the security key itself).
  • Make sure your computer’s wireless adaptor is compatible with CommView.
    
2. Find a Network. Use CommView to scan for wireless networks. Choose a network with a WEP key and a decent signal.
     
3. Filter the search to that network. Right click on the network you want to access, select “Copy MAC address”, go to the Rules tab, then MAC Addresses, enable MAC address rules, then click Action→Capture→Add Record→Both. Paste in the MAC address.
   
4. View Data packets. Sort out the Management (M) and Control (C) packets so that you are only viewing the Data (D) packets.
    
5. Save the packets. Go to the Logging tab and enable auto saving. You may need to change the settings on the Directory size and File size. Try 2000 and 20, respectively.
    
6. Press the “Play” button to begin collecting. Wait until you have at least 100,000 packets.
    
7. Click “Concatenate Logs” under the Log tab. Make sure all of the logs are selected.
   
8. Export the logs. Go to the folder where the logs were saved and open the log file. Click File→Export→WireShark/tcpdump format and save it where you can find it easily.
   
9. Open the newly created file with Aircrack. Start Aircrack and choose WEP. Open the file and click “Launch”.
    
10. Enter the index number. When the command prompt opens, you’ll need to enter the index number for the target network. It is probably 1. Hit enter and wait. If it works, the key will be shown.
 
   
Warnings
  • Hacking a computer can have very serious consequences, especially if done on a public or school computer.
  • You will most likely be seen in court or go to jail for illegally accessing computers that don't belong to you.
  • Only use these techniques on your computer or on another person's computer with their permission.
  • This form of hacking will cause the victim to know someone's been in their computer. Beware, you can get caught easily.
  • Even when you only write a non-harmful script on a computer, people will not trust you with their computer.