PART 2 | A Technical Overview of Hacking
Types of Password Cracking
Despite what is seen in movies, TV shows, and other media, password cracking isn’t
as simple as a hacker sitting in front of a computer running some software and breaking
the password. It is much more involved. Password cracking can take one of four forms,
all designed to obtain a password that the attacker is not authorized to possess. The
following are the four password cracking methods that can be utilized by an attacker:
Passive online attacks
Active online attacks
Offline attacks
Nontechnical attacks
Each one of these attacks offers a way of obtaining a password from an unsuspecting
party in a different but effective way.
Passive Online Attacks
In passive online attacks, an attacker obtains a password simply by listening for it. This
attack can be carried out using two methods: packet sniffing, or man-in-the-middle and
replay attacks. These types of attacks are successful if the attacker is willing to be patient
and employ the right technique in the correct environment.
Using a packet sniffer is effective, but it can be thwarted by technology that prevents
the observation of network traffic. Specifically, packet sniffing will work only if the hosts
are on the same collision domain. This is a condition that exists if a hub is used to join
the network hosts together; if a switch, bridge, or other type of device is used, the attack
will fail.
Other types of passive online attacks utilize a man-in-the-middle or replay attack
to capture the password of the target. If a man-in-the-middle attack is used, the attacker
must capture traffic from both ends of the communication between two hosts with the
intention of capturing and altering the traffic in transit. In a replay attack, the process
consists of an attacker capturing traffic using a sniffer, using some process to extract
the desired information (in this case, the password), and then using or replaying it later
to gain access to a resource.
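
The replay attack described above succeeds only while the captured value remains valid. As an added example (not from the book), the following Python code contrasts a server that accepts a fixed token with one that issues a single-use nonce. The class names, the HMAC-SHA256 challenge-response scheme, and the shared secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"  # constructed sample value

class StaticServer:
    """Accepts a fixed credential token: a value captured once stays valid."""
    def __init__(self, secret):
        self._expected = hashlib.sha256(secret).hexdigest()

    def login(self, token):
        return hmac.compare_digest(token, self._expected)

class ChallengeServer:
    """Issues single-use nonces; a response is valid only for its own nonce."""
    def __init__(self, secret):
        self._secret = secret
        self._open = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._open:
            return False  # unknown or already used nonce: replay rejected
        self._open.discard(nonce)  # a nonce can be answered only once
        return hmac.compare_digest(response, client_response(self._secret, nonce))

def client_response(secret, nonce):
    """Response a legitimate client computes for one challenge."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def run_demo():
    results = {}
    static = StaticServer(SHARED_SECRET)
    captured = hashlib.sha256(SHARED_SECRET).hexdigest()  # token seen on the wire
    results["static_first"] = static.login(captured)
    results["static_replay"] = static.login(captured)     # still accepted
    server = ChallengeServer(SHARED_SECRET)
    nonce = server.challenge()
    resp = client_response(SHARED_SECRET, nonce)
    results["nonce_first"] = server.login(nonce, resp)
    results["nonce_replay"] = server.login(nonce, resp)   # same message again
    results["old_resp_new_nonce"] = server.login(server.challenge(), resp)
    return results

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {accepted}")
```
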
While a packet sniffer may have limited success when trying to capture passwords on most
networks, companies do tend to frown upon its use by unauthorized individuals. An individual
who runs a packet sniffer on a corporate network has a possibility of capturing a password, not
to mention other confidential information. It is for these reasons that companies tend to take a
very tough stance on packet sniffer usage, and in some cases have terminated employment of individuals
caught using them on the network without permission.
