Countermeasures for System hacking

Thursday 9 June 2011

CRACKING PASSWORDS 

Types of passwords :

                   Passwords that contain only letters                              :: HJKL
                   Passwords that contain only numbers                              :: 2545
                   Passwords that contain only special characters                   :: $#%^
                   Passwords that contain letters and numbers                       :: jdsh563
                   Passwords that contain letters and special characters            :: js$#ZD
                   Passwords that contain numbers and special characters            :: ^#%456$
                   Passwords that contain letters, numbers and special characters   :: E$f$56
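The categories above matter because they decide how many candidates an exhaustive search has to cover. The script below (an added example, not code from the original post) profiles each of the page's sample passwords: which character classes it draws from, the resulting alphabet size, the keyspace for its length, and the worst-case time at an assumed guess rate. It also turns the strong-password advice from the countermeasures section into a check. The class sizes (26/26/10/32) and the 10^9 guesses per second rate are assumptions.

```python
import string

# Character classes from the list above, with the size of each class an
# attacker must enumerate. Assumption: US keyboard, 32 printable symbols.
CLASSES = [
    ("lowercase letters", set(string.ascii_lowercase), 26),
    ("uppercase letters", set(string.ascii_uppercase), 26),
    ("numbers", set(string.digits), 10),
    ("special characters", set(string.punctuation), 32),
]


def password_profile(password):
    """Return (classes present, alphabet size, keyspace) for a password.

    The keyspace is the number of strings of the same length drawn from the
    same character classes, i.e. what an exhaustive brute force must cover
    in the worst case.
    """
    present = [name for name, chars, _ in CLASSES if any(c in chars for c in password)]
    alphabet = sum(size for name, _, size in CLASSES if name in present)
    keyspace = alphabet ** len(password)
    return present, alphabet, keyspace


def brute_force_seconds(password, guesses_per_second=1_000_000_000):
    """Worst-case exhaustive search time at the given guess rate.
    Assumed rate: 10^9 guesses/s, roughly a GPU against a fast unsalted hash."""
    _, _, keyspace = password_profile(password)
    return keyspace / guesses_per_second


def meets_page_rules(password, min_length=8, min_classes=3):
    """The page's advice as a check: long enough and drawn from at least three
    character classes. This says nothing about dictionary words, which fall
    to guessing regardless of how many classes they mix."""
    present, _, _ = password_profile(password)
    return len(password) >= min_length and len(present) >= min_classes


if __name__ == "__main__":
    samples = ["HJKL", "2545", "$#%^", "jdsh563", "js$#ZD", "^#%456$",
               "E$f$56", "P.r.#.a.S.O.$.o.n"]
    for pw in samples:
        present, alphabet, keyspace = password_profile(pw)
        print(f"{pw:20} classes={len(present)} alphabet={alphabet:3} "
              f"keyspace~2^{keyspace.bit_length() - 1:<3} "
              f"worst-case={brute_force_seconds(pw):.3g}s "
              f"page rules={meets_page_rules(pw)}")
```

Run it and compare "2545" (10^4 candidates, gone in microseconds) with "E$f$56" (94^6 candidates, still well under a second at the assumed rate): short passwords are weak no matter which classes they mix, which is why the length rule matters as much as the character mix.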

There are four types of password attacks ::
                       

  •  Passive online attacks
  •  Active online attacks
  •  Offline attacks      
  •  Non-electronic attacks

Passive online attack :

 Wire sniffing

  •  Access and record the raw network traffic
  •  Wait until the authentication sequence passes over the wire
  •  Brute force the captured credentials (password hashes or challenge/response pairs) afterwards

Man in the middle

  •  Get into the communication channel between client and server
  •  Wait until the authentication sequence
  •  No need to brute force: the credentials pass through the attacker's position in the channel
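The passive attack above needs no guessing when credentials cross the wire in the clear. The example below (added here; not code from the original post) takes a constructed capture buffer containing an HTTP request with Basic authentication and an FTP login, both as they appear without TLS, and pulls the credentials back out. The host names, user names and passwords in the buffer are made up for the example.

```python
import base64
import re

# Constructed capture (example data): an HTTP request carrying Basic auth and
# an FTP login, as both look on the wire when sent without TLS.
CAPTURE = b"".join([
    b"GET /admin HTTP/1.1\r\n",
    b"Host: intranet.example\r\n",
    b"Authorization: Basic " + base64.b64encode(b"alice:summer2011") + b"\r\n",
    b"\r\n",
    b"220 ftp.example FTP server ready\r\n",
    b"USER bob\r\n",
    b"331 Password required for bob\r\n",
    b"PASS letmein\r\n",
    b"230 User bob logged in\r\n",
])


def extract_credentials(data):
    """Pull credentials out of a raw capture.

    Returns a list of (protocol, user, password) tuples in the order found.
    """
    found = []

    # HTTP Basic: the header is base64 of "user:password", which is encoding,
    # not encryption, so a sniffer recovers it with one decode.
    for match in re.finditer(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", data):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # malformed base64; skip rather than crash the sniffer
            continue
        user, _, password = decoded.decode("utf-8", "replace").partition(":")
        found.append(("http-basic", user, password))

    # FTP: the USER and PASS commands travel as plain text lines.
    users = re.findall(rb"^USER\s+(\S+)", data, re.MULTILINE)
    passwords = re.findall(rb"^PASS\s+(\S+)", data, re.MULTILINE)
    for user, password in zip(users, passwords):
        found.append(("ftp", user.decode("utf-8", "replace"), password.decode("utf-8", "replace")))

    return found


if __name__ == "__main__":
    for protocol, user, password in extract_credentials(CAPTURE):
        print(f"{protocol:10} {user}:{password}")
```

Nothing here is an attack on the protocols themselves: the credentials are simply visible. That is the reason for the "do not pass credentials in plaintext over the wire" rule in the table at the end of this post; the same capture taken from a TLS session yields only ciphertext.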


Active online attack ::

Password guessing

  •  Try different passwords against the live service until one works
  •  Works because of weak passwords
  •  Works because of open authentication points (login services reachable by the attacker)

Offline attacks ::

  •  The attacker works on captured password hashes, so the target sees no failed logins
  •  Offline attacks are time-consuming
  •  Web services are available (online cracking and precomputed-table lookups)
  •  Distributed password cracking techniques are available
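How much time an offline attack takes depends almost entirely on how the hashes were stored, which is why "do not store secrets in plaintext" in the countermeasures table is only the starting point. The example below (added here; not code from the original post) runs the same wordlist against the same three accounts stored two ways: unsalted MD5, and salted, iterated PBKDF2-HMAC-SHA256. Both attacks succeed, because all three passwords are in the wordlist, but the amount of hashing the attacker must do differs by orders of magnitude. The wordlist, accounts and the 20,000 iteration count are constructed for the example (the count is kept low so it runs quickly; production settings should be far higher).

```python
import hashlib
import hmac
import os

# Constructed example data: a small wordlist and three accounts whose
# passwords all appear in it, so the comparison is about cost, not luck.
WORDLIST = ["password", "letmein", "summer2011", "HJKL", "jdsh563", "E$f$56", "P.r.#.a.S.O.$.o.n"]
USERS = {"alice": "summer2011", "bob": "letmein", "carol": "P.r.#.a.S.O.$.o.n"}
ITERATIONS = 20_000  # kept low so the example runs in well under a second; raise it in production


def md5_hash(password):
    """Unsalted, fast hash: the storage format that makes offline attacks cheap."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password, salt, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute the derived key from the stored parameters and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_md5_db(users):
    return {user: md5_hash(pw) for user, pw in users.items()}


def make_pbkdf2_db(users):
    return {user: pbkdf2_hash(pw, os.urandom(16)) for user, pw in users.items()}


def attack_md5(leaked, wordlist):
    """Hash each word once; the same table matches every user for free.
    Returns (cracked accounts, hash computations performed)."""
    table = {md5_hash(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def attack_pbkdf2(leaked, wordlist):
    """A per-user salt defeats the shared table, and every candidate costs a
    full PBKDF2 derivation. Returns (cracked accounts, underlying hash computations)."""
    cracked, work = {}, 0
    for user, stored in leaked.items():
        iterations = int(stored.split("$")[1])
        for word in wordlist:
            work += iterations
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    cracked, work = attack_md5(make_md5_db(USERS), WORDLIST)
    print(f"md5    : cracked {len(cracked)}/{len(USERS)} with {work} hash computations")
    cracked, work = attack_pbkdf2(make_pbkdf2_db(USERS), WORDLIST)
    print(f"pbkdf2 : cracked {len(cracked)}/{len(USERS)} with {work} hash computations")
```

With seven words and three users the MD5 side does seven hash computations in total, while the PBKDF2 side does 240,000 and gets no reuse between users. The lesson is the one the bullets make: slow, salted storage does not make a wordlist password safe, it makes each guess expensive and forces the attacker to pay that price once per account.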
                   

Tools for attacks ::

  •  NAT :: NetBIOS Auditing Tool
  •  BFT :: Brute Force Tool
  •  KerbCrack


Password sniffing ::

  •  Password guessing is a tough task
  •  If an attacker is able to eavesdrop on NT/2000 logins, this spares a lot of random guesswork

Password cracking tools ::
                    

  •   Access PassView
  •   Crack
  •   LCP
  •   Keyloggers


Countermeasures for Password Hacking

How to keep a STRONG PASSWORD :: Use the full keyboard, meaning letters, numbers and special characters :: Use capital letters too :: for example P.r.#.a.S.O.$.o.n

Change your password :: Change your password every 10 or 15 days :: Combined with a strong password, this keeps you safer ::

Use different passwords for different accounts. Everybody knows this but nobody cares to follow it. I know remembering a dozen cryptic passwords is very difficult, but I still suggest using different passwords at least for the accounts holding sensitive information.

Check your security question. People often keep a cryptic password but a security question that is too simple to guess. For example, many people use the name of their pet or their first school, which friends and acquaintances already know, so the question becomes a second, much weaker password.

Threats and Countermeasures 

Threat                      Countermeasures

Spoofing user identity      Use strong authentication.
                            Do not store secrets (for example, passwords) in plaintext.
                            Do not pass credentials in plaintext over the wire.
                            Protect authentication cookies with Secure Sockets Layer (SSL).

Tampering with data         Use data hashing and signing.
                            Use digital signatures.
                            Use strong authorization.
                            Use tamper-resistant protocols across communication links.
                            Secure communication links with protocols that provide message integrity.

Repudiation                 Create secure audit trails.
                            Use digital signatures.

Information disclosure      Use strong authorization.
                            Use strong encryption.
                            Secure communication links with protocols that provide message confidentiality.
                            Do not store secrets (for example, passwords) in plaintext.
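"Create secure audit trails" and "use data hashing and signing" come together in a tamper-evident log, which the table lists against both repudiation and tampering. The example below (added here; not code from the original post) builds an append-only trail in which each entry's tag is an HMAC over the entry and the previous tag, then shows what verification reports after an entry is edited and after one is deleted. The key, actors and actions are constructed for the example; the assumption is that the HMAC key is held by a separate logging service, not by the application that writes the events.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only log in which each entry's tag is an HMAC over the entry
    and the previous tag, so editing, reordering or deleting a record
    invalidates every tag from that point on. Assumption: the key lives with
    a separate logging service, not with the application writing events."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag, record):
        # Canonical JSON so the same record always produces the same bytes
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()

    def append(self, actor, action, **details):
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor, "action": action, "details": details}
        entry = {"record": record, "tag": self._tag(prev_tag, record)}
        self.entries.append(entry)
        return entry["tag"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev_tag = GENESIS
        for i, entry in enumerate(self.entries):
            record = entry["record"]
            expected = self._tag(prev_tag, record)
            if record.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev_tag = entry["tag"]
        return True, None


def demo(key=b"example-key-held-by-the-log-server"):
    """Build a short trail, tamper with it two ways, and report what verify() sees."""
    trail = AuditTrail(key)
    trail.append("alice", "login", source="10.0.0.5")
    trail.append("alice", "change_password")
    trail.append("bob", "login", source="10.0.0.9")
    intact = trail.verify()

    # 1. Edit a record in place: its tag no longer matches
    trail.entries[1]["record"]["actor"] = "mallory"
    edited = trail.verify()
    trail.entries[1]["record"]["actor"] = "alice"

    # 2. Delete a record: the successor's seq and chained tag both fail
    del trail.entries[1]
    deleted = trail.verify()
    return intact, edited, deleted


if __name__ == "__main__":
    intact, edited, deleted = demo()
    print("intact :", intact)
    print("edited :", edited)
    print("deleted:", deleted)
```

One gap the chain alone does not close: cutting entries off the end leaves a shorter but still valid chain. Record the latest tag periodically somewhere the application cannot write (or have a party holding its own key countersign it), and truncation becomes detectable too.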
