Password Cracking
A password is the digital key to our computer systems, online accounts, and personal data. Password cracking is the process of recovering these keys from data that has been stored or transmitted by a computer system. While it can be used ethically to recover forgotten passwords or test system security, it is most famously used by attackers to gain unauthorized access.
The process typically involves an attacker repeatedly making guesses for the password, using various methods to find the correct combination as efficiently as possible.
It covers guessing attacks, rainbow table attacks, and dictionary attacks, and is one of the techniques hackers use to gain access to sensitive data, financial information, or a person's account.
The Three Fronts of Attack
Password cracking attacks can be broadly classified into three categories based on how the attacker approaches the target.
1. Online Attacks: Cracking the Live System
In an online attack, the attacker tries to guess a password against a live, running system or application (e.g., a website login page or a remote server). This method is often slow and noisy, as the system may lock the account after too many failed attempts.
Manual Guessing: The simplest form, where an attacker has knowledge of the user's personal information (birthdays, pet names, etc.) and tries a few likely passwords.
Automated Attacks: The attacker uses a script or tool (like Hydra) to rapidly try thousands of passwords from a list against the live login form.
Man-in-the-Middle (MITM) Attack: A more advanced online attack where the attacker secretly intercepts the communication between a user and a server. By placing themselves in the "middle," they can capture credentials as the user sends them. This is common on unencrypted public Wi-Fi networks.
2. Offline Attacks: Working with Stolen Data
An offline attack is performed on a stolen copy of a password database or file. Because the attacker is working on their own machine, they are not limited by network speed or account lockouts, making this method incredibly fast and powerful.
This is where the most common cracking techniques are used:
Dictionary Attack: The attacker uses a "dictionary"—a list of common words, phrases, and previously leaked passwords—and tries each one. This is highly effective because so many people use simple, predictable passwords.
Brute-Force Attack: The attacker attempts every possible combination of characters until the correct password is found. Think of it like trying every single key on a massive key ring. This is slow but will always succeed given enough time.
Hybrid Attack: A combination of dictionary and brute-force methods. For example, the attacker might take a word from a dictionary, like "password", and then append numbers and symbols ("password123", "password!@#").
Rainbow Table Attack: A highly advanced offline attack that uses a "pre-computed answer key." A rainbow table contains a massive list of password hashes and their corresponding plaintext passwords. If an attacker steals a hashed password database, they can quickly look up the hash in their table to find the original password. Salting (adding random data to each password before hashing) is the primary defense against this.
Credential Stuffing: Credential stuffing involves using previously leaked username and password combinations from one service on other services. This attack is prevalent because many users reuse passwords across multiple accounts.
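The following added example (not part of the original page) shows why salting defeats a precomputed lookup table: a constructed five-word "dictionary" stands in for a leaked-password list, unsalted SHA-256 digests of those words are found instantly, while salted PBKDF2 digests of the same password differ per user and never match the table.

```python
import hashlib
import hmac
import os

# Constructed toy dictionary standing in for a list of leaked passwords.
COMMON_WORDS = ["password", "letmein", "qwerty", "password123", "password!@#"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext, the idea behind a rainbow table
    (a real rainbow table uses hash chains to save space; a dict suffices here)."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Return the plaintext if the digest is in the table, else None."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: the per-user salt makes any
    precomputed table useless and the iteration count slows every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str):
    """Return (salt, digest) as a system should store them, never the password."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_lookup_table(COMMON_WORDS)
    # Unsalted: a leaked digest of a common password is an instant lookup.
    found = lookup(table, unsalted_hash("password123"))
    # Salted: two users with the same password get different digests,
    # and neither digest appears in the precomputed table.
    salt_a, digest_a = store_password("password123")
    salt_b, digest_b = store_password("password123")
    return {
        "unsalted_lookup": found,
        "salted_digests_differ": digest_a != digest_b,
        "salted_in_table": lookup(table, digest_a.hex()) is not None,
        "verify_ok": verify_password("password123", salt_a, digest_a),
        "verify_wrong": verify_password("password!@#", salt_a, digest_a),
    }
```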
3. Non-Electronic Attacks: Exploiting the Human Element
These attacks don't involve technical cracking but instead manipulate people to get their passwords.
Social Engineering: Tricking someone into revealing their password through phishing emails, pretext phone calls, or impersonation.
Shoulder Surfing: Directly observing someone as they type in their password.
Dumpster Diving: Searching through a company's or individual's trash to find carelessly discarded notes with passwords written on them.
Common Password Cracking Tools
A wide range of tools exists to automate and accelerate the cracking process.
Tool | Primary Use & Description |
---|---|
Hashcat | The "world's fastest password cracker." An extremely powerful offline tool that uses GPUs to crack hashes at incredible speeds. |
John the Ripper | A classic and highly versatile offline password cracker that supports hundreds of hash types and is available on many platforms. |
Hydra | The go-to tool for online brute-force attacks against network login forms (e.g., SSH, FTP, web logins). |
Ophcrack | A free GUI-based tool that specializes in cracking Windows passwords using rainbow tables. |
Cupp | A simple tool that generates custom password lists (dictionaries) based on personal information about a target. |
Crunch | A powerful tool for generating custom wordlists for use in brute-force or dictionary attacks. |
Spyware
Spyware is a broad category of malicious software (malware) designed to secretly infect a computer, monitor a user's activity, and collect information without their knowledge or consent.
One of the most common and dangerous types of spyware is the keylogger, a tool focused specifically on capturing every keystroke a user makes.
Common Features and Capabilities of Spyware
While there are many different spyware programs, they typically share a common set of intrusive features:
Keystroke Logging: Capturing everything you type, including passwords, private messages, and financial information.
Information Theft: Stealing files, browser history, saved login credentials, and other personal data.
Activity Monitoring: Recording which applications you use, which websites you visit, and for how long.
Screen and Webcam Capture: Taking screenshots of your screen or even secretly activating your webcam and microphone.
System Modification: Changing your browser's homepage, redirecting your search queries, or slowing down your computer's performance.
Spyware | Brief Description |
---|---|
007 Spy | Can override "antispy" programs such as Ad-aware; records the URL of every website visited; includes a powerful keylogger engine that captures all passwords; logs can be viewed remotely from anywhere at any time; exports log reports in HTML format for viewing in a browser; automatically cleans up outdated logs; password protected. |
Spector Pro | Captures and reviews all chats and instant messages; captures e-mails (read, sent and received); captures websites visited; captures activity on social networking sites such as MySpace and Facebook; can block any particular website and/or chatting with anyone; acts as a keylogger to capture every single keystroke (including usernames and passwords). |
eBlaster | Besides a keylogger and website watcher, it also records e-mails sent and received, files uploaded and downloaded, user activity, online searches, MySpace and Facebook activity, and any other program activity. |
Remotespy | Monitors and records a user's PC remotely, silently and invisibly, without any need for physical access. It records keystrokes (keylogger), screenshots, e-mail, passwords, chats, instant-messenger conversations and websites visited. |
Keyloggers
A keylogger (or keystroke logger) is a specialized form of spyware whose sole purpose is to record the keys struck on a keyboard. It is an incredibly effective way for criminals to capture sensitive data like passwords, credit card numbers, and private conversations in real time.
Keyloggers come in two main forms: software and hardware.
Software Keyloggers
These are malicious programs that are installed on a computer, often without the user's knowledge. They are typically delivered via:
Trojans or Viruses: Hidden within a seemingly legitimate program or file.
Phishing Links: Installed when a user clicks a malicious link in an email or message.
A software keylogger usually consists of two parts: a DLL file that does the actual recording and an EXE file that installs and activates the DLL file. Because they are just software, they are commonly found on insecure public computers, like those in cybercafes or libraries.
Hardware Keyloggers
These are small physical devices that require an attacker to have direct, physical access to the target computer. Because they are hardware-based, they are invisible to software scans.
Common examples include:
USB Connectors: A small device that sits between the keyboard's USB plug and the computer's USB port.
ATM Skimmers: Malicious devices installed on ATMs to capture both the PIN (via a fake keypad or keylogger) and the card data.
Antikeylogger
An antikeylogger is a tool that can detect a keylogger installed on a computer system and can also remove it.
Firewalls cannot detect the installation of a keylogger on a system; an antikeylogger is designed specifically to detect it.
Unlike antivirus and antispyware programs, this software does not require regular updates of its signature database to work effectively.
It helps prevent identity theft and secures e-mail and instant messaging/chatting.
Defending Against Keyloggers and Spyware
Protecting yourself requires a multi-layered approach, as a simple firewall is often not enough.
Anti-Spyware Software: Use reputable antivirus and anti-malware programs that are specifically designed to detect and remove spyware and keyloggers.
Be Wary of Downloads: Only download software from trusted sources to avoid accidentally installing Trojans.
Use an On-Screen Keyboard: For entering highly sensitive information like banking passwords, an on-screen keyboard can bypass most keyloggers, as no physical keys are pressed.
Physical Security: Be cautious of unfamiliar devices plugged into your computer or public machines.
Logic Bombs
A logic bomb is a malicious piece of code secretly inserted into a software system. It remains dormant and undetected until a specific condition is met, at which point it activates and unleashes its harmful function.
A logic bomb is defined by two key components: its payload and its trigger. Because they are often planted by insiders with legitimate access, they can be extremely difficult to detect before they detonate.
The Payload
The payload is the malicious action the bomb executes. The impact can be devastating and can include:
Data Destruction: Deleting critical files, wiping entire databases, or corrupting essential data.
System Disruption: Crashing servers, disrupting network operations, or rendering systems unusable.
Financial Loss: The cost of data recovery, system repair, and business downtime can be enormous.
Reputation Damage: A successful attack can severely damage customer trust and an organization's reputation.
The Trigger
The trigger is the specific condition that activates the dormant code. Triggers can be simple or highly complex.
Time-Based: The bomb activates on a specific date or at a specific time (e.g., on Friday the 13th). This is why they are sometimes called "time bombs."
Event-Based: The bomb is triggered by a system event, such as a program being launched, a file being accessed, or a database reaching a certain size.
User Action-Based (Positive Trigger): The bomb activates when a specific user performs an action, like logging in.
User Action-Based (Negative Trigger): This is a common type used by disgruntled insiders. The bomb activates when a specific condition is not met, such as an employee's name being removed from the payroll file (indicating they have been fired).
Defending Against Logic Bombs
Because logic bombs are often planted by insiders, defense requires more than just standard antivirus software.
Code Reviews: Implement a policy where all code, especially for critical systems, must be reviewed by multiple developers before deployment. This makes it harder for a single person to insert malicious code.
Strict Access Controls: Adhere to the principle of least privilege. Employees should only have access to the systems and data they absolutely need to do their jobs.
Regular Audits: Routinely audit system logs and file integrity to detect unauthorized changes or suspicious code.
Standard Cybersecurity Practices: Keep all software and systems updated, use reliable security software, and be cautious with third-party apps and attachments. These practices help prevent external attackers from gaining the access needed to plant a bomb.
Real-World Examples
The Disgruntled Employee
A common scenario involves a system administrator who is about to be fired. Before leaving, they insert a logic bomb into a critical server that is programmed to wipe all data 30 days after their departure.
Siemens Corporation (2019)
A contractor intentionally programmed logic bombs into spreadsheets he created for Siemens. The bombs were designed to malfunction after a certain period, forcing the company to hire him back for expensive "repairs."
Stuxnet (2010)
A highly sophisticated nation-state worm that targeted Iran's nuclear program. Stuxnet contained a complex logic bomb that was triggered only when it identified a specific industrial control system. Once activated, its payload subtly altered the speed of nuclear centrifuges, causing them to self-destruct.