Remote Password Auditing Using THC-Hydra: Or, why brute force/dictionary attacks don't work (often).

THC-Hydra is a remote dictionary attack tool from The Hacker's Choice group. Its a well made tool that supports a lot of protocols and options. The following protocols are supported:
TELNET. FTP. HTTP, HTTPS. HTTP-PROXY, SMB. SMBNT, MS-SQL. MYSQL. REXEC. RSH, RLOGIN, CVS, SNMP, SMTP-AUTH. SOCKS5, VNC, POP3, IMAP. NNTP, PCNFS. ICQ, SAP/R3. LDAP2. LOAP3. Postgres. Teamspeak. Cisco auth. Cisco enable. LDAP2. Cisco AAA
Please don't take anything I say in this tutorial as a slam against THC and their tool, I just think I should point out some of the flaws in using brute force and dictionary attack tools against remote hosts. Their three major negatives are:
1. They are slow because of network latency and bandwidth requirements. Attacks against local password hashes may be fast, but attacking a remote network services can take orders of magnitude longer. If the target has good password policies in place it's unlikely that a brute force password attack will ever work. 2. If there's any sort of logging going on they will be HUGE records of it in the service's logs. Also, any IDS worth its salt is likely to detect the attack. 3. Accounts may be locked out way before the right password is guessed.
With that said, I think Hydra is a tool more suited for the authorized pen tester than it is for an illegal attacker since the pen tester has less to worry about from getting caught. In this first video on THC-Hydra I'll show how to do a simple dictionary attack against a single account.

Phishing

Phishing :- This is the most effective and easily executable password cracking technique which is generally used to crack the passwords of e-mail accounts, and all those accounts where secret information or sensitive personal information is stored by user such as social networking websites, matrimonial websites, etc.
Phishing is a technique in which the attacker creates the fake login screen and send it to the victim, hoping that the victim gets fooled into entering the account username and password. As soon as victim click on "enter" or "login" login button this information reaches to the attacker using scripts or online form processors while the user(victim) is redirected to home page of e-mail service provider.

Never give reply to the messages which are demanding for your username-password, urging to be e-mail service provider.

It is possible to try to obtain the passwords through other different methods, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, using a Trojan Horse or virus, identity management system attacks (such as abuse of Self-service password reset) and compromising host security.
However, cracking usually designates a guessing attack.

Brute Force

Brute Force :- If all other techniques failed, then attackers uses brute force password cracking technique. Here an automatic tool is used which tries all possible combinations of available keys on the keyboard. As soon as correct password is reached it displays on the screen.This techniques takes extremely long time to complete, but password will surely cracked.

Long is the password, large is the time taken to brute force it.

Default Passwords

Default Passwords :- A moderately high number of local and online applications have inbuilt default passwords that have been configured by programmers during development stages of software. There are lots of applications running on the internet on which default passwords are enabled. So, it is quite easy for an attacker to enter default password and gain access to sensitive information. A list containing default passwords of some of the most popular applications is available on the internet.

Always disable or change the applications' (both online and offline) default username-password pairs.

Guessing

Guessing :- Many passwords can be guessed either by humans or by sophisticated cracking programs armed with dictionaries (dictionary based) and the user's personal information.
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
* blank (none)
* the word "password", "passcode", "admin" and their derivatives
* the user's name or login name
* the name of their significant other or another person (loved one)
* their birthplace or date of birth
* a pet's name
* a dictionary word in any language
* automobile licence plate number
* a row of letters from a standard keyboard layout (eg, the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)
* a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
and so on....
In one survery of MySpace passwords which had been phished, 3.8 percent of passwords were a single word found in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was.

A password containing both uppercase &  lowercase characters, numbers and special characters too; is a strong password and can never be guessed.

Check Your Password Strength

Hashing

Hashing :- Here we will refer to the one way function (which may be either an encryption function or cryptographic hash) employed as a hash and its output as a hashed password.
If a system uses a reversible function to obscure stored passwords, exploiting that weakness can recover even 'well-chosen' passwords.
One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length.
LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately.

Hash functions like SHA-512, SHA-1, and MD5 are considered impossible to invert when used correctly.