We have passwords for emails, databases, computer systems, servers, bank accounts, and virtually everything that we would like to guard. Passwords are generally the keys to urge access into a system or an account.

In general, people tend to line passwords that are easy to recollect, like their date of birth, names of relations, mobile numbers, etc. this is often what makes the passwords weak and susceptible to easy hacking.

One should lookout to possess a robust password to defend their accounts from potential hackers. a robust password has the subsequent attributes −

Contains a minimum of 8 characters.
A mixture of letters, numbers, and special characters.
A combination of small and capital letters.

Dictionary Attack

In a dictionary attack, the hacker uses a predefined list of words from a dictionary to undertake and guess the password. If the set password is weak, then a dictionary attack can decode it quite fast.

Hydra may be a popular tool that’s widely used for dictionary attacks. Take a glance at the subsequent screenshot and observe how we’ve used Hydra to seek out out the password of an FTP service.

Hybrid Dictionary Attack

Hybrid dictionary attack uses a group of dictionary words combined with extensions. for instance , we’ve the word “admin” and mix it with number extensions like “admin123”, “admin147”, etc.

Crunch may be a wordlist generator where you’ll specify a typical list or a personality set. Crunch can generate all possible combinations and permutations. This tool comes bundled with the Kali distribution of Linux.

Brute-Force Attack

In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and little and capital letters to interrupt the password. this sort of attack features a high probability of success, but it requires a huge amount of your time to process all the combinations. A brute-force attack is slow and therefore the hacker might require a system with high processing power to perform all those permutations and combinations faster.

John the Ripper or Johnny is one among the powerful tools to line a brute-force attack and it comes bundled with the Kali distribution of Linux.

Rainbow Tables

A rainbow table contains a group of predefined passwords that are hashed. it’s a lookup table used especially in recovering plain passwords from a cipher text. During the method of password recovery, it just looks at the pre-calculated hash table to crack the password. The tables are often downloaded from http://project-rainbowcrack.com/table.htm

RainbowCrack 1.6.1 is that the tool to use the rainbow tables. it’s available again in Kali distribution.

Quick Tips

Don’t write the passwords anywhere, just memorize them.
Set strong passwords that are difficult to crack.
Use a mixture of alphabets, digits, symbols, and capital and little letters.
Don’t set passwords that are almost like their usernames.

Ethical Hacking – Pen Testing

Penetration Testing may be a method that a lot of companies follow so as to attenuate their security breaches. this is often a controlled way of hiring knowledgeable who will attempt to hack your system and show you the loopholes that you simply should fix.

Before doing a penetration test, it’s mandatory to possess an agreement which will explicitly mention the subsequent parameters −

what are going to be the time of penetration test,
where are going to be the IP source of the attack, and
what are going to be the penetration fields of the system.

Penetration testing is conducted by professional ethical hackers who mainly use commercial, open-source tools, automate tools and manual checks. There are not any restrictions; the foremost important objective here is to uncover as many security flaws as possible.

Types of Penetration Testing

We have five sorts of penetration testing −

Black Box − Here, the moral hacker doesn’t have any information regarding the infrastructure or the network of the organization that he’s trying to penetrate. In black-box penetration testing, the hacker tries to seek out the knowledge by his own means.
Grey Box − it’s a kind of penetration testing where the moral hacker features a partial knowledge of the infrastructure, like its name server.
White Box − In white-box penetration testing, the moral hacker is given all the required information about the infrastructure and therefore the network of the organization that he must penetrate.
External Penetration Testing − this sort of penetration testing mainly focuses on network infrastructure or servers and their software operating under the infrastructure. during this case, the moral hacker tries the attack using public networks through the web . The hacker attempts to hack the corporate infrastructure by attacking their webpages, webservers, public DNS servers, etc.
Internal Penetration Testing − during this sort of penetration testing, the moral hacker is inside the network of the corporate and conducts his tests from there.

Penetration testing also can cause problems like system malfunctioning, system crashing, or data loss. Therefore, a corporation should take calculated risks before going ahead with penetration testing. the danger is calculated as follows and it’s a management risk.

RISK = Threat × Vulnerability

Example

You have a web e-commerce website that’s in production. you would like to try to to a penetration testing before making it live. Here, you’ve got to weigh the pros and cons first. If you plow ahead with penetration testing, it’d cause interruption of service. On the contrary, if you are doing not wish to perform a penetration testing, then you’ll run the danger of getting an unpatched vulnerability which will remain as a threat all the time.

Before doing a penetration test, it’s recommended that you simply put down the scope of the project in writing. you ought to be clear about what’s getting to be tested. for instance −

Your company features a VPN or the other remote access techniques and you would like to check that specific point.
Your application has webservers with databases, so you would possibly want to urge it tested for SQL injection attacks which is one among the foremost crucial tests on a webserver. additionally , you’ll check if your webserver is resistant to DoS attacks.

Quick Tips

Before going ahead with a penetration test, you ought to keep the subsequent points in mind −

First understand your requirements and evaluate all the risks.
Hire a licensed person to conduct penetration test because they’re trained to use all the possible methods and techniques to uncover possible loopholes during a network or web application.
Always sign an agreement before doing a penetration test.

So, this brings us to the end of blog. This Tecklearn ‘Concept of Password Hacking’ blog helps you with commonly asked questions if you are looking out for a job in Cyber Security. If you wish to learn Ethical Hacking and build a career in Cyber Security domain, then check out our interactive, Certified Ethical Hacker Training, that comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/certified-ethical-hacker-training/

Certified Ethical Hacker Training

About the Course

Tecklearn’s CEH certification training course provides you the hands-on training required to master the techniques hackers use to penetrate network systems and fortify your system against it. In this training, you will master how to identify security vulnerabilities by inspecting network infrastructures and defend the malicious hacker with essential tools and techniques, advanced network packet analysis and system penetration testing techniques to build your network security skill-set and prevent hackers. We will train you on the advanced step-by-step methodologies that hackers actually use such as writing virus codes and reverse engineering so you can better protect corporate infrastructure from data breaches.

Why Should you take Certified Ethical Hacker Training?

The average salary for a Cybersecurity Specialist is $110,881 per year in the United States and INR 900,000 per year in India – Indeed.com
Global Cybersecurity industry is estimated to cross US$ 220 billion by 2021.
Today cyber security is one of the most important aspects for any organization. In today’s digitally-driven world every organization needs professionals who can keep the hackers at bay. Hence the salaries for certified ethical hackers are among the best in the industry.

What you will Learn in this Course?

Introduction to Ethical hacking

Scope of ethical hacking
Enterprise information security architecture
Introduction and PCI Data Security Standard Overview
Role of Security and Penetration Testers
Vulnerability assessment
Various cyber security laws
Penetration testing

Various aspects of Information Security

Information security attacks
OS attacks
Application level attacks
Phases and Concepts of Hacking
Information Security Law and Standards

System Hacking

What is System Hacking
Goals of System Hacking
Understanding the certified ethical hacker methodology
About Kali Linux
Hands On

Technology Standards

Introduction to F5 Technology and Terms
POS (Point of Sale ) , mPoS
What is GLBA Compliance
OWASP
Site monitoring Tools
Introduction to PCI DSS Standard

Semantics and Introduction to Footprinting

What is Semantics
Fuzzy Logic
Footprinting

Threats

Types of Threats
Threats against the Application
Threat modelling
Hands on

Threat modelling

Threat modelling with STRIDE model
Ways to Find Security Issues
Penetration Testing Tools
Modelling Models – Whiteboard Diagrams, Brainstorming, Structured Diagrams etc.
Trust Boundaries
Threat Trees
DREAD Model

Example of Attack

Vulnerability Scanning Tools

OpenVAS
Wapiti
Burp Suite Community
Metasploit

Threat Modelling with Different models

Various Threat Models
PASTA Model in Depth

Advanced concepts like network packet analysis

Network scanning
How to scan the network, overview of scanning
WireShark
Sniffing attacks
File Signature

Got a question for us? Please mention it in the comments section and we will get back to you.

528