
Wednesday, January 26, 2011

Fighting Brute Force Attack...

Hi friends.......


The simplest kind of hacking a hacker can do is to use a brute force attack to gain sensitive information about someone. Generally, it is applied to guess the password of a desktop machine or the user name-password pair of a web application.



The brute force technique requires no decryption tool, no computer knowledge, nothing at all.


The brute force technique is sometimes also known as a dictionary attack.


The "dictionary attack" method mostly uses words from a dictionary to guess passwords and may add a number at the beginning or the end for better guesses.


The "brute force" method uses cryptanalysis techniques to find more complex passwords that contain a combination of alphabetic, numeric and special characters.


In this technique a combination of strings is applied repeatedly until a perfect match is found. Time is the main component of this attack.


Given sufficient time, every password can be cracked sooner or later. The time required depends heavily on how complicated the chosen password is.


The power and efficiency of this simple algorithm can be understood from the fact that every password can be cracked through a brute force attack provided sufficient time is given; in other words, given enough time, a password is 100 % crackable using this simple technique.


The process is extremely simple and thousands of automated tools are already available on the Internet.
However, as a member of an ethical group, I am interested in giving information about how to prevent it.


So let us see how we can minimize this.


1. PASSWORD SELECTION


It is human tendency to seek comfort, and the same applies while choosing a password. At least, yaar, be particular while choosing a password. Generally people don't remember complicated passwords and choose things such as a license number, date of birth, spouse's name, father's name, pet name, girlfriend's/boyfriend's name etc. As these passwords are easy for you to remember, they are equally easy for any interested hacker to guess.


Alternatively, since hackers are very smart, he will not use a web browser to guess each user name and password. He will be using a computerised automated tool which can fire more than 1000 password combinations per minute, with credentials generated from a large list.


This list is called a dictionary.




Again, if the attacker succeeds in cracking the password for one website, he might be able to crack all the other passwords of that person on different websites, as most people keep the same password everywhere. So please, friends, choose your passwords securely.




A strong password policy can be as follows..


must contain at least 7 characters..
must contain at least one uppercase letter
must contain at least one lowercase letter
must contain at least one digit
must contain at least one special character






A password like M!c12@ will generate 735091890625 combinations through a brute force attack and about 37558352909169000000 through a dictionary attack, and would require approx. 233 years at 100 passwords per second to crack on a normal machine and at least 8 continuous days at 1000000 passwords per second on a highly powerful machine...


Again, my password M!c12@isbest would require 5389762 years, 2 months.


To check your password strength, please click here.


The above policy may seem strict, but it will guarantee that your password cannot be cracked easily. A 7-character password with a mixture of lowercase letters, uppercase letters and special symbols generates more than 70 trillion combinations and requires more than 10000 years of human time through a dictionary attack.
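As an added illustration (not code from the original post), here is a small Python script that checks a password against the five rules above and reproduces the keyspace arithmetic behind the M!c12@ figures: with an assumed alphabet of the 95 printable ASCII characters, 95^6 = 735091890625 candidates, about 233 years at 100 guesses per second and about 8.5 days at 1000000 per second, and 95^7 is the "more than 70 trillion" quoted for 7 characters. The worst-case model (the attacker exhausts the whole keyspace) is an assumption; the post's dictionary-attack figures come from an online checker whose model is not stated and are not reproduced.

```python
import re

# Assumed alphabet: the 95 printable ASCII characters (26 + 26 letters, 10 digits, 33 symbols).
# 95 ** 6 == 735091890625, the brute-force figure the post quotes for the 6-character M!c12@.
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365 * 24 * 3600

# The post's policy, one predicate per rule.
POLICY_RULES = [
    ("at least 7 characters", lambda p: len(p) >= 7),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def policy_violations(password):
    """Rules the password fails; an empty list means it satisfies the whole policy."""
    return [name for name, passes in POLICY_RULES if not passes(password)]


def brute_force_keyspace(length, charset_size=PRINTABLE_ASCII):
    """Candidates an exhaustive search of exactly this length must try in the worst case."""
    return charset_size ** length


def worst_case_seconds(length, guesses_per_second, charset_size=PRINTABLE_ASCII):
    """Time to exhaust that keyspace at a fixed guessing rate."""
    return brute_force_keyspace(length, charset_size) / guesses_per_second


def shortest_length_for(min_years, guesses_per_second, charset_size=PRINTABLE_ASCII):
    """Smallest length whose keyspace takes at least min_years to exhaust at this rate."""
    length = 1
    while worst_case_seconds(length, guesses_per_second, charset_size) < min_years * SECONDS_PER_YEAR:
        length += 1
    return length


if __name__ == "__main__":
    for pw in ("M!c12@", "M!c12@isbest"):
        print(pw, "violates:", policy_violations(pw) or "nothing")
    for rate in (100, 1_000_000):
        secs = worst_case_seconds(6, rate)
        print(f"6 chars at {rate} guesses/s: {secs / SECONDS_PER_YEAR:.1f} years ({secs / 86400:.1f} days)")
    print("length needed for 10000 years at 1000000 guesses/s:", shortest_length_for(10000, 1_000_000))
```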


Many organisations use an intrusion detection system (IDS) to monitor a high number of requests from the same user, but this is not sufficient to prevent brute force attacks, as the bandwidth of the automated tool can easily be controlled.


2. USER NAME SELECTION


As discussed above, the password is only half the information; the other half is the user name.


Choosing the user name is equally important. The same policy can be applied while choosing user names as well.

Some web development tools or frameworks ship with default settings, which are very easy targets for any smart hacker.


User names can also be guessed and are therefore riskier than passwords, as default titles like admin or administrator carry more privileged rights. If the hacker is able to log in with these administrative rights he can do more damage than with normal user accounts.


Besides administrative accounts, user accounts are also easily hackable. Normally users choose their names, email ids or phone numbers as their user names (remember Facebook). Here once again the user's laziness benefits the attacker.


Another method can be disabling the account after a finite number of failed login attempts, but this creates an opening for another type of attack known as denial of service (DoS).


First of all, with this type of preventive measure the attacker might get frustrated: if, say, 3 wrong attempts lock the account for a few hours, the time an automated brute forcing tool at a rate of 100 needs will increase from a single second to many, many days.


The side effect of this is that the legitimate user is denied the service.
As the automated tool keeps attempting wrong passwords and locking the account continuously, the legitimate user never gets the chance to use the service.


Again, locking is done to prevent password guessing, but what if the attacker is interested in user names?
Instead of varying the password, this time he will vary the user name and fire more than a thousand requests, and the system will register only a single failed transaction per account.




Another method can be an incremental delay in sending the response: a 1 second delay for the first wrong attempt, a 2 second delay for the second wrong attempt and so on. The user can wait a few seconds instead of waiting hours after a lockout, but the automated software will suffer heavily from this delay.


The disadvantage of the above method is that the system has to keep track of the sending application; however, the automated tool can be configured to start a new session each time a request is sent to the server.


The user can also be tracked by IP address, but there are many situations where multiple users share the same IP address or a single user uses different IP addresses.


However, this is at least a better method for guarding against brute force attacks than locking accounts.


3. ERRORS


The last strategy can be displaying appropriate errors when a failed login attempt occurs.


Consider the two error messages:
 1. user name does not exist
 2. incorrect password.


The first message tells the attacker that the user name does not exist in the system, hence he will move on to the next user name, saving a lot of time that he would otherwise spend trying to guess the password for that account.


The second message tells the attacker that the user name exists but the password is wrong; now that he knows the user name is correct, he simply keeps applying password cracking techniques.





An error message like "user name and password do not match" can be used to report a failed login. No one can tell from this error message whether the user name or the password was wrong.
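The incremental delay from section 2 and the uniform error message from section 3, put together in one added Python example (not code from the original post). Failures are counted per user name and per client address, so cycling through user names from one address does not reset the delay, and a legitimate user is delayed but never locked out; the dummy-hash check for unknown names, which keeps the response time from revealing which half was wrong, goes beyond the post. The user table, addresses and the injectable sleep hook are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_ERROR = "user name and password do not match"   # same text whichever half was wrong

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table {name: (salt, hash)}; a real site would read this from its database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("M!c12@isbest", _SALT))}
# Checked when the name is unknown, so an unknown name costs the same time as a wrong password.
_DUMMY = (_SALT, _hash("placeholder-not-a-real-password", _SALT))

class LoginThrottle:
    """Incremental delay instead of lockout: the n-th consecutive failure waits n * step seconds."""

    def __init__(self, step=1.0, sleep=time.sleep):
        self.step = step
        self.sleep = sleep                  # injectable so a test can record waits instead of sleeping
        self.failures = defaultdict(int)    # keyed ("user", name) and ("ip", address)

    def delay_for(self, username, client_ip):
        # Larger of the two counters: cycling user names from one address still pays the
        # per-address delay, while a shared address only delays, never locks out, its users.
        return self.step * max(self.failures[("user", username)], self.failures[("ip", client_ip)])

    def login(self, username, password, client_ip):
        wait = self.delay_for(username, client_ip)
        if wait:
            self.sleep(wait)
        salt, digest = USERS.get(username, _DUMMY)
        ok = username in USERS and hmac.compare_digest(_hash(password, salt), digest)
        if ok:
            self.failures.pop(("user", username), None)   # delayed, never locked out
            return True, None
        self.failures[("user", username)] += 1
        self.failures[("ip", client_ip)] += 1
        return False, GENERIC_ERROR

if __name__ == "__main__":
    throttle = LoginThrottle(step=1.0)
    print(throttle.login("alice", "wrong", "10.0.0.1"))         # (False, 'user name and password do not match')
    print(throttle.login("nobody", "wrong", "10.0.0.1"))        # same message, after a 1 s delay
    print(throttle.login("alice", "M!c12@isbest", "10.0.0.1"))  # (True, None), after a 2 s delay
```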






There are numerous more techniques and measures, which we will see in the coming articles..




Please comment...


JITENDRA KUMAR PATEL.
http://www.facebook.com/bewithjitendrapatel  
