Difference between revisions of "Access Control attacks"
(Created page with "Access control attacks generally skip access control methods to steal data from the user. Adversaries securely break access control by logging in as an authorized user and acc...") |
|||
(24 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Access control attacks generally skip access control methods to steal data from | + | '''Access control attacks''' generally skip access control methods to '''steal data''' from systems like communication links, networks, computers, services and sensitive data. Adversaries securely break access control by logging in as an authorized user and accessing their credentials. |
+ | |||
+ | |||
+ | ==Password Attack== | ||
+ | |||
+ | A password attack is any means by which a hacker attempts to obtain a user’s login information. In many cases, passwords can simply be guessed after trying a few common words, such as “password” or "root". | ||
+ | |||
+ | ===Brute Force=== | ||
+ | |||
+ | The Brute force attack is guessing a key by testing all possibles combinations of numbers and letters through a computer program until find the one that allows access. | ||
+ | |||
+ | *'''Hybrid brute force attacks''':It uses a systematic approach to guess that it does not use external logic. | ||
+ | *'''Reverse brute force attack''':Involves using a common password or group of passwords against multiple possible usernames. | ||
+ | *'''Credential stuffing''':Credential stuffing is a unique form of brute force attack that uses breached username and password pairs. | ||
+ | |||
+ | Automated tools are also available to help with brute-force attacks, the most popular are: | ||
+ | |||
+ | *<code>[[Aircrack-ng]]</code> | ||
+ | *<code>[[John the Ripper]]</code> [[password cracking]] | ||
+ | *<code>[[Rainbow Crack]]</code> | ||
+ | *<code>[[Crack]]</code> | ||
+ | *<code>[[Hashcat]]</code> | ||
+ | *<code>[[DaveGrohl]]</code> | ||
+ | *<code>[[Ncrack]]</code> | ||
+ | *<code>[[THC Hydra]]</code> | ||
+ | |||
+ | See also: <code>[[fail2ban]]</code> | ||
+ | |||
+ | ===Rainbow Table=== | ||
+ | |||
+ | A [[wikipedia:rainbow table]] is pre-computed dictionary/database of plain-text passwords and their corresponding hash values that can be used to find out what plain-text password produces a particular [[hash]]. | ||
+ | |||
+ | The [[passwords]] in a computer system are not stored directly as plain texts, but are hashed using encryption. A [[hash function]] is a one way function, which means that it can’t be decrypted. Whenever a user enters a password, it is converted into a hash value and is compared with the already stored hash value. If the values match, the password has been found. | ||
+ | |||
+ | |||
+ | ==== [[Rainbow tables]] availability ==== | ||
+ | Nearly all distributions and variations of Unix, Linux, and BSD use hashes with [[salt]]s, although many applications use just a hash with no salt (typically [[MD5]]). | ||
+ | |||
+ | The Microsoft [[Windows NT]]/2000 family uses the LAN Manager and NT LAN Manager unsalted hashing method, based on [[MD4]], which makes it one of the most popularly generated rainbow tables.<ref>https://en.wikipedia.org/wiki/Rainbow_table#Common_uses</ref> | ||
+ | |||
+ | ===[[Password spraying]]=== | ||
+ | |||
+ | ===Sniffer Attacks=== | ||
+ | |||
+ | ===Dictionary Attack=== | ||
+ | |||
+ | ===Birthday Attack=== | ||
+ | |||
+ | ==Spoofing Attacks== | ||
+ | ===Email Spoofing Attack=== | ||
+ | ===Phone Spoofing Attack=== | ||
+ | ===Social Engineering Attack=== | ||
+ | ===Phishing Attack=== | ||
+ | ===Spear Phishing Attack=== | ||
+ | |||
+ | |||
+ | == See also == | ||
+ | * [[Cain & Abel]] | ||
+ | * {{passwords}} | ||
+ | * {{Security}} | ||
+ | |||
+ | |||
+ | [[Category:Security]] |
Latest revision as of 08:37, 10 November 2020
Access control attacks generally skip access control methods to steal data from systems like communication links, networks, computers, services and sensitive data. Adversaries securely break access control by logging in as an authorized user and accessing their credentials.
Password Attack[edit]
A password attack is any means by which a hacker attempts to obtain a user’s login information. In many cases, passwords can simply be guessed after trying a few common words, such as “password” or "root".
Brute Force[edit]
The Brute force attack is guessing a key by testing all possibles combinations of numbers and letters through a computer program until find the one that allows access.
- Hybrid brute force attacks:It uses a systematic approach to guess that it does not use external logic.
- Reverse brute force attack:Involves using a common password or group of passwords against multiple possible usernames.
- Credential stuffing:Credential stuffing is a unique form of brute force attack that uses breached username and password pairs.
Automated tools are also available to help with brute-force attacks, the most popular are:
Aircrack-ng
John the Ripper
password crackingRainbow Crack
Crack
Hashcat
DaveGrohl
Ncrack
THC Hydra
See also: fail2ban
Rainbow Table[edit]
A wikipedia:rainbow table is pre-computed dictionary/database of plain-text passwords and their corresponding hash values that can be used to find out what plain-text password produces a particular hash.
The passwords in a computer system are not stored directly as plain texts, but are hashed using encryption. A hash function is a one way function, which means that it can’t be decrypted. Whenever a user enters a password, it is converted into a hash value and is compared with the already stored hash value. If the values match, the password has been found.
Rainbow tables availability[edit]
Nearly all distributions and variations of Unix, Linux, and BSD use hashes with salts, although many applications use just a hash with no salt (typically MD5).
The Microsoft Windows NT/2000 family uses the LAN Manager and NT LAN Manager unsalted hashing method, based on MD4, which makes it one of the most popularly generated rainbow tables.[1]
Password spraying[edit]
Sniffer Attacks[edit]
Dictionary Attack[edit]
Birthday Attack[edit]
Spoofing Attacks[edit]
Email Spoofing Attack[edit]
Phone Spoofing Attack[edit]
Social Engineering Attack[edit]
Phishing Attack[edit]
Spear Phishing Attack[edit]
See also[edit]
- Cain & Abel
- Password, Password policy, Change password, Password manager,
passwd
, PAM, Password cracking, PasswordAuthentication - Security: Security portfolio, Security standards, Hardening, CVE, CWE, Wireless Network Hacking, vulnerability scanner, Security risk assessment, SCA, Application Security Testing, OWASP, Data leak, NIST, SANS, MITRE, Security policy, Access Control attacks, password policy, password cracking, Password manager, MFA, OTP, UTF, Firewall, DoS, Software bugs, MITM, Certified Ethical Hacker (CEH) Contents, Security+ Malware, FIPS, DLP, Network Access Control (NAC), VAPT, SIEM, EDR, SOC, pentest, PTaaS, Clickjacking, MobSF, Janus vulnerability, Back Orifice, Backdoor, CSO, CSPM, PoLP, forensic, encryption, Keylogger, Pwn2Own, CISO, Prototype pollution
Advertising: