A password cracking attack is either an online or an offline attack. Let’s look at each method in detail.
Online Password Cracking
Online attacks are necessary when you don’t have access to the password hashes.
When performing an online attack, you are usually presented with a web form asking for a username and password combination. There, you could try to guess the password, but that usually won’t get you anywhere. Instead, you could create or use an available automatic password guessing tool. Luckily for those of you who can’t program, there are already hundreds of these tools freely available online.
The downside of performing an online attack is that it can be very noisy, extremely slow and sometimes just not feasible.
Many login forms have a lockout feature that locks you out after a certain number of failed login attempts. For example, one of my cPanel hosting accounts will completely block my IP address if I fail to log in after five attempts. When this happens, I am forced to contact customer support to have my IP address manually unblocked so that I can access the site. Another example is if I fail to log in to my online banking after multiple tries, my account will be locked for 20 minutes.
If the target website doesn’t have a lockout feature, that doesn’t mean you’re golden. Online password cracking attacks are very noisy, and when you are throwing random wrong passwords at a system, its log file will grow tremendously. It looks very suspicious when there are hundreds of wrong password attempts logged to the same IP address.
To get around these factors, you might try to cover up your IP address via a proxy, use a different proxy for every 5 to 10 guesses, or even attempt a few guesses every 30 minutes so it looks less suspicious. Many of the password cracking programs out there have these features available.
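The following is an added example, not part of the original article, showing how a defender can detect both patterns described above from failed-login logs: the burst of failures from one IP address, and the slower guessing spread across several addresses that a per-IP count alone misses. The log format, thresholds, function names and sample entries are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> LOGIN_FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) LOGIN_FAIL user=(\S+) ip=(\S+)$")

def parse(lines):
    """Return sorted (timestamp, user, ip) tuples; unrelated lines are skipped."""
    found = (LINE_RE.match(line.strip()) for line in lines)
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3]) for m in found if m)

def burst(times, limit, window):
    """True if any `limit` consecutive timestamps fall inside `window`."""
    return any(times[i + limit - 1] - times[i] <= window
               for i in range(len(times) - limit + 1))

def detect(events, ip_limit=5, ip_window=timedelta(minutes=10),
           user_limit=10, user_window=timedelta(hours=24), min_ips=3):
    """Thresholds are illustrative assumptions. Returns (noisy_ips, targeted_users)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append(ts)
        by_user[user].append((ts, ip))
    # Rule 1: many failures from one address in a short time.
    noisy_ips = {ip for ip, t in by_ip.items() if burst(t, ip_limit, ip_window)}
    # Rule 2: one account failing steadily from several addresses, which
    # per-IP counting misses when guesses are slow and the source rotates.
    targeted = set()
    for user, hits in by_user.items():
        for i in range(len(hits) - user_limit + 1):
            chunk = hits[i:i + user_limit]
            spread = len({ip for _, ip in chunk})
            if chunk[-1][0] - chunk[0][0] <= user_window and spread >= min_ips:
                targeted.add(user)
                break
    return noisy_ips, targeted

def sample_log():
    """Constructed sample data using documentation-range addresses."""
    t0 = datetime(2024, 1, 1, 9, 0)
    fmt = "{} LOGIN_FAIL user={} ip={}".format
    lines = [fmt((t0 + timedelta(seconds=10 * i)).isoformat(), "alice", "203.0.113.7")
             for i in range(6)]                        # fast burst, single source
    lines += [fmt((t0 + timedelta(minutes=30 * i)).isoformat(), "bob",
                  f"198.51.100.{1 + i // 5}") for i in range(20)]  # slow, rotating
    lines.append(fmt(t0.isoformat(), "carol", "192.0.2.9"))       # one typo
    return lines

if __name__ == "__main__":
    print(detect(parse(sample_log())))
```

On the sample data, the first rule flags only the address behind the fast burst, while the second flags the account that keeps failing from rotating addresses even though no single address crosses the per-IP threshold.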
Online attacks can be very slow because the speed of the attack depends on the speed of your internet connection and the speed of the target server. Because of this, the most effective type of online attack is a dictionary-based attack. So if you have a fairly secure password, you will most likely not fall victim to an online password cracking attack.
Offline Password Cracking
Offline attacks are only possible when you have access to the password hash(es). The attack is done on your own system or on systems that you have local access to. Unlike an online attack, there are no lockouts or anything else to stop you in an offline attack, because you are doing it on your own machines. The only thing that could hold you back is the limits of your computer hardware: an offline attack relies on the machine’s processing power, so its speed depends on the speed of that machine. The better the processor, and nowadays even the graphics card, the more password guesses you can make per second.
Now that you know the difference between online and offline attacks, I’m sure you’ll agree with me that you should try to use offline attacks whenever possible. This obviously won’t be possible most of the time, so we will look at real-world examples of both methods later on in this course.