Advantages and Disadvantages of Password-based Authentication
For any information system one of the one of the biggest security concerns is the passwords used by the users in order to authenticate. The Hydra is one of the most efficient tools that is used as the login cracker. Authentication of the users through the passwords has its pros and cons. Some of the advantages can be listed as while they are used properly this is helpful in securing information systems, user accounts and their confidential data. in addition to that, this also allows the users of the information system in order to login to their accounts regardless of their locations and some extra equipment.
Web applications can be exploited with the vulnerabilities due to the security properties of the concerned web application that were not properly addressed. Conversely, the administrators should use vulnerability assessment tools that can be helpful in automating process. This automated process can help in saving time as well as defend the concerned web applications from the threats and attack vectors.
On the contrary the disadvantages include that most of the users tends to forget their respective passwords for their accounts, use of short and weak passwords for their accounts which can be easily cracked by the attackers. This leads to the allowing the unwanted users and attackers to access the sensitive information from thee different user accounts.
This tool supports copious protocols to attack and crack the login credentials of a system. This tool is comparatively easy to use and is best for brute-force attacks.
This tool presently supports the following protocols;
HTTP-FORM-POST, Asterisk, HTTPS-GET, HTTPS-HEAD, AFP, PCNFS, POP3, Cisco AAA, MS-SQL, NCP, NNTP, Cisco auth, Cisco enable, Rexec, Rlogin, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-PROXY, HTTPS-FORM-GET, VMware-Auth, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, POSTGRES, RDP, SAP/R3, SIP, SMB, SOCKS5, different versions of SSH , Subversion, Telnet, SMTP, SMTP Enum, SNMP and XMPP.
other features of this tool includes the following;
Compared to the password cracking tools it is considered as the fastest one in cracking speed.
This tool is cross platform i.e. it is available for Linux, Windows, OS X and Solaris.
Additional modules can be easily added in order to enhance its features for security testing of the information system.
This tool supports both the Brute force and dictionary attacks for cracking the passwords.
In case of the Dictionary attack, it is simplest as well as the fastest password cracking tool to carry the attacks. In simple words it can be said that, this tool tries and runs through a dictionary of words or the related passwords while trying each combination in order to find out if any of them works and leads to the granting access to the attacked information system.
Hydra: An Efficient Login Cracking Tool
Even though this approach seems to be tedious as well as impractical in order to achieve the access to the system manually. compared to the manual process computers with efficient processing speed can complete this task of going and trying through millions of dictionary words as the passwords. This is usually first approach used by attackers while attacking any password cracking attack to the information system as this can help them in successfully cracking the passwords in mere few minutes after starting the attack which eventually lead to securing the attackers from IDS.
following are the options that can be used with the commands that can help in exploring the actions that can be used for the attacks.
Options:
-R in order restore previous aborted or crashed attack session
-S in order to initiate an SSL connect operation.
-s PORT in order to define the default port if the application is deployed on different port.
-l LOGIN: user id or the username for the attack using several logins from a specified FILE
-p PASS provided password to try for an account or load several passwords from FILE
-x MIN: MAX: CHARSET or the password in order to use them in brute force generation.
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
-t in order specify the number of tasks or number of connection tries parallel manner. 16 is the default value for this option.
-w / -W TIME wait time for responses (32) / between connects per thread (0)
-4 / -6 IPv6 or IPv4 addresses default is IPv4 it is recommended to use [].
-v / -V / -d verbose mode for every attempt on the attack.
-O use old SSL versions.
-e nsr for trying the null password for the accounts “r” for the reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated file format for the password.
-M FILE list and details of servers which are to be targeted.
-o FILENAME write found login/password pairs to FILE instead of stdout
-f / -F exit when M: -f per host, -F global.
-q when specified then it does print messages related to the connection errors
-U service module usage details
OPT some service modules support additional input (-U for module help)
Protocols Supported by Hydra
In case of attacking a website with the login functionality over the http protocol using the post method and the used option from the Hydra is “http-post-form”. One more example is cracking the applications that are using the FTP that can be exploited using the “ftp” option available in Hydra.
Before this the user have to find the information around the website that you want to get access to find out useful data from the website. This kind of information can be found in the URL of the sites or “About” page of the sites of the application.
Different web applications used by the organizations are prone to the security vulnerabilities based on the security properties which were not addressed by the developers or the security auditors. In order to detect, identify and address the vulnerabilities that can be exploited by the attackers can be assessed using the automated tools which can help in saving time as well as also defend the applications from numerous modern threat vectors used .
One of the most important points which needs to be considered by the attackers or security auditors that in most of the cases variable values such as username, password is not constantly the same for every information system.
The values differ depending upon the sites or the service of the applications. In case most of the sites with the weak security mechanisms the attacker can get the value from the page source in order to find out the variable in which the values are stored.
similar to the other penetration testing tools Hydra also has numerous parameters as well as options that can make the efficient in different scenarios. with the use of the help command Help for Hydra users can explore the options for carrying out the attacks and experiment with it.
in order to test the functionality of the Hydra tool we at first created a user account on the acunetix acuforum website as the demo website. with the username and password “miststud” and “[email protected]”.
Following is the screenshot for the different options available for the Hydra tool.
following is the screenshot of the account which is created on accunetix and url is https://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
Following is the screenshot of the starting the attack from the GUI of the Hydra tool after confirming the text file that contains the possible passwords.
following is the screenshot on which it is evident that we are using the “muststud” for the username and along with that we have specified location of the text file.
Features of Hydra
In the above image we have started the attack on the specified targeted website in order to get access to the concerned account of the user using the list of probable passwords.
Conclusion
Use of the strong passwords is the most efficient way in order reduce the overall risk of a security breach1 through the password cracking mechanism. Furthermore, it can be stated that the with the use of the strong passwords it is also important to place effective security controls for securing the information systems. Effectiveness of used password on an information system mostly depends on the implementation and design of concerned authentication system on that specific system.
principally this is important to restrict the times until which password guesses can be tested by a user or an attacker. In addition to that, the way in which the passwords are securely passwords is stored in the database as well as transmitted in network transaction. other than this threats there are also other techniques that poses the ability to breach the security of the information system which are not connected with breaking the password. These techniques include keystroke logging, wiretapping, social engineering, dumpster diving, side-channel attacks and other vulnerabilities of the information system.
Chatterjee, R., Bonneau, J., Juels, A., & Ristenpart, T. (2015, May). Cracking-resistant password vaults using natural language encoders. In Security and Privacy (SP), 2015 IEEE Symposium on (pp. 481-498). IEEE.
Golla, M., Beuscher, B., & Dürmuth, M. (2016, October). On the security of cracking-resistant password vaults. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1230-1241). ACM.
Gong, C., & Behar, B. (2018). Understanding password security through password cracking. Journal of Computing Sciences in Colleges, 33(5), 81-87.
Kakarla, T., Mairaj, A., & Javaid, A. Y. (2018, May). A Real-World Password Cracking Demonstration Using Open Source Tools for Instructional Use. In 2018 IEEE International Conference on Electro/Information Technology (EIT) (pp. 0387-0391). IEEE.
Patil, D. N., & Meshram, B. B. (2016). Windows Password Vulnerability and Preventive Measures. Indian Journal of Computer Science• September-October, 13.
Shen, C., Yu, T., Xu, H., Yang, G., & Guan, X. (2016). User practice in password security: An empirical study of real-life passwords in the wild. Computers & Security, 61, 130-141.
Trieu, K., & Yang, Y. (2018). Artificial Intelligence-Based Password Brute Force Attacks.
Ur, B., Bees, J., Segreti, S. M., Bauer, L., Christin, N., & Cranor, L. F. (2016, May). Do Users’ Perceptions of Password Security Match Reality?. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (pp. 3748-3760). ACM.
Yisa, V. L., Baba, M., & Olaniyi, E. T. (2016). A Review of Top Open Source Password Cracking Tools.
Zhang-Kennedy, L., Chiasson, S., & van Oorschot, P. (2016, June). Revisiting password rules: facilitating human management of passwords. In Electronic Crime Research (eCrime), 2016 APWG Symposium on (pp. 1-10). IEEE.
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
