Strategies for Password Cracking

Strategies for Password Cracking Abdulmalik Nasser The aim of my project is to give ICT students an idea of the mechanism of cracking password using an using John the ripper. I will also explain the process that the application does to crack a password. Moreover,I will talk about password complexity. how does the complexity increase the cracking time? are there intractable passwords? why? encryptions . Finally , I will explain different types of cracking like brute force, dictionary attack etc. Password cracking is one of the oldest hacking arts. Every system must store passwords somewhere in order to authenticate users. However, in order to protect these passwords from being stolen, they are encrypted. Password cracking is the art of decrypting the passwords in order to recover them. Passwords are the most common means of authentication. Passwords are protected by using one-way cryptographic algorithms that produce a hash of set length. Cryptography can only protect something to the point where the only feasible attack on the encrypted secret is to try and guess it. However, in the case of passwords guessing is easy. Passwords are insecure by nature because they are used for preventing humans from guessing a small secret created by humans. To understand how to get a good understanding about password, we have to understand how they are stored in a system. To store a password in a text form is strongly unacceptable. The same thing when storing the passwords deep in tree of directories that would result in Security through Obscurity and this is also unacceptable. Unix management file system gives an acceptable solution: one of the main distributions of Multicast (the precursor to Unix) stored the file of password in a clear text, but it can be seen by a super user only. This was a improper solution. Also caused a bug to which switching some temporary file and showed the password in text being printed for all the clients when they login. Unix instead of doing that, saves the passwords that were hashed in the password file and not the actual passwords. After that, as the user puts his password , the system has the ability to simply compare the hash of the user password input and it will be compared with the stored hash value [1]. Â   Â   3.1 What a complex password should include. Figure 1 what password combination should include. A strong password should include what is listed in Fig1 in order to be complex password. so, what complex password means that password that include :Upper lower case letters, symbols and numbers getting that password is an extreme power consumption and time wasting for any password cracker [2]. 3.2 Common passwords Figure 2 : the most common passwords According to a study that was accomplished by David Bisson in 2014 . The result shows the most common passwords that are used on the Internet which any cracker would definitely add to his word list. These are typical example of an obvious passwords and easy to crack unfortunately. Easy passwords like what is shown above is very easy to guess it would not even use processor of the cracker it will be in his word list, because these passwords are the most common passwords at all time. So, any password cracker would definitely start cracking the password with guessing such passwords [3]. Figure 3: TOP 100 password hints by category [4] Fig3 shows the result of a study that was done by Troyhunt shows how people choose their password. Guessing a password from the E-mail address: Figure 4: Passwords derived from the email address [4] Figure 5: Number of Password combinations alphanumeric Password [5] The table above shows number of possibilities based on the password length so, any digit of the password is considered as process loop. Each digit can have 64^ the number of digits. Imagine having 13 characters that 64 raised to the power of 13 its an extremely big number of combination that the cracker has to try. Its extreme based on the source of the cracker processor and its also based on time. 3.3 Password complexity and Time Complex password is extremely important for securing your data and information. Most of the people think their password is being hacked or sniffed but the main reason for their password was not complex so, the depending on the assigned password the time will be proportional for example, three digit numeral or alphabet password ahc, 897, or even abc432 would take less than a second for cracking. However,[emailprotected] would take almost a month to be cracked, because the cracking cycle will go checking numbers,alphabet,and symbols and that is why complex password is strongly required [6]. The quicker your PC can hash passwords, the more you can crack in a given certain of time, and that results in a better chance of having of cracked passwords. We used John The Ripper because it is an open source cracking tool which is available on almost all Linux distros. However, it is not usually the best choice. John runs depending upon the CPU, but password hashing can be launched really efficiently depending upon graphics cards. Hashcat is password cracking tool that can run on graphics cards, and on the right hardware can do much better than John. Password cracking computers most of the time have number high-performance GPUs and depend on these for their rapidity . You might not find Hashcat in your distros repositories, but its downloadable on www.hashcat. net (itsfree as in zero cost, but not free as in free software) [7]. 5.1 Cracking tools and applications 5.1.1 Aircrack-ng its a free network hacking tool which include packet sniffer,detector, and various of encryption types cracker. Moreover, it includes Analysis tool that works with WLAN. In addition, this tool can sniff and monitor packets which travels from one person to another. This tool can run in a verity of platforms eg, FreeBSD, OSX, Wubdows, OpenBSD and Linux. Maemo, Zaurus and Android platforms 5.1.2 Crow bar This tool is exclusive on Linux operating systems. It is a free tool that runs a type of password cracking technique called Brute Force. It doesnt save a list of passwords, but try every possible combination of a password. this tool is supporting remote Desktop Protocol with NLA, VNC key authentication, open VPN and SSH private key authentication. 5.1.3 L0phtCrack This is a recovery password auditing app designed by Mudge. It was written to crack windows encrypted passwords. Moreover, it can crack from Primary domain controllers, and network servers or Active Directory. It also allows the user to sniff a password off the wire. This tool can go further and create many methods for guessing a password. It can work only on Microsoft Windows OS. 5.1.4 Medusa It a tool that is designed to be a strong, fast login using brute force. The purpose of this tool is to work with a lot of services remotely at the same time. That means this tool can not only brut force only one host but multiple hosts and passwords at a time. The targeted information can be registered in different methods. So each entry can be single information or file with many entries.Each mod file is for separate mod file . Meaning , this is needed for brute forcing. It is a free tool and Medusa works on Linux and MAC OS X operating systems. 5.1.5 Ophcrack This is a rainbow table that discovers passwords and crack a complex passwords. Moreover, it can crack simple passwords within minutes.In order to get the great advantage of this tool the user has to buy what is so-called rainbow tables to crack complex passwords.This tool is free runs on Linux,Microsoft Windows and MAC operating system. 5.1.6 RainBow Crack This tool is free and runs on Linux,Microsoft Windows, and MAC OS. It is specialized in hash cracking . It is a common brute force cracking tool that tries every combination of plaintext and that results in time consuming for complex passwords. It does not only crack passwords only but store the result in a library called(Rainbow tables).The brute force process takes extremely long time to be done but when using precompute tables it is one of the fastest cracking tool. 5.1.7 SolarWinds This tool works on Windows only .It is also known as FireWall Security Manager. It is the best solution for any company that needs reports and advanced management on their sensitive devices. It can be configured to allow multiple clients to be deployed at Multiple system administrators at once. It also features network discovery router password decryption , SNMP brute force cracker and TCP connection reset application. 5.1.8 THC hydra This tool is free and works on all the operating systems except MAC. This tool allows the user to remotely break into a system and crack a password using different protocols. It crack using fifty protocols. it can crack a network login. it crack the password using the dictionary or brute force attacks. It also features login brute force attack. 5.1.9 Wfuzz This is a free tool that works on Linux Windows and Mac Os. it features the following :multiple injection points capability, recrusion when doing dictionary brute force, Post headers and authentication data brute force, out put to HTML, Proxy and SOCK support. It is usually used to brute force web applications and to find user name and password [8] [9]. 6.1 Overview John the ripper is the best cracking tool ever. John the ripper comes with two versions the popular version is free and there is a pro version which is commercial version. It runs on many platforms like DOS, Unix, BeOS, Win32 and OpenVMS. It is similar to THChydra but the main difference is that Hydra is Online password cracker whereas John the ripper is offline password cracker. It is usually used by hacktivists for penetrating passwords. John the Ripper is a fast password cracker. Period. In fact, you can consider John The Ripper as the definitive password hacking tool. Johnny is a graphical interface that can replace John the ripper to simplify the cracking process instead of using the command line interface. it comes by default with kali Linux. 6.2 John the ripper features Decrypt most guessing hashes using wordlist dictionaries. Ability to specify guessing with certain letters and symbols assigned by the user without using the dictionary. Ability to decrypt more than hash at once. Automatically detect the type of the hash. Rapidly crack passwords. ability to continue guessing process that has started earlier from another device [10] [11]. 6.3 How does John the ripper work? John the ripper cracks the password in four main Modes: 6.3.1 WordList Mode Its the simplest technique that mainly allows the user to assign what is so-called word lists which is a text file includes a password in each line and some password files. Also features the ability of generating other likely password files. 6.3.2 Single Crack Mode this is the mode a user should start cracking with. It assigns the login names. Moreover, it uses GECOS which contain personal information about the user, user home dictionary, also several of rules applied. It also have got the ability to crack other password hashes if guessing is success, it would try the same password for all the hashes because more likely there will be another user with the same password. Usually the administrator should have an access to the a file which contains the users information and passwords. Finally, single mode is much faster because it cracks single password at a time. The user can also use this mode in two different files at the same time [12]. 6.3.3 External Mode To define an external cracking mode you need to create a configuration file section called [List.External:MODE], where MODE is any name that you assign to the mode. The section should contain some functions programmed in a C-like language. John will compile and use the functions if you enable this cracking mode via the command line 6.3.4 Incremental Mode. This is the most effective and powerful cracking mode. It assigns every possible combination of characters for cracking passwords . but it still have a disadvantage which is the cracking process will keep running and will never stop because the tried combination password characters are too large. there for, crackers usually limit the character combinations to lower case so, it doesnt take as much time as if its not set. It uses what is so-calledtrigraph process for example: (aa, ab,ac,etc,), (ba,bc,bd,be,baa,bba etc,) it would not miss any password combination every combination will be tried. Its main advantage is to crack a password in a limited time [11] [10]. 7.1 Brute force attack This technique of password attack That is not actually decrypt any data, but also continue trying a list of password combination eg, words, letters .A simple brute force could be dictionary of all words commn passwords. doing trying cycle until it gets the access to an account. the complex example of brute force is trying every possible combinations of numbers, letters and symbols. However, this technique is the has to be the last option for any cracker because it can take long and the bigger number of encryption (64-32-265)bit the longer time it will take for cracking. 7.2 Dictionary attack This type of password where the cracker can assume the password consisting of string of words, Years, or special number that is chosen from the dictionary. This tool has to be included with what is so-called dictionary input list. The cracker can download a big database including specific vocabularies for example, Sports, movies, and so on. 7.3 Password sniffing This technique called sniff because the the crackers have the ability to sniff the authentication packets that are travelling from the client to the server among the Internet or the local area network. This technique can provide the cracker with hashes or other authentication data necessary for cracking process. There are verity of sniffers tools such as Wireshark,ScoopLM,KerbCrack. The NTLNv2 authentication traffic cannot be sniffed neither by ScoopLM nor Kerbcrack. 7.4 Password capturing Alot of crackers get passwords easily by launching a keyboard sniffing Trojan horse or buying a physical keyboard logging device.According to many reports 82% of the most widely used viruses steal critical data.Most of them sniff passwords. Less than a $100 anyone can get key logging device which is very small and can simply fit between the keyboard and the computers keyboard port. Its also extremely easy to sniff password even from wireless keyboards [13]. To conclude, First, There are verity of applications and tools that you could crack any password. Second, protecting your password requires using strong password. Moreover, there is nothing called uncrackable password its just a matter of time and resources. Finally, the only thing you can do is using strong password and keep changing your password from time to time. [1]M. Tokutomi and S. Martin, Password Cracking. [2]Chit Ko Ko Win, Password management for you, 08:57:17 UTC. [3]D. Bisson, Cracked Ashley Madison passwords consistent with years of poor security, Graham Cluley, 16-Sep-2015. . [4]The science of password selection, Troy Hunt, 17-Jul-2011. [Online]. Available: https://www.troyhunt.com/science-of-password-selection/. [Accessed: 16-Feb-2017]. [5]jsheehan2014, Choosing a Password: Needle in a Haystack, MACED Tech Resource, 15-May-2015. . [6]How Long Would it Take to Crack Your Password? Find Out! Randomize, Random ize. [Online]. Available: http://random-ize.com/how-long-to-hack-pass/. [Accessed: 15-Feb-2017]. [7]B. Evard, JOHN THE RIPPER, linuxvoice, 2015. [Online]. Available: https://www.linuxvoice.com/issues/008/john.pdf. [Accessed: 13-Feb-2017]. [8]Wfuzz, Concise Courses. . [9]10 Most Popular Password Cracking Tools, InfoSec Resources, 27-Dec-2016. [Online]. Available: http://resources.infosecinstitute.com/10-popular-password-cracking-tools/. [Accessed: 27-Feb-2017]. [10]ports, John the Ripper, 18-Feb-2014. [Online]. Available: http://tools.kali.org/password-attacks/john. [Accessed: 19-Feb-2017]. [11]John the Ripper cracking modes, openwall. [Online]. Available: http://www.openwall.com/john/doc/MODES.shtml. [Accessed: 20-Feb-2017]. [12]passwords What exactly is single mode in John the Ripper doing?, Information Security Stack Exchange, 2014. [Online]. Available: https://security.stackexchange.com/questions/37072/what-exactly-is-single-mode-in-john-the-ripper-doing. [Accessed: 20-Feb-2017]. [13]Types of Password Attacks, windowsitpro, 30-Jan-2006. [Online]. Available: http://windowsitpro.com/security/types-password-attacks. [Accessed: 02-Mar-2017].

Pepsi Refresh Analysis Essay

A Thirst for Change For decades, PepsiCo beverages have had success in capturing much market share of the soft drink industry through fascinating advertising campaigns. Their campaigns revolved around the idea that Pepsi was a drink for the young and young at heart. The advertisements were filled with optimism and aimed to bring people together in some way. At the turn of the twenty-first century, Pepsi was challenged with the fact that people were simply drinking less soda to switch to healthier options. In response to the issue, Pepsi began to expand its product portfolio by including healthier alternatives to the sugar-filled soft drink. Although it was a good attempt to conform to the more health-conscious world, this new focus hindered the attention that was given to their money-making products. Pepsi knew they had to appeal to their audience as more than just a soft drink brand. The problem was how do to so. They began to follow the sentiments of the country and focus on making a change for the better of society. First they launched the Refresh Everything campaign, which gave Pepsi a voice and then the Pepsi Refresh Project, which put that voice to action. The project, which aimed to increase brand equity, earned them an award at the International Advertising Awards but failed to increase sales or market share. Even though the project was successful it was not selling product, which in the end was the main goal. The Pepsi Refresh Project took advantage of one of the company’s best strengths, brand awareness. People knew about Pepsi and were interested in what they were doing to better the society around them. Pepsi saw this new project as an opportunity to establish a point of difference from their biggest competitor, Coca-Cola. They believed that the new socially conscious America was a threat to their industry and had to combat the issue by giving in and helping out. Through social-media and traditional promotion as well as various public relations, Pepsi was able to generate 3. 24 billion media impressions, estimated to be worth $66 million in earned media value, with the Pepsi Refresh Project. Because much of their promotion was done through social networking, Pepsi added 3 million Facebook fans and 53,000 Twitter followers. They also advertised via commercials on NBC, ABC, Fox, MTV, Spike, and ESPN and had print ads in People and Parade magazines. For public relations, they encouraged celebrities to participate in the program and offered grants to help their cause. Even with all of the success in participation of the program, the numbers that really mattered were not increasing. Pepsi sales dropped 4. 8% while market share also decreased. Ultimately, Pepsi believed that long-term brand equity was gained but was unsure whether to continue the project. They could not go another year spending the same amount of money on the Pepsi Refresh Project without their sales increasing. In my opinion, Pepsi broadened the way people think about them as a company and for that, the project was a success. I do not think that continuing this project would be beneficial and they should lend their focus to creating a campaign that drives sales now that they have an even stronger brand equity and awareness.

Limited Use of Cell Phones

Argumentative essay Mobile cell phones should be limited in certain schools Mobile phones can be an issue in certain schools. Mobile phones should be banned in elementary and middle schools. However, phones during class in high school and college should be up to the teacher, whether or not to have them. As youths get older, they become more responsible on how they use their phones. Elementary  schools  shouldn’t  have  phones'  period. The  kids  shouldn’t  have  a  phone  that  young. They  don’t  need  it  for  many  reasons. Parents  know  where  they  are  any  ways. There  is  always  an  adult  around. In  case  of  an  emergency,  the  school  can  contact  the  parents.There  is  also  a  phone  in  the  office  and  every  classroom. Kids  that  young  are  easily  distracted  and  those  having  a  phone  will  make  it  worse. I f  they  have  a  phone,  they  won’t  do  their  class  work  or  homework. They  are  not  as  social  because  they  are  too  distracted  with  the  latest  Smartphone. Kids wouldn’t have as much fun with their friends that are over. They would be too involved in looking at their cell phones. Having  a  cell  phone  when  in  elementary  school  can  help  when  kids  are  walking  home  from  school. If  the  kids  don’t  answer  the  house  phone  when  they  are  home,  they  are  more  likely  to  answer  their  cell  phones.If  they  are  outside,  and  their  parents  try  to  call  they  won’t  hear  the  house  phone. Kids  won’t  bring  out  the  house  phone;  however,  will  bring  their  own  cell  phone. On  the  other  hand,  say  that  a  gr oup  of  5th  graders  are  walking  to  get  a  drink  from  sonic  or  7-elven they have something in case one of the parents wants to text them to see where they are. Middle schools should have phones either during school hours. Middle schoolers can be a little active. When you have a cell phone, they are more likely to cheat during a test. The students are more probable to text parents to get them out of a test or quiz.They are more likely to get into trouble. During class, they could be internet surfing and texting. They also could make wrong calls to authorities. Making an artificial call to authorities can make what you did a lot worse. Some parents think that schools should let students have their phones in use during school. They are a little more independent. They will always change their mind of what they are doing. If they have a parent pick them up, and they do an activity after school, and that activity gets canceled for some reason, the kids have to let the parents know.If a shooting happens during school hours, and the kids made it out, that would be a comfortable thing to do is to let the parents know. However, if they are stick in a classroom for a school shooting, it’s an easy way to text the parents to let them know that they kids are okay. Thankfully, the Deer Creek Middle school shooting happened after school hours, and almost everyone got away safely. The Deer Creek shooting was probably one of the things that scared me. I knew a lot of people that went to the school at the time. A gentleman came to the school grounds and started to shoot as students were leaving to head home.The shooter had gone to the school before to look around. He shot a girl in the arm and a boy in the chest. None of the students died. Students were either already on the bus, walking or getting picked up by a parent. Many students ran to Stony Creek, a nearby elementary school, to get away. Some of the students managed to jump into some strangers’ cars as well. Dr. Benke, a math teacher who was on bus duty, managed to get him onto the ground without getting more rounds off. Students who had phones were able to text friends to see if they were okay and to text parents. High school can be like college.The school should let the teachers pick if students are allowed to have phones or not. Students in high school are a little more responsible. The students know what is wrong and right. Students in high school are a little more responsible. If they really need to use their phones, they will go out into the hallways. For example if they needed to call their parents or any relative, for some reason. Most students are good about not using their phones during tests. Some classes do have some days where they need to look things up and that is where the smart phones come in handy.For example, if you are taking a foreign language class and need to look it up, you have the phone to look it up. That is if the teacher is busy and you can find it in the book. If they teachers don’t say anything about phones they can’t get mad at the students. Cell  phones  should  be  very  limited  in  high  school  but  not  as  strict  as  middle  school. For example,  they  should  be  allowed  during  passing  period  and  lunch  but  not  classes. Phones  should  be  turned  in  when  they  are  taking  a  test  or  quiz. Students  are  allowed  to  get  it  after  everyone  is  done.If  they  have  their  phones  out  the  students  can  take  a  picture  of  it  and  send  it  to  other  students  as  well  as  looking  up  answers. Students could also not pay attention to something that they need to know for college or their career path. They won’t focus on what is really important. Cell phones already take over so much of student’s l ives. College is a big campus to control, that’s why teachers should be allowed to pick whether or not to have cell phones in their classrooms. The president of the university can tell the teachers, that cell aren’t allowed. The students are old enough not to use phones in class.Nevertheless, there are certain times during class that it is appropriate time to use a phone. If a teacher has a more than 30 students, it is hard to see who has a phone or not. Students who are in a class that is not allowed to use a cell phone, may still try to sink using their phone. Many people can be split on phones in class in college. Ages in college, especially at Metro vary. Students who are older may have kids and need to be in contact with their kids. If they have later classes between one and three they may have their kid’s text them to let them know that they are home or got over to a friend’s house.As you go up in education the more it will change. Plus, the more yo u have to be responsible for yourself and your actions. Anyone having a cell phone can make you want and not want to do things that you normally do or not do. Students are more likely to use their phones during school than outside of school. With my own experience I’ve noticed that I would use my phone more during class than when I’m out of class. That’s why it should be limited in schools. Like being banned in elementary and middle schools and then having

The Definition of Market and Some Marketing Resources

A market is any place where sellers of particular goods or services can meet with buyers of those goods and services. It creates the potential for a transaction to take place. The buyers must have something they can offer in exchange for the product to create a successful transaction.   There are two main types of markets  Ã¢â‚¬â€œ markets for goods and services and markets for the factors of production. Markets can be classified as perfectly competitive, imperfectly competitive or monopolies, depending on their features. Terms Related to Market A  free market economy  is dictated by supply and demand. Free refers to the lack of governmental control over price and production.   Market failure occurs when an imbalance exists between supply and demand. More of a product is produced than is demanded, or more of a product is demanded than is produced.   A complete market is one that has components in place to address virtually any eventual circumstance.   Resources on Market   Here are a few starting points for research on market if youre writing a term paper or maybe just trying to educate yourself because youre contemplating launching a business.   Good books on the subject include the  Dictionary of Free-Market Economics,  by Fred E. Foldvary. It is literally a dictionary encompassing just about any term you might encounter dealing with free market economics.   Man, Economy, and State with Power and Market  is by Murray N. Rothbard. Its actually two works gathered in one tome explaining Austrian economic theory.   Democracy and the Market  by Adam  Przeworski  discusses economic rationality as it relates to and interacts with democracy. Journal articles on market that you may find enlightening and useful include  The Econometrics of Financial Markets,  The Market for Lemons: Quality Uncertainty  and the Market Mechanism, and  Capital Asset Prices: A Theory of Market Equilibrium under Conditions of Risk. The first is offered by Cambridge University Press and was  written by three economics scholars to address empirical finance.   The Market for Lemons  is written by  George A. Akerlof  and is available on the JSTOR website. As the title implies, this paper discusses the various rewards for sellers who produce and market merchandise and products that are, quite simply, of poor quality. One might  think manufacturers would avoid this like the plague ... but maybe not.   Capital Asset Prices is also available from JSTOR, initially published in the Journal of Finance in September 1964. But its theories and principles have stood the test of time. It discusses the challenges inherent in being able to predict capital markets. Admittedly, some of these works are very highbrow and may be difficult for those just wading into the area of economics, finance, and market to digest. If youd like to get your feet a little wet first, here are some offerings from ThoughtCo. to explain some of these theories and principles in plain English like how markets use information to set prices, the role of the market, and the effects of a black market using supply and demand. Sources Foldvary, Fred E. Dictionary of Free-Market Economics. Hardcover, Edward Elgar Pub, December 1, 1998. Murray N. Rothbard, Man, Economy, and State with Power and Market, Scholars Edition. Joseph T. Salerno (Introduction), Paperback, 2nd edition, Ludwig von Mises Institute, May 4, 2011. Przeworski. Democracy and the Market. Studies in Rationality and Social Change, Cambridge University Press, July 26, 1991.