Ethical Hacking 简明教程

Ethical Hacking - Password Hacking

我们有用于电子邮件、数据库、计算机系统、服务器、银行账户和我们想要保护的几乎所有内容的密码。密码通常是进入系统或帐户的密钥。

We have passwords for emails, databases, computer systems, servers, bank accounts, and virtually everything that we want to protect. Passwords are in general the keys to get access into a system or an account.

通常情况下,人们倾向于设置易于记住的密码,例如他们的出生日期、家人的名字、手机号码等。这正是导致密码薄弱且容易被黑客攻击的原因。

In general, people tend to set passwords that are easy to remember, such as their date of birth, names of family members, mobile numbers, etc. This is what makes the passwords weak and prone to easy hacking.

人们应该始终注意使用强密码来保护他们的帐户免受潜在黑客的攻击。强密码具有以下属性:−

One should always take care to have a strong password to defend their accounts from potential hackers. A strong password has the following attributes −

  1. Contains at least 8 characters.

  2. A mix of letters, numbers, and special characters.

  3. A combination of small and capital letters.

Dictionary Attack

在字典攻击中,黑客使用词典中预定义的单词列表来尝试猜测密码。如果设置的密码较弱,则字典攻击可以非常快速地对其进行解码。

In a dictionary attack, the hacker uses a predefined list of words from a dictionary to try and guess the password. If the set password is weak, then a dictionary attack can decode it quite fast.

Hydra 是一个流行的工具,被广泛用于字典攻击。请看以下屏幕截图,了解我们如何使用 Hydra 来找出 FTP 服务的密码。

Hydra is a popular tool that is widely used for dictionary attacks. Take a look at the following screenshot and observe how we have used Hydra to find out the password of an FTP service.

dictionary attack

Hybrid Dictionary Attack

混合字典攻击使用字典单词集与扩展名组合。例如,我们有单词“admin”,并将其与数字扩展名(例如“admin123”、“admin147”等)组合在一起。

Hybrid dictionary attack uses a set of dictionary words combined with extensions. For example, we have the word “admin” and combine it with number extensions such as “admin123”, “admin147”, etc.

Crunch 是一个单词列表生成器,您可以在其中指定标准字符集或字符集。 Crunch 可以生成所有可能的组合和排列。此工具与 Linux 的 Kali 发行版捆绑在一起。

Crunch is a wordlist generator where you can specify a standard character set or a character set. Crunch can generate all possible combinations and permutations. This tool comes bundled with the Kali distribution of Linux.

hybrid attack

Brute-Force Attack

在暴力攻击中,黑客使用字母、数字、特殊字符、小写字母和大写字母的所有可能组合来破解密码。这种类型的攻击成功的可能性很高,但需要大量的时间来处理所有组合。暴力攻击速度很慢,黑客可能需要一个具有高处理能力的系统来更快地执行所有这些排列和组合。

In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and small and capital letters to break the password. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. A brute-force attack is slow and the hacker might require a system with high processing power to perform all those permutations and combinations faster.

John the RipperJohnny 是设置暴力攻击的强大工具之一,它与 Linux 的 Kali 发行版捆绑在一起。

John the Ripper or Johnny is one of the powerful tools to set a brute-force attack and it comes bundled with the Kali distribution of Linux.

brute force

Rainbow Tables

彩虹表包含一组预定义且已散列的密码。它是一个查找表,尤其用于从密码文本中恢复明文密码。在密码恢复过程中,它只需查看预先计算的散列表即可破解密码。这些表可从 http://project-rainbowcrack.com/table.htm 下载

A rainbow table contains a set of predefined passwords that are hashed. It is a lookup table used especially in recovering plain passwords from a cipher text. During the process of password recovery, it just looks at the pre-calculated hash table to crack the password. The tables can be downloaded from http://project-rainbowcrack.com/table.htm

RainbowCrack 1.6.1 是使用彩虹表的工具。它可在 Kali 发行版中再次使用。

RainbowCrack 1.6.1 is the tool to use the rainbow tables. It is available again in Kali distribution.

rainbow table

Quick Tips

  1. Don’t note down the passwords anywhere, just memorize them.

  2. Set strong passwords that are difficult to crack.

  3. Use a combination of alphabets, digits, symbols, and capital and small letters.

  4. Don’t set passwords that are similar to their usernames.