
Password Theft Cyber Attack

Advanced Network Security

By

Engr.Sidra Mudassar

Submitted To:

Dr. Osama Rehman

BAHRIA UNIVERSITY KARACHI CAMPUS

Department of Software Engineering


TABLE OF CONTENTS

Contents
CHAPTER 1
INTRODUCTION
1.1 BACKGROUND
1.2 Characteristics
1.3 Attack mechanism
1.3.1 Brute force attack
1.3.4 Shoulder Surfing
1.3.5 Key logger Attack
1.3.6 Replay Attack
1.3.7 SQL Injection Attack
Password theft on OSI Layer
2.1 Black-hole attack
2.2 Brute Force Attack Patterns in IoT Network
2.3 MitM in Password Reset Process
2.3.1 Challenges in password reset MitM attack
2.3.2 Password reset link on the user registered email
2.3.2 Changing of Geo Location
2.4 Keylogger Application to Monitoring Users Activity with Exact String Matching Algorithm
Solutions to Password Attack
3.1 Time delays approach between keystroke
3.2 IMAGE BASED PASSWORD TECHNIQUES
3.2.1 Pass-point Scheme
3.2.2 Cued Click Point scheme
3.3 Virtual Passwords
3.3.1 Virtual Password
3.3.2 Differentiated Security via a VPF
3.3.3 User Specified Programs/Functions
3.3.4 Codebook
REFERENCE

LIST OF FIGURES

Figure 2-1 Black hole Attack
Figure 2-2 brute force attack
Figure 2-3 PRMitM Attack
Figure 2-4 Key Logger Attack
Figure 3-1 Time delay flow chart

CHAPTER 1

INTRODUCTION
1.1 BACKGROUND
In this era everyone is connected to the digital world through the internet, and computer systems
have to protect themselves from malicious code and attacks, which are now very common for
everyone connected to the internet. Ordinary people widely use the Local Area Network, which is
also known as internet network or LAN. So nowadays it is easy for hackers to steal users'
credentials, private data and banking details through cyber-attacks. Dictionary-based passwords
are the most commonly used identification for a person to gain access to a system, and they are
not secure enough. These identification methods are not secure enough because they are library
based, in other words human generated, which makes them easy to guess and crack. Computer/system
generated passwords are a bit stronger than human generated passwords, but they are difficult to
memorize. Nowadays there are many ways to steal a user's confidential information, banking
details, passwords, etc.

A dictionary attack is one of the basic types of attack, in which a dictionary made up of
commonly used passwords is used to crack the user's password. A network-connected system can
also be the victim of a Denial of Service attack, also known as a DoS attack. Today there are
still plenty of websites based on the Hyper Text Transfer Protocol (HTTP). HTTP is not secure
enough, and HTTP websites are mostly the targets of new attackers/hackers; this type of
authentication attack is known as an HTTP attack. The purpose of describing these few basic
attacks is to make users aware that on the internet it is very difficult to keep data and
credentials safe.

1.2 Characteristics
The password is the main entry point of an application and the gate pass into its environment.
Password theft is the most common topic in cyber-attacks. IT companies are spending millions of
dollars on research to keep users' credentials safe and secure from hackers. Facebook is an
example: it keeps updating its structure and policies in order to keep user accounts safe. It
has introduced two-factor authentication, in which the user has to enter the password and also
verify himself/herself through a telecom message sent by Facebook, and it is updating its system
day by day. [1]

1.3 Attack mechanism:

As the internet grows around the globe, a wide range of people are connected to it. On the
internet a password is the protected key that defends a user's confidential details. In numerous
computing applications, including ATM machines, Windows login, mobile etc., the password plays a
vital role in keeping the user's sensitive data secure. Password attacks breach this security.
Passwords are necessary, but they are still considered unsafe for providing security to users
because of various flaws in conventional password systems. A large number of password-related
attacks have been identified on various systems [2].
In order to prevent these password attacks it is important to study their attack mechanisms.
Different password attack mechanisms are discussed below.

1.3.1 Brute force attack:


Brute force attacks are used to guess the user's password by trying combinations based on the
number of words in the password. They take a very long time: to crack one password of 6 words
the attack will try about 1 million combinations, so they are not recommended because they
consume so much time. On the other hand, brute force is very powerful and widely used to crack
4-digit numeric PINs because they are short.

1.3.2 Dictionary Attack:

The dictionary is made up of the most commonly used passwords, and it may contain the password
of a user who chooses common and easy words. The dictionary is built by the attackers, who
attack the system with these commonly used passwords to steal the user's data. That is why it is
recommended to include alphanumeric words with special characters to make the password stronger.
A dictionary attack is comparatively much faster than a brute force attack, but it has some
limitations: the word list is limited, so it may fail to obtain the user's password when that
password is not in the dictionary. Most people use a country name, city name, familiar things or
their favorite actors, which are easily guessable, and these types of password may fall victim
to a dictionary attack [3].

1.3.3 Phishing Attack.

Phishing traps users by making them believe that what they see is real when it may be a trap set
by a hacker to steal passwords. Phishing is an online, web-dependent attack which takes the user
to a fake website that looks like the real login platform. Attackers mostly use fake/dummy pages
of famous social platforms and various email platforms; they redirect the victims to these
dummy pages and ask for the user's credentials. When the user enters the password it is sent to
the hacker's desired location. Sometimes it is very difficult for the user to tell that the page
he is visiting is fake or may lead to the loss of his credentials. After getting the credentials,
the hackers redirect the user to the original website, so the user does not even feel that
something has happened, and the attacker then easily uses the victim's entered password to log
in to his/her private space.

1.3.4 Shoulder Surfing.


The shoulder surfing attack is also known as "spying". In this type of attack the hacker
observes the victim's movements to steal the password. The hacker notices how the victim types
the password, observing how many characters the victim entered and which keys were pressed to
unlock the system. There are a number of methods of spying: watching through binoculars to see
which keys have been pressed; listening to how many keys are pressed, so that the attacker can
then decode the password by brute force or dictionary; and spying through CCTV, a technique
normally planted at ATMs, which skimmers use to load their empty card with the victim's
debit/credit card. [4]

1.3.5 Key logger Attack.


The word key logger expresses that it maintains a log of every key. A keylogger is computer
software used to trace every single key pressed by the victim; the recorded data is then refined
into meaningful information and the user's credentials. In this type of attack the user is
unaware that what he/she is pressing/typing is being recorded and is not safe. In the real world
Internet café users are mostly the victims of keylogger attacks. In this attack the hacker
installs the keylogger on the victim's computer, or traps the victim with fake offers to install
the software, which people normally install by clicking fake links. The keylogger sends the log
file containing the user's typing activity through cloud or email to the hacker's desired
address, where it is used to steal his/her password. [5]

1.3.6 Replay Attack:


A replay attack is based on the authentication mechanism: the hacker types the victim's name,
and when the system goes to verify the victim, the device that gets the data transmits the
challenge to the sender's location [6].

1.3.7 SQL Injection Attack


In this type of attack the hacker injects SQL statements into the victim's system, modifying the
system's existing SQL queries with his own statements, so that the data goes directly to the
hacker's desired location. It is a very common attack, which is why inline queries are
prohibited when developing/writing code: inline queries can easily be modified by an SQL
injection attack [7].
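
The difference between an inline query and a parameterized one can be seen in the following added example (not part of the original report). The table, column names and sample values are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_inline(conn, name, pw_hash):
    """Inline query: user input becomes part of the SQL text itself."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, name, pw_hash):
    """Parameterized query: input is bound as data and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return sorted(row[0] for row in conn.execute(query, (name, pw_hash)))


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that contains SQL syntax
    # Inline: the WHERE clause is rewritten by the input and matches every row.
    print("inline:       ", login_inline(db, "alice", crafted))
    # Parameterized: the same input is compared as a literal string, no match.
    print("parameterized:", login_parameterized(db, "alice", crafted))
```
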
CHAPTER 2

Password theft on OSI Layer:


These are the attacks which affect systems and breach the security of passwords.

2.1 Black-hole attack
This research is based on password vulnerabilities which are length related, and introduces the
mechanism by which hackers trap users over the internet and seize their account details.
Furthermore, this research suggests improved processes which are essential in preventing various
types of attack, such as the seizing of a user account by a hacker.

The number of users on the internet is increasing rapidly day by day, and according to the
research most people use the same ID and password on various platforms such as shopping sites
and social sites. So if a hacker gets one password, he may be able to access other popular
platforms with the same stolen credentials. This research also describes password weaknesses and
the techniques used to steal password information using phishing sites, and also to get the
user's password across the session layer.

Phishing sites are dummy sites that look like the original page and ask users for their
credentials; when the user enters his/her credentials they go directly to the hacker's
destination. Similar to phishing there is an attack named pharming, which is used to steal the
financial information of users after infecting the user's system with malicious code. The
success rate of pharming is higher than that of phishing.

A honeypot is a system made to prevent a hacker's subsequent attacks. A honeypot presents a
system as if it contained information that is attractive to the hacker. It is basically used to
track the hacker's pattern of attacks. It attacks through the session layer, application layer
and network layer.

In the Black-hole attack method, the user tries to log in to a website and fails, and then
repeatedly tries the other passwords that come to mind without resetting the password through
the forgot-password option. By using this mechanism in reverse, the hacker can easily seize the
user's credentials. The scenario of the Black-hole attack is pictured below: the client accesses
a honeypot that he/she did not intend to, and his/her account credentials are stolen due to a
virus/malicious code.

Figure 2-1 Black hole Attack

As systems with higher processing speed come onto the market day by day, the use of varied
characters, extended words and secure hash functions for credentials is essential to strengthen
the authentication of websites [8].

2.2 Brute Force Attack Patterns in IoT Network


Brute force malware attacks the FTP server of an IoT network to gain escalated privileged access
in the IoT environment.

The strength of BFAs is the insertion of characters that may guess the password, which the
attacker's machine obtains remotely. BFAs are classified into two attacks, insider and outsider;
these two attacks are explained in Figure 1. BFAs have the real-time capability to deduce the
right passwords on FTP servers. Several types of insider attack are possible, among them the man
in the middle attack, the bring your own device (BYOD) attack, malware, device/physical data
theft, and sabotage.

(a) An insider attacker is usually perceived as a legitimate user of the organization. An
insider attack takes limited access to some services without additional coverings on different
service packages, and also differs from inbound packages from outside the network, which are
closely scrutinized by filters with multiple DMZ services.

(b) An insider attack on IoT is multiform and poses numerous problems connected to malicious and
accidental security incidents stemming from outsources and employees.

(c) When the attacker is an insider, they have detailed knowledge of technical matters such as
the network's backbone, IP address allocations, the virtual local area network (VLAN), the
service clustering application, and the IT staff members who monitor the network [2].

Figure 2-2 brute force attack

Password elements, including the existence of digits, length, upper-case, or non-alphanumeric
characters, can be used to estimate the "strength" of a password [9].

2.3 MitM in Password Reset Process.

MitM is the short form of Man in the Middle. This section describes how it is used to get the
victim's credentials through password resetting; the attack falls on the application side. The
hacker starts by launching the password reset process through the website and sends all the
challenges to the user; in this way the hacker gets the victim's credentials without the victim
even realizing that anything has happened.

2.3.1 Challenges in password reset MitM attack

In a MitM attack the hacker faces many difficulties during the attack, a few of which are listed
below.

2.3.1.1 Challenges in CAPTCHA


CAPTCHA prevents the attacker from performing the attack through bots. Bots automatically
perform continuous attacks on a system, which is why CAPTCHA is used to verify whether the
requester is a human or a bot.

2.3.1.2 Security Question


During signup the user sets a security question, which is later used in password resetting.
These security questions are based on memorable facts such as city of birth, favorite teacher,
childhood friend etc.

2.3.1.3 Security code on cellular network through SMS/System Call.


In order to authenticate the user, the system sends a 4, 6 or 8 digit numeric code through SMS
or through a system generated voice message to the number the user provided. When the user
requests the forgot-password option, the system sends the code, or calls the user provided
number and reads the security code in a system generated voice message, to verify the user.

2.3.2 Password reset link on the user registered email


Sending the password reset link to the registered email is the most common and widely used
method for resetting the password. The hacker faces challenges in getting that reset link, but
if the hacker has access to the victim's email then he can easily bar the victim from accessing
that system by resetting the password through email. If the user's email address is at risk,
then all accounts associated with that email are at a high level of risk.
2.3.2 Changing of Geo Location
Nowadays the world is moving fast with technology. Systems being developed are smart enough to
trace the daily login activity of the user. When a user enters a correct ID/password but from a
region/location from which he has never logged in before, the system will not allow the user in
until he proves his/her identity. This basically works on the change of the system's IP
location. If someone tries to log in from a different location, the system sends an alert to the
user by Email/SMS [10].

Figure 2-3 PRMitM Attack


2.4 Keylogger Application to Monitoring Users Activity with Exact String Matching
Algorithm
Comparing the values entered on the keyboard with the input received from the keyboard is known
as the exact string matching algorithm in a keylogger. Put simply, the word entered by the user
is first converted into ASCII form and then matched against the ASCII codes present in the
keylogger; if the character is found, it is converted into a letter. This was examined in
practice through an application developed in C# for Windows 8.1.


Figure 2-4 Key Logger Attack


CHAPTER 3

Solutions to Password Attack:

These are the solutions for securing a password and maintaining the security of passwords.

3.1 Time delays approach between keystroke:

A password can be secured against cyber-attacks by using time delays between keystrokes. This
new mechanism strengthens the password by inserting time delays in between the typing of the
password during signup; for the sign-in process you must not only enter the correct password but
also give the delays at the right positions while entering it. If a user provides the real
password at sign-in without giving the proper time delays in the right order, it will be
rejected. The mechanism was tested in a laboratory.

This mechanism is not like Keystroke Dynamics. KD (keystroke dynamics) is just delay information
which measures an individual's rhythm and manner while typing on the keyboard.

By following this approach a user can have a secure password by adding time delays while typing
the password in the right way. The user highlights the time-delayed positions during the sign-up
process; this is what we can call the "adopted keystroke pattern". The user should enter the
right password and give longer time delays at the precise positions than the gaps between the
remaining characters of the password. The main point is not to enter the password in rhythm. If
the user's time delays are not at the correct positions, sign-in fails. The user can only log in
when he/she knows how much time delay to give while entering the password: if the password is
typed with the correct time delays after specific characters the login succeeds, otherwise it
fails. The whole mechanism was tested in a laboratory through a VB application, and a pictorial
representation of the whole mechanism is given in the figure below.

Figure 3-1 Time delay flow chart.

To achieve the goals of the mechanism, an algorithm was used which is based on sorting the time
gaps and calculating the differences between the time gaps in milliseconds. This mechanism is
very important for organizations that hold confidential data and are concerned about password
theft. Through this approach the system is more secure: even if someone knows your password,
he/she cannot log in to the system [11].
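
One way such a check could be implemented is sketched in the following added example (not code from the original report or from the cited paper). The record layout, the 250 ms separation threshold and the helper names are assumptions made for illustration; timestamps are key-press times in milliseconds.

```python
import hashlib
import hmac
import os

MIN_MARGIN_MS = 250  # assumed gap separating a deliberate pause from normal typing


def gaps_ms(key_times_ms):
    """Inter-keystroke gaps; gap i is the pause between character i and i + 1."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]


def delayed_positions(key_times_ms, count):
    """Sort the gaps and return the `count` longest ones as a set of positions.

    Returns None when the timestamps go backwards or when the shortest
    deliberate pause is not clearly longer than the longest ordinary gap.
    """
    gaps = gaps_ms(key_times_ms)
    if count > len(gaps) or any(g < 0 for g in gaps):
        return None
    ranked = sorted(range(len(gaps)), key=lambda i: gaps[i], reverse=True)
    if 0 < count < len(gaps):
        margin = gaps[ranked[count - 1]] - gaps[ranked[count]]
        if margin < MIN_MARGIN_MS:
            return None  # typed in rhythm: no distinguishable pauses
    return frozenset(ranked[:count])


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password, positions):
    """Sign-up: store a salted hash plus the pause positions the user marked."""
    n_gaps = len(password) - 1
    positions = frozenset(positions)
    if not positions or len(positions) >= n_gaps:
        raise ValueError("mark at least one pause and leave some gaps ordinary")
    if not all(0 <= p < n_gaps for p in positions):
        raise ValueError("pause position outside the password")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "positions": positions}


def verify(record, typed, key_times_ms):
    """Sign-in succeeds only with the right password AND the right pause pattern."""
    password_ok = hmac.compare_digest(_hash(typed, record["salt"]), record["hash"])
    if len(key_times_ms) != len(typed):
        return False
    observed = delayed_positions(key_times_ms, len(record["positions"]))
    return password_ok and observed == record["positions"]


if __name__ == "__main__":
    rec = enroll("s3cret", {1, 3})  # pauses after the 2nd and 4th character
    good = [0, 120, 900, 1010, 1850, 1960]    # constructed timestamps
    rhythmic = [0, 120, 240, 360, 480, 600]   # right password, no pauses
    print(verify(rec, "s3cret", good), verify(rec, "s3cret", rhythmic))
```
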

3.2 IMAGE BASED PASSWORD TECHNIQUES:

Two graphical password strategies are:

1. Pass-point Scheme
2. Cued click point Scheme

3.2.1 Pass-point Scheme:
In this scheme the password is a series of five unrelated click points contained in a particular
image. To create a password, the user chooses any five pixels of the image, in a series, as
click points on that image. When the user wants to log in to the system, he enters the same
series of clicks on the five pixels of the same image to get access to the system.

3.2.2 Cued Click Point scheme


The Cued Click Point scheme was designed to reduce patterns and the usefulness of hotspots for
attackers. Instead of selecting 5 click-points on one image, the CCP technique uses one
click-point on each of five different images. After one click, the second image in the sequence
is based on the position of the first entered click-point; this makes a series through an image
sequence. One of the best points of Cued Click Point is that it shows authentication failure
only after the final click-point has been clicked, to protect against guessing attacks [12].

3.3 Virtual Passwords:

Differentiated Virtual Passwords, Secret Little Functions, and Codebooks for Protecting Users
from Password Theft

This research describes how to stop a user's password from being stolen in the online world and
at ATMs (automated teller machines). It describes the differentiated virtual password mechanism,
in which the user is free to choose a virtual password scheme ranging from low security to high
security. A virtual password needs a very small amount of human computing in order to make the
user's password more secure. The schemes include the traditional password scheme, which is also
called the default method, system recommended functions, user specified functions, user
specified programs etc. Implementing the virtual password concept through programs/functions
requires a small amount of human computing and is not very hard to achieve. Furthermore, the
paper adopts secret little functions, which play an important role in enhancing security by
hiding secret algorithms/functions.

The virtual password mechanism contains functions which further include two schemes known as
codebook and reference switching functions. The objective is to write a function which achieves
both 1. computational ease and 2. security, keeping the function simple and secure.

The function/program is used to implement the virtual password concept with a tradeoff between
security and complexity, and requires a small amount of human computing. However, since
simplicity and security conflict with each other, it is difficult to achieve both. We further
proposed several functions serving as system recommended functions and provided a security
analysis. We analyzed how the proposed schemes defend against phishing, keylogger, shoulder
surfing attacks, and multiple attacks. In user specified functions, we adopted secret little
functions, in which security is enhanced by hiding secret functions/algorithms. In conclusion,
user defined functions (secret little functions) are better. We believe that for some important
accounts, such as bank accounts, some users would like to spend a little more human computing
time to make them more secure, especially when using a computer in an environment such as the
Internet café.

3.3.1 Virtual Password


A virtual password is a dynamically generated password which is different each time it is
generated from the virtual password scheme; after submission it is authenticated by the server.

V = Fh(X, R), or Fh(Xi, Ri) = Vi, is the equation used by the server to authenticate the user.
F is an injective function. If F is not injective, the server may have to authenticate the user
by first finding the record in the database on the basis of the ID, then computing V and
matching it with the user's provided ID.
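
The exchange can be sketched as follows, in an added example that is not code from the original report or the cited paper. It assumes X is the user's fixed PIN, R is a fresh random challenge issued by the server, and F is a hypothetical digit-wise function with a secret constant a; the class and function names are illustrative.

```python
import hmac
import secrets


def vpf(x_digits, r_digits, a):
    """Hypothetical VPF: V_i = (X_i + R_i + a) mod 10, easy to compute by hand.

    For a fixed R this maps distinct X to distinct V (injective). It is only
    an illustration: anyone who sees both R and V learns (X_i + a) mod 10.
    """
    return [(x + r + a) % 10 for x, r in zip(x_digits, r_digits)]


class VirtualPasswordServer:
    def __init__(self):
        self._users = {}    # user id -> (X as a digit list, secret constant a)
        self._pending = {}  # user id -> outstanding random challenge R

    def register(self, user_id, pin, a):
        if not (pin.isascii() and pin.isdigit()) or not 0 <= a <= 9:
            raise ValueError("pin must be ASCII digits and a must be 0..9")
        self._users[user_id] = ([int(c) for c in pin], a)

    def challenge(self, user_id):
        """Issue a fresh R; it replaces any earlier unanswered challenge."""
        x, _ = self._users[user_id]
        r = [secrets.randbelow(10) for _ in x]
        self._pending[user_id] = r
        return list(r)

    def verify(self, user_id, v_digits):
        """Look up the record by ID, recompute V = F(X, R) and compare."""
        r = self._pending.pop(user_id, None)  # each R is single use
        if r is None or user_id not in self._users:
            return False
        x, a = self._users[user_id]
        expected = vpf(x, r, a)
        if len(v_digits) != len(expected):
            return False
        if not all(isinstance(d, int) and 0 <= d <= 9 for d in v_digits):
            return False
        return hmac.compare_digest(bytes(expected), bytes(v_digits))


if __name__ == "__main__":
    server = VirtualPasswordServer()
    server.register("alice", "4071", 3)      # constructed sample account
    r = server.challenge("alice")
    v = vpf([4, 0, 7, 1], r, 3)              # what the user works out and types
    print("fresh response accepted:", server.verify("alice", v))
    server.challenge("alice")                # next login gets a new R
    print("recorded response reused:", server.verify("alice", v))
```

Because the typed value V depends on R, a value recorded during one login does not match the challenge of the next login unless the same R happens to be drawn again.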

3.3.2 Differentiated Security via a VPF


This section explains how the mechanism works in an Internet environment and proposes a
mechanism for differentiated security at system registration. It allows the user to select a
registration scheme ranging from the easiest to the hardest. A user can also define his own VPF
(Virtual Password Function), and can define and share a common function between the user and the
server.

3.3.3 User Specified Programs/Functions.


The strongest security approaches let the user define a user specified function or program.
Since the chosen function is known only by the server and the user, and the key space of
functions is infinite with high order, these approaches are secure even for simple functions.

3.3.4 Codebook

We first assume that our server has sufficient computing capacity to run a cryptographically
secure random number generator (RNG). This requirement is necessary to protect the whole system:
if a user loses their codebook, the system will not be compromised and the user can easily
request another codebook without changing the parameters of the RNG. Note that linear
congruential generators are not cryptographically secure RNGs [13].

REFERENCE:

[1] A. Eldar, I. Sharoni, T. Mendelson, and U. Blumenthal, "Techniques for password attack
mitigation," ed: Google Patents, 2012.
[2] E. S. E. C. †M.E. (CSE) Second Year, Erode,Tamilnadu,India ††Head of Department, Erode
Sengunthar Engineering College, Erode, Tamilnadu,India, "REVIEW OF PASSWORD PROTECTING
MECHANISM," International Journal of Advanced Research in Computer Engineering &
Technology (IJARCET), 2013.
[3] M. Raza, M. Iqbal, M. Sharif, and W. Haider, "A survey of password attacks and comparative
analysis on methods for secure authentication," World Applied Sciences Journal, vol. 19, pp. 439-
444, 2012.
[4] V. Panchal and K. P. RavirajPrajapati, "AN INNOVATIVE PATTERN BASED PASSWORD METHOD
USING TIME VARIABLE WITH ARITHMETIC OPERATIONS," International Journal of Information,
vol. 6, 2016.
[5] R. Rahim, H. Nurdiyanto, D. Abdullah, D. Hartama, and D. Napitupulu, "Keylogger Application to
Monitoring Users Activity with Exact String Matching Algorithm," in Journal of Physics:
Conference Series, 2018, p. 012008.
[6] G. Dua, N. Gautam, D. Sharma, and A. Arora, "Replay attack prevention in Kerberos
authentication protocol using triple password," arXiv preprint arXiv:1304.3550, 2013.
[7] H. Patil and C. D. Parekh, "Attacks and Remedies of Authentication Techniques: A," 2017.
[8] H.-J. Mun and K.-H. Han, "Blackhole attack: user identity and password seize attack using
honeypot," Journal of Computer Virology and Hacking Techniques, vol. 12, pp. 185-190, 2016.
[9] J. Bonneau, "The science of guessing: analyzing an anonymized corpus of 70 million passwords,"
in 2012 IEEE Symposium on Security and Privacy, 2012, pp. 538-552.
[10] N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan, "The password reset mitm attack," in 2017
IEEE Symposium on Security and Privacy (SP), 2017, pp. 251-267.
[11] K. W. Mahmoud, "Elastic password: A new mechanism for strengthening passwords using time
delays between keystrokes," in 2017 8th International Conference on Information and
Communication Systems (ICICS), 2017, pp. 316-321.
[12] D. Stiawan, M. Idris, R. F. Malik, S. Nurmaini, N. Alsharif, and R. Budiarto, "Investigating Brute
Force Attack Patterns in IoT Network," Journal of Electrical and Computer Engineering, vol. 2019,
2019.
[13] Y. Xiao, C.-C. Li, M. Lei, and S. V. Vrbsky, "Differentiated virtual passwords, secret little functions,
and codebooks for protecting users from password theft," IEEE Systems Journal, vol. 8, pp. 406-
416, 2014.
