What is password cracking?

Password cracking typically refers to the process of recovering scrambled passwords. It can be used
to help a user get back a forgotten password or to help a system administrator check for weak
passwords. But more often, password cracking is used by bad actors to gain unauthorized access to
systems and resources.

As a cyber-attack vector, password cracking is incredibly varied. Threat actors use specialized tools,
multiple techniques and even blend complimentary tactics to boost their chances of success. To get a
clearer picture of how they all fit together, it helps to understand that attacks typically fall into two
categories:

Password guessing

Password cracking

Strictly speaking, password guessing and password cracking are not the same thing, even though the
terms are often conflated. Password guessing is an online technique where a bad actor uses various
combinations of characters in a process of trial and error. In contrast, password cracking refers to an
offline process where an attacker attempts to decipher plaintext passwords from their encrypted
forms. Because these techniques are typically lumped together, we’re covering both of them here.

5 Common password cracking techniques

While there are multiple ways that threat actors crack passwords, here are a few of the most common:

1. Brute-force attack

With this relatively old but effective attack method, bad actors use automated scripts to try out
possible passwords until the correct one works. Brute-force attacks can be very time consuming
because they take a systematic approach to trying all possible permutations of characters in a
sequence. The longer the password, the longer it takes.

Brute-force attacks are most successful when users have common or weak passwords, which can be
“guessed” by tools in a matter of seconds. Cracking a strong password might take a few hours or days.

Admins who want to defend against to these attacks have several options for password protection
including:

Limiting the number of times a password can be tried

Blocking an IP address after it has attempted—and failed—to enter the correct password after a
certain number of times

Locking accounts after a certain number of unsuccessful login attempts

Imposing a time delay between attempts

Increasing the level of effort, like adding a CAPTCHA or adding multifactor authentication

2. Dictionary attack

These attacks are similar to brute-force attacks, but they’re less about quantity and more about
quality. In other words, instead of trying every possible combination, bad actors start with the
assumption that users are likely to follow certain patterns when they create a password. So they will
home in on the most likely words rather than trying everything.
Some users pick easy to remember passwords, like “password” or “123abc.” Others follow predictable
patterns that can vary by region—users might pick words related to their favorite sports teams, local
landmarks, city names, and so on. So, for example, a New Yorker might choose “yankeefan1998.”
Attackers collect lists of likely passwords into attack dictionaries. Then, they augment likely passwords
with numbers, letters and characters for longer passwords.

While these lists aren’t as long as those used in brute-force attacks, they can be quite large. So
attackers use automated scripts to try each password on a username until they’re locked out.

3. Credential stuffing attack

With credential stuffing, bad actors take advantage the tendency for users to reuse the same
usernames and passwords for multiple accounts. As more credentials are exposed through data
breaches, the opportunity for these types of attacks is growing.

Here’s how it works. Pairs of compromised usernames and passwords are added to a botnet that
automates the process of trying those credentials on multiple sites at the same time. The purpose of
these attacks is to identify account combinations that work and can be re-used across multiple sites.

These attacks have a relatively low success rate, but the impact of a large-scale botnet attack is often
anything but small.

4. Hybrid attack

When users change their password, they’ll often add a few extra numbers, letters or characters at the
end. Hybrid attacks take advantage of this tendency.

Often, hybrid attacks are a mix of dictionary attacks and brute force. In this case, a bad actor may get
a user’s compromised password for one site. The user learns it has been compromised and changes
it. The attacker will now try out variations of the old password using a brute force method that
automates the additions of numbers, letters and more.

While this method is more time-consuming than a simple dictionary attack, it’s faster than a brute-
force attack.

5. Rainbow table attack

To keep passwords safe, any responsible organization that stores passwords won’t keep them in their
original plaintext form. Rather, they use a hashing algorithm to convert passwords into a string of
seemingly random letters and numbers. They might even hash this output a second time in a process
called “salting” to make the password even more difficult to crack.

But there are only a limited number of hashing algorithms. And they hash the same passwords the
same way every time. As a result, attackers can develop databases of common passwords that they’ve
been able to decode. Once they have deciphered a password, they store it in a database called a
rainbow table.

When attacker gets a new hashed password, they check to see if it matches any of the precomputed
hashes stored in their rainbow table. The downside to rainbow tables is that they take considerable
time and effort to create. And they often don’t work on passwords that have been salted.

Tips to protect your organization against password attacks

Safe passwords may seem like a trivial piece of your cybersecurity strategy. But passwords are the
most common way that cyber criminals gain unauthorized access to confidential data and systems.
That makes strong passwords essential to keeping your organization safe. All types of businesses,
organizations and institutions can benefit from these password best practices:

Create strong password policies. Users don’t typically have the best password hygiene. Consider a
password policy that requires a minimum passphrase length (ideally greater than 20 characters),
requires the use of special characters, and forces users to reset their passwords regularly.

Use multifactor authentication. When MFA is used, password cracking is mostly neutralized (though a
growing number of attacks employ MFA-bypass techniques). An attacker might figure out a user’s
password, but in many cases, they still won’t have access to the secondary authentication method.

Encrypt, hash and salt passwords. Both encrypting and hashing exponentially increase the effort and
the computing power that’s required for attacks. And salting makes the process that even harder.

Update systems regularly. When systems aren’t updated, malware that tracks users’ keystrokes can
infect emails, files and applications. In these so-called keystroke attacks, bad actors gather user
credentials and other sensitive information. Updated systems can prevent these attacks.

By implementing these measures, organizations can effectively stop sensitive information from ending
up in the wrong hands.

The future of password security

There’s no doubt that passwords have security issues. That’s why the popularity of password-less
authentication is on the rise.

Password-less authentication is generally believed to be more secure than standard passwords. It

works by enabling users to prove they are who they say they are by matching them with something
unique to them, like their voice or a security token. These security methods are commonly used with
two-factor authentication (2FA). Here are a few examples:

Biometrics. With this method, a user’s unique characteristics, like their fingerprint, palmprint, voice
or face, are saved and encrypted. When a user wants to log in, they verify who they are by
resubmitting their biometrics.

Time-based one-time password (TOTP). This a temporary passcode is generated by an algorithm. They
are typically six characters long and change after 30 or 60 seconds. Google Authenticator and
Microsoft Authenticator are two good examples. In another variation, the user scans a QR code using
a specific smartphone application—and then that app generates the TOTP for the user.

One-time pin (OTP). When a user attempts to login, an OTP—typically a six-digit code—is sent to their
cell phone number via short message service (SMS) or email. The user has a limited amount of time
to enter that code in the system. In another variation, a unique hyperlink is sent to the user who then
clicks that so-called magic link to login.

Push notifications. This method authenticates a user by sending a message to a secure application on
their mobile device. When the user gets the notification, they can approve or deny access or view
more details.

Password-less authentication is resistant to most password cracking methods. Plus, it alerts users if
something is wrong. The disadvantages are that it’s more complex and often requires outside systems
to function. So while the future of password security is moving towards being more secure, it’s not
necessarily more user-friendly.

Keystroke Logger?

A keystroke logger is a software or hardware device that records all keystrokes on an electronic device.
It takes the information to a Command and Control server, where someone analyzes it and detects
usernames or passwords to get into an otherwise secure device, computer, application, or program.

Types of Keylogger Software

There are hardware-based and software-based keyloggers. These two types of keyloggers vary by the
way they log keystrokes.

Hardware Keyloggers

Hardware keyloggers require physical access to the target device. They are embedded within the
computer hardware, such as the computer cabling, keyboard, or USB. Hardware keyloggers don’t
leave any traces, making them hard to detect.

Keystrokes logged by a hardware keylogger are stored in the device’s internal memory. Because of
this, they are rarely used for cyberattacks and device monitoring.

Software Keyloggers

Software keyloggers do not require physical access to the device. They can be easily installed as
malicious software that you download intentionally or as part of malware. Software keyloggers do not
infect the computer with a virus but run in the background collecting keystrokes.

There are various types of software keyloggers:

Keystroke Keyloggers

These keyloggers capture every keystroke on a keyboard. They include:

API-Based Keyloggers

API-based keyloggers are the most common. This is because they use the keyboard API to record
keystrokes. API stands for Application Programming Interface. This type of keylogger allows the
software to communicate with the keyboard. They intercept all keystrokes that you input into the
program you’re typing into.

API keyloggers are also called user-mode keyloggers. They intercept keyboard and mouse
movements. They are the easiest to create and also the easiest to detect since they are known within
the Win32 API.

Form-Grabbing Keyloggers

Form-grabbing keyloggers intercept web form submissions. They record the data you enter into a field,
such as login credentials. The keylogger malware is deployed on a website, like a prompt asking you
to enter your credentials such as name, email address, phone number, credit card number, etc. The
information you input is submitted when you hit “Enter” or “Submit.”

Kernel-Based Keyloggers
Kernel-based keyloggers work at the core of a computer’s operating system. These keyloggers use
filter drivers that intercept keystrokes as they pass through the kernel. Thus, they have admin-level
permissions to everything entered into a computer system.

A kernel mode keylogger is more advanced and challenging to execute. Because of this, it is also
difficult to detect within a system. In addition, it can change the internal dynamics of Windows.

Kernel mode keyloggers are distributed in various ways, including:

opening email attachment;

rootkits;

malicious software bundles;

running a file through a P2P network;

drive-by download attack.

JavaScript-Based Keyloggers

A JavaScript-based keylogger is written in JavaScript code and injected into a website. This keylogging
software can run scripts that record all keystrokes a website’s users enter. A JavaScript keylogger may
require only one line of code to capture all keystrokes, including tabs backspace and carriage
returns entered onto a website.

Once the RAT is on the computer, someone can send commands to the computer and receive data
from that computer.

Web-Based Keyloggers

These are keyloggers that help you log user data and other keystrokes online. They are mainly used
for parental and employee monitoring. Web-based keyloggers can display keystrokes logged in real-
time. They can also show a history of the keystrokes logged on that particular browser. You can use
these apps to read text messages from another phone without them knowing.

Wireless Keyloggers

Wireless keyloggers capture data sent and received between a wireless keyboard and its receiver. The
wireless keylogger can be connected to the target computer or wirelessly using a disguised device like
a wall charger.

Firmware Keyloggers

A computer BIOS handles keyboard events and can be reprogrammed to record keystrokes before
processing them.

Privilege Escalation?

Privilege escalation is a cyberattack technique where an attacker gains unauthorized access to higher
privileges by leveraging security flaws, weaknesses, and vulnerabilities in an organization’s system. It
is the attempt to elevate access permissions by exploiting bugs, system flaws, human behaviors,
configuration oversights, or weak access controls. In most cases, the first penetration attack attempt
is not enough to gain the required level of access to data. Attackers then resort to privilege
escalations to gain deeper access to networks, assets, and sensitive information.
Privilege escalation attacks are performed to jeopardize business operations by exfiltrating data and
creating backdoors. The goal of privilege escalations is to gain complete control over the system or
network, with a malicious intent of security breaches, data theft, etc. Threat actors performing these
attacks can be external hackers or insiders who start by carrying out a social engineering attack like
phishing to gain access to computer networks and systems through credential theft.

As privilege escalation attacks can impact business reputation and continuity, strategic measures
should be implemented for prevention, early detection, and mitigation.

Types of Privilege Escalations

There are two types of privilege escalations are mentioned below.

Vertical privilege escalation

Horizontal privilege Escalation

Vertical privilege escalation, or privilege elevation attack, is hacking into a system to gain elevated
privilege access beyond what the attacker already has.

Horizontal privilege escalation or account takeover is gaining access to the rights of lower-level
accounts with similar privileges, mainly performed to increase the attacker’s sphere of access.

Vertical vs. Horizontal Privilege Escalation

Often confused, vertical and horizontal privilege escalations refer to different methods of obtaining
higher privileges within a system or a network. Horizontal privilege escalation means obtaining access
to the same level of privileges as a user. In contrast, vertical privilege escalation refers to obtaining a
higher level of privileges than the user.

In case of a horizontal privilege escalation, a low-level employee with access to sensitive data may use
that access to gain the same privileges as a higher-level employee, such as a manager. This enables
the attacker to perform actions with the same level of authority as the compromised employee.

On the other hand, vertical privilege escalation refers to the process of gaining higher privileges than
the user currently has. For example, a low-level employee may exploit a vulnerability in the system to
gain administrative privileges, thus obtaining the ability to perform actions with a much higher level
of authority.

Common Types of Privilege Escalation Techniques or Methods

There are various types of privilege escalation techniques that attackers can use to compromise a
system. Some of them are discussed below.

Social engineering-
In this technique, an attacker tricks a user into giving away their credentials or performing actions that
grant the attacker elevated privileges. This can include phishing attacks, where an attacker sends an
email posing as a trusted entity to trick the recipient into giving away their credentials, thereby giving
the attacker access to the system.
Pass-the-Hash/Rainbow table attacks- Another technique is the pass-the-hash (PtH) attack, which
aims at impersonating a user by using a stolen password hash to create a new session on the same
network. To defend against this attack, modern systems must employ robust password management
solutions to keep the hash unique between two sessions.

Vulnerabilities and exploits- Exploiting vulnerabilities in software and operating systems is another
popular method of privilege escalation. Here, attackers exploit unpatched software
vulnerabilities, buffer overflow issues, or other backdoors to gain privilege escalation.

Misconfigurations- In this attack, the attacker takes advantage of misconfigured systems to escalate
their privileges. This can include weak passwords, unsecured network services, open ports, authentic
failures, and other misconfigured systems.

Kernal exploits- In this technique, the attacker exploits zero-day vulnerabilities in the operating system
kernel to escalate their privileges. This poses a serious threat as the kernel gets complete control over
the system and can bypass security measures.

Best Practices to Prevent Privilege Escalation Attacks

Privilege escalation attacks can have severe consequences, including theft of sensitive information,
disruption of operations, and reputational damage. By implementing strong passwords, restricting
access, regularly updating systems, monitoring activity, and having a clear response plan,
organizations can reduce their risk of falling victim to privilege escalation attacks. Below are some best
practices that must be adopted to prevent and mitigate such attacks:

Principle of least privilege- This measure is required to limit access to sensitive systems, applications,
and data to only those who need it.

Patch and update software regularly- Keeping all systems, software, and applications up to date with
the latest security patches is essential in fixing known vulnerabilities.

Vulnerability scanning- Attackers find it harder to enter the network when all the IT infrastructure’s
components are routinely scanned for weaknesses. Before potential attackers can take advantage of
them, vulnerability scans identify misconfigurations, undocumented system changes, unpatched or
unsecured OSes and programs, and other problems.

Implement strong passwords- Encourage users to use strong and unique passwords that are more
challenging to guess or crack.

Security awareness training- Conducting security awareness training is essential to prevent people in
organizations from unintentionally assisting a privilege escalation attack by opening malicious links
and attachments. It is also essential to emphasize the hazards and perils of sharing accounts and
passwords.

Incident response plan- It is imperative to have a clear incident response plan that outlines the steps
to swiftly respond to detected incidents and prevent further exploitation.

Sniffing?
Sniffing is a process of monitoring and capturing all data packets passing through given network.
Sniffers are used by network/system administrator to monitor and troubleshoot network traffic.
Attackers use sniffers to capture data packets containing sensitive information such as password,
account information etc. Sniffers can be hardware or software installed in the system. By placing a
packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of
the network traffic.

There are two types:

Active Sniffing:

Sniffing in the switch is active sniffing. A switch is a point to point network device. The switch regulates
the flow of data between its ports by actively monitoring the MAC address on each port, which helps
it pass data only to its intended target. In order to capture the traffic between target sniffers has to
actively inject traffic into the LAN to enable sniffing of the traffic. This can be done in various ways.

Passive Sniffing:

This is the process of sniffing through the hub. Any traffic that is passing through the non-switched or
unbridged network segment can be seen by all machines on that segment. Sniffers operate at the data
link layer of the network. Any data sent across the LAN is actually sent to each and every machine
connected to the LAN. This is called passive since sniffers placed by the attackers passively wait for
the data to be sent and capture them.

Sniffing, spoofing, and phishing are all cybercriminal activities that involve stealing sensitive
information, but they are different in how they are carried out:

There are various types of sniffing attacks such as

LAN Sniff – The sniffer attacks the internal LAN and scans the entire IP gaining access to live hosts,
open ports, server inventory, etc. A port-specific vulnerability attack happens in LAN sniffing.

Protocol Sniff – The sniffer attacks occur based on the network protocol used. Different protocols such
as ICMP, UDP, Telnet, PPP, DNS, etc., or other protocols might be used.

ARP Sniff – ARP Poisoning attacks or packet spoofing attacks occur based on the data captured to
create a map of IP addresses and associated MAC addresses.

TCP Session stealing – TCP session stealing is used to monitor and acquire traffic details between the
source & destination IP address. All details such as port number, service type, TCP sequence numbers,
data are stolen by the hackers.

Application-level sniffing – Applications running on the server are attacked to plan an application-
specific attack.

Web password sniffing – HTTP sessions created by users are stolen by sniffers to get the user ID,
password, and other sensitive information.

IP spoofing?
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in
order to either hide the identity of the sender, to impersonate another computer system, or both. It
is a technique often used by bad actors to invoke DDoS attacks against a target device or the
surrounding infrastructure.

Sending and receiving IP packets is a primary way in which networked computers and other devices
communicate, and constitutes the basis of the modern internet. All IP packets contain a header which
precedes the body of the packet and contains important routing information, including the source
address. In a normal packet, the source IP address is the address of the sender of the packet. If the
packet has been spoofed, the source address will be forged.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address
listed. If the person receiving the package wants to stop the sender from sending packages, blocking
all packages from the bogus address will do little good, as the return address is easily changed.
Relatedly, if the receiver wants to respond to the return address, their response package will go
somewhere other than to the real sender. The ability to spoof the addresses of packets is a core
vulnerability exploited by many DDoS attacks.

DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while masking
the identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified
and continuously randomized, blocking malicious requests becomes difficult. IP spoofing also makes
it tough for law enforcement and cyber security teams to track down the perpetrator of the attack.

Spoofing is also used to masquerade as another device so that responses are sent to that targeted
device instead. Volumetric attacks such as NTP Amplification and DNS amplification make use of this
vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an
ongoing security concern.

Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading as another device
in order to sidestep authentication and gain access to or “hijack” a user’s session.

How to protect against IP spoofing (packet filtering)

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating
a network. A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best
Common Practice document). Ingress filtering is a form of packet filtering usually implemented on
a network edge device which examines incoming IP packets and looks at their source headers. If the
source headers on those packets don’t match their origin or they otherwise look fishy, the packets are
rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the
network, ensuring that those packets have legitimate source headers to prevent someone within the
network from launching an outbound malicious attack using IP spoofing.

Layer 2 Attacks Overview

Layer 2 attacks, also known as Data Link Layer attacks, target vulnerabilities in the second layer of the
OSI model. This layer handles the addressing of devices using MAC addresses and controls access to
the physical transmission medium.

ARP Poisoning

Address Resolution Protocol (ARP) poisoning, also referred to as ARP spoofing, is a common Layer 2
attack that exploits the trust inherent in ARP. ARP is responsible for mapping IP addresses to MAC
addresses, allowing devices to communicate on a local network.

How ARP Poisoning Works

In an ARP poisoning attack, the attacker leverages the stateless and trusting nature of ARP protocol.
When a device on the network wants to communicate with another device, it sends an ARP request
to get the MAC address associated with the target’s IP address. The target device responds with its
MAC address, and the requesting device caches this mapping for future use. The attacker sends
falsified ARP responses to both the victim and the target, associating their own MAC address with the
target’s IP address. As a result, both devices update their ARP tables, directing traffic intended for the
target to the attacker’s system.

The attacker then becomes a middleman, intercepting and potentially modifying the communication
between the victim and the target. This can lead to sensitive information leakage, unauthorized
access, and even the injection of malicious content.

Example:

Let’s consider a scenario where there are three devices on a network: A (192.168.1.1), B (192.168.1.2),
and C (192.168.1.3). A wants to communicate with B. Normally, A sends an ARP request asking for B’s
MAC address. B responds with its MAC address, and A and B can communicate. In an ARP poisoning
attack, the attacker sends ARP responses claiming to be B, associating their MAC address with B’s IP
address. As a result, when A wants to communicate with B, it sends data to the attacker’s MAC
address, and the attacker can manipulate the data.

MAC Flooding

MAC flooding is another Layer 2 attack that exploits the behavior of network switches. Switches use
MAC address tables to determine the appropriate port to forward traffic. When a MAC address isn’t
in the table, the switch broadcasts the traffic to all ports, flooding the network.

How MAC Flooding Works

In a MAC flooding attack, the attacker aims to overwhelm the switch’s MAC address table, causing it
to operate in a degraded mode where it starts broadcasting traffic to all ports, instead of just the
appropriate one.

Switches typically maintain a MAC address table that associates MAC addresses with their
corresponding switch ports. When a device sends data to the switch, the switch learns which port is
associated with that MAC address and forwards data only to that port. However, these tables have a
limited capacity, and once the table is full, the switch behaves differently.

The attacker initiates a MAC flooding attack by sending a large number of Ethernet frames to the
switch, each containing a unique source MAC address. The switch attempts to learn these MAC
addresses and adds them to its table. However, when the table is full, the switch starts broadcasting
incoming frames to all ports, as it can’t determine the appropriate port for certain MAC addresses.
This behavior creates a flood of traffic that can be intercepted by the attacker, enabling them to
capture sensitive information or disrupt network operations.

Example:

Imagine a network with a switch and three devices: X, Y, and Z. The switch’s MAC address table is
initially empty. Device X wants to send data to device Y. The switch learns that X’s MAC address is on
port 1 and Y’s MAC address is on port 2. Now, an attacker floods the switch with frames, each claiming
to be from a different MAC address. The switch’s MAC address table becomes full and can’t
accommodate any new entries. When X wants to send data to Y, the switch broadcasts the data to all
ports, allowing the attacker to intercept it.

MAC Address Cloning

MAC address cloning is yet another technique that attackers can use to compromise network security.
A MAC address is a unique identifier assigned to a network interface card (NIC). Cloning involves
copying the MAC address of a legitimate device and applying it to the attacker’s device.

How MAC Address Cloning Works

MAC address cloning involves configuring a network interface to use a MAC address that is not
originally assigned to it. The attacker identifies a legitimate device on the network and captures its
MAC address, often through sniffing network traffic or reconnaissance. Once the attacker has the MAC
address, they can modify their own device’s network settings to use the captured MAC address.

By cloning a legitimate device’s MAC address, the attacker gains the ability to impersonate that device
on the network. This can lead to several security issues, including unauthorized access, bypassing MAC
address filtering, and evading network monitoring tools.

Example:

Suppose there is a network with a router and two devices: Device A and Device B. The router
recognizes Device A by its MAC address. An attacker clones the MAC address of Device A and
configures their own device to use the cloned MAC address. When the attacker’s device
communicates with the router, it appears as if it’s Device A. This can enable the attacker to intercept,
manipulate, or redirect traffic intended for Device A.

Mitigation Strategies

To counteract Layer 2 attacks, including ARP Poisoning, MAC Flooding, and MAC Address Cloning,
various mitigation strategies can be employed:

Encryption: Use encryption protocols like SSL/TLS for securing communication. Encryption ensures
that even if an attacker intercepts the data, they cannot understand its contents.

Network Monitoring: Employ network monitoring tools to detect unusual patterns or unexpected
behavior. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help identify
and block attacks.

Strong Authentication: Implement strong authentication mechanisms, such as two-factor

authentication (2FA) or multi-factor authentication (MFA), to prevent unauthorized access.

ARP Spoofing Detection: Utilize tools that can detect ARP spoofing attacks by comparing received ARP
responses with expected ones and flagging inconsistencies.
Port Security: Configure switches to limit the number of MAC addresses allowed on a port, reducing
the effectiveness of MAC flooding attacks.

MAC Address Filtering: Implement MAC address filtering on the network to only allow authorized
devices to communicate. This can mitigate the risk of MAC address cloning.

Different modes of Wireless cards

Monitor mode

Used to monitor wireless networks, monitor mode allows a computer to capture all traffic on a
wireless channel without associating with an access point. Monitor mode is also known as RFMON
(Radio Frequency MONitor) mode.

Promiscuous mode

Can be used on both wired and wireless networks, promiscuous mode allows a computer to read all
frames that pass through a network interface card (NIC). This includes frames intended for other
devices. Promiscuous mode is often used to diagnose network connectivity issues.

Non-promiscuous mode

In non-promiscuous mode, a NIC only receives frames that are addressed to its MAC address, or are
broadcast or multicast frames.

Here are some other things to know about monitor mode and promiscuous mode:

Promiscuous mode requires support from the NIC, operating system, and any associated driver.

Many operating systems require superuser privileges to enable promiscuous mode.

Network switches are used to combat malicious use of promiscuous mode.

Sniffing

An attacker intercepts and captures unencrypted network traffic to steal sensitive

information. Sniffers are used by network administrators to monitor network traffic, but attackers can
also use them to steal data.

Spoofing

An attacker impersonates a trusted source, such as a business, colleague, or other contact, to gain
access to sensitive information. Spoofing can be done in a number of ways, including email spoofing,
IP spoofing, and caller ID spoofing.

Phishing

An attacker sends an email that appears to be from a legitimate source, but is actually intended to
steal sensitive information.
Wi-Fi authentication method?

The best Wi-Fi authentication method depends on the specific needs and security requirements of the
organization or individual using the Wi-Fi network. There are several different authentication methods
available, each with its own strengths and weaknesses. Here are some common Wi-Fi authentication
methods and their characteristics:

WPA2-PSK (Wi-Fi Protected Access II - Pre-Shared Key): This method uses a shared passphrase that is
used to encrypt wireless traffic. It is a commonly used method for home and small business networks,
but it can be vulnerable to brute-force attacks if the passphrase is weak or easily guessable.

WPA2-Enterprise: This method uses an authentication server, such as RADIUS (Remote Authentication
Dial-In User Service), to authenticate users and devices. It provides stronger security than WPA2-PSK,
but it can be more complex to set up and manage.

Open Authentication: This method does not require any authentication, and anyone can connect to
the Wi-Fi network. It is generally not recommended for security reasons, as it leaves the network
vulnerable to unauthorized access and attack.

Captive Portal: This method requires users to log in or provide credentials before they can access the
Wi-Fi network. It is commonly used in public Wi-Fi networks, such as those in airports and cafes, but
it can be vulnerable to phishing attacks if users are not careful about the information they provide.

Bypassing WLAN authentication is when a user attempts to access a wireless network without
entering the correct credentials or by exploiting a vulnerability in the network:

Using incorrect credentials: A user tries to access the network by entering the wrong credentials.

Exploiting a vulnerability: A user exploits a vulnerability in the network, such as a weak authentication
schema or a vulnerability in WPA2-enabled devices.

Uncovering hidden SSIDs: A user uncovers hidden SSIDs on the network.

Beating MAC filters: A user beats the MAC filters on the network.

Bypassing Open Authentication: A user bypasses Open Authentication on the network.

Bypassing Shared Key Authentication: A user bypasses Shared Key Authentication on the network.

Bypassing authentication for a subset of devices is not recommended because it can allow rogue
devices to access the internal network. However, in certain situations, it may be acceptable to bypass
authentication for some devices.

WLAN Flaws:

Wireless local area networks (WLANs) can be vulnerable to a number of encryption flaws, including:

Weak encryption

Many public access points are not secure and do not encrypt traffic. This puts sensitive information
like passwords and credit card numbers at risk.

Key Reinstallation Attacks (Krack Attacks)

A flaw in the WPA2 encryption protocol that allows hackers to intercept sensitive information. The
flaw was discovered in 2017 by researchers at KU Leuven University.

Wired Equivalent Privacy (WEP)

WEP only supports 64-bit or 128-bit encryption key sizes, which can be more easily decrypted than
larger key sizes. WEP is also limited to hexadecimal characters, which only allow for numbers 0–9 and
the letters A–F.

Other common vulnerabilities in WLANs include:

Rogue access points

Default or weak passwords

Misconfigured devices

Unauthorized devices

Sniffing and spoofing

Unlawful interception

Eavesdropping

Hacking

Denial of service attacks

To counter these threats, you can:

Configure your WLAN correctly

Enable security features such as encryption, standard authentication, and access control mechanisms

Ensure that all the access points you connect to use at least WPA2 encryption

Access point attacks can include rogue access point attacks, deauthentication attacks, and captive
portal attacks:

Rogue access point attacks

An unauthorized wireless access point is set up to provide unauthorized connectivity. This can lead to
a range of security risks, including data interception, malware distribution, and network
disruption. Rogue access points can be set up by devices like printers, media devices, or personal
routers.

Deauthentication attacks

A type of denial of service attack that targets communication between a user and a Wi-Fi access point.

Captive portal attacks

A rogue network is created to gather the targeted access point's password. The network has a similar
SID and disconnects all users from the targeted access points. Phishing attacks are then used to trick
users into providing passwords.

To protect against access point attacks, you can:

Configure access points securely by using strong passwords, enabling encryption, and disabling unused
features.

Use the latest security protocols and firmware updates.

Conduct regular security audits.

Implement advanced security technologies, such as intrusion detection systems and network access
control.

Wireless Network Attacks?

Wireless network attacks are deliberate and malicious actions aimed at exploiting vulnerabilities in
wireless communication systems to gain unauthorized access, intercept sensitive data, disrupt
network operations, or compromise the security of devices and users connected to the network. These
attacks target weaknesses in the protocols, configurations, or encryption mechanisms of wireless
networks, taking advantage of their inherent nature of broadcasting signals over the airwaves.

Types of Wireless Network Attacks

Wireless networks have undoubtedly revolutionized the way we communicate and conduct business,
offering unparalleled convenience and mobility. However, with this freedom comes the lurking threat
of malicious attackers seeking to exploit the vulnerabilities inherent in wireless technology. Here are
some of the common types of wireless network attacks:

1. Wireless Eavesdropping (Passive Attacks)

Attackers use tools like packet sniffers to intercept and monitor wireless communications between
devices. By capturing data packets transmitted over the air, they can potentially obtain sensitive
information, such as login credentials, financial data, or personal information.

2. Wireless Spoofing (Man-in-the-Middle Attacks)

In these attacks, the attacker positions themselves between the wireless client and the legitimate
access point, intercepting and manipulating data transmissions. The attacker may then relay the
information back and forth, making it appear as if they are the legitimate access point. This enables
them to snoop on data or perform other malicious actions unnoticed.

3. Wireless Jamming (Denial-of-Service Attacks)

Attackers flood the wireless frequency spectrum with interference signals, disrupting legitimate
communications between devices and access points. By creating excessive noise, they can render the
wireless network unusable for legitimate users.

4. Rogue Access Points

Attackers set up unauthorized access points, mimicking legitimate ones, to deceive users into
connecting to them. Once connected, the attacker can eavesdrop, capture data, or launch further
attacks on the unsuspecting users.

5. Brute-Force Attacks

Attackers try various combinations of passwords or encryption keys in rapid succession until they find
the correct one to gain unauthorized access to the wireless network.

6. WEP/WPA Cracking

Attackers exploit vulnerabilities in older wireless security protocols like Wired Equivalent Privacy
(WEP) and Wi-Fi Protected Access (WPA) to gain unauthorized access to encrypted wireless networks.

7. Evil Twin Attacks

Attackers create fake access points with names similar to legitimate ones, tricking users into
connecting to the malicious network. Once connected, the attacker can intercept sensitive data or
execute further attacks.

8. Deauthentication/Disassociation Attacks

Attackers send forged deauthentication or disassociation frames to wireless devices, forcing them to
disconnect from the network, leading to service disruptions or potential vulnerabilities when devices
automatically reconnect.

Preventing Wireless Network Attacks: Safeguarding Your Digital Domain

Protecting your wireless network from potential threats is paramount, and we have compiled a
comprehensive list of preventive measures to ensure your digital domain remains secure. Follow these
essential tips to fortify your wireless network against attacks:

1. Update your computer often

Regularly update your operating system and applications to ensure you have the latest security
patches and fixes. Timely updates help address discovered vulnerabilities, making it harder for
attackers to exploit known weaknesses.

2. Use MAC filtering

Enable MAC filtering on your wireless router to control access to your network. By specifying which
devices are allowed to connect based on their unique MAC addresses, you can prevent unauthorized
access and enhance your network’s security.

3. Disable SSID broadcasting

Turn off SSID broadcasting to make your wireless network invisible to casual observers. This prevents
your network from being easily discoverable and adds an extra layer of obscurity for potential
attackers.

4. Use WPA2 encryption

Utilize WPA2 encryption, the latest and most secure protocol, to safeguard your data as it travels
between devices and access points. Encryption ensures that even if intercepted, your data remains
unintelligible to unauthorized entities.
5. Change the default SSID

Customize your router’s SSID to something unique and unrelated to personal information. Avoid using
common names like “Linksys” or “default” to deter attackers from identifying and targeting your
network.

6. Disable file sharing

Turn off file sharing on your network to prevent unauthorized users from accessing your sensitive files.
If file sharing is necessary, ensure you set up secure passwords to limit access to approved users only.

7. Enable WEP encryption (only if using an older router)

If your router doesn’t support WPA2, use WEP encryption as a fallback option. However, keep in mind
that WEP is less secure than WPA2 and should only be considered if absolutely necessary.

By implementing these preventive measures, you significantly bolster your wireless network’s
security, thwarting potential attackers, and safeguarding your sensitive information and digital
activities. Stay one step ahead in the ever-evolving landscape of cybersecurity, and let your wireless
network become a fortress of protection for all your digital endeavors.