There are many ways to get a password. Some of them do not require special skills. Here are the ways of the most common and most frequently used:
[1]. Social Engineering
[2]. KeyLogger
[3]. Web Spoofing
[4]. Block Email
[5]. Password Cracking
[6]. Session Hijacking
[7]. Being a Proxy Server
[8]. Use Browser Features
[9]. Googling
[1]. Social Engineering
Social Engineering is the name of a technique of collecting information by utilizing the gap victim psychology. Or maybe it should also be said as "fraud". Social Engineering requires patience and caution to the unsuspecting victim. We are required to be creative and able to think like the victim.
Social Engineering is the art of "force" others to do things according to your expectations or desires. Of course "coercion" does not explicitly or outside the normal behavior is typical of the victim.
Humans tend to believe or easily swayed toward someone who has a big name, never (or are trying) to help, and have the words or a convincing performance. This is often used principal social engineering to ensnare his victims. Often the perpetrator make a condition that we have some addiction to victim.Yeah, we unknowingly he conditioned us on an issue and make (as if - if only) that he can overcome that problem. Thus, we would tend to do what he instructed without feeling suspicious.
Social Engineering is sometimes a serious threat. It seems there is no connection with technology, social engineering but still skeptical as feasible can be fatal for your system. Why?? Because after all a computer still can not get away from humans. Yes, there is no any single computer system on earth that can escape from human intervention. your defense as much as anything, if you are already controlled by the attacker through social engineering, then maybe you are the one who opened the entrance to the attacker.
[2]. KeyLogger
KeyLogger is a software that can record user activities. The results were used to record stored in the form of text or images. KeyLogger work by tapping the keyboard user. This application is able to identify sensitive forms such as a password form.
There is a safe way to avoid keyloger:
1. Use a password with special characters such as !@#$%^&*(){}[]. Most keyloger will ignore these characters so that the perpetrator (keyloger installer) will not get the actual password.
2. Prepare your password from home, save in the form of text. We want to enter a password, copy-paste tingal ajah. Keyloger will read your password by tapping the keyboard. But this risky way. Why? because when you make a copy, your data will be stored on the clipboard. We have found many free software that can display data in the clipboard.
[3]. Web Spoofing
Still remember the case of a customer's account pecurian Bank BCA? Yes, that's one good example of Web spoofing. The essence of this technique is to use a user error when typing a website address into the address bar. Basically, Web Spoofing is an attempt to deceive the victim into thinking he is accessing a particular site, but it's not.
In the case of BCA, the perpetrator makes the site very similar and identical to the original site so that the victim will not be fooled in doubt fill in sensitive information such as user name and password. In fact, because the site is a scam site, then all this valuable information recorded by the fake Web server, which is owned by the perpetrator.
[4]. Block Email
Block email? Yes, and very easy to do this. One way is to use mailsnarf contained in dsniff utilities. How it works is by blocking Mailsnarf data packets through the Internet and arranged them into an email intact.
Mailsnift is Dsniff and software work on the basis of WinPcap (equivalent to the Linux libcap) is a library that captures data packets. Packets captured will be stored in a file by Windump, while MailSnarf act Dsniff and further analyze the data packets and display the password (dsniff) or email content (mailsnarf).
[5]. Password Cracking
"Hacking while sleeping." Was the phrase commonly used by people who make password cracking. Why? Because in general takes a long time to perform password cracking. Could for hours, even for days - days! It all depends on the target, whether the target using a common password, password length unusual character, or a combination of passwords with special characters.
One of the commonly used software to do this is by using Brutus, one of the remote password cracker software is quite popular. Brutus works with technical dictionary attack or bruce-force attack on http ports, POP3, ftp, telnet, and NetBIOS.
Dictionary attacks try to work with words in the dictionary passwords. While brute - force attacks try to work with all combinations of letters, numbers, or characters.
Brute Force Atack working very slow and takes a long time depending on the type of computer specifications and character length password. We have had many sites that closed access to access to the login attempt constantly to no avail.
If you want to do Cracking passwords, please choose - choose their own applications on page Member - spyrozone.tk.
[6]. Hacking Session
Session hijacking is more widespread today among the attackers. Session Hijacking usually done by doing imitation cookies. So in essence, we must be able to imitate the victim's cookies to get their login session.
So how do I get the victim's cookies?
1. By analysis Cookies.
This method is relatively difficult to do.
2. Stealing Cokies.
For example The Attacker wants to obtain the account A. The Attacker can easily make some script that inserted Java script in the email to be sent to the email korban.Saat the victim opened it, subconsciously stolen and cookies will be recorded onto a Web server using a PHP script.
These days most often the target of a Friendster account. There are inserting a Scipt through testimonials, there is a paste in his own profile to steal the victim's cookies and so forth. I have tips for this:
1. Do not use the Internet Explorer browser
We want to open other people's profiles, do not use Internet Explorer. Write down the address you want to come along the profile view, first logout of your account and remove all cookies, then open your Friendster profile goals.
2. Check the source code
When receiving testimonials, please check your source code. Is there are foreign script or word which is identical with such counterfeiting:
"HACKED", "defaced", "Owned" .. etc. ..
If in doubt ... .... Just Reject
3. LOGOUT suddenly.
Alert when without a good reason suddenly you logout automatically from your account. When you are asked to enter a username and password, your addressbar preview! whether you are on the proper or not. Check the source code on the form tersebut.Lihat page action, where the information you will be sent.
Actual session hijacking can be prevented if only the service provider notice the following things:
1. Assign a unique session identifier
2. Define the random pattern identifier system
3. Session identifier is independent
4. Session identifier that can be mapped to the connection
client side.
Another phenomenon is that, until now this article was published, it is often found that users who do not sign out after opening the account. Thus, people who use the computer and open the same website that has been opened by the first person will be automatically logged into the victim's account.
[7]. Being a Proxy Server
We can gather information with a proxy server for the victim to be able to surf. With a proxy server, the identity of the surfer can be ours.
[8]. Failure to take advantage of the user in the use of features
browser
Each browser must have features intended for convenience and comfort of users in the surf. Among them is the existence of the cache and Password Manager.
On the Internet of course a lot of websites whose content is not changed within a few days (for example spyrozone.tk;) Well, for a site like this cache be very useful. Cache will store the files so that future browsing if you come back to that site browsers do not need to download a second time from the server so that every page of your site that has previously opened will open more quickly. All that is usually governed by the header time to live.
Well, what about the sites of news providers are always up to date? For such sites, live-time to his will be set = 0 so that later you will continue to download every time a visit.
Not comfortable enough? Yes, but the threat began to emerge. Try now you explore the options related to the cache in your browser. Of course you can see that there are facilities to determine how much temporary files that can be stored on disk. Search also the location where the files will be saved.
Try to open the folder, you will see html files & image files from sites you've visited. In the IE browser, you can see the location of the cache files by exploring the Tools menu -> Internet options -> Settings
Then what can be found?? anyway just the files "trash"?? Hmm ... you are now trying to copy all the files there into a folder. Then open one of htmlnya file. If the public computer, you can see what sites have been accessed by the person before you.
Hmm .. just by looking at your temporary files can even see the password and etc.. I met lots of sites that store passwords and display them on the url. Of course you also must have often read in many tutorials.
Most current browsers have the facility to store passwords. For example when meggunakan Mozilla Firefox, you'll often receive a confirmation dialog box asking if you want your password saved or not by PasswordManager. Alomst users tend to choose the YES option, either knowingly, or did they not know (read: do not want to know ) what the purpose of the dialogue box.
Others who then use the browser that can very easily get the password by entering the victim's Tools menu -> Options -> Security -> Saved passwords.
Another example is the password wand facilities owned by the Opera browser. When you enter a user name and password in a form and pressing the submit button, an opera by default will be asked to confirm to you whether you want the browser to save your id and password or not. Again and again ... most netter careless, they tend to select the option "YES".
So?? Others who then use a browser that can see what sites have been accessed by the user, point your browser to the site, place the cursor on a form the user name, press [ALT] + [ENTER] and BOOOMM!! Do not be surprised yet!! Hehehe .. it will automatically login with your user name filled in full with the victims password :D(It's fun enough ..;D)
This is only a small example, the features explore other browsers!
[9]. Googling
Google.com. Many sites have collapsed, passwords and numbers - credit card numbers stolen from the behavior of people who abused his power;) In the past, it's easy to do. Only by typing in certain keywords associated with the user name and password, you can harvest hundreds of user passwords through google. But now it seems you have to bite the fingers if you use the above :D
Do not be sad before because Google has just spawned a new product, the Google Code Search. New threat began to emerge, "the smart" is now able to crawl up to the archive files that are in a public web server directory. Be careful who had a habit to store important information in it (passwords, and other valuable information) should begin now eliminated the habit. Always protect folders sensitive to your site can live longer. If not, there are people who take advantage of this new product to dredge google sensitive information from the web server. and if it had happened ... so be prepared .. "The Site" you will be taken over by it ..
Sorry, I'm bad english. Forgive me if it were the wrong words
Read more »
.jpg)
