











I have a Question please help.
Williamd000
Member M
Registered: Aug 2001 Location: USA Country: United States State: Certifications: MCP ( Windows 2000 Pro ) and Security+ Working on: CEH, CISSP, MCSA + Security
Total Posts: 55
Hi, I need help with this question. I think I have the correct answer but I want to make sure that it's correct. Thanks.
What kind of attack are hased passwords vulnerable to?
1-Man in the middle
2-dictionary or brute force
3-reverse engineering
4-DOS attack.
I believe it's 2.
03-25-03 05:27 AM
RussS
radical dood M

Registered: Sep 2002 Location: Hamilton Country: New Zealand (Aotearoa) State: Certifications: MCP W2K Pro & Server, A+, Net+, NZQA L3 Computing Working on: Security+, MCSA, Linux+
Total Posts: 955
hased ??? passwords - do you mean hashed?
interesting options, but if hashed I would say Brute Force if it was a 1 option answer.
Reasoning -
1, Man in the Middle - yes could intercept the hashed password, but would need to be decrypted.
2, Dictionary Attack uses a list of names and is usually sufficient to break most simple passwords. Brute force tries all combinations within a specified parameter.
3, Reverse Engineering is more the domain of pulling a program apart rather than decrypting a password.
4, DOS Attack - is this DoS as in Denial of Service or DOS as in attacking DOS?
__________________
Go hard or go home!
03-25-03 06:58 AM
Hacker
Moderator

Registered: Nov 2000 Location: USA Country: United States State: Certifications: Working on:
Total Posts: 382
Definitely 2. Reverse engineering, even if defined loosely to mean decoding the password, is very unlikely. This is the reason for a hashing program--one way is easy to implement, does not need a lot of resources. However, to reverse, that is, to try to get to the original password, takes too many resources. Even if it were possible, it would take more resources than brute force cracking.
Hope this helps.
__________________
FREE certification support from our many Certified Experts here!
03-25-03 08:13 AM
Williamd000
Member M
Registered: Aug 2001 Location: USA Country: United States State: Certifications: MCP ( Windows 2000 Pro ) and Security+ Working on: CEH, CISSP, MCSA + Security
Total Posts: 55
03-25-03 03:57 PM
117wik
Senior Member M
Registered: Oct 2002 Location: Country: New Zealand (Aotearoa) State: Certifications: MCSE, CCA, CCSE, CCNP, Linux+, Security+, NSA, Cisco Firewall Specialist, CEH, JNCIA-FWV, GCFW Working on: ...
Total Posts: 115
why isn't it 1 ??? If you do 'man in the middle attack' and manage to get the 'message digest' and if it's using some sort of hash algorithm that's well known to others, then you can try to hash it with all sorts of different values until you get the same 'message digest'.
If you do just dictionary attack or brute force how is that going to help if you don't even know what the 'message digest' is like etc??
just my own opinion anyway, am I wrong or??
03-26-03 11:20 PM
RussS
radical dood M

Registered: Sep 2002 Location: Hamilton Country: New Zealand (Aotearoa) State: Certifications: MCP W2K Pro & Server, A+, Net+, NZQA L3 Computing Working on: Security+, MCSA, Linux+
Total Posts: 955
Refer back to my post above for the reasoning and relate it to the question.
What kind of attack are hashed passwords vulnerable to?
One can consider the Man In the Middle as the Attack and the EXPLOIT as the Brute Force Attack, however I am not certain this would be the thrust of that particular question. I think when Tcat passes through he can agree or kick me in the butt .. lol
__________________
Go hard or go home!
03-27-03 12:47 AM
hershal
Junior Member
Registered: Mar 2003 Location: Country: USA State: Certifications: A+, Net+, CIW, MCP, MCSA 2K, MCSE 2K, MCT, Security+ Working on: MCI,MCSE 2003
Total Posts: 13
Number 2:
Man in the middle.
A "Man-in-the-middle" attack is where the attacker interposes himself between two hosts to gain access to their data transmissions. The attacker intercepts data transmitted from a source machine and responds to the data as if it were the destination machine. It then forwards the data to the intended destination and then intercepts and responds to the reply as if it were the original source computer.
The problem is that the password is still hashed. Hashing means that it is encrypted. So the password, even if caught in a man-in-the-middle, does not authenticate the attacker.
The question states "hashed password". Only the password is encrypted. That means that it is a simple process to "guess" (with a dictionary program or brute force) the password.
Last edited by hershal on 03-28-03 at 03:30 PM
03-28-03 02:28 PM
nadeemrafi
Junior Member M
Registered: Jul 2002 Location: Country: Pakistan State: Certifications: MCSE, MCSA, A+ , Security+,Other Working on: CCNA, CISSP, GSEC
Total Posts: 13
As it is clear that the password is hashed, how can the attacker use it even after getting the hashed value, unless he brute-forces the password?
__________________
Knowledge is Power
04-09-03 11:53 AM
Hacker
Moderator

Registered: Nov 2000 Location: USA Country: United States State: Certifications: Working on:
Total Posts: 382
quote: Originally posted by 117wik
why isn't it 1 ???
just my own opinion anyway, am I wrong or??
It cannot be (1) because even if you hijack and retransmit the password, you first have to decode the password in the first place, which is hashed. Using bruteforce takes less effort than to reverse engineer a one-way hash.
__________________
FREE certification support from our many Certified Experts here!
04-11-03 12:14 AM
Tarzanboy
Senior Member
Registered: Mar 2002 Location: Country: United States State: Certifications: A+, N+, Sec+, MCP, MCSA2k, MCSE2k Working on: 70-214, 70-292
Total Posts: 1013
#2
a. Using a dictionary and the same hash function can provide the results to a hash algorithm.
b. Hash algorithms are vulnerable to Birthday attacks, which are a form of Brute Force attack.
Incorrect answers:
#1 Reading a hash does not entail knowing the contents of the hash.
#3 The same key used to encrypt cannot decrypt
#4 Prevents access to the system, not solving/cracking the hash.
Cheers,
TB
04-13-03 03:08 AM
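Added example, not part of any post in this thread: a defender's weak-password audit showing why answer 2 applies to hashed passwords, and what a per-user salt with a slow KDF changes. The account names, passwords, word list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short list of known-weak passwords to screen for.
WEAK_WORDS = ["password", "letmein", "qwerty", "dragon"]
# Constructed accounts: alice and bob share a weak password, carol's is not on the list.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "T7#vq-plum-Radio-91"}
ITERATIONS = 100_000  # illustrative work factor, an assumption of this example


def unsalted_sha256(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def audit_unsalted(stored):
    """Hash each weak word once; the same table matches every account."""
    table = {unsalted_sha256(w): w for w in WEAK_WORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_salted(stored, iterations=ITERATIONS):
    """Per-user salts force every guess to be recomputed for every account."""
    found = {}
    for user, (salt, digest) in stored.items():
        for word in WEAK_WORDS:
            if hmac.compare_digest(salted_pbkdf2(word, salt, iterations), digest):
                found[user] = word
                break
    return found


def build_stores():
    unsalted = {u: unsalted_sha256(p) for u, p in ACCOUNTS.items()}
    salted = {}
    for user, password in ACCOUNTS.items():
        salt = os.urandom(16)  # unique random salt per account
        salted[user] = (salt, salted_pbkdf2(password, salt))
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted, same digest for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("salted, same digest for alice and bob:", salted["alice"][1] == salted["bob"][1])
    print("weak passwords flagged (unsalted):", audit_unsalted(unsalted))
    print("weak passwords flagged (salted):", audit_salted(salted))
```

Both audits flag the shared weak password: salting removes the shared lookup table and the identical digests, and the iteration count raises the cost of each guess, but neither protects a password that is on a word list.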
ExamNotes forum archive