Phishing, Password Cracking & Keyloggers
This lesson covers three of the most frequently used attack techniques against end users and authentication systems. Together, they form a complete credential theft pipeline: phishing steals credentials directly through deception; password cracking attacks hashed or encrypted passwords computationally; keyloggers intercept credentials as they are typed.
---
Phishing — Mechanics and Variations
Phishing is a social engineering attack that uses disguised electronic communication (typically email) to trick recipients into revealing sensitive information, clicking malicious links, or downloading malware. The attacker masquerades as a trusted entity.
Step-by-Step Phishing Attack Flow:
- Target Selection: Attacker identifies target (individual, organization, industry sector)
- Research: Gathers information about the target — employer, colleagues, services used (LinkedIn, OSINT)
- Pretext Creation: Constructs a convincing story — urgent security alert, prize notification, invoice, delivery notice
- Infrastructure Setup: Registers lookalike domain (paypa1.com, amazon-security.com), creates fake login page
- Email Crafting: Designs email matching legitimate sender's branding, injects spoofed "From" address
- Delivery: Sends phishing email to target (or thousands of targets in mass phishing)
- Harvest: Victim enters credentials on fake page; attacker receives them in real time
- Exploitation: Uses stolen credentials immediately for account takeover, lateral movement, or sells them
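The "Infrastructure Setup" step above relies on lookalike domains such as paypa1.com and amazon-security.com. The following is an added defender-side example (not part of the lesson): a small classifier that flags such domains against a protected-brand list by folding digit-for-letter substitutions and measuring edit distance. The brand list, the substitution table and the distance threshold of 1 are assumptions for the example.

```python
from __future__ import annotations
import re

# Constructed brand list for the example; a real deployment would use the
# organisation's own protected brand names and registered domains.
PROTECTED_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Digit/symbol-for-letter swaps commonly seen in lookalike registrations (assumed set).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s",
                            "7": "t", "4": "a", "@": "a"})


def normalize_label(label: str) -> str:
    """Fold typical swaps so that 'paypa1' compares equal to 'paypal'."""
    return label.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> tuple[str, str | None]:
    """
    Return ("legitimate", brand), ("lookalike", brand) or ("unrelated", None)
    for a registrable domain such as 'paypa1.com' or 'amazon-security.com'.
    """
    domain = domain.lower().rstrip(".")
    for brand, legit in PROTECTED_BRANDS.items():
        if domain == legit or domain.endswith("." + legit):
            return "legitimate", brand
    # Examine each hyphen/dot separated token of the second-level label, so that
    # a brand name embedded in 'amazon-security' is still caught.
    sld = domain.rsplit(".", 1)[0]
    for brand in PROTECTED_BRANDS:
        for tok in filter(None, re.split(r"[-.]", sld)):
            folded = normalize_label(tok)
            if folded == brand or levenshtein(folded, brand) <= 1:
                return "lookalike", brand
    return "unrelated", None
```

Feeding the registrant's newly observed domains (for example from certificate-transparency or passive-DNS feeds) through classify_domain is a common way to surface the fake login page before the email is ever delivered.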
Types of Phishing:
| Type | Target | Method | Example | Sophistication |
|---|---|---|---|---|
| Mass Phishing | Anyone (random) | Generic bulk emails | "Your account has been compromised" | Low |
| Spear Phishing | Specific individual | Personalized email using researched info | Email appearing to come from colleague | Medium |
| Whaling | C-suite executives (CEO, CFO) | Highly researched attack on high-value target | Fake merger document for CEO | High |
| Clone Phishing | Recent email recipient | Exact copy of legitimate email with malicious link | Cloned IT security newsletter | Medium |
| Smishing | Mobile users | SMS-based phishing | "Your package is delayed. Click here" | Low–Medium |
| Vishing | Phone users | Voice call impersonating authority | "IRS calling about tax debt" | Medium |
| Pharming | All web users | DNS poisoning redirects to fake site | Bank website redirects to clone | High |
Exam Tip: Spear phishing is targeted at specific individuals using personal information. Whaling is spear phishing specifically aimed at high-level executives. Pharming manipulates DNS to redirect users without requiring them to click any link — more dangerous as the URL in the browser may look correct.
---
Password Cracking — Types and Techniques
Password cracking is the process of recovering passwords from stored or transmitted credentials. Attackers crack passwords to gain unauthorized access when direct credential theft (phishing) is not possible.
Why Password Cracking Works:
- Weak passwords: "password123", "123456" appear in billions of breach records
- Unsalted hashes: same password always produces same hash (rainbow table attack)
- MD5 / SHA-1 hashing (obsolete): can be cracked in seconds on modern GPUs
- Password reuse: cracking one service's database reveals passwords for others
Types of Password Cracking:
| Attack Type | Method | Speed | Best Against | Example Tool |
|---|---|---|---|---|
| Dictionary Attack | Tries words from a wordlist file | Very Fast | Common words, simple passwords | Hashcat, John the Ripper |
| Brute Force Attack | Tries every possible combination | Slow (exponential) | Short passwords with known charset | Hashcat, THC-Hydra |
| Hybrid Attack | Dictionary words with added numbers/symbols | Medium | Passwords like "password1!" | Hashcat |
| Rainbow Table Attack | Pre-computed hash lookup table | Instantaneous | Unsalted MD5/SHA-1 hashes | Ophcrack, RainbowCrack |
| Credential Stuffing | Uses previously breached username:password pairs | Fast | Password reuse across services | Sentry MBA, Snipr |
| Pass-the-Hash | Uses NTLM hash directly without cracking | N/A (no cracking) | Windows Active Directory | Mimikatz, PtH toolkit |
| Shoulder Surfing | Physical observation of typing | N/A | In-person scenarios | No tools needed |
Defense Against Password Cracking:
- Strong passwords: 16+ characters, mixed case, numbers, symbols
- Password salting: Adding a unique random value before hashing — defeats rainbow tables
- bcrypt/Argon2id: Purpose-built, slow hashing algorithms designed to resist GPU cracking
- Multi-Factor Authentication: Even if password is cracked, attacker needs second factor
- Account lockout policies: Lock account after N failed attempts
---
Keyloggers — Capturing Keystrokes
A keylogger (keystroke logger) is a tool that records every key pressed on a keyboard, capturing passwords, credit card numbers, messages, and all other typed information without the user's knowledge.
How Keyloggers Work:
- Malware installs itself on victim's device (via phishing, drive-by download, physical access)
- Keylogger hooks into the OS input system at the driver or API level
- Records all keystrokes with timestamps and active window titles
- Periodically sends captured data to attacker via email, FTP, or C2 server
Types of Keyloggers:
| Type | Category | Mechanism | Detection Difficulty | Example |
|---|---|---|---|---|
| API-based | Software | Hooks Windows API (SetWindowsHookEx) | Low–Medium | Many commercial spyware products |
| Kernel-based | Software | Operates at OS kernel level as a driver | High | Rootkit-embedded keyloggers |
| Form Grabber | Software | Intercepts browser form submissions before encryption | High | Zeus banking Trojan |
| Memory Injection | Software | Injects code into browser process memory | Very High | Advanced banking malware |
| Hardware (USB) | Hardware | Physical device between keyboard and PC | Very High (invisible to AV) | KeyGrabber USB, KeyCarbon |
| Acoustic | Hardware | Analyzes sound of keystrokes to deduce keys | High | Research-level attack |
| Electromagnetic | Hardware | Captures keyboard EM emissions | Very High | Tempest attacks (NSA) |
| Optical | Hardware | Camera recording keyboard | Medium (physical placement needed) | CCTV-based attacks |
Exam Tip: Keyloggers are classified as software (API-based, kernel-based, form grabbers) and hardware (physical devices). Hardware keyloggers CANNOT be detected by antivirus software since they are physical. Software keyloggers operating at the kernel level (rootkit keyloggers) are very difficult to detect with standard AV.
---
Study Deep: Phishing, Password Attacks & Keyloggers
- Phishing bypasses all technical controls: You can have the best firewall, IDS, and antivirus — if an employee clicks a convincing phishing link and submits credentials on a fake page, all technical defenses are bypassed. This is why security awareness training is considered the single most important security investment. Annual phishing simulation exercises (KnowBe4, Proofpoint Security Awareness) measurably reduce click rates from 25% to under 5%.
- Have I Been Pwned (HIBP) reveals password exposure: Troy Hunt's database at haveibeenpwned.com contains over 12 billion breached credentials. Organizations and individuals can check if their email/passwords appear in known breaches. Microsoft and Google automatically check if users' passwords appear in breach databases.
- Rainbow table attacks are defeated by salting: A salt is a random string combined with a password before hashing: hash(salt + password). Because each password has a unique salt, pre-computed rainbow tables become useless — the attacker must compute hashes for every possible salt+password combination, making the attack computationally infeasible. Modern password storage uses bcrypt (cost factor adjustable), scrypt, or Argon2id.
- Keyloggers in banking malware: The Zeus banking Trojan (2007) combined keylogging with form grabbing and man-in-the-browser attacks to steal online banking credentials from millions of victims. It caused $100M+ in banking fraud. Its source code was leaked in 2011, spawning dozens of variants (SpyEye, GameOver Zeus).
- Browser password managers reduce keylogger risk: Password managers (Bitwarden, 1Password, LastPass) auto-fill credentials directly into form fields without keyboard input — potentially defeating traditional keystroke keyloggers. However, advanced form grabbers that intercept the browser API call at the point of form submission still capture these credentials.
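The "Unsalted hashes" point in the password-cracking section and the salting note above describe the same mechanism, so one added example (not from the lesson) serves both: a constructed four-entry "rainbow table" of SHA-1 digests recovers an unsalted hash by lookup, the same lookup fails once a per-user salt is mixed in, and a slow memory-hard KDF is used for storage and verification. scrypt from the Python standard library stands in here for the bcrypt/Argon2id named in the text; the cost parameters and the storage string format are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed "rainbow table": precomputed SHA-1 digests of a few common
# passwords, standing in for the multi-gigabyte tables attackers actually use.
COMMON_PASSWORDS = ["password123", "123456", "qwerty", "letmein"]
RAINBOW_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost settings (16 MiB)


def lookup_unsalted(stored_hex: str) -> str | None:
    """Reverse an unsalted SHA-1 hash by table lookup; None if not in the table."""
    return RAINBOW_TABLE.get(stored_hex)


def sha1_salted(salt: bytes, password: str) -> str:
    """hash(salt + password) as written in the text; the salt defeats table lookup."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store with a random per-user salt and a slow KDF. Format: scrypt$<salt>$<key>."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


def demo() -> dict:
    """Contrast the three storage choices for the same weak password."""
    pw = "password123"
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return {
        "unsalted_recovered": lookup_unsalted(hashlib.sha1(pw.encode()).hexdigest()),
        "salted_recovered": lookup_unsalted(sha1_salted(salt_a, pw)),
        "same_pw_same_hash_when_salted": sha1_salted(salt_a, pw) == sha1_salted(salt_b, pw),
        "scrypt_verifies": verify_password(pw, hash_password(pw)),
    }
```

Note that salting alone only removes the precomputation shortcut; the slow KDF is what makes per-password guessing expensive on a GPU, so the two defenses are used together.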