What is an Offline Attack? (Types and Working)


Offline attacks are executed from a location other than the actual PC where the passwords reside or were used. They frequently need total access to that PC so that the system's password file can be copied onto external media. The attacker then transfers the file to another PC to carry out the cracking.

Even though it takes a lot more work, an offline attack is typically easier to execute than an online one and has a greater chance of going unnoticed. An offline attack is an attacker's attempt to extract clear text credentials from a password hash dump. Attackers conduct offline and widespread network attacks using pre-computed hashes from rainbow tables.

Types of Offline Attacks

Offline attacks can be of the following types −

  • Offline Cracking
  • Rainbow Table Attack
  • Mask Attack
  • Dictionary Attacks
  • Brute Force Attacks

Let us discuss each of these offline attacks in detail.

Offline Cracking

Offline Password Cracking is recovering one or more passwords from a password storage file obtained from a target machine. On Windows, this would be the SAM file, whereas, on Linux, it would be the /etc/shadow file.

In most situations, Offline Password Cracking necessitates an attacker gaining administrator/root level capabilities on the system to access the storage mechanism. However, the password hashes might have been retrieved directly from a database via SQL injection, an unencrypted flat text file on a web server, or another vulnerable source.

Offline password cracking is 1000–1,000,000 times quicker than online password cracking. Once the credential store has been retrieved, the cracking itself leaves no trace on the victim's machine.

Rainbow Table Attack

When a password is saved on the system, it is stored as a cryptographic hash rather than in clear text. Because a hash is one-way, an attacker cannot work out the original password from it directly. To get around this, attackers keep and share tables of passwords and their hashes, built from earlier intrusions. This shortens the time it takes them to access the system.

A rainbow table is built by applying the hash function to candidate plain text passwords ahead of time, producing a list of hashes and the plain text forms they correspond to. If an attacker finds a hashed password in a corporate system, they can compare it to the hashes in the rainbow table. Because most of the calculation is completed before the attack, starting an attack is faster and easier than with other approaches.

Mask Attack

This attack is narrow in scope. The guesses in a mask attack are restricted by what is known about the password's structure, such as which positions hold numbers or letters. If a password begins with a number, for example, and the attacker is aware of this, they may tweak the mask to only test passwords that start with numbers. Special characters, character arrangement, frequency of repeated single characters, password length, and other criteria are used to configure the masks. A mask attack aims to eliminate unnecessary candidate characters at each position and so speed up the cracking process.

Dictionary Attacks

Attackers can cycle through existing words in a dictionary instead of guessing random combinations of characters. People frequently use ordinary words in their passwords to make them more memorable, which makes cracking more straightforward. Brute force software may even alter dictionary words to improve success rates. An attacker uses a dictionary attack to test a given password hash against each word in a list of common, well-known passwords. Each word in the list is hashed (with the salt from the password hash to be cracked) and compared to the hash. If the hashes match, the word is either the original password or another password that generates the same hash.
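The effect of a salt on precomputed tables and on dictionary guessing, as described in the two sections above, shown from the defender's side in an added example that is not code from the original page. The plain lookup dictionary is a simplification of a real rainbow table, and the word list, function names and PBKDF2 round count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list standing in for "common, well-known passwords".
COMMON = ["123456", "password", "letmein", "qwerty", "dragon"]
ROUNDS = 200_000  # assumed work factor; tune it to your own hardware

def unsalted_hash(password):
    """Weak storage: fast, unsalted digest. Same password -> same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Hardened storage: per-account random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Built once, before any hash dump exists: this is the precomputation.
PRECOMPUTED = {unsalted_hash(word): word for word in COMMON}

def lookup(stored_hex):
    """Instant answer if the stored value is an unsalted hash of a listed word."""
    return PRECOMPUTED.get(stored_hex)

def shared_password_groups(store):
    """Audit helper: accounts whose stored values are identical, which an
    unsalted store exposes to anyone who reads it."""
    groups = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    users = [("alice", "letmein"), ("bob", "letmein")]  # constructed accounts
    weak = {u: unsalted_hash(p) for u, p in users}
    strong = {u: salted_hash(p)[1].hex() for u, p in users}
    print(lookup(weak["alice"]), shared_password_groups(weak))
    print(lookup(strong["alice"]), shared_password_groups(strong))
```

With a per-account salt, the table built in advance no longer applies, and every guess has to be re-hashed separately for each account at the cost of the slow KDF.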

Brute Force Attacks

A brute force attack involves guessing login information, encryption keys, or locating a hidden web page by trial and error. Attackers try all conceivable combinations in the hopes of making the right guess. These attacks are carried out using excessive force, as the name implies. Although this is an older attack method, it remains efficient and popular among attackers. Breaking a password can take anywhere from a few seconds to several years, depending on its length and complexity.

A brute force attack tries all possible password combinations of a particular character set up to a certain password length. For example, it may try to break an eight-character password drawn from all 95 printable ASCII characters. This means there are 95^8 potential password combinations. An eight-character password would take 210 years to crack using a brute force attack at a pace of 1 million guesses per second.
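The keyspace arithmetic behind the brute force figure above, extended to the masks described in the Mask Attack section, as an added example that is not part of the original page. The placeholders follow hashcat's built-in mask notation (?l, ?u, ?d, ?s, ?a); the function names and the guess rates in the demo are assumptions chosen for illustration.

```python
# Character-set sizes for hashcat-style mask placeholders.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
SECONDS_PER_YEAR = 365 * 24 * 3600

def mask_keyspace(mask):
    """Count the candidates a mask such as '?d?l?l?l' describes.
    A literal character fixes its position and contributes a factor of 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            key = mask[i + 1:i + 2]
            if key == "?":            # '??' is a literal question mark
                pass
            elif key in CHARSETS:
                total *= CHARSETS[key]
            else:
                raise ValueError(f"bad placeholder at position {i} in {mask!r}")
            i += 2
        else:
            i += 1
    return total

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate, in years."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def min_length_for(target_years, charset_size, guesses_per_second):
    """Shortest length whose full keyspace takes at least target_years to search."""
    length = 1
    while years_to_exhaust(charset_size ** length, guesses_per_second) < target_years:
        length += 1
    return length

if __name__ == "__main__":
    full = mask_keyspace("?a" * 8)               # the page's 95^8 case
    shaped = mask_keyspace("?d?l?l?l?l?l?l?l")   # digit followed by 7 lowercase
    print(f"full 8-char keyspace: {full} ({years_to_exhaust(full, 1_000_000):.0f} years)")
    print(f"masked keyspace:      {shaped} ({shaped / 1_000_000 / 3600:.1f} hours)")
    # Assumed rates: the page's 1 million/s and a much faster 10 billion/s.
    for rate in (1_000_000, 10_000_000_000):
        print(rate, "guesses/s -> minimum length for 100 years:",
              min_length_for(100, 95, rate))
```

A password with a predictable shape is only as strong as the mask that describes it, so length requirements should be set against the guess rate the stored hash format allows.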

How Does an Offline Attack Work?

Let us now find out how an offline attack is carried out.

Sniffing on the Network

When you connect to a shared drive to access a file you require, the server must first verify that you have permission to read the file. Over the network, the shared drive will send you a challenge, and you will calculate a new value using your hashed password and the challenge and transmit it back to the server for authorisation. If an attacker can sniff the network and obtain both the challenge and the response, they can take them offline and attempt a password attack.

Shoulder Surfing

Shoulder surfing is a method of stealing passwords by hanging near genuine users and watching them type in their passwords. Attackers simply observe users' keyboards or displays as they log in, and watch for written passwords or mnemonics, for example on an object on their desks. Shoulder surfing is only possible in close proximity to the target.

Dumping Memory Contents

An attacker can dump memory contents, including the SAM file, once they have administrator access to a single server or application. An attacker with administrative privileges can dump this file, exposing the hashes of all local accounts on the system. An attacker can also dump the user table, which may contain password hashes, if they obtain access to a database.


The attacker can access the NTDS file if they obtain domain administrator credentials and access the domain controller. This file contains the hashed passwords for all domain users. This is the worst-case situation for a company and a gold mine for attackers wanting to start offline password attacks.

Social Engineering

Social engineering refers to a non-technical intrusion that takes advantage of human behavior. It usually depends on human interaction, and it occasionally involves duping individuals into violating regular security measures. A social engineer plays a "con game."

An attacker utilising social engineering to break into a network, for example, might try to acquire the trust of someone who is permitted to access the network, then extract information that undermines network security. An attacker can impersonate a user or supervisor to get a user's password. People often try to establish friendly ties with their friends and coworkers. This is where social engineers profit.

Updated on 04-May-2022 13:46:43