The first step? Port the successfully cracked password to your list of password logins. Generally speaking, the longer the password and the more characters it contains, the harder it is for someone to crack. Clearly, our password, which is only 5 characters long, will not be a problem, but what about our password "!ga23wid", which is only 9 characters long?
This password is rather easy, so it shouldn't really be taking too much CPU time to crack. A few minutes later, we have cracked and successfully copied the password. And thankfully, we were right about our cracker not taking too much time. It only takes 3 seconds to crack our crackable password.
The cracker is now fully aware of our password list and will quickly check as many passwords as possible to find the password dictionary file. There is no telling how many hours this can take, but for our purposes it will only be between 5 and 45 minutes (it is estimated that each password takes 40 seconds to crack).
We have cracked the password with a bit of a linear time overhead but are rapidly decreasing that through brute-forcing. What does this mean? If we take a crackable password that's 45 characters long and have 20 minutes and 3 seconds to crack it, we'll be able to crack through it in less than 20 hours. I don't think that's too bad, really.
At the covert channel stage, we've captured and replicated the ACKs, but we don't know much about the padding of the frames. Therefore, we'll use a packet injection tool to fill the frame with a known packet. In this case, we'll inject a ping. The ICMP packet will have a zero and a one for the length.
Let's see if we can find a really good one. We've already had two in the last 24 hours, and it's only evening out. We should still be able to find a good password before 24 hours have passed, at which point it will be a day. If that happens, we can start getting more confident in how powerful this method is. For now, let's just graph what this is doing.