This project is intended to be completed by running a virtual machine that we have prebuilt for you. You can find the details of how to get it up and running HERE. You are welcome to install the virtual machine inside your CS account, or anywhere you have access to a computer that can run VirtualBox. You can also install the software manually on any Linux system you have administrative access to. Note: you cannot run JTR directly inside your CS department account. Those systems run malware detection software that will flag your account as possibly compromised. Either run the VM or run the software directly on your own hardware.
- Learn what makes a password secure
- Gain knowledge of popular password cracking tools
- Gain further intuition regarding the strength of passwords against modern computing power and algorithms.
Passwords are one of the main defenses protecting all personal information online. They help secure your bank accounts, school information, and much more. As computer scientists, it is your responsibility to learn how to store passwords securely and protect the information of those who use your software.
Throughout this project, I will refer to a few important terms. Here are brief explanations of each:
Hash
Storing passwords in plain text is insecure. If someone were to gain access to a password file, they would have all passwords readily available. Therefore, most organizations opt to store a transformed version of each password called a hash. Cryptographic hashes are used to transform the password into something that we can store and compare against later.
A good hashing algorithm takes the original password and transforms it in such a way that the result looks as if it were picked at random from the algorithm's possible outputs. For example, if I used password123 as input to the MD5 hashing algorithm, the output would be 482C811DA5D5B4BC6D497FFA98491E38. This means we can test whether someone knows a password by hashing their entry and comparing it with the saved hash. We can then see that they know the password without storing the password itself, meaning that gaining access to the stored password hashes does not give an attacker access to the system itself.
Salt
Although hashing provides extra security, it is still vulnerable to certain attacks. Online, you can find databases of common passwords with their respective hashes. If a hacker were to steal a password file with hashed versions of each password, they could easily determine the original form of any common passwords.
To combat these databases of passwords and hashes, many organizations use salts along with their hashes. A salt is a random string of characters that is generated each time a new password hash is stored. The salt is appended, prepended, or mixed in with the original password so that two users who chose the same password end up with different hashes. Therefore, a hashed and salted version of password123 would look different from another hashed and salted version of password123.
Brute Force Attack
A brute force attack refers to when a hacker attempts to crack a hashed password by trying every possible combination. They would generate a new input, pass it through the hashing algorithm, then compare it with the target to see if they found a match (just like in the Hash Attack lab).
Dictionary Attack
A dictionary attack refers to when a hacker utilizes a dictionary/wordlist of common passwords to try to crack a hashed password. They may also include wordlist rules, which add variations to each word in the wordlist. These variations might include capitalizing the first letter, replacing a characters with @, or adding a number at the end. For example, a wordlist rule may change password to P@ssword1.
Here is a list of usernames and passwords to use as a hash file (one entry per line):
frank:9f9d51bc70ef21ca5c14f307980a29d8
albert:b8b6718e7b997beaef8354ee1a1375a9
susan:1f0d628aff498776c391d147d3f8d605
shaniqua:a54eb809d56e632a229a27507664b3bd
lafawnda:8b6e10530f75d23c0a0eca4d5671db7d
Try brute forcing the provided hashes with either John the Ripper or Hashcat, both of which are popular password-cracking tools. Here is the documentation for each:
John the Ripper and Hashcat both accept password files formatted like username:hash, with each entry on a different line.
To run John the Ripper for MD5 hashes, use this command:
john --format=raw-md5 <hashfile>
For Hashcat, use this command:
hashcat -m 0 -a 3 --username <hashfile>
Hashcat doesn't recognize username:hash by default, so you have to include the --username flag here.
Let it run for about 30 seconds. You'll notice that it finds the first password almost immediately, but struggles to find the rest. Press Ctrl+C to stop the program.
You can see the results by adding --show to the command (for both tools).
Read this short tutorial (TUTORIAL) on how to create and use your own custom rule lists with JTR and Hashcat.
Now try a dictionary attack. Use the following wordlist:
avengers
assemble
batman
drstrange
ironman
spiderman
superman
thor
wonderwoman
Create some custom rules to add variation to this wordlist and crack the passwords.
To specify a wordlist, use
john --format=raw-md5 --wordlist=<wordlist> <hashfile>
for John the Ripper and
hashcat -m 0 -a 0 --username <hashfile> <wordlist>
for Hashcat. Note that Hashcat's attack mode -a 0 is the dictionary (straight) mode; -a 3 used above is the mask/brute-force mode and would treat the wordlist name as a mask. To apply your custom rules, add --rules=<section> to the John command or -r <rulefile> to the Hashcat command.
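To make the Dictionary Attack section and the rule step above concrete, here is an added Python illustration (not code from the lab, John or Hashcat, and not their rule-file syntax) that expands the lab's wordlist with the three rule kinds the text names, runs the resulting candidates against a constructed username:hash file of raw MD5 values, and reuses the same expansion as a weak-password check; the function names and the sample file are my own.

```python
import hashlib
import itertools

# The lab's wordlist from the page; the rule functions below are an added illustration,
# not the syntax of a John or hashcat rule file.
WORDLIST = ["avengers", "assemble", "batman", "drstrange", "ironman",
            "spiderman", "superman", "thor", "wonderwoman"]
DIGITS = ("",) + tuple("0123456789")

def expand(word):
    """Every combination of the three rule kinds the text describes: capitalize the
    first letter, replace 'a' with '@', append one digit.  'password' -> 'P@ssword1' etc."""
    out = []
    for cap, leet, suffix in itertools.product((False, True), (False, True), DIGITS):
        w = word[:1].upper() + word[1:] if cap else word
        out.append((w.replace("a", "@") if leet else w) + suffix)
    return out

def candidates(wordlist=WORDLIST):
    """Rule-expanded wordlist, de-duplicated (words without an 'a' repeat under 'leet')."""
    return list(dict.fromkeys(c for word in wordlist for c in expand(word)))

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def crack(hashfile_lines, wordlist=WORDLIST):
    """Dictionary attack on raw-MD5 'username:hash' lines (the format both tools read):
    hash each candidate once, then look every stored hash up in that table."""
    table = {md5_hex(c): c for c in candidates(wordlist)}
    found = {}
    for line in hashfile_lines:
        user, _, digest = line.strip().partition(":")
        if digest.lower() in table:
            found[user] = table[digest.lower()]
    return found

def is_weak(password, wordlist=WORDLIST):
    """The defender's use of the same expansion: refuse any password a rule attack reaches."""
    return password in set(candidates(wordlist))

# Constructed sample hash file (not the lab's): two rule-reachable passwords, one beyond them.
SAMPLE_HASHFILE = [f"{u}:{md5_hex(p)}" for u, p in
                   [("alice", "B@tm@n7"), ("bob", "Thor"), ("carol", "correct horse battery")]]
```

Each word yields 44 candidates here (2 x 2 x 11), which is why even a nine-word list with a few rules covers far more than nine guesses.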
Create 4 unique random passwords of increasing difficulty (easy, medium, hard, and a 16-character random alphanumeric string). Hash each password twice, each time with a different salt. Put the resulting 8 hashes in a file and try to crack them using John the Ripper or Hashcat. Make sure they are in normal Linux password file format, e.g. $1$qsxI/VDi$ueW5zV5V5zj9CjwjyaR3f1 (the $1$ prefix means md5crypt, followed by the salt and then the hash, separated by $). Make sure that you understand any new configuration your password cracking program needs to crack hashes in this format.
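To see what the $1$salt$hash format above actually contains, and to demonstrate the Salt section's point that one password hashed under two salts gives two different hashes, here is an added md5crypt implementation in Python (not part of the lab, John or Hashcat); the function names and the optional cross-check against Python's crypt module are my own choices.

```python
import hashlib, hmac, secrets
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet

def _to64(value, count):  # `count` chars, low 6 bits first (crypt(3) convention)
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt):
    """FreeBSD md5crypt: '$1$<salt>$<22 chars>', salt of up to 8 chars from ITOA64."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):   # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:                              # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # key stretching: 1000 dependent rounds
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(salt)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""                              # crypt's fixed byte permutation, then encode
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

def new_salt():  # fresh random salt, so two hashes of one password never match
    return "".join(secrets.choice(ITOA64) for _ in range(8))

def verify(password, stored):  # re-hash with the embedded salt; constant-time compare
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(md5crypt(password, salt), stored)

def matches_system_crypt(password, salt):
    """Cross-check against libc crypt(3) through Python's crypt module (removed in 3.13);
    None when the module or the $1$ method is unavailable, else True/False."""
    try:
        import crypt
    except ImportError:
        return None
    ref = crypt.crypt(password, "$1$" + salt)
    return ref == md5crypt(password, salt) if ref and ref.startswith("$1$") else None
```

Calling md5crypt("yourpassword", new_salt()) twice gives the two differently salted entries the step asks for; the cracker must redo all 1000 rounds per guess per salt, which is the slowdown you should measure.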
Write about your experience. Were you able to crack them all? Which ones (if any) were you not able to crack? What effect does a new salt have on your hash and password guessing? Include your hashes and passwords in your writeup.
Here are some resources to help you generate password hashes:
- DES and MD5
- Manually Generate Password for etc/shadow
frank:
albert:
susan:
shaniqua:
lafawnda:
c/s or H/s measurement from your experiments).
Submit a pdf report to LearningSuite with the following:
- A summary of the project, the goal and the steps you took. Include enough detail that I could understand what the purposes of this project were, what steps you took and what your results were. The goal is that you will be able to go back, 2 years from now, and read this report to help you remember everything you did. You'll be telling a coworker "Hold on a second - I did a project 2 years ago using JTR cracking passwords - let me go back, read my report and refresh my memory how it works!"
- Your results and answers related to cracking your own hashes
- Your answers to the 7 questions
- Your custom rule(s) and an explanation of what they do
- Of course, like always, you need your name, the class, the date, etc on your report. Would graphs help anywhere on this report? Useful tables? Make it easy for me, and future you to understand.
- Special thanks to Joshua Esplin for his work to prepare this material and the virtual machine environment for this lab.