CS 450/650 Fundamentals of Integrated Computer Security

Fall 2013

Lab 2 : Password Cracking

Due on Thursday, Oct 24 at 1:00 pm


In this lab you will use a tool called "John the Ripper" to crack the passwords stored in a file. They were obtained from a Unix computer. Unix stores hashes of all its accounts' passwords in a single file. On old systems the file was /etc/passwd; on new ones it is /etc/shadow instead. The passwords themselves are never stored, but gaining their hashes is a matter of copying the containing file. Given the file, an attacker can try at his leisure to figure out what the original passwords were. That's what John the Ripper does. It has three techniques that you will use in this lab: dictionary attack, hybrid attack, and combination attack. There are John the Ripper versions for linux and Windows.

1. Install needed software and files

If John the Ripper is not already on the system, download it from http://www.openwall.com/john/.

Save the file holding the passwords to your disk. Its name is "crack-these-please.zip". Save it to disk and place it in the same folder as the john the ripper. Unzip it, to yeild a file named "crack-these-please". This file contains passwords for 50 users, with names crack01 through crack50. The passwords are various, some chosen to be simple and easy and others complex and hard.

2. Executing a dictionary attack

John the Ripper is a command line tool.

A dictionary attack uses a word database, and tries it repeatedly. John the Ripper has this capability. Enter dir and see that there is a file called password.lst. Dump the file's contents to the screen by giving the command:

more  password.lst

Press the spacebar, or hold it down, to make the display advance to the end of the file. You see that it is a list of potential passwords. There are about 3000 of them. You can order a wordlist of 40 million. Enter the following command to launch a dictionary attack:

john-386 -w:password.lst  crack-these-please

Note how many of the 50 passwords it was able to crack, what they are, and the time it took. John has created a list of solved passwords called john.pot. Dump to the screen by executing the command:

more john.pot

You see the same passwords you did before. But previously they were displayed along with the users who own them, now with their hashed versions. The hashed versions were the input to John's process; it is they that got cracked.

3. Executing a hybrid attack

A hybrid attack checks for variations of a word or a combination of dictionary words. Launch a hybrid attack by executing:

john-386  -w:password.lst   -rules  crack-these-please

Note the passwords it was able to crack and the time it took. How many more passwords did the hybrid attack crack?

4. Executing a combination attack

In default usage John the Ripper executes dictionary, hybrid, and bruteforce attacks in combination. Launch a combination attack by executing:

john-386   crack-these-please

While john is working, examine the CPU utilization of your computer.

Let John run long enough to do some more cracking. Note the time it took and how many additional passwords it was able to crack. Also note what the passwords are. The "simpler" ones should have been cracked in the earlier attempts, and these should be "less simple." What proportion of the cracked passwords could be found in the dictionary? How about a foreign language dictionary? How many of the cracked passwords contain varied combinations of letters, symbols, numerals, and case? Do the cracked passwords tend to be long or short?

Getting all the passwords could take forever, so if it is taking too long, you can hit CTRL-C to stop the run.

5. Create your own linux password file and try to crack it

In a linux system where you have root access add the following users.

At the command prompt, execute:

useradd user1

At the next command prompt, execute:

passwd user1

You will be prompted for a password. Enter hello as the password. You will be given a message saying the password is a weak password, but you will be allowed to use it because you are user root (who has special privileges). Reenter the password when prompted. Create the following additional users with these corresponding passwords:















Further, add some more of your own. Choose whatever you like. It would be interesting to test some passwords you actually use in the world to see whether they're weak or strong. Test your real-world passwords with John-the-Ripper at your own system . The passwords you have entered are in /etc/shadow. You can copy the file to your working directory to crack the passwords.

The assignment:

1. When applied to the file crack-these-please, how many of its 50 passwords were cracked at each phase:

    a. dictionary attack solved __________ of the passwords

    b. hybrid attack solved __________ of the passwords

    c. combination attack solved __________ of the passwords

    d.  __________ of the passwords were never solved within the time spent

2. The password-holding file is /etc/shadow for linux. Where are passwords stored for Windows Systems?

3. Use the Mandylion "Brute Force Attack Estimator" Excel spreadsheet (slightly modified version). Suppose you want a password that requires the rest of your life for a PC to crack. You have 50 years to live. How many days (live each to the fullest) is that? In the spreadsheet, consider passwords consisting of numerals ("Numbers") only.

a) the length of the numbers-only password that requires at least 50 years to crack, according to the spreadsheet, is _________ characters?

b) account for Moore's law. It says computing power doubles every 2 years. The spreadsheet is created on 2002. It reflects the computing power of 8 years ago . For today, you need to multiply its computing power assumptions with 2^4. Do so by entering 16 as the "Special factor" in cell G1 (which is applied in the "computing power" cell, E24, as a multiplier). Thus, with today's computing power, the length of the password that requires at least the rest of your life to crack is __________ characters.

c) account for Moore's law's continued operation. If Moore's law doesn't stop, today's isn't the right computing power for the upcoming 50 years' calculations. Assumuing on average (less near term, more far term) that computing power is 2.5 million times today's (approximately). With that as your future computing power, the length of the password that requires at least 50 years to crack is now __________ characters. (Multipy the current special factor by yet a further 2.5x10^6) 

d) if you now allow mixed random characters (spreadsheet's "PURELY Random Combo of Alpha/Numeric/Special") instead of confining your password to numerals only you should be able to use a shorter password with equal effect. The shortest "mixed character" password that'll last 50 years is __________ characters.

Acknowledgement: The assignment is modified from David Morgan.

What to turn in: A softcopy of your solutions (could be a scanned version of the hard copy of the solutions) to be uploaded to WebCT.