Labs on Passwords
Table of Contents
1 Educational Objectives
Objectives: To help you gauge the level of security offered by the typical password systems. The goal is to crack as many passwords as possible in the inputs described below. This can take hours on fast laptops/ desktops in 2017, if you do not take advantage of multiple cores or GPU. Our goal in cloud computing is to crack as fast as possible.
Students should be able to
- Recognize the limitations of the typical password schemes
- Sketch the cracking algorithms, and use cracking tools
2 Background: Required Reading
- Password Cracking Ideas
- Some Well Known Cracking Tools
- ./Word-Lists and Hash-Dumps
- The following are readily available "word lists" in the context of choosing good passwords. This is obviously not an exhaustive list. Note also that some files are populated at multiple sites.
- https://github.com/danielmiessler/SecLists/ is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. It includes a collection of password lists. It includes the RockYou lists.
/usr/share/wordlists/*
of the Kali Linux distribution.- http://contest-2010.korelogic.com/wordlists.html wordlists used in "Crack Me If You Can" contest of DEFCON 2010.
- https://wiki.skullsecurity.org/Passwords Passwords that were leaked or stolen from sites.
- http://gdataonline.com/downloads/
- http://www.justpain.com/ut_maps/wordlists/
- http://weakpass.com/lists
- http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.php
3 Lab: Cracking Specific Password Hashes
3.1 SubLab #1 Crack the Three User Names and Passwords
- MD5 examples shown from machine M1 in the
/etc/shadow
file format. Just three entries.student:$1$l67ia9iK$x80ABcEExHYMVpMx.Bls5.:13749:0:99999:7::: jsmith:$1$Y4.kjoQ2$GIuEZcnQVPYi7RPWrQRTE.:14036:0:99999:7::: jtripper:$1$WH2SxqnX$rL0J6JYshB3wl6yBm90Bd1:13887:0:99999:7:::
- Crack the passwords of student, jsmith, and jtripper.
3.2 SubLab #2 Example #2 from a Real Linux Machine Setup
- ./Linux/etc/830-2009-shadow.txt file is taken from lab accounts from a previous term. Uses salted MD5. User names are of the form CEG830nn.
- Crack the passwords of CEG830nn.
3.3 SubLab #3 Example #3: SHA512 Password Hashes
- Since MD5 is considered "broken", Linux distributions have moved to
using salted SHA512 password hashes (crypt id 6, i.e.,
$6$
), which are several orders of magnitude more difficult to brute-force or generate rainbow tables for. Example lines from machine M2:root:$6$vPVevCXV$Pj2yIpQhprsMifm7i4X7F6IioqAQxJCyrhNjH4zK0fGYUc2gWjGJjobIwRp7wT5spTlLEywDW0ySmgB0XkVBs/:15401:0:99999:7::: ceg442091:$6$03bKILGu$pgsg2fOTpYyhcPGSaJZfbVEFPgyle5YtGR1wY2ChuxSv7C4lEfdES26qAXa9UHqt04ap5v0AXF0DuWMXdeaWY0:15295:0:99999:7::: ceg235013:$6$T6Yj4GYP$MjioJv3VqkU5WOx5gruV2fSHgitkSHMLvSx5M.KL5JCDsVIVKqf3uo0DGTV.CLar0dW4eV5VYTzbfSi9rA1g8/:15398:0:99999:7:::
- The lines below are the same as above but split into muliple lines
for readability:
root:$6$vPVevCXV$Pj2yIpQhprsMifm7i4X7F6IioqAQxJCyrhNjH4zK0fG YUc2gWjGJjobIwRp7wT5spTlLEywDW0ySmgB0XkVBs/:15401:0:99999:7::: ceg442091:$6$03bKILGu$pgsg2fOTpYyhcPGSaJZfbVEFPgyle5YtGR1wY2Ch uxSv7C4lEfdES26qAXa9UHqt04ap5v0AXF0DuWMXdeaWY0:15295:0:99999:7::: ceg235013:$6$T6Yj4GYP$MjioJv3VqkU5WOx5gruV2fSHgitkSHMLvSx5M.KL5JCDs VIVKqf3uo0DGTV.CLar0dW4eV5VYTzbfSi9rA1g8/:15398:0:99999:7:::
- Crack the passwords of root, ceg442091, ceg235013.
4 Lab: Password Cracking Locally
- Crack the encoded passwords of (i) /etc/shadow file, taken from our OSIS Lab accounts from a previous term, (ii) MD5 examples shown from machine M1 and (iii) SHA512 examples shown from machine M2. See how many pass words the two programs can crack and how fast. This can take hours.
- You may want to construct your own examples of the passwd and shadow files, where you know the passwords you used.
- Tabulate the results.
- Design a password that is not crackable by any of the tools (at least the two you used).
- Record how many pass words can be cracked and how fast. Try (i) John the Ripper and (ii) one other of your own choice.
5 Lab: Password Cracking Using Cloud Services
Objectives: Gauge the computational power of your (i) Android device versus (ii) laptop/desktop versus (iii) cloud computing. Consider the following Java programs. Build/ revise them so that they are usable on (i), (ii) and (iii).
- http://blog.nullmode.com/blog/2015/03/22/36-core-aws-john/ "To get hashcat and john up and running with multi-core is a little fiddly (it’s not download and crack) …"
- https://hashcat.net/hashcat/
- Past collections of broken password databases
- http://blog.nullmode.com/blog/2015/03/22/36-core-aws-john/ "To get hashcat and john up and running with multi-core is a little fiddly (it’s not download and crack) …"
- https://hashcat.net/hashcat/
- http://blog.nullmode.com/blog/2015/03/22/36-core-aws-john/ 2015 Password Cracking With Amazon Web Services
6 Lab: Password Rainbow Tables
6.1 Objectives
To help you gauge the computational power of your (i) Android device, versus (ii) laptop/desktop, versus (iii) cloud computing. Consider the following Java programs. Build/ revise them so that they are usable on (i), (ii) and (iii).
6.2 Background
- Required Reading: ./rainbow-tables.html
- There are many free or commercial collections of rainbow tables.
- We wish to build our own both to gain experience and to specialize the table.
- We should have an understanding of these tables. I find many explanations unsatisfactory, including the Wikipedia one. http://kestas.kuliukas.com/RainbowTables/ is a better explanation among what I have seen. Yet, its diagrams, and sentences are misleading.
6.3 Programs
- https://github.com/lakka/MD5Crack This Java program "cracks MD5-hashes and generates rainbow tables. The program also has a hash table implementation." TBD sloccount
6.4 Task
- Build a rainbow table for a word list of your choice.
7 Lab: Design an Uncrackable Password
- Design a password that is not crackable. Do your best. Defend your design.