CIS 458 Lab 3: Password Cracking

This lab assignment should be done alone. While you may discuss with other students, your work should be your own.

Objective: The purpose of this lab is to gain an understanding of password strength and of the common tools used for offline password attacks.

Grading: Each question in parts 1 and 2 is worth one point. Each question in part 3 is worth two points.


Intro

The program "John the Ripper" is a popular password cracker (it is available for free from www.openwall.com/john if you would like a copy on your own computer). Before using it, you must make a copy of its configuration files, which must be present in the directory you run the program from. On the eos computers the configuration files are located in /usr/local/john-1.8.0-jumbo-1/run/. To copy them into a directory called john, the command to use is "cp -r /usr/local/john-1.8.0-jumbo-1/run/ john". After making this copy, run all commands in this lab from that john directory.

What to turn in: Answers to the questions below.

Follow the steps below, answering the questions as you go:


Part 1: Brute Force Cracking

Download the files part1.txt and part1a.txt. Each file contains salted MD5 password hashes (md5crypt, the format many older Linux systems used for their /etc/shadow entries).

  1. The mode John the Ripper uses for brute force is called "incremental". John stores every password it cracks in a "pot" file, and on later runs it skips any hash that is already in that file. To run John on part1.txt, use the command john --nolog --pot="john.pot" --session=john --incremental=alnum --max-run-time=180 part1.txt. (john --show --pot="john.pot" part1.txt lists the cracked passwords recorded in the pot file.) How many passwords were cracked in 180 seconds? (If all of them were cracked, how long did it take to crack them all?)
  2. If we have prior knowledge of the password format, we can make this process quicker by using a variation of incremental mode that only tries candidates of certain lengths. Specifically, in the john.conf file, edit the [Incremental:Alnum] section (its MinLen and MaxLen settings) so that the alnum mode only checks passwords of length 1 to 5. Now remove the john.pot file, since otherwise John would skip the hashes it has already cracked, and run the same command again. How do your results differ?
  3. Now run the same two commands on part1a.txt instead (removing the john.pot file before each run). Notice that the recovered passwords are the same, but it took less time to recover them. Look closely at the output, in particular the lines John prints when it loads the file. Why did it take less time to recover the passwords this time?
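
The following is an added example, not part of the lab and not code from John the Ripper: a toy version of incremental mode written in Python. It enumerates every candidate over a character set between a minimum and a maximum length, and hashes each candidate once per distinct salt among the loaded hashes, which is the bookkeeping a cracker does when it loads a password file. The hash is a stand-in, hex(md5(salt + password)), rather than the real md5crypt used by the lab files, and the user records are constructed for the example; the names DIGITS, ALNUM, toy_hash, incremental_crack and keyspace are the example's own, not John's.

```python
import hashlib
import itertools
import string
from collections import defaultdict

# Added example (not from the lab, not John's code). Toy "incremental"
# cracker: enumerate charset^[min_len..max_len] and hash each candidate
# once per distinct salt. Stand-in hash: hex(md5(salt + password)); the
# lab's files use md5crypt ($1$salt$...), which is far slower per guess,
# but the salt bookkeeping shown here is the same.

DIGITS = string.digits                            # 10 symbols, like John's Digits mode
ALNUM = string.ascii_lowercase + string.digits    # 36 symbols, like John's Alnum mode


def toy_hash(salt: str, password: str) -> str:
    """Simplified salted hash (assumption: stands in for md5crypt)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    """Build a shadow-like record 'user:salt$hash' for the sample input."""
    return f"{user}:{salt}${toy_hash(salt, password)}"


def load_hashes(lines):
    """Group target hashes by salt: salt -> {hash: user}."""
    by_salt = defaultdict(dict)
    for line in lines:
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        by_salt[salt][digest] = user
    return by_salt


def incremental_crack(lines, charset, min_len=1, max_len=4):
    """Brute-force every candidate of length min_len..max_len over charset.

    Returns (cracked, hashes_computed, candidates_tried). A candidate is
    hashed once per salt that still has uncracked hashes, so the work is
    roughly candidates * distinct salts, not candidates * hashes.
    """
    remaining = {salt: dict(hs) for salt, hs in load_hashes(lines).items()}
    cracked = {}
    hashes_computed = 0
    candidates_tried = 0
    for length in range(min_len, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            if not any(remaining.values()):        # everything cracked: stop early
                return cracked, hashes_computed, candidates_tried
            candidate = "".join(tup)
            candidates_tried += 1
            for salt, targets in remaining.items():
                if not targets:                    # all hashes under this salt done
                    continue
                hashes_computed += 1
                user = targets.pop(toy_hash(salt, candidate), None)
                if user is not None:
                    cracked[user] = candidate
    return cracked, hashes_computed, candidates_tried


def keyspace(charset, min_len, max_len):
    """Number of candidates an exhaustive run over these lengths must try."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


# Constructed sample records (not the lab's part1.txt / part1a.txt):
# the same three passwords, once under three different salts and once
# under a single shared salt.
PART1_LIKE = [
    make_entry("alice", "ab", "7q1"),
    make_entry("bob", "cd", "zz"),
    make_entry("carol", "ef", "a1b2"),
]
PART1A_LIKE = [
    make_entry("alice", "ab", "7q1"),
    make_entry("bob", "ab", "zz"),
    make_entry("carol", "ab", "a1b2"),
]

if __name__ == "__main__":
    for label, lines in (("distinct salts", PART1_LIKE), ("shared salt", PART1A_LIKE)):
        found, work, tried = incremental_crack(lines, ALNUM, 1, 4)
        print(f"{label}: cracked {found}; {tried} candidates; {work} hash computations")
    print("candidates for MaxLen 3:", keyspace(ALNUM, 1, 3), "MaxLen 4:", keyspace(ALNUM, 1, 4))
    print("digits 1-4:", keyspace(DIGITS, 1, 4), "alnum 1-4:", keyspace(ALNUM, 1, 4))
```

Running the two sample files side by side shows the same passwords recovered after the same number of candidates but with a different number of hash computations, and keyspace() shows how the candidate count grows with MaxLen and with the size of the character set; lowering MaxLen to 3 also shows the cost of guessing the length wrong, since carol's four-character password is then never tried.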

Part 2: Using Wordlists

  1. Download the file part2.txt and run John in incremental mode on it (be sure to remove the "=alnum" from the command line, since we edited that mode to try only short passwords; John then falls back to its default incremental mode). Also change the run time to 5 minutes by editing the max-run-time option on the command line to say --max-run-time="300". How many passwords was John able to crack in the new file?
  2. Obviously, incremental mode is not so great for longer or more complex passwords. To make passwords that are based on words easier to crack, John has a wordlist mode. By default it uses the dictionary in password.lst, although other wordlists can be downloaded. The command to use wordlist mode on part2.txt is john --nolog --pot="john.pot" --session="john" --wordlist part2.txt. (If you leave john.pot in place, John skips the hashes it cracked in the previous question; remove it first if you want a fresh count.) Run the command. How long does it take, and how many passwords are found? Explain the difference between these results and those of the previous question.
  3. John is also capable of doing simple transformations on each word in the wordlist, such as capitalising it or appending a digit. These are enabled by adding the --rules option to the command. How do the results from this command (time and number cracked) differ from the previous one? Should someone trying to crack passwords always use --rules with a wordlist? Explain.
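
As an added example (not from the lab and not John's code), here is a toy wordlist mode in Python with a small subset of John's rule language, enough to see what --rules does and what it costs: each rule is a string of commands applied to a word, and rules are tried in order, each against the whole wordlist. The commands implemented are ':' (no change), 'l' (lowercase), 'u' (uppercase), 'c' (capitalise), 'r' (reverse), 'd' (duplicate), '$X' (append X) and '^X' (prepend X); John's real rule language has many more, and the rule sets below are the example's own, not John's defaults. The same mechanism is what a custom rules section such as the myrules section in Part 3 selects. The hash is the stand-in hex(md5(salt + password)), and the wordlist and target records are constructed for the example.

```python
import hashlib

# Added example (not from the lab, not John's code). Toy wordlist mode
# with a subset of John-style rules. Stand-in hash: hex(md5(salt+password))
# instead of the lab's md5crypt; the rule mechanics are what matter here.


def toy_hash(salt: str, password: str) -> str:
    """Simplified salted hash (assumption: stands in for md5crypt)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule string to a word, command by command, left to right."""
    out = word
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass                                   # no-op: try the word as-is
        elif cmd == "l":
            out = out.lower()
        elif cmd == "u":
            out = out.upper()
        elif cmd == "c":
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "r":
            out = out[::-1]
        elif cmd == "d":
            out = out + out
        elif cmd in "$^":                          # next character is the argument
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd!r} needs a character")
            out = out + rule[i] if cmd == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
        i += 1
    return out


def expand(words, rules):
    """Yield (word, rule, candidate) for each rule over the whole wordlist,
    suppressing candidates already produced by an earlier rule."""
    seen = set()
    for rule in rules:
        for word in words:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                yield word, rule, cand


def wordlist_crack(targets, words, rules=(":",)):
    """targets: {user: (salt, digest)}. Returns (cracked, candidates_tried),
    where cracked maps user -> (password, rule that produced it)."""
    remaining = dict(targets)
    cracked = {}
    tried = 0
    for word, rule, cand in expand(words, rules):
        if not remaining:                          # nothing left to crack
            break
        tried += 1
        for user, (salt, digest) in list(remaining.items()):
            if toy_hash(salt, cand) == digest:
                cracked[user] = (cand, rule)
                del remaining[user]
    return cracked, tried


# Constructed sample data (not the lab's password.lst or part2.txt).
WORDLIST = ["password", "letmein", "Summer", "dragon"]
DEFAULT_RULES = [":"]                              # plain wordlist mode
MANGLE_RULES = [":", "l", "c", "$1", "c$1", "lr", "d", "^!"]
TARGETS = {
    "dave": ("q1", toy_hash("q1", "letmein")),     # in the wordlist verbatim
    "erin": ("r2", toy_hash("r2", "Dragon1")),     # needs capitalise + append '1'
    "frank": ("s3", toy_hash("s3", "remmus")),     # needs lowercase + reverse
}

if __name__ == "__main__":
    for label, rules in (("no rules", DEFAULT_RULES), ("with rules", MANGLE_RULES)):
        found, tried = wordlist_crack(TARGETS, WORDLIST, rules)
        print(f"{label}: {tried} candidates tried, cracked {found}")
```

With only the ':' rule the four words are tried once each and only dave's password falls; with the mangling rules the candidate count grows by roughly a factor of the number of rules, and the two passwords that are not dictionary words are found by the rule that reconstructs them. This is the trade-off behind the question of whether to always use --rules: more coverage per word, paid for with proportionally more hashing.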

Part 3: Investigating password strength

  1. We can change the rules John uses to create new candidate passwords from the wordlist. Download rules.conf, which contains a rules section named myrules. Make John use those rules by adding the options --rules=myrules --config=rules.conf to the wordlist command (the --config option makes John read rules.conf in place of john.conf). Use John with these new rules to try to crack more passwords. Are any more found? What are they? Why were these hard to find before?
  2. What effect does character set size have on brute force attacks? Design an experiment (using John with different incremental modes from john.conf, or with modes you design yourself) to find out the difference in security between numeric and alphanumeric passwords. What specifically did you do? What were the results?