Northeastern University

CS 4740/6740 - Network Security

Lab: Password Cracking

In this lab, you will recover passwords using two different techniques: dictionary attack and precomputation attack. Recovering a password, known as password cracking, can be a devastating attack, especially since most users will reuse the same password on different systems. You will learn to use tools that allow you to crack passwords on both your Windows and Linux machines.

Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).

1. Accessing the Password Hashes

In modern systems you need elevated access, such as root or Administrator, to read the password hashes; you already have that access. First you will dump the Windows LM hashes, then you will copy the Linux password hashes.

  1. Log in to your Windows server and use a browser to download pwdump6 and pscp from http://strawman.nslab/lab6. Save pscp.exe in C:\WINNT\system32, so that it will be in your PATH. You may extract the pwdump6 zip file anywhere you like, but be sure to remember the path for later.

  2. Review the documentation included with pwdump6. In a cmd shell, cd to the directory containing the PwDump.exe binary and run the command to extract your Windows system's user password hashes. Be sure to use your system's hostname instead of localhost. Write the output to a file and then use pscp to copy it to your Linux router.

  3. Log into your Linux router. John the Ripper has already been installed. The configuration file is located at /etc/john/john.conf, and the character set definitions and other supporting files at /usr/share/john.

  4. Use the unshadow program to combine your /etc/passwd and /etc/shadow files. Most of the account information is stored in the world-readable /etc/passwd, but in modern Unix systems the password hashes are kept in /etc/shadow, which only root can read. unshadow writes each account's hash back into the second field of its passwd line, which is the format john expects. Your command line should look something like:

    unshadow /etc/passwd /etc/shadow > router-passwd.txt

  5. Next, prune out the unnecessary lines from both of the password files you just generated. Remove all accounts except those of your team's users and the team/root account.

  6. Obtain two additional sample password files from http://strawman.nslab/lab6/. Be sure to download and save both the Linux password file, and the Windows SAM dump. These files should be saved in a directory of your choice on your Linux router, along with the two password files you created earlier.

2. Dictionary Attack

Use john to run a dictionary attack against all four password files. You may use your Linux system's built-in spellcheck dictionary, located at /usr/share/dict/words, or download a larger wordlist from another source. Either way, observe john's wordlist format: one candidate password per line.

John the Ripper's documentation may be helpful. Refer to /usr/share/doc/john/doc/ for the documentation specific to your version, or simply run john with no arguments for a short description of the command-line options.

If you successfully crack any passwords in the provided password files, record these passwords for your report. If you successfully crack any passwords from the files you generated, record them and have your users change their password to something more secure.
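The unshadow and prune steps of section 1 and the dictionary attack of section 2, written out as an added example (not part of the lab handout and not john's code). Everything in it is constructed: the usernames, the wordlist, and the hash scheme. The salted entries use a stand-in layout "$toy$<salt>$<hex>" with hex = sha256(salt + password), which keeps the "$id$salt$hash" field structure of /etc/shadow but is not the real sha256-crypt ($5$) algorithm; the unsalted targets are plain SHA-1 digests. The point it shows beyond the text is the cost difference: with a salt every candidate has to be rehashed once per account, while an unsalted hash is computed once and checked against every target at the same time.

```python
"""Dictionary attack with simple mangling rules over salted and unsalted
hashes. Constructed example: toy hash scheme, made-up users and wordlist."""
import hashlib

# Constructed mini wordlist, one candidate per line as john expects.
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey", "football"]
# Accounts to keep when pruning the unshadow output (section 1, step 5).
TEAM_ACCOUNTS = {"root", "alice", "bob", "carol"}
# Constructed (user, plaintext, salt) triples used only to build the samples.
SAMPLE_USERS = [("alice", "Dragon7", "Ab3k"), ("bob", "letmein", "Zz01"),
                ("carol", "xq7$Lm2#", "Q9rt")]


def toy_crypt(password, salt):
    """Stand-in salted hash in shadow-style "$id$salt$hash" layout (assumption)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def build_unshadow_sample():
    """unshadow-style output built at runtime: /etc/passwd layout with the hash
    field copied in from /etc/shadow. The attack below never sees the plaintexts."""
    lines = ["root:!:0:0:root:/root:/bin/bash",         # locked: nothing to crack
             "daemon:*:1:1:daemon:/usr/sbin:/bin/sh"]   # system account, no password
    for uid, (user, pw, salt) in enumerate(SAMPLE_USERS, start=1000):
        lines.append(f"{user}:{toy_crypt(pw, salt)}:{uid}:{uid}:{user}:/home/{user}:/bin/bash")
    return "\n".join(lines) + "\n"


def build_unsalted_targets():
    """Map sha1-hex -> user, the shape of an unsalted hash dump."""
    return {hashlib.sha1(pw.encode()).hexdigest(): user for user, pw, _ in SAMPLE_USERS}


def prune(unshadow_text, keep):
    """Section 1, step 5: drop every account that is not in `keep`."""
    return "".join(line + "\n" for line in unshadow_text.splitlines()
                   if line.split(":")[0] in keep)


def parse_entries(unshadow_text):
    """Return (user, salt, hash_field) for every crackable entry. Fields such
    as "*", "!" or "!!" mean the account has no usable password hash."""
    entries = []
    for line in unshadow_text.splitlines():
        user, field = line.split(":")[:2]
        if not field.startswith("$toy$"):
            continue                      # locked, disabled or unknown scheme
        _, _, salt, _ = field.split("$")
        entries.append((user, salt, field))
    return entries


def rules(word):
    """Small subset of john-style wordlist rules: case variants, an appended
    digit, an appended '!', and reversal (35 candidates per word)."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
    yield word + "!"
    yield word[::-1]


def attack_salted(entries, wordlist):
    """Each candidate must be rehashed once per distinct salt.
    Returns (cracked {user: password}, number of hash computations)."""
    cracked, work = {}, 0
    for word in wordlist:
        for cand in rules(word):
            for user, salt, target in entries:
                if user in cracked:
                    continue
                work += 1
                if toy_crypt(cand, salt) == target:
                    cracked[user] = cand
    return cracked, work


def attack_unsalted(targets, wordlist):
    """One hash per candidate is checked against every target at once; the
    same property is what makes precomputed tables possible."""
    cracked, work = {}, 0
    for word in wordlist:
        for cand in rules(word):
            work += 1
            h = hashlib.sha1(cand.encode()).hexdigest()
            if h in targets:
                cracked[targets[h]] = cand
    return cracked, work


def demo():
    """Run both attacks over the constructed samples and return the results."""
    sample = prune(build_unshadow_sample(), TEAM_ACCOUNTS)
    salted, salted_work = attack_salted(parse_entries(sample), WORDLIST)
    unsalted, unsalted_work = attack_unsalted(build_unsalted_targets(), WORDLIST)
    return {"salted": salted, "salted_work": salted_work,
            "unsalted": unsalted, "unsalted_work": unsalted_work}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

alice and bob fall to the wordlist rules in both runs; carol's random password survives, which is the limit of the method that the next section picks up. The salted run performs more hash computations than the unsalted one over the very same candidates, and the gap grows with the number of accounts.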

3. Precomputation Attack

With a good dictionary and some simple permutations, a dictionary attack cracks many typical user passwords. Unfortunately, this method has its limits: even relatively short random passwords defeat it. When dictionary attacks fail, crackers generally resort to a brute-force attack, in which all possible passwords are tried. This takes a great deal of time, and against a slow, salted hash and a reasonably long password it is usually infeasible.

Weaker hashing mechanisms can be brute-forced quickly using pregenerated rainbow tables. Rainbow tables are one implementation of a time-memory tradeoff: the work of hashing the key space is done once, up front, and stored compactly so that later lookups are fast. They are only effective when password hashes are not salted, since a salt would require a separate table for every salt value.

For the next few steps, you will be using RainbowCrack to attack Windows LM hashes. LM is an ideal target: it is unsalted, it uppercases the password, and it hashes each 7-character half of the (padded) 14-character password independently, so a table covering passwords of up to 7 characters recovers both halves of any LM password. Review the online documentation for RainbowCrack and learn how to generate a rainbow table for a chosen character set and password length.

We are providing you with the last Linux release of RainbowCrack, slightly modified so that it compiles on your system. Download it to your Linux machine and unzip it in /usr/local/src. Follow the instructions in the directory you just extracted to compile rainbowcrack. You will use rtgen to generate a rainbow table for all 1 to 6 character LM passwords over the alphanumeric character set. You will likely need to copy the sample character set definition file from /usr/local/src/rainbowcrack-version-src/src/charset.txt to your current directory.

  1. Generating these tables will use a significant amount of disk space. Use df -h to determine which partition has enough room for your tables before you begin. In addition, you should use the following table parameters to keep your table size reasonable:

    rainbow_chain_length=2100,rainbow_chain_count=2000000

    Also note that this may take several hours to complete; rtgen prints periodic status updates as it runs.

  2. Optional. If you need more space, you can add an extra disk to your VM as follows:

    • Turn your Linux machine off.
    • Right-click the Linux VM icon in the main VirtualBox window and choose Settings.
    • In the Storage section, add a hard disk (create a new disk) under the SATA Controller. Keep the default values in the subsequent dialog boxes; this creates an 8GB disk. If you succeeded, NewHardDisk1.vdi appears as part of your machine's storage.
    • Turn on your virtual machine and log in with your credentials.
    • Run cfdisk /dev/sdb as root.
    • Use the menus to create a new primary partition on the disk, accepting the suggested size. The new partition should be named sdb1 and should not be bootable.
    • If that worked and you received no errors, write the partition table. Otherwise, delete all partitions on sdb and start over.
    • Run mkfs.ext4 /dev/sdb1 to format the new partition.
    • Run mkdir -p /mnt/extra as root.
    • Edit the file /etc/fstab as root. Add an entry at the end of the file that looks like:
            /dev/sdb1     /mnt/extra     ext4    defaults   0   0
            
    • Run mount -a as root to mount all the filesystems listed in /etc/fstab.
    • Run chmod 1777 /mnt/extra so that every user can write to the new space (the sticky bit keeps users from deleting each other's files). You can place your rainbow tables in /mnt/extra.

  3. Once the tables are generated, use rtsort to sort your tables. You may want to make a backup copy of your sorted tables.

  4. Use rcrack along with your rainbow tables to attack both your Windows password files. Once again, record any successfully cracked passwords and change your team's passwords if they were cracked.
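The generate / sort / look up procedure above, written out in full for a toy key space as an added example. This is not RainbowCrack's code; the function names rtgen, rtsort and rcrack only mirror the tools' names. The hash is SHA-1 of a lowercase password of 1 to 3 characters, standing in for LM (both are unsalted and deterministic, so one table serves every hash); LM itself needs DES, which is not in the Python standard library. Chain length and chain count are scaled down from the lab's parameters, and the reduction function is my own choice.

```python
"""Toy rainbow table: the time-memory tradeoff behind rtgen / rtsort / rcrack.
Constructed example over lowercase 1-3 character passwords hashed with SHA-1."""
import bisect
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"
MIN_LEN, MAX_LEN = 1, 3
CHAIN_LENGTH = 50              # rtgen's rainbow_chain_length, scaled down
KEYSPACE = sum(len(CHARSET) ** n for n in range(MIN_LEN, MAX_LEN + 1))


def index_to_plain(i):
    """Bijection from [0, KEYSPACE) to a password, shortest lengths first."""
    for n in range(MIN_LEN, MAX_LEN + 1):
        block = len(CHARSET) ** n
        if i < block:
            chars = []
            for _ in range(n):
                i, r = divmod(i, len(CHARSET))
                chars.append(CHARSET[r])
            return "".join(chars)
        i -= block
    raise ValueError("index outside key space")


def H(plain):
    """Stand-in for the LM hash: unsalted, so one table covers every target."""
    return hashlib.sha1(plain.encode()).digest()


def R(digest, position):
    """Reduction function: maps a digest back into the key space. Mixing in the
    chain position is what makes the table a *rainbow* table: two chains only
    merge if they collide at the same position, not anywhere along their length."""
    return index_to_plain((int.from_bytes(digest[:8], "big") + position) % KEYSPACE)


def rtgen(chain_count, seed=1):
    """Build chain_count chains; only (endpoint, start) is stored per chain,
    which is where the memory saving comes from."""
    rng = random.Random(seed)
    table = []
    for _ in range(chain_count):
        start = index_to_plain(rng.randrange(KEYSPACE))
        p = start
        for position in range(CHAIN_LENGTH):
            p = R(H(p), position)
        table.append((p, start))
    return table


def rtsort(table):
    """Sort by endpoint so lookups can binary-search."""
    return sorted(table)


def rcrack(sorted_table, target):
    """Return a plaintext whose hash is target, or None. For each position the
    target could occupy in a chain, regenerate the rest of the chain to its
    endpoint, then walk every chain with that endpoint from its start until the
    hash reappears. False alarms are filtered by the H(q) == target check."""
    ends = [end for end, _ in sorted_table]
    for position in range(CHAIN_LENGTH - 1, -1, -1):
        p = R(target, position)
        for k in range(position + 1, CHAIN_LENGTH):
            p = R(H(p), k)
        i = bisect.bisect_left(ends, p)
        while i < len(ends) and ends[i] == p:
            q = sorted_table[i][1]
            for k in range(CHAIN_LENGTH):
                if H(q) == target:
                    return q
                q = R(H(q), k)
            i += 1
    return None


def coverage(sorted_table, trials=200, seed=7):
    """Fraction of random passwords the table recovers. Expect less than 1:
    chains merge and parts of the key space are never reached, which is why
    the lab's chain count and length are chosen to balance size and coverage."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pw = index_to_plain(rng.randrange(KEYSPACE))
        hits += rcrack(sorted_table, H(pw)) == pw
    return hits / trials


if __name__ == "__main__":
    table = rtsort(rtgen(2000))
    print(f"key space {KEYSPACE}, rows stored {len(table)}, "
          f"coverage {coverage(table):.2f}")
```

With 2000 chains of length 50 the table stores 2000 rows for a key space of 18278 passwords, and a lookup costs at most about CHAIN_LENGTH squared over 2 hash evaluations instead of a full brute force. A salted hash would defeat this outright: H would have to take the salt as well, and a separate table would be needed per salt value.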

Report

For this lab, your team must submit a report with the following information:

  1. Include a copy of the four password files.

  2. Include a list of all passwords that you cracked, where each row should have the username, the password hash, and the cleartext password.

  3. Name at least three reasons why LM hashes are easier to crack than salted SHA-1 hashes.

  4. How do you disable LM hashes from being stored on your Windows machine? Why are LM hashes still available by default?

  5. Suppose a user selects a random, 8 character password from the set of characters [A-Za-z0-9]. The password is stored as an unsalted SHA-1 hash. If an attacker wished to precompute all possible 8 character password hashes of this character set and store the pairs in a simple list, how many megabytes of disk space would this require at a minimum?

    Assume that the passwords are stored as 8-bit ASCII characters and that the pairs of password/hash are separated by a single ASCII character.

Grading

Your grade for this lab will be composed of: