Lab: Password Cracking
In this lab, you will recover passwords using two different techniques: dictionary attack and precomputation attack. Recovering a password, known as password cracking, can be a devastating attack, especially since most users will reuse the same password on different systems. You will learn to use tools that allow you to crack passwords on both your Windows and Linux machines.
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late result in 25% penalty)
1. Accessing the Password Hashes
In modern systems, you need elevated access, such as root or Administrator, to read the password hashes. You already have the appropriate access. First you will dump the Windows LM hash passwords, then you will copy the Linux passwords.
Log in to your Windows server and use a browser to download pscp and pwdump6-1.7.2-exe-only.zip from http://strawman-fedora.nslab.ccs.neu.edu/labs/lab4/. Save pscp in C:\WINNT\system32, so that it will be in your PATH. You may extract pwdump6-1.7.2-exe-only.zip anywhere you like, but be sure to remember the path for later.
Review the documentation included with pwdump6. In a command prompt, cd to the directory containing the PwDump.exe binary and run the command to extract your Windows system's user password hashes. Be sure to use your system's hostname instead of localhost. Write the output to a file and then use pscp to copy it to your Linux router.
Log into your Linux router and use the unshadow command (which comes with John the Ripper) to combine your /etc/passwd and /etc/shadow files. Most of the account information is stored in /etc/passwd, but in modern Unix systems the password hashes are stored in the protected file /etc/shadow. Your command line should look something like:
unshadow /etc/passwd /etc/shadow > router-passwd.txt
Next, prune out the unnecessary lines from both of the password files you just generated. Remove all accounts except those of your team's users and the Administrator/root users.
Obtain two additional sample password files from http://strawman-fedora.nslab.ccs.neu.edu/labs/lab4/. Be sure to download and save both the Linux password file, and the Windows SAM dump. These files should be saved in a directory of your choice on your Linux router, along with the two password files you created earlier.
2. Dictionary Attack
Use john to execute a dictionary attack against all four password files. In order to do this, you may use your Linux system's built-in spellcheck dictionary, located at /usr/share/dict/words, or you may download a larger dictionary from some other source. Just be sure to observe the dictionary format requirements.
The John the Ripper documentation may be helpful. Please refer to /usr/share/doc/john-1.6/ for documentation specific to your version, or simply type john at the command line and press enter for a short description of command line options.
If you successfully crack any passwords in the provided password files, record these passwords for your report. If you successfully crack any passwords from the files you generated, record them and have your users change their password to something more secure.
3. Precomputation Attack
With a good dictionary and some simple permutations, a dictionary attack can crack many typical user passwords. Unfortunately, this method has its limits. Even relatively short random passwords can thwart it. When dictionary attacks fail, crackers will generally resort to brute-force attacks, where all possible passwords are tried. This can take a great deal of time. Against good hashing mechanisms, it is usually infeasible.
Weaker hashing mechanisms can be quickly brute-forced using pregenerated rainbow tables. Rainbow tables are one implementation of a time-memory tradeoff used to greatly speed up password cracking. They are particularly effective when password hashes are not salted, because one table then serves against every account that uses the same hash function.
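An added illustration, not part of this handout or of RainbowCrack, of why a precomputed table works against unsalted hashes and fails against salted ones. The three-letter alphabet, the toy SHA-1 scheme and the password "cab" are constructed for the demo.

```python
import hashlib
import itertools
import os

# Constructed toy parameters: a 3-letter alphabet and passwords of length 1..3,
# small enough to precompute exhaustively (the lab's rtgen tables cover far more).
ALPHABET = "abc"
MAX_LEN = 3

def unsalted_hash(password: str) -> str:
    """Unsalted digest: the same password always yields the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(salt: bytes, password: str) -> str:
    """Salted digest: the hash depends on a per-account random salt as well."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def candidates():
    """Every password over ALPHABET with length 1..MAX_LEN."""
    for n in range(1, MAX_LEN + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)

def build_table():
    """Precompute hash -> password once for the unsalted scheme (memory spent up front, no work at lookup)."""
    return {unsalted_hash(pw): pw for pw in candidates()}

def lookup(table, stored_hash):
    """Recover a password from a stored hash with one dictionary lookup, or None if absent."""
    return table.get(stored_hash)

def table_entries(alphabet_size, max_len, salt_bits=0):
    """Pairs a complete precomputed table needs: every candidate, once per possible salt value."""
    n_candidates = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return n_candidates * (2 ** salt_bits)

def demo():
    table = build_table()
    # A constructed "stolen" unsalted hash of "cab" is found instantly.
    unsalted_hit = lookup(table, unsalted_hash("cab"))
    # The same password stored with a random salt misses: the table was built without that salt.
    salt = os.urandom(8)
    salted_hit = lookup(table, salted_hash(salt, "cab"))
    return unsalted_hit, salted_hit

if __name__ == "__main__":
    print(demo())                                   # ('cab', None)
    print(table_entries(3, 3), table_entries(3, 3, salt_bits=8))  # 39 9984
```

Each extra salt bit doubles the table the attacker must store, which is the defender's reason for salting even when the underlying hash function is strong.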
For the next few steps, you will be using RainbowCrack to attack Windows LM hashes. Review the online documentation for RainbowCrack, and learn how to generate a rainbow table based on a desired character set and password length.
You need to download the Linux version from RainbowCrack.
You need to unzip it in /usr/local/src.
You will use rtgen to generate a rainbow table for all 1 to 6 character LM passwords using the character set. You will likely need to copy the sample character set configuration file from your current directory.
Generating these tables will use a significant amount of disk space. Use df -h to determine which partition has enough room for your tables before you begin. In addition, you should use the following table parameters to keep your table size reasonable:
Also note that this may take as long as an hour or two to complete. rtgen will print periodic status updates as it runs.
Once the tables are generated, use rtsort to sort your tables. You may want to make a backup copy of your sorted tables.
Use rcrack along with your rainbow tables to attack both of your Windows password files. Once again, record any successfully cracked passwords and change your team's passwords if they were cracked.
For this lab, your team must submit a report with the following information:
Include a copy of the four password files.
Include a list of all passwords that you cracked, where each row should have the username, the password hash, and the cleartext password.
Name at least three reasons why LM hashes are easier to crack than salted SHA-1 hashes.
How do you disable LM hashes from being stored on your Windows machine? Why are LM hashes still available by default?
Suppose a user selects a random, 8 character password from the set of characters [A-Za-z0-9]. The password is stored as an unsalted SHA-1 hash. If an attacker wished to precompute all possible 8 character password hashes of this character set and store the pairs in a simple list, how many megabytes of disk space would this require at a minimum? Assume that the passwords are stored as 8-bit ASCII characters and that the pairs of password/hash are separated by a single ASCII character.
Your grade for this lab will be composed of:
30% - Copy of the four password files.
40% - Cracked the expected passwords.
30% - Answered the rest of the questions.