lab1 (pdf)
School: George Washington University. Course: 61C. Subject: Information Systems. Date: Jan 9, 2024. Pages: 3.
Lab 1 - Password Cracking
Objective
The objective of this lab is to introduce you to password cracking, and to demonstrate how devastating weak
passwords can be for a system’s security. Specifically, you’ll be performing both online and offline attacks
using dictionary and brute-force approaches. The result will be the complete compromise of a Linux system.
Background
Password cracking attacks can be broadly classified into two categories: online and offline attacks.
Online Attacks: In an online attack, an attacker attempts to crack passwords of an online system using the same protocol as an authorized user. Online attacks continuously communicate with the victim's system and can therefore be easily logged. As a consequence, online attacks can be more easily detected and blocked than offline attacks.
Offline Attacks: In an offline attack, an attacker acquires the password hashes from a victim's system through another compromise and cracks them offline on their own infrastructure, without further communication with the victim's system. This requires more work by the attacker, but needs little communication with the system under attack.
Ncrack is a powerful password cracking tool capable of launching online password attacks on many different protocols, like SSH and HTTP. You can read more about Ncrack here.
John the Ripper is another powerful password cracking tool capable of launching an offline password attack given a password hash file. You can read more about John the Ripper here.
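As an added illustration of why the Background says online attacks are easy to log and block (this is not part of the lab handout and not Ncrack's code), the Python below scans constructed sshd auth.log lines for a guessing burst from a single source; the log lines, the host name lab1, and the rule of 5 failures within 60 seconds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines (Debian/Ubuntu auth.log style): a burst of guesses from
# one source ending in a successful login, plus one ordinary typo from another host.
SAMPLE_LOG = """\
Jan  9 10:00:01 lab1 sshd[311]: Failed password for student from 172.17.0.1 port 40001 ssh2
Jan  9 10:00:02 lab1 sshd[312]: Failed password for invalid user admin from 172.17.0.1 port 40002 ssh2
Jan  9 10:00:02 lab1 sshd[313]: Failed password for student from 172.17.0.1 port 40003 ssh2
Jan  9 10:00:03 lab1 sshd[314]: Failed password for student from 172.17.0.1 port 40004 ssh2
Jan  9 10:00:04 lab1 sshd[315]: Failed password for student from 172.17.0.1 port 40005 ssh2
Jan  9 10:00:05 lab1 sshd[316]: Accepted password for student from 172.17.0.1 port 40006 ssh2
Jan  9 10:05:00 lab1 sshd[317]: Failed password for student from 10.0.0.7 port 50001 ssh2
Jan  9 10:09:00 lab1 sshd[318]: Accepted publickey for student from 10.0.0.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_events(text, year=2024):
    """Return [(timestamp, result, user, source_ip)] for each sshd auth result line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not password/publickey results are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(text, threshold=5, window_s=60):
    """Map source_ip -> (failures_in_window, burst_followed_by_success).

    A source is flagged once it logs `threshold` failures inside a sliding
    `window_s`-second window (the rule a fail2ban-style blocker applies); the
    flag turns True if that source later logs an accepted login, i.e. a guess
    succeeded and the account's password must be reset.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, result, _user, src in parse_events(text):
        if result == "Failed":
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s]
            recent[src].append(ts)
            if len(recent[src]) >= threshold:
                flagged[src] = (len(recent[src]), False)
        elif src in flagged:
            flagged[src] = (flagged[src][0], True)
    return flagged
```

The same five-failure burst is what a lockout or rate-limiting policy on sshd keys on, which is why the handout's 5-10 minute dictionary run against a real server would normally be cut short.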
Setup
Log in to the Linux VM that you used in the previous tasks.
1. You will be attacking a Docker container created specifically for this lab. This container is called comp3611/password and is installed on your Linux VM. Start this container by typing the following command in a terminal on your Linux VM.
    docker run --detach --name lab1 comp3611/password
2. Install Ncrack and John the Ripper on your Linux VM by typing the following command in the terminal.
    sudo apt-get install ncrack john
3. The docker run command will start the Docker container at the IP address 172.17.0.2. This container has a user called student with the same password as your Linux VM. Ensure that you are able to SSH to this IP address before proceeding to Part 1. Note that you do not have sudo privileges on this container and will not be able to run commands as root.
Part 1 - Online Password Cracking
In this part, you will use Ncrack to gain unauthorized access to the Docker container by cracking weak SSH passwords.
1. As you are already logged into the container with the student account, make a list of all the users on the container by reading the /etc/passwd file. Also, make a list of all the users that have sudo privileges by reading the /etc/group file.
2. With the above knowledge, use Ncrack on your Linux VM to crack the SSH passwords of the sudo users (use -vv to display cracked passwords directly in the terminal). You can use the dictionary at /usr/share/dict/words as your word-list. Take a screenshot of the command and the passwords for the report. Note that you should be able to crack one password, and it may take about 5-10 minutes.
3. Once you have cracked the password for a sudo user, SSH into the Docker container using their credentials. Use their account to acquire the password hashes of all the users on this container. This can be done by using the unshadow command of John the Ripper to combine the /etc/passwd and /etc/shadow files. Install john inside the container, and then type the following command to acquire the password hashes.
    sudo unshadow /etc/passwd /etc/shadow > lin_passwd_docker.txt
4. Move the lin_passwd_docker.txt file to your Linux VM to execute an offline attack.
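The following Python parser is an added example (not code from the handout or from John the Ripper) for the file format produced by unshadow in step 3 above, which is also the input of the extra-credit cracker: it reads each passwd-style line, takes the hash field, and reports which hash algorithm protects each account and whether the account can be attacked offline at all. The sample lines and the HASH_PLACEHOLDER strings are constructed, not real hashes:

```python
import re

# Constructed unshadow output: passwd lines whose second field is the shadow hash.
SAMPLE_FILE = """\
root:$6$abc123XY$HASH_PLACEHOLDER:0:0:root:/root:/bin/bash
student:$y$j9T$saltsalt$HASH_PLACEHOLDER:1000:1000::/home/student:/bin/bash
legacy:$1$oldsalt$HASH_PLACEHOLDER:1001:1001::/home/legacy:/bin/bash
service:*:1002:1002::/srv:/usr/sbin/nologin
guest::1003:1003::/home/guest:/bin/bash
"""

# Modular-crypt prefixes found in /etc/shadow and how an auditor should rate them
# (a weak algorithm means an offline dictionary run finishes much sooner).
ALGORITHMS = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$2b$": ("bcrypt", "strong"),
    "$y$": ("yescrypt", "strong"),
}

def classify_hash(field):
    """Return (algorithm, rating) for one shadow password field."""
    if field == "":
        return ("none", "critical")       # empty field: login needs no password at all
    if field.startswith(("!", "*")):
        return ("locked", "n/a")          # password login disabled for this account
    for prefix, info in ALGORITHMS.items():
        if field.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", "weak")       # traditional DES crypt: 8-char limit, 12-bit salt
    return ("unknown", "review")

def audit(text):
    """Parse unshadow output and return {user: (algorithm, rating)}."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue                      # not a passwd-format line, skip it
        report[parts[0]] = classify_hash(parts[1])
    return report

def offline_targets(text):
    """Accounts whose hash an attacker holding this file would try to crack offline."""
    return sorted(u for u, (alg, _) in audit(text).items() if alg not in ("none", "locked"))
```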
Part 2 - Offline Password Cracking
In this part, you will use John the Ripper to crack the acquired password hashes offline. Before starting the attacks, go over some examples on how to use different modes in john. You will use the following two attack modes: dictionary and brute-force.
1. Dictionary attack: In a dictionary attack, the tool uses a dictionary of words as an input, hashes the words to the same format as the password hashes and then compares the hashes. Note that john auto-detects the hash algorithm to use from the acquired file. Perform a dictionary attack on the password hashes using the same word-list that you used in the online attack. If you crack any passwords, take a screenshot of the command and the passwords for the report.
2. Brute-force attack: In a brute-force attack, the tool tries all possible combinations of the character set to crack the password hashes. Perform a brute-force attack on the password hashes. Note that this attack takes a lot of time to crack all the passwords (in the order of years for strong passwords). You may want to stop the attack after it has executed for 3-4 hours. If you crack any passwords, take a screenshot of the command and the passwords for the report.
If you were unable to crack any passwords using the above modes, re-check the commands that you used. Email the instructor / post on Piazza if the problem persists.
Cleanup
Stop and remove the container by typing the following command in a terminal on your Linux VM.
docker stop lab1 && docker rm lab1
Lab Report
For this lab, each student must submit a report with the following information:
1. Submit the Linux password file that you acquired from the Docker container.
2. Submit all screenshots and the list of cracked passwords. For each password, also mention the attack (online / offline, dictionary / brute-force) used to crack the password.
3. Based on your observations, what recommendations do you have for protecting against online password attacks?
4. Based on your observations, what recommendations do you have for protecting against offline password attacks?
5. Submit the cracker source code and setup instructions if you attempted the extra credit.
Grading
• 25 points - Successfully cracked a sudo user account using an online attack
• 15 points - Successfully acquired the password hashes from the container
• 50 points - Successfully cracked other user accounts using an offline attack
• 10 points - Answers to the remaining questions
Optional Extra Credit - Build your own Password Cracker
Grading - 2.5% added to the final grade
In this part, you MUST implement your own password cracker to crack the Linux password file obtained in Part 1 of the lab. You can use any programming or scripting language you like, but you are not allowed to use or call any existing password cracker source code, API or executable. Your implementation should focus on just the dictionary attack using any dictionary in the same format as /usr/share/dict/words. The cracker must run on your Linux VM, and you MUST also provide a setup.sh shell script for installing your code (inclusive of installing the dependencies). Your password cracker must execute as follows:
    # ./cracker <dictionary_file> <linux_password_file>
    Found passwd for user <username_1>: <password_1>
    Found passwd for user <username_2>: <password_2>