CS3801 Lab - Password Cracking Solution

Introduction to Password Cracking
In class, we learned how the operating system stores passwords as hashes. Although cryptographic hashing is a one-way function, poorly chosen passwords, weak salting, and restrictive password policies can often lead to an attacker cracking the hash by calculating and comparing hashes against potential passwords.
Password Audit
A private company asked you to audit their password policies as a network penetration tester. After meeting with the CISO, he tells you his business has been under attack, and they believe weak passwords have enabled the attack. He permits you to audit his password policy. You ask for any documentation regarding the password policy and are provided with the emails below, and a list of hashed passwords. He asks if you can crack them.






John The Ripper Toolkit
John the Ripper (JTR) is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS. [1] We will use it today to examine weak password schemes.
To run John, you need to supply it with a file of hashes (here shadow) and optionally specify a cracking mode or a list of potential passwords (foo.txt) to check. On your lab workstations, you will need to provide it the full path to execute.
john -wordlist=foo.txt shadow.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts
Cost 1 (iteration count) is 5000 for all loaded hashes Press ’q’ or Ctrl-C to abort, almost any other key for status
letmein (root)
Hints
1. It will probably benefit you to create your new dictionary files. You are welcome to write scriptsto automate building your new dictionaries. For example, this would produce a new file containing passwords where the letter a has been replaced with a 4.

2. Password salts are used to introduce complexity into password cracking. Is there anything younotice about salts in the data set given to you by the CISO?
Lab Deliverables
1. Your lab report containing an overview, methodology, and results sections. You must discuss what passwords you were able to crack, why and o↵er insight on how the CISO could safeguard passwords better in the future. Consider salting, hashing algorithms, and policies in your response.
2. A list of the passwords your team cracked.
Extra Credit (+10)
The group with the most cracked passwords. - To be eligible for this, your group must submit your cracked passwords via Canvas within before the end of class.
References