# 3 Password Audits

Class Lab 8-3 Password Audits

COUNTERMEASURES AGAINST CYBERATTACKS

**ASYMMETRIC CRYPTOGRAPHY**

***INTRODUCTION TO PASSWORD AUDITING LAB***

**Lab Description:** This laboratory exercise will provide some hands-on experience with password strength analysis using command-line tools in Linux. Password creation involves hashing, which is explored as well.

**Lab Environment:** This **Partner** Lab uses Kali Live from the bootable Thumbdrives

#### **ENVIRONMENT SETUP** <a href="#id-4pl7kglhyj3b" id="id-4pl7kglhyj3b"></a>

On one of your PCs, plug the thumbdrive into the USB port. Reboot the computer and press F10 as the Intel NUC screen appears.

* Select UEFI Vendor Product Code
* Then select “Live Kali (amd64)” to boot to Kali

**EXERCISE 1: INTRODUCTION TO PASSWORD AUDITING**

On Linux systems, user accounts are stored in the **/etc/passwd** file (world-readable text file) and passwords are hashed and stored in **/etc/shadow** (a text file only readable by root). You have administrative (root) access on your Kali virtual machine – go ahead and “cat” those files to see what they look like.

**$ sudo su -**

**# cat /etc/passwd**

![](https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FeZOX6ZYqWzyKMGk3uQb4%2F0?alt=media)

**# cat /etc/shadow**

Take a look at the kali entry (that’s who you are logged on as) and you can see the hashed password. (The picture shows a user named student; you can use “grep kali” instead.)

![](https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FVt9DfqfOTR7jMbQbhElY%2F1?alt=media)

Note: Explore [https://en.wikipedia.org/wiki/Passwd](https://en.wikipedia.org/wiki/Passwd). You’ll notice that the hashed passwords are stored in the shadow file, which is only readable by users with administrative privileges (that’s why you had to type in “**sudo su -**” first). On Windows systems, hashed passwords are found in the Security Account Manager (SAM) database file found in **c:\windows\system32\config**. This file is not a simple text file – you need special tools to read it. Because of that, we will work in Linux to understand password creation and strength.
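As an added example (not part of the lab, and not a John the Ripper component), the following parses /etc/shadow-style lines the way an auditor reads them before running a cracker: which accounts are locked, which have no password at all, and which hashing scheme and salt each active hash uses. The sample lines, salts and hashes are constructed placeholders.

```python
# Added example (not the lab's code): parse /etc/shadow lines the way an auditor
# reads them before running John. Salts and hashes are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional, Tuple
# crypt(3) scheme id sitting between the first two '$' of a modular-format hash.
HASH_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]  # None when there is no hash at all
    salt: Optional[str]
    locked: bool           # second field starts with '!' or '*': login disabled
    empty: bool            # second field empty: no password required

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split the 9 colon-separated fields; only user and hash matter here."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, None, None, locked=False, empty=True)
    if pw[0] in "!*":
        return ShadowEntry(user, None, None, locked=True, empty=False)
    parts = pw.split("$")  # "$id$[rounds=N$]salt$hash" -> ["", id, ..., salt, hash]
    if len(parts) < 4 or parts[0] != "":
        return ShadowEntry(user, "unknown", None, locked=False, empty=False)
    return ShadowEntry(user, HASH_SCHEMES.get(parts[1], "unknown"), parts[-2], False, False)

def crackable_accounts(lines: List[str]) -> List[ShadowEntry]:
    """Accounts a cracker could actually work on: active and carrying a hash."""
    return [e for e in map(parse_shadow_line, lines) if not (e.locked or e.empty)]

def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Findings worth raising before any cracking starts."""
    findings = []
    for e in map(parse_shadow_line, lines):
        if e.empty:
            findings.append((e.user, "empty password field"))
        elif e.scheme == "md5crypt":  # fast, legacy scheme: flag for rehashing
            findings.append((e.user, "weak hash scheme md5crypt"))
    return findings

# Constructed sample in the layout the lab's "cat pass.txt" shows (9 fields).
SAMPLE = [
    "root:*:19000:0:99999:7:::",
    "kali:$y$j9T$SaLtPlAcEhOlDeR$HaShPlAcEhOlDeR:19000:0:99999:7:::",
    "test1:$6$abcdefgh$HaShPlAcEhOlDeR:19000:0:99999:7:::",
    "legacy:$1$oldsalt1$HaShPlAcEhOlDeR:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
]
```

Running `audit(SAMPLE)` flags the md5crypt account and the passwordless one; `crackable_accounts(SAMPLE)` lists the three entries a cracker would actually be given.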

We’ll use a password auditing tool called John the Ripper (JTR), probably the most effective and most widely known password cracker. JTR is available from [https://www.openwall.com/john](https://www.openwall.com/john). You can pay for the “pro” version or select the “official free version” for your operating system of choice. Windows and Unix/Linux executables are available.

JTR can be run in various modes, to include dictionary and hybrid modes, both of which use a “dictionary” (or listing of passwords) provided by the user. Dictionaries are compiled from widely used passwords, words scraped from a company’s website, and other places. A good password dictionary listing is something that many cybersecurity professionals work to create over *years*!

#### **EXERCISE 2: CREATE USERS WITH PASSWORDS** <a href="#id-4k5w23lp787k" id="id-4k5w23lp787k"></a>

Here we’ll create a couple of new accounts on our Linux VM, one with a good password and one with a poor one:

1\. Make sure you are at a ‘root user’ prompt (ends with **#** instead of **$**).

If you have a standard user prompt (**$**), use the sudo command to execute the **su** (switch user) command to become “root” as follows:

**$ sudo su -**

![](https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FN0YpIrgaHcHiANZ78BoN%2F2?alt=media)

\[You might be prompted for your **sudo** password. Use the standard Kali account password “kali”.]

2\. Create 3 accounts as follows: one with a very weak password, one with a common-word password, and one with a good password.

Add a Linux user account:

**# adduser \<specify username>**

\- When prompted, enter the user password **12345**:

**New password: 12345**

**Retype new password: 12345**

\- Remember that you will not see the password as you type.

![](https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FGFJGiGz6ig7yVcMxYkZB%2F3?alt=media)

Then add a second user whose password is 8 characters or fewer and is a somewhat common word:

**# adduser \<specify username>**

**New password:** \<a somewhat common word>

**Retype new password:** \<same as above>

Finally, add a third user with a hard-to-guess password. This password should NOT be a dictionary word, and it should include numbers, special characters, etc.

**# adduser \<specify username>**

**New password:** \<non-dictionary word with numbers, special chars, etc.>

**Retype new password:** \<same as above>

#### **EXERCISE 3: CRACK LINUX PASSWORDS** <a href="#hztnwmc5j7c3" id="hztnwmc5j7c3"></a>

Now let’s see which ones we can crack. Copy the **/etc/shadow** to a text file, and run JTR against it:

\- Copy the shadow file to the root home folder

**# cp /etc/shadow ./pass.txt**

\- See the usernames and hashed passwords.

**# cat pass.txt**

![](https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2F4lAZEAIFiOrwKNCGt6uo%2F4?alt=media)

Scroll down and find the three users that you added, and note that they have a password hash next to their entries.

\- Let’s start cracking!

**# john --format=crypt pass.txt**

This should find the “12345” password, and may find your other word. If it doesn’t find your account with the common word, try:

**# john --format=crypt --wordlist=/usr/share/dict/american-english pass.txt**

JTR will attempt to decipher the passwords and display any that it ‘cracks’ as it goes along. It starts in “single crack” mode, mangling username and other account information. It then moves on to a dictionary attack using a default dictionary, then with a hybrid attack, then **brute force** where it will try every possible combination of characters (letters, numbers, and special characters) until it cracks them all.

The password for the account with the “weak” password should be cracked rather quickly. Don’t wait for John to crack your ‘good’ password for the third user in brute force mode: if you have given the third user a strong password, it won’t be easily cracked. JTR will switch to incremental mode, which could take days or months to crack it, if at all. Once JTR output says “Proceeding with incremental:ASCII”, you can stop execution by pressing \[CTRL]-\[C].
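The stages described above (single-crack guesses built from account information, a plain wordlist pass, then wordlist-plus-mangling “hybrid” rules, and finally incremental brute force) explain why 12345 and a common word fall quickly while the third password does not. As an added example, not part of the lab or of John the Ripper, the following pre-check applies the same three cheap stages to a candidate password at creation time, so a weak choice is rejected before an auditor ever sees its hash. `WORDLIST` and the rules in `rule_candidates` are a tiny constructed stand-in for password.lst and john.conf.

```python
# Added example (not the lab's code, not John's): a password pre-check that
# mirrors John's single / wordlist / hybrid stages so weak choices are caught
# at creation time. WORDLIST and the rules are constructed stand-ins for
# password.lst and the mangling rules in john.conf.
from typing import Iterable, List, Optional

# Constructed stand-in for password.lst (the real list is far longer).
WORDLIST = ["12345", "password", "monkey", "dragon", "letmein", "qwerty"]

def rule_candidates(word: str) -> Iterable[str]:
    """Hybrid-style mangling of one word: case changes plus appended suffixes."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for d in range(10):
            yield f"{base}{d}"
        yield f"{base}!"
        yield f"{base}123"

def single_candidates(username: str, gecos: str = "") -> Iterable[str]:
    """Single-crack style: guesses derived from the account's own information."""
    for seed in [username] + gecos.split():
        yield from rule_candidates(seed.lower())

def weakness_stage(username: str, password: str, gecos: str = "",
                   wordlist: List[str] = WORDLIST) -> Optional[str]:
    """Name the first John-like stage that would find the password, else None."""
    if password in single_candidates(username, gecos):
        return "single"
    if password in wordlist:
        return "wordlist"
    for word in wordlist:
        if password in rule_candidates(word):
            return "hybrid"
    return None  # only incremental (brute force) is left: the lab's "good" case
```

A `None` result only means the cheap stages failed; it says nothing about resistance to the incremental stage, which depends on length and character set.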

**Submission 3-1:** Take a screenshot of your terminal window using john on **pass.txt** showing the one or two passwords that have been cracked. Also, run the command “john --show pass.txt” to output the cracked passwords.

John uses the following files to manage execution. Most are stored in the **/usr/share/john** folder on your Kali virtual machine (john.pot is stored elsewhere as indicated):

\- **password.lst** is john’s default dictionary. You can specify another wordlist on the command line using the **--wordlist=** directive (for example **# john --wordlist=/usr/share/dict/american-english /etc/shadow**).

\- **john.conf** is the configuration file read when JTR starts up and has rules for dictionary mangling for the hybrid crack attempt

\- **john.rec** is used to record the status of the current password cracking attempt. If john crashes, it will start where it left off instead of starting again from the beginning of the dictionary.

\- **/root/.john/john.pot** lists passwords that have already been cracked. If you run john again on the same shadow file, it won’t show these cracked passwords unless you delete this file first.

To show the passwords cracked and stored, run the command:

**# john --show \<ShadowFileCracked>**

In our case, that is:

**# john --show pass.txt**

### ***WHAT TO SUBMIT*** <a href="#t3q0bd3zvl6d" id="t3q0bd3zvl6d"></a>

You were asked to take three screenshots during the course of this lab; include those in your submission, along with responses to the questions asked in the lab and responses to the questions below.

**Submission 3-1:** Take a screenshot of your terminal window using john on pass.txt.

### Steps in reverse order from finish to start.

#### John cracking the pass.txt file.

<figure><img src="https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FCI04gGYsGMFEsj0HDjNw%2Fimage.png?alt=media&#x26;token=f72a284e-3ee5-4dc4-868d-7687547cc427" alt=""><figcaption></figcaption></figure>

#### Copying the output of the /etc/shadow directory to ./pass.txt

<figure><img src="https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2F864ro3CinyEvvSTRHf9G%2Fimage.png?alt=media&#x26;token=36dbe6c8-9653-42ff-a5ba-c483e3b61740" alt=""><figcaption></figcaption></figure>

#### Adding the two new users

<figure><img src="https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FM01jIKDbZyq6KalzI14s%2Fimage.png?alt=media&#x26;token=7cbd886c-c339-40eb-b9f0-6e743693e90a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2268061532-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo71vDQ8YHfe6Cj11Juh6%2Fuploads%2FsehW5Q1EkE3E128ojqOa%2Fimage.png?alt=media&#x26;token=a50f3e5b-3d64-400c-b7ea-5c73878202f4" alt=""><figcaption></figcaption></figure>

#### a. How many of the passwords were revealed this time?

Only one password was cracked: the test1 password, which was a simple array of numbers, 12345. The other account, test2, had a much more complex password with uppercase letters, numbers, and symbols.

#### b. Why was the password you couldn't crack more effective?

Because it had uppercase letters, numbers, and symbols.

**Reflection Questions:**

**1. Explain the significance of hashing as it relates to the lab you just completed.**

Hashing is important if an attacker gets access to these types of directories or password stores. If they are encrypted, it's harder to decrypt them and gain access to the accounts.

**2. If you were performing this audit on a device on behalf of your employer, what would the ethical implications be for the passwords that you were able to crack?**

Have employees of the corporation reset their passwords to a more complex password. Require multiple password reset periods where employees make new passwords.
