3 Password Audits

Class Lab 8-3 Password Audits

COUNTERMEASURES AGAINST CYBERATTACKS

ASYMMETRIC CRYPTOGRAPHY

INTRODUCTION TO PASSWORD AUDITING LAB

Lab Description: This laboratory exercise will provide some hands-on experience with password strength analysis using command-line tools in Linux. Password creation involves hashing, which is explored as well.

Lab Environment: This Partner Lab uses Kali Live from the bootable Thumbdrives

ENVIRONMENT SETUP

On one of your PCs, plug the thumbdrive into a USB port. Reboot the computer and press F10 as the Intel NUC splash screen appears.

  • Select UEFI Vendor Product Code

  • Then select "Live Kali (amd64)" to boot into Kali

EXERCISE 1: INTRODUCTION TO PASSWORD AUDITING

On Linux systems, user accounts are listed in the /etc/passwd file (a world-readable text file), while password hashes are stored in /etc/shadow (a text file readable only by root and the shadow group). You have administrative (root) access on your Kali system, so go ahead and "cat" those files to see what they look like:

$ sudo su -

# cat /etc/passwd

# cat /etc/shadow

Look at the kali entry (the account you are logged on as) and you can see the hashed password in the second field. The screenshot shows a user named student; on your system, use "grep kali /etc/shadow" instead.

Note: Explore https://en.wikipedia.org/wiki/Passwd. You'll notice that the hashed passwords are stored in the shadow file, which is only readable by users with administrative privileges (that's why you had to type "sudo su -" first). On Windows systems, hashed passwords are kept in the Security Account Manager (SAM) database file found in c:\windows\system32\config. The SAM is not a simple text file; you need special tools to read it. Because of that, we will work in Linux to understand password creation and strength.

We’ll use a password auditing tool called John the Ripper (JTR), probably the most effective and most widely known password cracker. JTR is available from https://www.openwall.com/john. You can pay for the “pro” version or select the “official free version” for your operating system of choice. Windows and Unix/Linux executables are available.

JTR can be run in several modes, including a wordlist (dictionary) mode and a rule-based mode that "mangles" each dictionary word (appending digits, swapping case, and so on); both use a dictionary (a list of candidate passwords) provided by the user. Dictionaries are compiled from widely used passwords, words scraped from a company's website, and other sources. A good password dictionary is something many cybersecurity professionals refine over years!

EXERCISE 2: CREATE USERS WITH PASSWORDS

Here we'll create three new accounts on the Kali system: one with a trivial password, one with a common dictionary word, and one with a strong password:

1. Make sure you are at a ‘root user’ prompt (ends with # instead of $).

If you have a standard user prompt ($), use the sudo command to execute the su (switch user) command to become “root” as follows:

$ sudo su -

[You might be prompted for your ‘sudo’ password. Use the standard Kali account password “kali”]

2. Create three accounts as follows: one with a trivial password, one with a common word, and one with a strong password.

Add a Linux user account:

# adduser <specify username>

- When prompted, enter the user password 12345:

New password: 12345

Retype new password: 12345

- Remember that you will not see the password as you type.

Then add a second user whose password is a somewhat common word of 8 characters or fewer:

# adduser <specify username>

New password:<a somewhat common word>

Retype new password: <same as above>

Finally, add a third user with a hard-to-guess password. This password should NOT be a dictionary word, and should include numbers, special characters, and mixed case:

# adduser <specify username>

New password: <non-dictionary word with numbers, special chars, etc.>

Retype new password: <same as above>

EXERCISE 3: CRACK LINUX PASSWORDS

Now let's see which ones we can crack. Copy /etc/shadow to a text file and run JTR against it:

- Copy the shadow file to the root home folder (your current directory after "sudo su -"):

# cp /etc/shadow ./pass.txt

- See the usernames and hashed passwords:

# cat pass.txt

Scroll down and find the three users that you added, and note that each has a password hash in the second field of its entry (system accounts such as daemon show "*" or "!" there instead, meaning no password can be used).

- Let’s start cracking!

# john --format=crypt pass.txt

This should find the "12345" password, and may find your common word as well. If it doesn't find the account with the common word, try the system dictionary as the wordlist:

# john --format=crypt --wordlist=/usr/share/dict/american-english pass.txt

JTR will attempt to recover the passwords and display each one as it is "cracked". With no mode specified it starts in "single crack" mode, which mangles the username and other account information from the passwd/shadow fields. It then moves on to wordlist mode using its default dictionary, applying its mangling rules to each word, and finally to "incremental" mode, which generates candidate passwords from character-frequency statistics and, given enough time, covers every combination of letters, numbers, and special characters.

The password for the account with the "weak" password should be cracked rather quickly. Don't wait for John to crack the third user's "good" password in incremental mode: if you gave that user a strong password, it won't be found easily, and incremental mode could run for days or months without success. Once the JTR output says "Proceeding with incremental:ASCII", you can stop execution by pressing [CTRL]-[C].

Submission 3-1: Take a screenshot of your terminal window running john on pass.txt, showing the one or two passwords that have been cracked. Also run the command "john --show pass.txt" to output the cracked passwords.

John uses the following files to manage execution. On Kali, password.lst and john.conf live in the /usr/share/john folder, while john.rec and john.pot are written to the invoking user's ~/.john directory (here /root/.john, since you are running as root):

- password.lst is john's default dictionary. You can specify another wordlist on the command line using the --wordlist= option (for example: # john --wordlist=/usr/share/dict/american-english /etc/shadow).

- john.conf is the configuration file read when JTR starts up; among other things it holds the word-mangling rules applied in single crack and wordlist modes.

- john.rec records the status of the current cracking session. If john is interrupted (for example with [CTRL]-[C]) or crashes, "john --restore" resumes from where it left off instead of starting again from the beginning.

- /root/.john/john.pot lists the hashes that have already been cracked, together with their plaintexts. If you run john again on the same shadow file, it skips those hashes and will not print them again; use "john --show" to display them, or delete john.pot first if you want john to crack them again.

To show the passwords cracked and stored, run the command:

# john --show <copied shadow file>

In our case:

# john --show pass.txt
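As an added example (not part of the lab handout or of John the Ripper itself), the shell helpers below do by hand what the steps above rely on john for: pick out the accounts in a copied shadow file that actually carry a crackable hash, name the crypt(3) algorithm from the hash prefix, and join the shadow file against a john.pot file the way "john --show" does. Everything in the block is constructed sample data: the account names, the pot line and all hash strings are placeholders, not real hashes of any password. The algorithm names follow the standard crypt(3) prefixes ($y$ yescrypt, $6$ sha512crypt, $5$ sha256crypt, $2b$/$2y$/$2a$ bcrypt, $1$ md5crypt); current Kali/Debian releases create new accounts with yescrypt, which is one reason the handout uses --format=crypt (john then hashes through the system's crypt(3)) rather than one of john's native fast formats.

```sh
#!/bin/sh
# Added example, not from the lab handout. All data here is constructed;
# the hash strings are placeholders, not real hashes.

# Constructed sample of what `cp /etc/shadow ./pass.txt` produces.
SAMPLE_SHADOW='root:*:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
kali:$y$j9T$abcdefghijklmnop$PLACEHOLDERHASHkali:19500:0:99999:7:::
test1:$y$j9T$qrstuvwxyz012345$PLACEHOLDERHASHtest1:19600:0:99999:7:::
test2:$6$saltsalt$PLACEHOLDERHASHtest2:19600:0:99999:7:::
locked:!$6$saltsalt$PLACEHOLDERHASHlocked:19600:0:99999:7:::
nopass::19600:0:99999:7:::'

# Constructed sample john.pot: one "hash:plaintext" line per cracked hash.
SAMPLE_POT='$y$j9T$qrstuvwxyz012345$PLACEHOLDERHASHtest1:12345'

# hash_type HASH: print the crypt(3) algorithm name for a shadow hash field.
hash_type() {
  case "$1" in
    '$y$'*)                     echo yescrypt ;;
    '$6$'*)                     echo sha512crypt ;;
    '$5$'*)                     echo sha256crypt ;;
    '$2b$'*|'$2y$'*|'$2a$'*)    echo bcrypt ;;
    '$1$'*)                     echo md5crypt ;;
    ''|'!'*|'*'*)               echo none ;;   # empty, locked, or no-login
    *)                          echo unknown ;;
  esac
}

# crackable_accounts < shadow: print "user:hash" for every account whose
# second field is a real hash (skips empty, "!"-locked and "*" entries).
crackable_accounts() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 ":" $2 }'
}

# show_cracked SHADOW_FILE POT_FILE: print "user:password" for each account
# whose hash appears in the pot file, i.e. what `john --show pass.txt` does.
# The pot file is read first; its hash is everything before the first ":".
show_cracked() {
  awk -F: '
    FILENAME == ARGV[1] {
      i = index($0, ":")
      pot[substr($0, 1, i - 1)] = substr($0, i + 1)
      next
    }
    ($2 in pot) { print $1 ":" pot[$2] }
  ' "$2" "$1"
}

# Write the constructed samples to files so the helpers run on them exactly
# as they would on pass.txt and /root/.john/john.pot.
TMPDIR_AUDIT=$(mktemp -d)
printf '%s\n' "$SAMPLE_SHADOW" > "$TMPDIR_AUDIT/pass.txt"
printf '%s\n' "$SAMPLE_POT"    > "$TMPDIR_AUDIT/john.pot"

echo "== accounts john can attack, with hash type =="
crackable_accounts < "$TMPDIR_AUDIT/pass.txt" | while IFS=: read -r user hash; do
  echo "$user $(hash_type "$hash")"
done

echo "== cracked so far (equivalent of john --show) =="
show_cracked "$TMPDIR_AUDIT/pass.txt" "$TMPDIR_AUDIT/john.pot"
```

On a real system, point show_cracked at your copied pass.txt and at /root/.john/john.pot; the join is on the full hash string, which is why a rerun of john on the same file does not reprint passwords it already has in the pot file, and why deleting john.pot makes it crack them again.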

WHAT TO SUBMIT

There were three screenshots you were asked to take during this lab; include those in your submission, along with your responses to the questions asked in the lab and to the questions below.

Submission 3-1: Take a screenshot of your terminal window using john on pass.txt.

Screenshots (steps in reverse order, from finish to start):

- John cracking the pass.txt file.

- Copying the contents of /etc/shadow to ./pass.txt

- Adding the two new users

a. How many of the passwords were revealed this time?

Only one password was cracked: the test1 password, which was a simple array of numbers, 12345. The other account, test2, had a much more complex password with uppercase letters, numbers, and symbols.

b. Why was the password you couldn't crack more effective?

Because it had uppercase letters, numbers, and symbols.

Reflection Questions:

1. Explain the significance of hashing as it relates to the lab you just completed.

Hashing is important if an attacker gets access to these types of directories or password stores. If they are encrypted it's harder to decrypt them and gain access to the accounts.

2. If you were performing this audit on a device on behalf of your employer, what would the ethical implications be for the passwords that you were able to crack?

Have employees of the corporation reset their passwords to more complex passwords. Require multiple password reset periods where employees make new passwords.
