Assignment 2

This document provides instructions for an assignment on password cracking using John the Ripper. The goals are to familiarize oneself with Linux password files and directories, and use John the Ripper to conduct simple dictionary attacks. Students are asked to complete tasks like viewing password and log files, adding users, setting passwords, and using John the Ripper to crack passwords hashed in the shadow file using a dictionary. An appendix further explains the shadow file format and fields.

Uploaded by

Atharva Temkar

Assignment 2

Password Cracking with John the Ripper

What you will need to submit: a report (one document) answering all the
questions and including all the screenshots from the commands you perform in
this assignment. Questions are highlighted in yellow.

Before working on this lab, make sure you understand the idea of dictionary
attacks and how and why passwords are stored by the OS.

Note that there is an appendix at the end of this assignment about the
shadow file in Unix as well as the salting of passwords.

Goals:
1. Familiarize yourself with the Linux filesystem and the well-known files and
directories that store information related to passwords.
2. Use the John the Ripper password cracker for simple dictionary attacks.

Preliminary Information:

Passwords help to secure systems running Linux and UNIX operating systems.
If an attacker is able to get the root password on a Linux or UNIX system,
they will be able to take complete control of that device. The protection of
the root password is critical.

passwd – User accounts on a Linux system are listed in the passwd file, which
is stored in the /etc directory. The passwd file has less restrictive permissions
than the shadow file because it does not store the password hashes.
On most Linux systems, any account is able to read the contents of
the passwd file.

shadow – The shadow file stores further information about the user accounts on a
Linux system, including the password hashes, and therefore has more
restrictive permissions than the passwd file. On most Linux systems,
only the root account is able to read the contents of the shadow file.

auth.log – This log file tracks SSH (Secure Shell) connections. It provides
information such as IP addresses and date and time stamps. It also tracks
other security-related events, such as the creation of new user accounts
and new group accounts.

John the Ripper – John the Ripper is an extremely fast password cracker
that can crack passwords through a dictionary attack or through the use of
brute force.

When it comes to cracking passwords, there are three types of attacks:

Dictionary Attack: In this mode, John the Ripper takes text string samples
(usually from a file, called a wordlist, containing a large number of words,
phrases and possible passwords derived from previously leaked data dumps
or breaches), hashes each one in the same format as the password being
examined, and compares the output to the hashed string. Dictionary words
can also be altered in various ways to check whether a variation of the word works.

Brute Force Attack: In this type of attack, John the Ripper goes through all
the possible plaintexts, hashing each one and then comparing it to the input
hash. John uses character frequency tables to try plaintexts containing more
frequently used characters first. The process can be effective but
excruciatingly slow; sometimes it takes years. That is exactly why
security professionals suggest choosing a long and complex password
that consists of a combination of different character types. On the positive
side, this method can also find passwords that do not exist in any dictionary.

Rainbow tables: Here, a pre-computed list of password hashes (derived
from commonly set passwords) is compared against an existing data dump to
find the correct password in its plaintext form. This is faster than brute-
forcing, but it becomes ineffective when password hashes are salted and the
salt values are large, which increases the overall complexity.

For this assignment, we first need a dictionary to attack with. The easiest to
acquire is rockyou.txt, a set of compromised passwords from
the social media application developer RockYou. Note: you can download
rockyou.txt.gz from here if you are not using Kali Linux.

On Kali, unzip the rockyou.txt.gz file with the following commands:
$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz
$ wc -l /usr/share/wordlists/rockyou.txt

Let us start with the assignment:

1. Start up your Kali VM.

2. To view the contents of the passwd file, type: cat /etc/passwd

3. View the permissions on the /etc/passwd file by typing the following
command: ls -l /etc/passwd

4. Explain these permissions in your own words in your report.

5. To view the contents of the shadow file, type: cat /etc/shadow

6. To create a new user named yoda, type the following command in the
terminal: root@bt:~# useradd yoda

7. To create a new user named chewbacca, type the following command
in the terminal: root@bt:~# useradd chewbacca

8. Now, view the changes made to the passwd file by typing the
following: root@bt:~# tail /etc/passwd

9. Explain the fields of /etc/passwd in your report.

10. Next, examine the alterations to the shadow file by typing the
following: root@bt:~# tail /etc/shadow

11. Why is there a "!" in place of a password for the new users?

12. Examine the entries in auth.log related to account changes
by typing: root@bt:~# tail /var/log/auth.log

13. What information does this log give you about the new users?

14. Set yoda's password to green by typing green, followed by Enter,
twice after using the command: root@bt:~# passwd yoda

15. Set chewbacca's password to green by typing green, followed by
Enter, twice after using the command: root@bt:~# passwd chewbacca

16. Next, examine the alterations to the shadow file by typing the
following: root@bt:~# tail -n 2 /etc/shadow

17. Why are the two hashes different even though the passwords are
the same?

18. Examine the entries in auth.log related to account changes
by typing: root@bt:~# tail /var/log/auth.log

19. To look for specific information about password changes within
auth.log, type: root@bt:~# cat /var/log/auth.log | grep changed

20. Now it is time to use John the Ripper!

21. Look up the command that will crack the /etc/shadow file.

22. Where are the passwords stored? (Hint: the default John software
file. Read the preliminary background for this assignment.)

24. Now use a wordlist like rockyou to crack /etc/shadow. The
wordlist is in a specific folder in your Kali distribution (find this! Do not
download it again!). If you see $y$ in the /etc/shadow file, that indicates
the passwords are hashed with yescrypt. This means that the John the Ripper
tool needs a little help detecting the hash format, so you will need to
change your command to let John the Ripper know the type of hash (read
the man page for John the Ripper and do research on Google to identify
that).

Appendix: More on understanding the /etc/shadow file fields and format

Basically, the /etc/shadow file stores secure user account information. All
fields are separated by a colon (:) symbol. It contains one entry per line for
each user listed in the /etc/passwd file.
An entry in the /etc/shadow file looks like the following:

john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::

Field – Description

john – This is the username.

$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/ – This is the encrypted password.
The password should be a minimum of 8-12 characters long, including
special characters, digits, lower-case letters and more.
Usually the password field has the format $id$salt$hashed value, where the
hash is computed over the salt and the user password.
The $id is the algorithm used; on GNU/Linux it is as follows:
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512

17707 – John last changed his password on 25 June 2018 (the value is the
number of days since 1 January 1970).

0 – If required, John can change his password immediately.

90 – John can use this password until 30 September 2018 (90 + 7 grace days).

14 – After 15 September 2018, whenever John logs in at the CLI terminal he
will get a warning message to change his password.

[blank field] – John's account will not be disabled even if his password has
expired.

[blank field] – John's account will never expire.

The reserved field is omitted.
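To make the field layout above concrete, here is a small parser for the colon-separated shadow format, written as an added example for this appendix (it is not part of the assignment or of any tool mentioned in it). It takes the appendix's own example entry, joined onto one line, as constructed input; the algorithm names come from the $id$ table above plus the $y$ (yescrypt) prefix mentioned in step 24, and the handling of "!" / "*" in the password field answers the situation from Q11 where a user has been created but no password set.

```python
# Added example (not part of the assignment): a small parser for the
# colon-separated /etc/shadow format described in this appendix.
import datetime

# The appendix's example entry, joined onto one line (constructed input).
SAMPLE_ENTRY = (
    "john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6"
    "G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::"
)

# $id$ prefixes listed in the appendix, plus $y$ (yescrypt) from step 24.
HASH_IDS = {
    "1": "MD5",
    "2a": "Blowfish",
    "2y": "Blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}

# The nine fields of a shadow entry, in order.
FIELD_NAMES = [
    "name", "password", "last_change", "min_days", "max_days",
    "warn_days", "inactive_days", "expire_date", "reserved",
]


def days_to_date(value):
    """Date fields count days since 1 January 1970; a blank field means unset."""
    if value == "":
        return None
    return datetime.date(1970, 1, 1) + datetime.timedelta(days=int(value))


def describe_password_field(pw):
    """Classify the second field: empty, locked ("!"/"*"), hashed or legacy."""
    if pw == "":
        return {"state": "empty", "note": "no password needed to log in"}
    if pw[0] in "!*":
        # useradd without a following passwd call leaves "!" here (see Q11):
        # no password can ever hash to this, so password login is disabled.
        return {"state": "locked", "note": "password login disabled"}
    if pw.startswith("$"):
        parts = pw.split("$", 2)          # ["", id, "salt$digest"]
        if len(parts) < 3 or "$" not in parts[2]:
            return {"state": "malformed", "note": "bad $id$salt$hash layout"}
        hash_id = parts[1]
        salt, _, digest = parts[2].rpartition("$")
        return {
            "state": "hashed",
            "algorithm": HASH_IDS.get(hash_id, "unknown ($" + hash_id + "$)"),
            "salt": salt,       # for $y$ this also carries the parameter block
            "digest": digest,
        }
    return {"state": "legacy", "note": "traditional DES crypt(3), no $id$"}


def parse_shadow_entry(line):
    """Parse one /etc/shadow line into a dict with decoded fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d"
                         % (len(FIELD_NAMES), len(fields)))
    entry = dict(zip(FIELD_NAMES, fields))
    entry["password"] = describe_password_field(entry["password"])
    entry["last_change"] = days_to_date(entry["last_change"])
    entry["expire_date"] = days_to_date(entry["expire_date"])
    for key in ("min_days", "max_days", "warn_days", "inactive_days"):
        entry[key] = int(entry[key]) if entry[key] != "" else None
    return entry


if __name__ == "__main__":
    for key, value in parse_shadow_entry(SAMPLE_ENTRY).items():
        print(key, "=", value)
    # A constructed entry for a user created with useradd but no passwd yet.
    print(parse_shadow_entry("yoda:!:17707:0:99999:7:::")["password"])
```

Running it on the appendix entry reports the SHA-512 algorithm, the salt iTEFbMTM, the 86-character digest and a last-change date of 2018-06-25; the constructed "yoda:!:..." line is reported as locked, which is exactly the state the new users are in between steps 6 and 14.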

As you can see, the salt is added to the password before it is hashed and
stored in the shadow file. So, what would happen if there were no salt value at all?

1. Imagine that no salt is applied before storing passwords in
Linux. Rainbow table-based attacks with common word lists become
much easier to carry out. As you found in this assignment (Q17), because of salting
the two stored hashes are different even though the same
password was used. Thus, when salting is done, you will be unable to
perform a rainbow table attack; instead, you will need to perform a
dictionary or brute-force attack. You cannot use a rainbow table attack
against a hash that has been salted.

2. An attacker cannot easily tell that two users are using the same password.
Even if the attacker has somehow gained access to the shadow file,
he cannot tell by looking at two encoded passwords that they are the
same, because the two entries have different salt
values.
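The two points above, together with the rainbow-table discussion in the preliminary section and the Q17 observation, can be checked in a few lines. The following is an added Python illustration, not part of the assignment or of John the Ripper: it uses a toy SHA-256 construction and a constructed five-word list in place of crypt(3) and rockyou.txt, so only the behaviour, not the absolute cost, carries over to real shadow hashes. It shows that a precomputed hash-to-password table finds an unsalted hash instantly but misses the salted one, that yoda and chewbacca's identical password produces identical unsalted hashes but different salted ones, and how many entries a precomputed table would need to cover every possible salt.

```python
# Added example (not part of the assignment): why salting defeats precomputed
# tables and hides shared passwords. Toy SHA-256 scheme, illustrative only.
import hashlib
import os

# Constructed five-word list standing in for rockyou.txt.
WORDLIST = ["123456", "password", "green", "letmein", "qwerty"]
USERS = ("yoda", "chewbacca")


def unsalted_hash(password):
    """Toy unsalted scheme: SHA-256 of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Toy salted scheme: SHA-256 over salt + password. Real crypt(3)
    SHA-512 and yescrypt also iterate many rounds; that is omitted here."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """Stand-in for a rainbow table: hash -> password, computed once."""
    return {unsalted_hash(w): w for w in wordlist}


def table_lookup(table, digest):
    """Return the password for a digest if the table has it, else None."""
    return table.get(digest)


def table_entries_to_cover_salts(wordlist_size, salt_bytes):
    """Entries a precomputed table needs to cover every possible salt value."""
    return wordlist_size * 256 ** salt_bytes


def shared_password_pairs(stored):
    """Audit helper: pairs of users whose stored hash fields are identical.
    On an unsalted system this exposes shared passwords; with salts it finds
    nothing even when the passwords are the same (point 2 above)."""
    by_hash = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    pairs = []
    for users in by_hash.values():
        for i in range(len(users)):
            for j in range(i + 1, len(users)):
                pairs.append((users[i], users[j]))
    return pairs


def demo():
    table = build_precomputed_table(WORDLIST)
    # Both users chose "green", as in steps 14 and 15.
    unsalted = {u: unsalted_hash("green") for u in USERS}
    # Salted: each user gets a fresh random 8-byte salt, as passwd does.
    salts = {u: os.urandom(8) for u in USERS}
    salted = {u: salted_hash("green", salts[u]) for u in USERS}
    return {
        "unsalted_identical": unsalted["yoda"] == unsalted["chewbacca"],
        "unsalted_table_hit": table_lookup(table, unsalted["yoda"]),
        "salted_identical": salted["yoda"] == salted["chewbacca"],
        "salted_table_hit": table_lookup(table, salted["yoda"]),
        "unsalted_shared": shared_password_pairs(unsalted),
        "salted_shared": shared_password_pairs(salted),
        "table_size_for_8_byte_salt": table_entries_to_cover_salts(len(WORDLIST), 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With no salt the table lookup returns "green" for both users and the audit helper reports them as sharing a password; with an 8-byte salt the same table returns nothing, the two hashes differ, and covering every salt would need 5 * 2^64 table entries, which is why the appendix says the attacker is pushed back to a dictionary or brute-force attack that recomputes the hash for each salt.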
Sources:
http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_08.pdf
