Lab Sheet 3

Uploaded by

api-241418009
Copyright
© Attribution Non-Commercial (BY-NC)

HARAMAYA UNIVERSITY

College of Computing and Informatics Information Technology Department

ITEC 553
INFORMATION ASSURANCE AND SECURITY (LAB MANUAL)

MODULE: ATTACKS AGAINST OPERATING SYSTEMS AND APPLICATIONS


Lab Guide 3: PASSWORD CRACKING

Dr. Patrick D. Cerna

INTRODUCTION

PASSWORD CRACKING

Access to most networks is restricted by user account and password combinations. Many networks have user account conventions that are easy to figure out, such as last name plus first initial (for example, John Smith's user ID would be smithj). That being the case, the only obstacle to getting access to the network and to a user's files is figuring out the user's password. Despite all the network defenses that may be up, a compromised password can bypass them all.

Of all the passwords that an attacker covets, he most covets the Administrator password. The Administrator password is the equivalent of the keys to the kingdom. With this password, a person is able to modify the machine in any way, access any information on the machine, and use that machine to get other passwords or attack other machines on the network.

One way of getting passwords is to crack them. There are two steps to password cracking. First you have to obtain the hash of the password that is stored on the computer. The hash is a value that is calculated by processing the text of a password through an algorithm. With a good hashing algorithm, there should be no way to determine the password from the hash.

The second step is to actually crack the password. Since there is no way to determine the password from the hash, you might wonder how a cracking program works. Although the cracking program does not know how to reverse the hash back to the password, it does know the algorithm that creates the hash from a password. As such, it can process any word or combination of characters and generate its hash. It then compares the captured hash with the one it just generated. If the hashes match, then it has found the password. If the hashes do not match, the program continues.

One popular way to generate hashes and search for passwords is with a dictionary attack, which uses a dictionary file that contains a list of words that are commonly used as passwords. Dictionary files vary in size. A password that is in a dictionary file can be cracked in seconds. A hybrid attack is an attack that uses other techniques in conjunction with a dictionary attack. This type of attack may attempt to combine words that are in the dictionary in order to get passwords that are made up of two or more dictionary words. Another type of attack is a brute-force attack, which tries every possible combination of characters that can be used in sequence. A brute-force attack can take days or even months, depending on the strength of the password and the processing power of the computer doing the cracking. Attackers can speed up the process by using a distributed password-cracking program. This type of cracking program divides the processing among two or more computers. The more computers involved in the attack, the faster the password will be cracked.

Learning Objectives

After completing this lab, you will be able to:

1. Create new user accounts with passwords of different strengths.
2. Explain the steps necessary to crack a password.
3. Explain how password hashes can be obtained.
4. Explain how to perform a password-cracking attack.
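The three attack types described above (dictionary, hybrid, brute force) as an added, runnable example that is not part of the lab manual. SHA-256 is assumed as a stand-in for the target's hash algorithm, the wordlist is constructed (in the "#!comment:" layout of JTR's password.lst used in Lab 3B), and keyspace() shows why brute-force cost is the number a password policy has to beat.

```python
import hashlib
import itertools
import string

# Constructed wordlist in JTR's password.lst layout ("#!comment:" lines are skipped).
WORDLIST_TEXT = """\
#!comment: Common passwords, constructed for this example.
12345
abc123
password
passwd
123456
summer
"""

def hash_password(pw):
    # SHA-256 stands in for the target's real algorithm (LM/NT for Windows);
    # only this function changes when the hash type changes.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def load_wordlist(text):
    return [w for w in text.splitlines() if w and not w.startswith("#!comment:")]

def dictionary_attack(target, words):
    # hash each word and compare to the captured hash; a match means the password is found
    return next((w for w in words if hash_password(w) == target), None)

def hybrid_attack(target, words, suffixes=("1", "123", "!")):
    # dictionary words with common suffixes, then two-word concatenations
    cands = (w + s for w in words for s in suffixes)
    pairs = (a + b for a, b in itertools.permutations(words, 2))
    return next((c for c in itertools.chain(cands, pairs) if hash_password(c) == target), None)

def brute_force(target, charset=string.ascii_lowercase, max_len=4):
    # every sequence up to max_len; cost grows as len(charset) ** length
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            if hash_password(cand) == target:
                return cand
    return None

def keyspace(charset_size, max_len):
    # number of candidates brute force must try in the worst case
    return sum(charset_size ** n for n in range(1, max_len + 1))
```

Swapping hash_password() for the real algorithm and a real wordlist is all that separates this from the lab's tooling, which is why the hash type and the password length are the two levers a defender controls.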

LAB GUIDE 3A

HACKING WINDOWS PASSWORD USING PWDUMP AND JOHN THE RIPPER

In this lab you will create user accounts with different types of passwords. You will then use John the Ripper to try to crack various passwords from hash files.

Procedure:-

1. Open My Computer and go to C:\Windows\system32; now place the Pwdump folder which we downloaded earlier there.

2. Now open a command prompt and navigate to C:\Windows\system32\Pwdump by using the "cd" command and pressing Enter.
Example: cd C:\Windows\system32\Pwdump

3. Now you can see a list of Pwdump commands as shown.

4. Now enter pwdump localhost >> <destination of the output file> (for 32-bit computers) or pwdump -x localhost >> <destination of the output file> (for 64-bit computers).

Example (for 32-bit computers):
cd C:\Windows\system32\Pwdump
pwdump localhost >> C:\hash.txt

Example (for 64-bit computers):
cd C:\Windows\system32\Pwdump
pwdump -x localhost >> C:\hash.txt

5. Now open the output file (in my case it is hash.txt) from C:\. You can see the names of the different users with their password hashes. Now copy the hashes corresponding to the admin account.

6. Now make a JTR (John the Ripper) crackable file by opening Notepad and pasting the hashes which we copied in the previous step in the format given below.
Example: User:gyuJo098KkLy9
where "gyuJo098KkLy9" is the hash which we copied in the 5th step.

7. Save the file as crackme.txt (just an example), go to the prompt and type 'john crackme.txt' (without quotes). Now wait for a while; the password hashes will be cracked. You can also use the various options in John the Ripper to make the cracking a little faster.
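An added example for steps 5 and 6 (not part of the lab manual): it parses output in pwdump's "user:RID:LM hash:NT hash:::" layout, builds the "User:hash" lines the lab asks for, and adds the check a defender runs on the same file, namely which accounts still have an LM hash stored and which have a blank password. The sample lines and their hash values are constructed; only the two empty-hash constants are real.

```python
import re

# Constructed sample in pwdump's "user:RID:LM hash:NT hash:::" layout.
# The 32-hex hash values are made up for this example, not real account hashes.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
not a pwdump line
"""

# Well-known constants: the LM value stored when no LM hash exists, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts

def audit(accounts):
    """Flag what a defender checks first in this file: LM hashes still stored, blank passwords."""
    findings = {}
    for a in accounts:
        issues = []
        if a["lm"] != EMPTY_LM:
            # LM splits the password into two 7-char, case-insensitive halves: trivially cracked
            issues.append("LM hash stored")
        if a["nt"] == EMPTY_NT:
            issues.append("blank password")
        findings[a["user"]] = issues
    return findings

def john_lines(accounts, users):
    """Step 6 of the lab: 'User:hash' lines for the selected accounts (NT hash used here)."""
    return [f"{a['user']}:{a['nt']}" for a in accounts if a["user"] in users]
```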

LAB GUIDE 3B

HACKING WINDOWS PASSWORD USING PWDUMP AND JOHN THE RIPPER

John the Ripper is probably the fastest, most versatile, and definitely one of the most popular password crackers available. It supports six different password hashing schemes that cover various flavors of Unix and the Windows LANMan hashes also known as NTLM (used by NT, 2000, and XP). It can use specialized wordlists or password rules based on character type and placement.

The Process

Step 1: Download JTR.

Step 2: Extract JTR. In Windows use WinZip. In Unix type tar -xzf john-1.6.tar.gz

Step 3: In Windows open the command prompt. Go to the Start menu, click Run, type 'command' (no quotes) and press Enter. You with me? Good. Go to whatever directory you have JTR in. Type 'john' and press Enter. A whole list of options will come up:

John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer

Usage: /WINDOWS/DESKTOP/JTR/JOHN-16/RUN/john [OPTIONS] [PASSWORDFILES]
-single                    "single crack" mode
-wordfile:FILE -stdin      wordlist mode, read words from FILE or stdin
-rules                     enable rules for wordlist mode
-incremental[:MODE]        incremental mode [using section MODE]
-external:MODE             external mode or word filter
-stdout[:LENGTH]           no cracking, just write words to stdout
-restore[:FILE]            restore an interrupted session [from FILE]
-session:FILE              set session file name to FILE
-status[:FILE]             print status of a session [from FILE]
-makechars:FILE            make a charset, FILE will be overwritten
-show                      show cracked passwords
-test                      perform a benchmark
-users:[-]LOGIN|UID[,..]   load this (these) user(s) only
-groups:[-]GID[,..]        load users of this (these) group(s) only
-shells:[-]SHELL[,..]      load users with this (these) shell(s) only
-salts:[-]COUNT            load salts with at least COUNT passwords only
-format:NAME               force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)
-savemem:LEVEL             enable memory saving, at LEVEL 1..3

You won't need most of these options. In fact, you don't really need any of these options. You can simply type 'john [filename]'. The filename must include the .txt extension. This is the regular crack. It will use brute force to decrypt all of the passwords in the file. If you're an impatient ass you can use a wordlist. This is not as effective but it's quicker (more on that later).

How to make a crackable file:

Let's say that for some reason you have a DES encrypted password but no file. If you want to crack it (why else would you be here?) you need to make your own file. Just create a text file and paste in the password. Now put a username (just any old name will do) in front of it with a colon separating the two. It should look something like this:

User:gyuJo098KkLy9

Save the file as crackme.txt (just an example) and go to the prompt and type 'john crackme.txt' (no quotes obviously). Now you just have to wait.

Options

Here is a list of the options and what they do.

single: Single crack mode. This is only recommended for weak passwords as it includes only a few rules and a small wordlist.
Usage: john -single crackme.txt

wordfile: Uses a wordlist (basically a dictionary attack). What this does is try every word in the list until it finds a match or you reach the end of the list. This is quicker than the default (brute-force) attack, but I don't recommend this because it doesn't always find a match. More notes on wordlists below.
Usage: john -wordfile:password.lst crackme.txt

rules: Lets you define the rules for using wordlists. I don't use wordlists, so if you want to use this option I won't help you. Ok, ok, I'm just lazy. Shoot me.

incremental: I like this method. It allows you to do a brute-force attack under certain modes.
Usage: john -incremental:alpha crackme.txt (only letters)
       john -incremental:digits crackme.txt (only numbers)
       john -incremental:lanman crackme.txt (letters, numbers, and some special characters)
       john -incremental:all crackme.txt (all characters)

external: This is a little complicated, so if you are lame don't mess with it. Basically this calls the options that are defined in the configuration settings. You can change these yourself, but I wouldn't recommend it unless you know what you're doing. No, I won't tell you how, go away.
Usage: john -external:[MODE] crackme.txt (replace MODE with whatever the name of your mode is)

restore: Ok, let's say that you need to stop the crack in the middle. Press Ctrl+Break. A file will be created in the JTR directory named 'restore' (no quotes doofus, and yes, no file extension).
Usage: john -restore:restore

session: Use this if you know that you will have to stop JTR in the middle of a crack. It allows you to create a new file that holds the data of your session. You can then restore your session later.
Usage: john -session:[save to filename] crackme.txt

status: Shows how far you got before stopping a crack (provided you used the -session option).
Usage: john -status:[filename]

show: Shows how many passwords have been cracked in a file and how many are left.
Usage: john -show crackme.txt

test: Shows how fast JTR will work on your computer.
Usage: john -test

users: Cracks the password only for the user or users you tell it to.
Usage: john -users:User crackme.txt

groups: Cracks the passwords only for the group or groups you tell it to.
Usage: john -groups:lamers crackme.txt

shells: Cracks the passwords only for the shell or shells you tell it to.
Usage: john -shells:shelly crackme.txt

salts: Cracks the salts that have at least the number of passwords you specify.
Usage: john -salts:2 crackme.txt

format: JTR can decrypt many different formats, not just DES (but this is the most widely used one). Use this to force JTR to try a certain format.
Usage: john -format:DES crackme.txt (force DES)
       john -format:BSDI crackme.txt (force BSDI)
       john -format:MD5 crackme.txt (force MD5)
       john -format:BF crackme.txt (force BF)
       john -format:AFS crackme.txt (force AFS)
       john -format:LM crackme.txt (force LM)

savemem: This tells JTR to automatically save your process at whatever level you specify from one to three.
Usage: john -savemem:1 crackme.txt (save at level 1)
       john -savemem:2 crackme.txt (save at level 2)
       john -savemem:3 crackme.txt (save at level 3)

How to use a wordlist with JTR:

I'll assume you already have a wordlist in the JTR directory (it comes with password.lst; if you want to make your own I'll tell you how later). Go to the prompt and type 'john -wordfile:password.lst crackme.txt' (no quotes, damnit). If the password is in the wordlist, it will work. Otherwise, you deserve it for using a wordlist when you have brute-force capabilities, shame on you.

How to create a wordlist to use with JTR:

First I will include a few lines of the wordlist supplied with JTR:

#!comment: Common passwords, compiled by Solar Designer.
12345
abc123
password
passwd
123456

The top line is a comment (duh). If you want to make a comment in your wordlist just follow the example. The other lines are passwords that the program will try when you use the wordlist. Put each password on a new line. In the event that you are too lazy to write your own wordlist you can download one (once again, I'm far too lazy to give you a link). It may or may not already be the right file format (.lst). If it isn't, just go to the prompt. Assuming the filename is lazy.txt, type 'rename lazy.txt lazy.lst'

Piping Output:

Remember the -show option? You can get JTR to save that output to a file. Just type 'john -show crackme.txt > crackinfo.txt'
