Password Cracking Date Assigned: mm/dd/yyyy Date Due: mm/dd/yyyy by hh:mm Educational Objectives This lab will introduce you to network security issues involving password cracking and continue to view methods of network sniffing. Lab Environment The following machines are needed for this lab: Windows: o Win7 o Windows Server 2012 Linux: o Red Hat (RHEL6.3, Red Hat Enterprise Linux 6.3) o Fedora (Fedora 18 (FC18) or Fedora 11 (FC11)) All of the computers must be networked and accessible to each other. Background Read: http://www.linuxtopia.org/online_books/rhel6/rhel_6_security_guide/rhel_6_security_chap-Security_GuideSecuring_Your_Network.html Section 1 – John the Ripper **OS Used in this section: Fedora 11, RHEL6.3 1.1. Installing and Running John the Ripper on the Linux system On the Fedora 11 machine, you will be installing and using the software “John the Ripper”, which can be found at http://www.openwall.com/john/ to crack the passwords stored on a Linux system. This is a great tool to use within your network to check the strength and uniqueness of your organization’s passwords. ***NOTE: As always, remember that you must have permission (written) from the organization to conduct this password analysis. Method 1: You can download the software from the website and compile it from scratch: http://www.openwall.com/john/ Q1.1.1: What is the difference between a "development", “stable" and “pro” release? (of any software, not just John the Ripper) 1 http://www.openwall.com/john/j/john-1.8.0.tar.gz Save the file in a temporary location Untar the tarball using the command: # tar xvfz john-1.8.0.tar.gz Read: /dump/john-1.8.0/doc/README Q1.1.2: What are the steps to install John the Ripper from source? Method 2: Install a pre-compiled binary # yum search ripper # yum install john Q1.1.3: What are the advantages and disadvantages to downloading, compiling and installing from source? Q1.1.4: What are the advantages and disadvantages to installing pre-compiled packages using a package manager (like yum)? 1.2 Creating additional user accounts on your RHEL6.3 Machine: Create the following user accounts on your RHEL6.3 machine using the command line: **NOTE: Ignore password warnings [Username] User1 User2 User3 User4 User5 User6 User7 [Password] farout 123 Bach Dragon Secretshazam pirateplato i!h@d@M$!wbr Q1.2.1: Where are the usernames and encrypted passwords stored? 1.3: Running John the Ripper on FC18: 2 Go into the john-1.8.0/run directory. To look at the password file that comes with John, type vi password.lst Q1.3.1: Do you see any passwords that were just created on the RHEL6.3 machine? Now, copy the file that you defined in Q1.2.1 from your RHEL6.3 machine to your Fedora 11 machine. A good method to use is 'scp'. For example: # scp -r root@[RHEL6.3IP]:/etc/shadow /dump/passwordstobecracked.txt Q.1.3.2: In your own words, what does the command above do? View the password file. Q.1.3.3: What is the hashing algorithm that is used for the passwords? How can you tell on the hash what algorithm is used? Now run John the Ripper on the shadow password file you just copied over. Q.1.3.4: What command did you use? Some passwords should be cracked quickly and others taking much longer. The more complicated passwords might take hours or days to crack. Pressing the spacebar will show the passwords being tried. Hit it several times to see the way the password combinations are tried. Stop the program after some time using Ctrl-C. Q.1.3.5: Write down how many passwords has been cracked and what passwords they were. Section 2 - fgdump *OSs Used in this section: Win7 and Server2012 2.1. Installing and running fgdump and John the Ripper in Windows In this section, you will use fgdump to remotely transfer hash files from a Server2012 box (which is often the configuration point of user accounts on an enterprise domain) to a Win7 machine. Create the following accounts from Local Users and Groups on Server2012 located at: Server Manager -> Tools -> Computer Management [Username] [Password] 3 User1 User2 User3 User4 User5 User6 User7 farout 123 Bach Dragon Secretshazam pirateplato i!h@d@M$!wbr 2.2. Running fgdump from Win7: See: http://www.foofus.net/~fizzgig/fgdump/ The first step to cracking passwords is to get the password hashes. Get the password hashes across the network with fgdump. You must have the administrator password to extract the hashes. Download, extract, and install fgdump on your Win7 machine. Use the command line and go to the fgdump directory cd c:\dump\fgdump-3.0.0-exeonly Now execute the fgdump command: fgdump –v –h <TARGET IP> -u administrator –p P@ssw0rd Hint: You may have to enable file sharing for this to work properly. Q.2.2.1: In your own words describe the above command: Note: you should receive ‘Summary’ response when the transfer is successful. Now view the file <TARGET IP>.pwdump. Each line of the file is the user account, user id, and password hash separated by a colon. Q.2.2.3: Looking at the hashes is there any similarities between them? 2.3 John the Ripper in Win7 4 John the Ripper is a password-cracking tool that is capable of performing a dictionary, hybrid, or brute force attack. There are also versions that can perform a distributed attack. Your goal is to attempt to decipher the passwords from the hashes we have already captures with fgdump6. Download the Windows binary of john the ripper from: http://www.openwall.com/john/g/john179j5w.zip Extract the files Using the command prompt: cd into the “run” folder Note: Before running john on the password file you will need to modify it to replace the NO PASSWORD section with a USERID: User4:NO PASSWORD*********************:70B82AA7D1208ABBDA1F08DB8B5FE5B1::: change it to this... User4:1000::70B82AA7D1208ABBDA1F08DB8B5FE5B1::: Q.2.3.1: Why does this need to be changed? Type john and then press Enter and observe the output Q.2.3.2: What option would you use if you wanted to use a dictionary attack? Q.2.3.3: If you interrupt John while running and you want to continue where it left off, what option would you use? At the command line, type: john --wordlist=password.lst <TARGET IP>.pwdump --format=nt2 Q.2.3.4: What passwords were found? Before running another rule, you must first delete the john.pot file since it contains the passwords found (del john.pot) Now try running a hybrid attack. Q.2.3.5: What command did you use? 5 Q.2.3.6: Did it find more or less passwords? Now run a full-out attack (dictionary, hybrid, and brute-force). Q.2.3.7: What command did you use? Let it run for about 10 minutes Q.2.3.8: How many more did it find than the hybrid attack? Q.2.3.9: How would you protect yourself from password cracking utilities? Provide adequate explanation. Section 3 – Cain & Abel *OSs Used in this section: Win7 and Server2012 3.1. Installing Cain & Abel Utility Cain & Abel is a utility package available from www.oxid.it/cain.html. It is actually 2 separate utilities as the name indicates. Cain is used on the host computer to crack passwords, sniff network traffic to include Remote Desktop traffic, and install/connect to the Abel utility. This utility set can also be used to record VoIP traffic, view protected storage such as cached passwords in Internet Explorer, Monitor messages from routing protocols such as OSPF, and it can also crack Cisco type 7 passwords. More information about the features of Cain & Abel can be found at http://www.oxid.it/ca_um/ This section will also display another utility that can be used to help audit your network. Again, it is important to conduct these audits to make certain that passwords are not easily readable by attackers using programs such as this. Install Cain & Abel on your Win7 machine: Download Cain & Abel (v.4.9.46) Run the ca_setup.exe file, located within the Cain and Abel folder on your Win7 machine. Accept the defaults for the Cain & Abel install After the Cain & Abel install is complete, the setup for WinPcap will launch Click install and accept the defaults for this install Username and Password Creation: Create usernames and passwords for your Win7 machine. [Username] User1 [Password] farout 6 User2 User3 User4 User5 User6 User7 123 Bach Dragon Secretshazam pirateplato i!h@d@M$!wbr Import Password Hashes into Cain: Open the Cain program as the Administrator. Click on the Cracker tab Click in the Main area of the window below the header bars (User Name, LM Password, etc). Once you click in the Main area the + sign on the menu bar should go from grayed out to blue. Click on the + sign, make sure “Import Hashes from local system” is selected and click next. Password information from users on the local computer should now be visible in the window. 3.2. Cracking Passwords Cain has many different options available for cracking passwords. They include dictionary attacks, brute-force attacks, and cryptanalyst attacks. Dictionary Attack: Now that you have imported the hashes from the local system we can perform a dictionary attack in an attempt to access a password. Right-click on the user account that has a dictionary password you configured above. Select Dictionary Attack → NTLM Hashes In Dictionary Attack window, the information window at the bottom it should show how many hashes are loaded. Select the Add To List function by right clicking in the Dictionary Section. o Word file is Located in C:\Program Files\Cain\Wordlists\Wordlist.txt o The word file will then be shown in the Dictionary section at the top of the Dictionary Attack window. You will notice that you can also select different options to run during the dictionary attack in the options section of the windows. For this test we will just use the default options, so click the Start Button. The test will run for a few minutes and should return the password for the user account. NOTE: One thing to remember when completing a dictionary attack is to reset the dictionary. You need to do this because Cain will save its position in the dictionary for the next attack if you do not reset the dictionary. This is accomplished by right clicking on the dictionary file and selecting “reset initial file positions” 7 Brute-Force Attack: Before beginning this section, reload the password hashes from the local system. This is accomplished by: 1. Right-Click in the Main windows (on a password hash or a blank section) 2. Select Remove All from the popup menu 3. Select Yes when prompted. 4. Repeat the steps from import hashes from above. We will be comparing two different types of brute-force attacks for this section. First, try a LM hashes attack and then a NTLM Hashes attack. Brute-force attacks in Cain are performed almost the same way dictionary attacks are. For the LM Hashes attack do the following: Right-Click on a user account you created in the last section Select Brute-Force Attack → LM Hashes Select the predefined charset drop down menu and choose the set of characters with only lowercase letters. Run for 5 minutes and stop the attack Q.3.2.1: How long is the initial crack estimate? Exit the Brute force attack window and clear the hashes from the Cain window. Next, try the NTLM Hashes attack. Q.3.2.2: How long is the initial attack estimate? Stop the attack after 2 minutes Q.3.2.3: Why is the NTLM attack so much longer than the LM attack? 3.3. Acquiring Remote Desktop Passwords Cain is also able to acquire remote desktop passwords stored in *.rdp files. To acquire a stored Remote Desktop password from a file, complete the following procedure. Create a saved Remote Desktop file on your Win7 machine: Open the Remote Desktop program Expand the windows by clicking the options button In the computer box enter the ip address of you Server2012 machine 8 Enter the administrator user name and password for you Server2012 machine Check the Save my password box Select the Save As… button in the window Save the file as “Server2012” on the Desktop Close the Remote Desktop program Decrypt the RDP stored password 1.Launch the Cain utility 2.Select Tools → Remote Desktop Password Decoder 3.Click the … (browse) button in the top right corner of the window 4.Browse to the RDP file you created above and open it 5.You should now see the username, domain name, encrypted password, and decrypted password associated with this RDP file. Q3.3.1: How long did it take to crack the password? Q3.3.2: How can you avoid compromising .rdp files? Section 4 - Bonus ~ 2 Additional Points Since this lab focuses on the vulnerabilities associated with passwords and demonstrates how passwords can be compromised through both Windows and Linux machines, to earn bonus points on this lab, I would like you to create a comparison document that illustrates and describes how Unix/Linux structured/organizes password files and how Windows structures/organizes password file and the pros and cons of each. This comparison must be detailed and list the directory structure and file specifics of each OS. Compare the OS data you have collected to how perimeter routing devices (which are accessible from the public network) handle their passwords, how the files they are stored, and the vulnerabilities with the passwords on these devices. You may choose one vendor, such as Cisco or Juniper, to conduct this research. 9 Answer Sheet Q1.1.1: What is the difference between a "development", “stable" and “pro” release? (of any software, not just John the Ripper) Q1.1.2: What are the steps to install John the Ripper from source? Q1.1.3: What are the advantages and disadvantages to downloading, compiling and installing from source? Q1.1.4: What are the advantages and disadvantages to installing pre-compiled packages using a package manager (like yum)? Q1.2.1: Where are the usernames and encrypted passwords stored? Q1.3.1: Do you see any passwords that were just created on the RHEL6.3 machine? Q.1.3.2: In your own words, what does the command above do? Q.1.3.3: What is the hashing algorithm that is used for the passwords? How can you tell on the hash what algorithm is used? Q.1.3.4: What command did you use? Q.1.3.5: Write down how many passwords has been cracked and what passwords they were. Q.2.2.1: In your own words describe the above command: Q.2.2.3: Looking at the hashes is there any similarities between them? Q.2.3.1: Why does this need to be changed? Q.2.3.2: What option would you use if you wanted to use a dictionary attack? Q.2.3.3: If you interrupt John while running and you want to continue where it left off, what option would you use? Q.2.3.4: What passwords were found? Q.2.3.5: What command did you use? Q.2.3.6: Did it find more or less passwords? Q.2.3.7: What command did you use? Q.2.3.8: How many more did it find than the hybrid attack? 10 Q.2.3.9: How would you protect yourself from password cracking utilities? Provide adequate explanation. Q.3.2.1: How long is the initial crack estimate? Q.3.2.2: How long is the initial attack estimate? Q.3.2.3: Why is the NTLM attack so much longer than the LM attack? Q3.3.1: How long did it take to crack the password? Q3.3.2: How can you avoid compromising .rdp files? 11