Business Computer Forensics and Incident Response

CIS 8630
Lab Protocol 06: Password Cracking with Cain and Abel
Purpose: Ensure every student gains first-hand experience with password cracking tools. Students
will also learn first-hand to distinguish brute-force attacks from dictionary attacks, and will
see how password parameters such as password length and character set affect the security of a
password.
Materials required: (all downloadable files) passwordHash.txt, dict.zip, ca_setup.exe
Deliverable: This lab protocol with answers. Be sure your name and team name are on the material
delivered.
1. If you are using your own Windows machine, download Cain and Abel from
http://www.oxid.it/cain.html. It may be necessary to override your Internet security.
Download the latest version for Windows NT/2000/XP onto your desktop.
2. If you are using your VM machine, use windows explorer to open the directory,
C:\dayspace\Tools\Password Cracking.
3. Run the installer (casetup.exe). Note that your virus checker’s active scanner is likely to issue
warnings that a password cracker is being accessed. If possible, dismiss the messages without
deleting or blocking the files. Be sure to also install the winpcap packet driver when the CA
installer prompts.
4. If you are using your own Windows machine, go to http://lastbit.com/dict.asp, download the
medium sized dictionary (dict.zip) onto your desktop. Unzip the contents (DICT.TXT) onto
your desktop.
5. If you are using your VM machine, unzip C:\dayspace\Tools\Password Cracking\dict.zip onto
your desktop.
6. Prior to running the Cain program on your own machine, it may be necessary to suspend the
virus checker’s active scanning.
7. Run Cain using the desktop icon. (Ignore the message “Windows firewall is enabled. Some
features will not work correctly” if received.)
8. Click on the cracker tab (if users are listed, right-click and delete them).
9. Right click in the blank area and choose add to list.
10. Now you can add hashes that you want to crack. For now, choose import hashes from local
system. Check Include Password History Hashes.
11. Answer the following questions:
a. How many user accounts are there on your machine?
__________________
b. Did you find your user account?
__________________
c. Which accounts have you never used before?
__________________
__________________
__________________
__________________
__________________
12. If you are using your own Windows machine, download the file
http://cis.gsu.edu/rbaskerville/cis8630/labs/passwordHash.zip. Unzip the file to your desktop.
13. If you are using your VM machine, copy the file C:\dayspace\Tools\Password
Cracking\dict.zip onto your desktop
14. This file contains the hashes from another system.
15. In Cain and Abel, right click in main pane and select remove all, to take the current
information out. Right click again and select add to list like before. This time, choose import
hashes from a text file and browse for the file you just saved. Click next
16. The program should now look like the screen below
17. Select all the rows then right click and choose brute force attack and then, NTLM hashes. The
other options are for other types of password hashes.
18. For now, leave the default settings in the form. Look at the options you have to change the
predefined character sets, password lengths, and start point. Click on start and let the program
run for about a minute.
19. Answer the following questions
a. How many hashes were you able to crack in 1 minute?
b. Write down the plain text passwords here (you may have more or less)
__________________
__________________
__________________
__________________
__________________
__________________
__________________
__________________
__________________
c. How many characters were in the longest plain text password?
__________________
d. Are the plain text passwords secure or not? Why?
__________________
20. After stopping the cracker, experiment with the optional settings and see how they affect the
keyspace. Answer the following questions.
a. What is the keyspace for a 6-character password made up of numbers only?
___________________
b. What is the keyspace for a 6-character password made up of lower case letters only?
___________________
c. What is the keyspace for a 6-character password made up of upper and lower case letters,
numbers, symbols and everything else in the last predefined character set?
___________________
d. What do you recommend systems allow in their passwords?
___________________
e. What do you recommend systems require in their passwords?
21. Pretend you listen when someone logs into a machine and you hear them type 5 characters
when they enter their password. Adjust the settings and run the cracker again.
22. Select the largest character set and then adjust the max and min length to equal 5. Click start
and write below the estimated time left. Do this again with the max and min equal to 6, 7, 8
and 9.
5 __________
6 __________
7 __________
8 __________
9 __________
a. What recommendations do these results imply for password policies?
23. Exit the brute force cracker
24. Right click and remove all, then reload the hash file. (right click, add to list, import hashes
from text file)
25. Select all the accounts (right click, select all)
26. Right click on the hashes and select the dictionary attack, then NTLM hashes
27. The dictionary attack dialog box will open. Right click on the (empty) Dictionary listing at
the top of the box, and select “Add to list”. Open the DICT.TXT file that you earlier extracted
to your desktop.
28. Leave the defaults and click start
29. Answer the following questions.
a. How does the speed of the dictionary attack compare with the brute force attack?
__________________
b. What is the longest password found?
__________________
c. Which of the passwords cracked in the brute force attack were also discovered in the
dictionary attack, and vice versa?
Brute Force Attack Passwords
Dictionary Attack Passwords
d. What are the advantages and disadvantages of dictionary attacks?
e. What recommendations do these results imply for password policies?
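
The relationship behind steps 20 and 22 (keyspace as a function of character set and length, and the time needed to exhaust it) can be checked with the following added example, which is not part of the original lab. The character sets and the guess rate are assumptions for illustration, not values taken from Cain; substitute the rate your own tool reports.

```python
import string

# Character sets are assumptions for illustration; they are not copied from
# Cain's predefined lists.
CHARSETS = {
    "digits": string.digits,                                # 10 symbols
    "lowercase": string.ascii_lowercase,                    # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,   # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation + " ",  # 95
}
YEAR = 31_536_000  # seconds in a 365-day year

def keyspace(charset_size, min_len, max_len):
    """Number of candidate passwords with length between min_len and max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def exhaust_seconds(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second

def min_length_for(charset_size, guesses_per_second, target_seconds):
    """Shortest fixed length whose keyspace takes at least target_seconds to exhaust."""
    needed = guesses_per_second * target_seconds
    length = 1
    while charset_size ** length < needed:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report(rate):
    """One row per (character set, length 5..9): name, length, keyspace, time to exhaust."""
    rows = []
    for name, chars in CHARSETS.items():
        for length in range(5, 10):
            space = keyspace(len(chars), length, length)
            rows.append((name, length, space, human(exhaust_seconds(space, rate))))
    return rows

if __name__ == "__main__":
    RATE = 10_000_000  # assumed guesses per second, not a measured figure
    for name, length, space, eta in report(RATE):
        print(f"{name:13} len={length} keyspace={space:>22,} exhaust={eta}")
    print("min length, printable set, 1 year:", min_length_for(95, RATE, YEAR))
```

Each extra character multiplies the work by the size of the character set, which is why the estimated time grows so sharply between lengths 5 and 9.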