lab2 - Password Cracking

Lab Assignment 2 : due 3/10 Monday

Task: Password Cracking
As a system administrator, you can test the strength of your users' passwords with a password cracker. "John the
Ripper" (JtR) is one of the most popular. The program "john" generates candidate passwords according to a chosen
strategy, hashes each candidate with the same algorithm and salt as the stored hash, and reports a hit when the two
hashes match. It never attempts real logins, which is why it works from a copy of the password file rather than
against the login service.
JtR is available from the Ubuntu repository (version 1.7.3), but only versions newer than 1.7.6 support the
SHA-512-based crypt(3) hashes (prefix "$6$" in /etc/shadow) that Ubuntu 8.10 and later use by default. In this lab,
we will install version 1.7.9 from source.
1. Download the JtR source code
$wget http://www.openwall.com/john/g/john-1.7.9.tar.gz
2. Extract and compile the program
$tar -zxvf john-1.7.9.tar.gz
$cd john-1.7.9/src
$make linux-x86-sse2
(On a 64-bit Ubuntu use "make linux-x86-64" instead; running "make" with no target lists all available targets.)
You should now have the "john" binary in the ../run directory (john-1.7.9/run).
3. Create some user accounts with weak passwords.
a) An account whose password is 4 digits, e.g., 1357
b) An account whose password is a common word of no more than 5 letters, e.g., apple
c) An account whose password is derived from the account itself, e.g., user ID jay with password jay123, or
registered full name John Smith with password jsmith2000
d) An account with a short but "strong" password: 3 characters that are not a word, not all digits and not related
to the account, e.g., a mix of letters, digits and punctuation
4. Run the cracker
a) Get all the hashed values. On Ubuntu the password hashes live in /etc/shadow, not /etc/passwd, and /etc/shadow
is readable only by root. Enter JtR's "run" directory and execute
$sudo ./unshadow /etc/passwd /etc/shadow > passwd.txt
This merges the two files into the one-line-per-account format that john reads. The resulting passwd.txt holds
your users' password hashes: keep it readable only by yourself (e.g., chmod 600 passwd.txt) and delete it when the
lab is finished.
b) Prune passwd.txt so that only the lines for the four accounts you just created remain (in particular, remove
the line for your own login username).
c) Normally you would execute "./john passwd.txt" to start cracking, which runs john's default sequence of modes.
(Don't execute the command at this point.)
While john is running, press any key to print its progress (including the time spent so far); press CTRL-C to
interrupt it.
To resume cracking after an interruption: $./john --restore
To show the cracked password(s): $./john --show passwd.txt
Here, we will try some command options that speed up the process by restricting the search. The online document at
http://www.openwall.com/john/doc/EXAMPLES.shtml may be helpful.
1) First try "single crack" mode. It is quick, but it only finds passwords built from the account's own
information (login name, GECOS full name) and simple variations of them, as in account c).
$./john --single passwd.txt
If you observe a cracked password, press any key to show the status and record the time information.
2) Next, we will crack the all-digit password. Open the configuration file john.conf and find the section
"[Incremental:Digits]". Set both "MaxLen" and "MinLen" to 4. Then execute the following command, which selects
that incremental mode: john will enumerate only candidates made of the 10 digits 0~9, and with the length fixed
at 4 there are at most 10^4 = 10,000 of them.
$./john -i=digits passwd.txt
You don't have to wait for the program to terminate. Once the digits password is cracked, record the time spent
and stop the program. Note: this step may take some time depending on the password you chose. You can keep
reading the rest of the instructions, or start task 2, while the cracking program is running.
3) Another important mode is "wordlist" mode, which performs a dictionary attack. With the "-w" (--wordlist)
option we specify the wordlist for john to use. JtR ships a small list of common words ("password.lst") in the
run directory; Ubuntu has a much longer list at /usr/share/dict/words.
Try the following command to see whether it cracks the dictionary-word password you picked.
$./john -w=password.lst passwd.txt
Again, you don't have to wait for the program to terminate. Once the word password is cracked, record the time
spent and stop the program.
4) Finally, let us try to crack the short but "strong" password. Open john.conf and find the section
"[Incremental:All]". Set both "MaxLen" and "MinLen" to 3. Running "-i" without a mode name uses this section,
which draws candidates from all 95 printable ASCII characters, so at length 3 there are 95^3 = 857,375
candidates. That is still a small search, which is why even a well-chosen 3-character password does not hold up.
$./john -i passwd.txt
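The shell helpers below are an added example for step 4; they are not part of the lab handout or of John the Ripper. They assume they are run from JtR's run directory with a passwd.txt produced by unshadow as in step 4a, and that the account names to keep are passed as script arguments (the names used in the test data are hypothetical). The lines written by write_sample are constructed, with fake hash strings, purely to exercise the helpers; the full john sequence at the bottom only runs where ./john and passwd.txt actually exist.

```shell
#!/bin/sh
# Added example (not from the lab handout or JtR): helpers for step 4.
# Assumes the current directory is JtR's run/ directory and passwd.txt
# came from "sudo ./unshadow /etc/passwd /etc/shadow > passwd.txt".

# keep_accounts FILE USER... : print only the lines whose username field
# exactly equals one of USER... (step 4b). A plain "grep jay" would also
# keep "jayne", so match on the whole first ':'-separated field instead.
keep_accounts() {
    file=$1
    shift
    awk -F: -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) { print }
    ' "$file"
}

# hash_type LINE : name the crypt(3) scheme from the hash prefix, so you can
# confirm the file holds the $6$ (SHA-512) hashes that john 1.7.9 handles.
# $y$ is yescrypt (the default on Ubuntu 22.04 and later), which that
# version of john does not support.
hash_type() {
    case $(printf '%s\n' "$1" | cut -d: -f2) in
        '$1$'*)          echo md5crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$y$'*|'$7$'*)   echo yescrypt ;;
        '!'*|'*'*|'')    echo locked-or-empty ;;
        *)               echo unknown ;;
    esac
}

# cracked_count FILE : number of cracked hashes, read from the summary line
# of saved "./john --show passwd.txt" output ("2 password hashes cracked, 2 left").
cracked_count() {
    sed -n 's/^\([0-9][0-9]*\) password hash.* cracked, [0-9]* left$/\1/p' "$1"
}

# run_mode LABEL JOHN-ARGS... : run one cracking mode against passwd.txt and
# print the wall-clock seconds it took (for question 3). Ctrl-C stops john;
# the elapsed time is still printed because the function continues afterwards.
run_mode() {
    label=$1
    shift
    start=$(date +%s)
    ./john "$@" passwd.txt
    echo "$label: $(( $(date +%s) - start ))s"
}

# write_sample PATH : constructed passwd.txt-style lines with FAKE hash
# strings, only for exercising the helpers above (real lines come from unshadow).
write_sample() {
    cat > "$1" <<'EOF'
root:$6$rootsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKE.:0:0:root:/root:/bin/bash
jay:$6$jaysalt0$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKE.:1001:1001:Jay:/home/jay:/bin/bash
jayne:$y$j9T$fakesaltfakesal$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:1002:1002:Jayne:/home/jayne:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Full lab sequence: ./helpers.sh USER1 USER2 USER3 USER4 (hypothetical names).
# Edit john.conf MinLen/MaxLen as steps 2) and 4) describe before the runs.
if [ -x ./john ] && [ -f passwd.txt ] && [ $# -gt 0 ]; then
    chmod 600 passwd.txt                          # the file holds real hashes
    keep_accounts passwd.txt "$@" > pruned.txt && mv pruned.txt passwd.txt
    while IFS= read -r line; do                   # sanity check: all $6$?
        printf '%s: %s\n' "${line%%:*}" "$(hash_type "$line")"
    done < passwd.txt
    run_mode single   --single
    run_mode digits   -i=digits
    run_mode wordlist -w=password.lst
    run_mode all      -i
    ./john --show passwd.txt | tee show.txt
    echo "cracked: $(cracked_count show.txt)"
fi
```

Run it as ./helpers.sh followed by your four account names; the per-account hash_type line tells you up front whether john 1.7.9 can even load the hashes, and each run_mode line gives the elapsed time that question 3 asks for.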
Questions:
1. Include a copy of passwd.txt in your report.
2. List the four accounts you created (user ID and password).
3. Report which accounts were cracked, in which step (1-4 above), and roughly how much time each took. (After you
observe a cracked password, press any key to show the time information.)