Lab1_Password_Cracking
.docx
keyboard_arrow_up
School
University of Rochester *
*We aren’t endorsed by this school
Course
3710
Subject
Computer Science
Date
Feb 20, 2024
Type
docx
Pages
5
Uploaded by SargentFlagKomodoDragon15
CS 3710 Introduction to Cybersecurity
Term: Spring 2024
Lab Exercise 1 – Introduction to Password Cracking
Due Date: January 26, 2024 11:59pm
Points Possible: 7 points
Name:
By submitting this assignment you are digitally signing the honor code, “On my honor, I pledge that I have neither given nor received help on this assignment.”
Generative AI assistance is NOT permitted on this assignment.
1. Overview
This lab exercise will provide some hands-on experience with password strength analysis using command-line tools in Linux.
2. Resources required
This exercise requires a Kali Linux VM running in the Virginia Cyber Range. 3. Initial Setup
From your Virginia Cyber Range course, select the Cyber Basics
environment. Click “start” to start your environment and “join” to get to your Linux desktop login.
4. Tasks
Task 1: Introduction to password auditing.
On Linux systems, user accounts are stored in the /etc/passwd
file (world-readable text file) and passwords are hashed and stored in /etc/shadow
(a text file only readable by root). Click on the Terminal Emulator to open a command prompt. You will need to become an administrator on the system to see the shadow file. Type “
sudo su -”
and hit enter. You will notice your command prompt changed from a $
to a #
and your user changed from student to root. Go ahead and “cat” those
two password files to see what they look like.
Question #1: What hash type is used by your Cyber Range version of Linux? How can you determine that
by looking at the hashed passwords in /etc/shadow
?
(.5 point)
Yescrypt, since the password architecture begins with $y$ which indicates the hash type of Yescrypt.
Question #2: What are two other hash IDs and their types that you may see in /etc/shadow
? (The ID is the numbers/letters that identify the hash and the type is the name of the hash) (.5 point)
$1$ which corresponds to the type MD5, and $6$ which corresponds to the type SHA-512.
Question #3: What is password salting and why is it important
?
(.5 point)
It’s the second part of the hashed password which is made of some random data to make the password more unique. It can add complexity to the password to ensure its safety.
© 2024 Virginia Cyber Range. Created by David Raymond, Ph.D., CISSP, Virginia Tech. (CC BY 4.0)
Modified by Angela Orebaugh, Ph.D., CISSP, University of Virginia
CS 3710 Introduction to Cybersecurity
Term: Spring 2024
We’ll use a password auditing tool called John the Ripper (JTR), a very effective and widely known password cracker. JTR is available from www.openwall.com/john
. JTR is already installed in the virtual environment so you won’t need to download it.
Task 2
: Crack Linux passwords.
1. Create 2 new accounts, one with an easy to guess password (such as 1234) and one with a difficult to guess password. Question #4: Cut and paste or screen capture the commands you used to create the accounts and set the passwords. (.5 point)
2. Now let’s see which ones we can crack. Run john against the /etc/shadow file. You will need to use the -format:crypt command line option to crack this particular hash method.
JTR will attempt to crack the passwords and display any that it ‘cracks’ as it goes along. It starts in “single crack” mode, mangling username and other account information. It then moves on to a dictionary attack using a default dictionary, then with a hybrid attack, then brute force where it will try every possibly combination of characters (letters, numbers, and special characters) until it cracks them all. You may see several warnings about candidates buffered for the current salt and that is ok. You can ignore those warnings.
The account with the easy to guess password should be cracked rather quickly. Wait for a little bit for it to crack the difficult password, but don’t wait too long as it could take months or years to complete if your password is really strong! Press [CTRL]-[C] to stop execution if it doesn’t automatically complete and return to the command prompt.
Question #5: Provide a screenshot of your JTR cracked passwords (.5 point)
© 2024 Virginia Cyber Range. Created by David Raymond, Ph.D., CISSP, Virginia Tech. (CC BY 4.0)
Modified by Angela Orebaugh, Ph.D., CISSP, University of Virginia
CS 3710 Introduction to Cybersecurity
Term: Spring 2024
Question #6: Briefly describe how a dictionary based password attack works. (.75 point)
Dictionary based password goes through a list of words.Password cracking can take a long time since it requires hashing and comparing over and over.
Question #7: Briefly describe how a brute force password attack works. (.75 point)
Brute force password is the most effective one. Since it tries every possible combination of numbers, characters, special characters, it could take millions of trillion of time to crack such passwords. John uses the following files to manage execution. Most are all stored in the /usr/share/john
folder on your Kali virtual machine (john.pot is stored elsewhere as indicated):
- password.lst
is john’s default dictionary. You can cat
this file to look at it. You can specify another wordlist on the command line using the --wordlist=
directive (for example # john --wordlist=/usr/share/dict/american-english /etc/shadow
- john.conf
is read when JTR starts up and has rules for dictionary mangling for the hybrid crack attempt
- john.rec
is used to record the status of the current password cracking attempt. If john crashes, it will start where it left off instead of starting again from the beginning of the dictionary.
- /root/.john/
john.pot
lists passwords that have already been cracked. If you run john again on the same shadow file, it won’t show these cracked passwords unless you delete this file first using rm /root/.john/john.pot.
Task 3. More password cracking.
John the Ripper’s default dictionary is a short list of common passwords. Sometimes a standard English dictionary is a better option. In this exercise we will 1) download a new Linux shadow file that contains a
© 2024 Virginia Cyber Range. Created by David Raymond, Ph.D., CISSP, Virginia Tech. (CC BY 4.0)
Modified by Angela Orebaugh, Ph.D., CISSP, University of Virginia
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
Related Questions
TO: All Staff
FROM: Jake Ryan, Director, Product Development
DATE: October 23, 2018
SUBJECT: Launch of Product XYZ
Due to extensive customer feedback, and the results of current testing, I wanted to inform you that Product XYZ will be delayed from its original launch date of November 15th, until Q1 2019.
We are confident that time for additional testing will serve to make XYZ more effective in fighting security breaches that customers are facing. For those customers that you believe will now consider a competitor's product, the marketing department is developing a promotional offering, which sales reps can share with their customers to help reduce those who will now go to our competitors.
As disappointing as this news may be, we are confident in our employees, and know the additional time will serve this company well by creating a more successful product.
arrow_forward
A security policy is a document that provides employees with clear instructions about acceptable use of company confidential information, explains how the company secures data resources and what it expects of the people who work with this information. Most importantly, the policy is designed with enough flexibility to be amended when necessary.
You are working in organization X, and you are supposed to develop an issue-specific security policy, you can pick one issue from Table.1 [1] (In the photos)
Your Task is:
To develop the different sections of your policy and adequate procedure(s), you can refer to SANS Policy Templates [2].
References:
[1] Developing an Information Security Policy: A Case Study Approach, Fayez Hussain Alqahtani. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia.
[2] https://www.sans.org/information-security-policy/
arrow_forward
Have you ever seen someone being harassed or bullied by someone else over the internet? When you initially learned of the issue, what was the very first thing that went through your head? How did you get at the conclusion that the individual had been the target of bullying conduct prior to your intervention? In other words, how did you come to that conclusion?
arrow_forward
To complete this assignment, you will need to do some research and produce a report that addresses the following issues regarding digital fingerprinting:
You should concentrate on the following issues:
What exactly is Digital Fingerprinting, and why is it employed in the first place?
What is the operation of the fingerprinting algorithm? Explain how it works on a fundamental level.
To achieve the intended result—either blocking, deleting, or authorizing the use of content—a series of actions must be taken.
Fingerprinting, according to several cybersecurity experts, is abusive and exposes users' privacy concerns. Some browsers have included specific methods to prevent browser fingerprinting from occurring. Describe the safeguards used by any of the browsers to protect themselves against fingerprinting.
List two common Fingerprinting Algorithms that are used nowadays.
arrow_forward
- A policy conundrum
Your organization has the following statements regarding phishing/social engineering in the employee manual:
All employees are required to complete annual security awareness training as provided by the Information Security team. Employees must successfully complete the training and achieve an established minimum score on any quizzes associated with the training.
The organization will conduct routine evaluations of the effectiveness security awareness training through simulated phishing tests. Employees that incorrectly identify simulated phishing emails must complete additional security awareness training and their manager will be notified. If an employee incorrectly identifies 3 or more simulated phishing emails, additional action may be taken by the employee’s manager, up to and including termination.
Employees are required to report any suspicious emails to the organization’s Information Security team using the Suspicious Mail button located in the…
arrow_forward
Casual Observer Software’s main product is a program that monitors and analyzes user keystrokes and mouse clicks to learn more about the way employees use their computer systems. The problem is that some users feel this is an unwarranted intrusion into their privacy, and they prefer not to be observed. Some even fear that the data would be used for other reasons, including performance appraisal. You are a consultant who has been hired by a client firm that is trying to decide whether or not to use this software. Before you advise the client, remember the Hawthorne effect, which suggests that employees might behave differently when they know they are being observed. Finally, think about the ethical issues that might be involved in this situation. What will you advise your client, and why?
arrow_forward
Casual Observer Software’s main product is a program that monitors and analyzes user keystrokes and mouse clicks to learn more about the way employees use their computer systems. The problem is that some users feel this is an unwarranted intrusion into their privacy, and they prefer not to be observed. Some even fear that the data would be used for other reasons, including performance appraisal. You are a consultant who has been hired by a client firm that is trying to decide whether or not to use this software. Before you advise the client, go back to Chapter 4 and consider the Hawthorne Effect, which suggests that employees might behave differently when they know they are being observed. Finally, think about the ethical issues that might be involved in this situation. What will you advise your client, and why?
arrow_forward
The term "responsibility" refers to the act of determining whether or not a person is responsible for his or her own actions. Which of the following is the most secure option? It is critical that you provide an explanation for your behavior.
arrow_forward
if you will be assigned as one of the authorized body to create the "robotics Code', give at least five areas or stipulations that you want to focus on the code and why?.
minimum of 250 words
arrow_forward
What measures of self-defense should you take when confronted with the possibility of harm coming your way?
arrow_forward
This is Final Warning ⚠️ Don't post AI generated answer or plagiarised answer. If I see these things I'll give you multiple downvotes and will report immediately.
arrow_forward
Can you think of an example of online bullying or harassment that you witnessed? How did you react when you first heard about the situation? After all, you didn't know the person had been bullied until after you intervened.
arrow_forward
Instructions: Each student shall provide his own answers to the following questions. Similarity in the
students' answers will be classified as CHEATING cases.
The Operations Security Process consists of the following steps:
Step 1: Identification of Critical Information
Step 2: Analysis of Threats
Step 3: Analysis of Vulnerabilities
Step 4: Assessment of Risks
Step 5: Application of Countermeasures
If you were the information security manager of University of Hafr AIBatin, and you were asked to apply
the five steps of Operations Security Process to the university. Explain how should you apply these steps
and what are your expected outcomes for each step?
arrow_forward
▾ Topic 1
(Refers to Lesson #1) Discuss how the definition of privacy that is commonly used (freedom from observation) may differ from the
definition of privacy from the information security perspective (freedom from unsanctioned intrusion).
Topic 2
▸ Topic 3
8
f
ion_topics/2947715?module_item_id=12935597#
Q Search
S
T
Q Search entries or author
G
H
N
& 7
M
Unread
hp
3
K
fo
↑
©
E
fo
F11
P
alt
112
C
**
ļ
Insert
ctn
E
pause
10:14
10/30/20
backspace
arrow_forward
Make sure you submit your proposal for a security education program. Artifacts that have been finished and polished are supposed to have all their parts. The input that was used to create it should be reflected in its final form. The proposal will include an executive summary, a communication plan, an introduction, the proposal's policies and procedures, the proposal's main body, the proposal's main body, the policies and procedures, the recommended remedies to security weaknesses, and the strategies to constantly monitor the company for hostile conduct.
arrow_forward
Do you have a practical understanding of the various rules and regulations that apply to the conduct of interviews?
arrow_forward
Please use this project link below to answer the questions above thoroughly
Software Development Risk Management Model- a goal-driven approachhttps://www.google.com/url?sa=t&source=web&rct=j&url=https://d-nb.info/1011414708/34&ved=2ahUKEwin18bR6Lb9AhWrUjABHQHiDtIQFnoECBAQAQ&usg=AOvVaw0vmiH-3fSabjozkKO5TIaj
arrow_forward
q21- Several well-known software vulnerabilities are the result of not adequately checking program input. Briefly explain why secure programming requires input sanitisation and give one example of an attack or vulnerability that is a result of such a flaw.
arrow_forward
g. Illicit Cryptomining Create a presentation to discuss a certain abuse assigned to you. The discussion/presentation must focus on the following: 1. Nature of the abuse (types, operation, tools, etc.) 2. Actual case/news 3. Causes of abuse (reasons for committing the crime) 4. Effect/damages 5. Ways to avoid
arrow_forward
SEE MORE QUESTIONS
Recommended textbooks for you
Fundamentals of Information Systems
Computer Science
ISBN:9781305082168
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Related Questions
- TO: All Staff FROM: Jake Ryan, Director, Product Development DATE: October 23, 2018 SUBJECT: Launch of Product XYZ Due to extensive customer feedback, and the results of current testing, I wanted to inform you that Product XYZ will be delayed from its original launch date of November 15th, until Q1 2019. We are confident that time for additional testing will serve to make XYZ more effective in fighting security breaches that customers are facing. For those customers that you believe will now consider a competitor's product, the marketing department is developing a promotional offering, which sales reps can share with their customers to help reduce those who will now go to our competitors. As disappointing as this news may be, we are confident in our employees, and know the additional time will serve this company well by creating a more successful product.arrow_forwardA security policy is a document that provides employees with clear instructions about acceptable use of company confidential information, explains how the company secures data resources and what it expects of the people who work with this information. Most importantly, the policy is designed with enough flexibility to be amended when necessary. You are working in organization X, and you are supposed to develop an issue-specific security policy, you can pick one issue from Table.1 [1] (In the photos) Your Task is: To develop the different sections of your policy and adequate procedure(s), you can refer to SANS Policy Templates [2]. References: [1] Developing an Information Security Policy: A Case Study Approach, Fayez Hussain Alqahtani. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia. [2] https://www.sans.org/information-security-policy/arrow_forwardHave you ever seen someone being harassed or bullied by someone else over the internet? When you initially learned of the issue, what was the very first thing that went through your head? How did you get at the conclusion that the individual had been the target of bullying conduct prior to your intervention? In other words, how did you come to that conclusion?arrow_forward
- To complete this assignment, you will need to do some research and produce a report that addresses the following issues regarding digital fingerprinting: You should concentrate on the following issues: What exactly is Digital Fingerprinting, and why is it employed in the first place? What is the operation of the fingerprinting algorithm? Explain how it works on a fundamental level. To achieve the intended result—either blocking, deleting, or authorizing the use of content—a series of actions must be taken. Fingerprinting, according to several cybersecurity experts, is abusive and exposes users' privacy concerns. Some browsers have included specific methods to prevent browser fingerprinting from occurring. Describe the safeguards used by any of the browsers to protect themselves against fingerprinting. List two common Fingerprinting Algorithms that are used nowadays.arrow_forward- A policy conundrum Your organization has the following statements regarding phishing/social engineering in the employee manual: All employees are required to complete annual security awareness training as provided by the Information Security team. Employees must successfully complete the training and achieve an established minimum score on any quizzes associated with the training. The organization will conduct routine evaluations of the effectiveness security awareness training through simulated phishing tests. Employees that incorrectly identify simulated phishing emails must complete additional security awareness training and their manager will be notified. If an employee incorrectly identifies 3 or more simulated phishing emails, additional action may be taken by the employee’s manager, up to and including termination. Employees are required to report any suspicious emails to the organization’s Information Security team using the Suspicious Mail button located in the…arrow_forwardCasual Observer Software’s main product is a program that monitors and analyzes user keystrokes and mouse clicks to learn more about the way employees use their computer systems. The problem is that some users feel this is an unwarranted intrusion into their privacy, and they prefer not to be observed. Some even fear that the data would be used for other reasons, including performance appraisal. You are a consultant who has been hired by a client firm that is trying to decide whether or not to use this software. Before you advise the client, remember the Hawthorne effect, which suggests that employees might behave differently when they know they are being observed. Finally, think about the ethical issues that might be involved in this situation. What will you advise your client, and why?arrow_forward
- Casual Observer Software’s main product is a program that monitors and analyzes user keystrokes and mouse clicks to learn more about the way employees use their computer systems. The problem is that some users feel this is an unwarranted intrusion into their privacy, and they prefer not to be observed. Some even fear that the data would be used for other reasons, including performance appraisal. You are a consultant who has been hired by a client firm that is trying to decide whether or not to use this software. Before you advise the client, go back to Chapter 4 and consider the Hawthorne Effect, which suggests that employees might behave differently when they know they are being observed. Finally, think about the ethical issues that might be involved in this situation. What will you advise your client, and why?arrow_forwardThe term "responsibility" refers to the act of determining whether or not a person is responsible for his or her own actions. Which of the following is the most secure option? It is critical that you provide an explanation for your behavior.arrow_forwardif you will be assigned as one of the authorized body to create the "robotics Code', give at least five areas or stipulations that you want to focus on the code and why?. minimum of 250 wordsarrow_forward
- What measures of self-defense should you take when confronted with the possibility of harm coming your way?arrow_forwardThis is Final Warning ⚠️ Don't post AI generated answer or plagiarised answer. If I see these things I'll give you multiple downvotes and will report immediately.arrow_forwardCan you think of an example of online bullying or harassment that you witnessed? How did you react when you first heard about the situation? After all, you didn't know the person had been bullied until after you intervened.arrow_forward
arrow_back_ios
SEE MORE QUESTIONS
arrow_forward_ios
Recommended textbooks for you
- Fundamentals of Information SystemsComputer ScienceISBN:9781305082168Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning
Fundamentals of Information Systems
Computer Science
ISBN:9781305082168
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning