Introduction

In this lab, you will use brute-force password cracking to attempt to determine the passwords of various users on the system. This attack is only possible with access to those users' password hashes, which are normally protected; in some instances, however, exploits or poor system security have allowed that information to be disclosed, making these types of attacks possible. Another popular use case is running this type of attack against your own machine to determine the strength of your users' passwords. This can become important when you have tens, hundreds or more users on a machine, as in the case of a system like CSUNIX.

Steps

  • Do a regular NetBSD install; be sure to select Blowfish as your password hashing algorithm
  • Set a strong root password
  • Fetch pkgsrc from FTP
  • Install security/john from pkgsrc
  • Download four_wordlist.txt.gz from FTP
  • gunzip four_wordlist.txt.gz
  • Add a user named 'blf' and set their password with the passwd command (limit yourself to 4 characters to make it easier to crack)
  • Edit /etc/passwd.conf and change the localcipher line to 'localcipher = old'
  • Add a user named 'des' and set their password with the passwd command
  • Edit /etc/passwd.conf and change the localcipher line to 'localcipher = md5'
  • Add a user named 'md5' and set their password with the passwd command
  • Edit /etc/passwd.conf and change the localcipher line back to 'localcipher = blowfish,7'

Commands:

	cp /etc/master.passwd ~/passwd_file
	john --wordlist=four_wordlist.txt --users=des --session=des ~/passwd_file
	john --wordlist=four_wordlist.txt --users=md5 --session=md5 ~/passwd_file
	john --wordlist=four_wordlist.txt --users=blf --session=blf ~/passwd_file
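
Before starting john, it is worth confirming that each lab account was actually hashed with the cipher selected in /etc/passwd.conf. The script below is an added example, not part of the original lab: it reports the hash format of every account in a master.passwd-format file. The function names are hypothetical and the sample entries are constructed filler, not real hashes.

```shell
#!/bin/sh
# Added example: report which crypt(3) format each account's hash uses.

# Classify one master.passwd password field by its format prefix.
classify_hash() {
    case "$1" in
        \$2?\$[0-9][0-9]\$*)                 # $2a$NN$... = blowfish, cost NN
            rest=${1#\$2?\$}                 # drop the "$2a$" prefix
            cost=${rest%%\$*}                # keep the digits before next "$"
            echo "blowfish,${cost#0}" ;;     # 07 -> 7, as written in passwd.conf
        \$1\$*)     echo "md5" ;;
        \$sha1\$*)  echo "sha1" ;;
        _*)         echo "des-extended" ;;
        ''|\**|!*)  echo "locked-or-empty" ;;
        *)  # traditional DES crypt is exactly 13 characters, no prefix
            if [ "${#1}" -eq 13 ]; then echo "des"; else echo "unknown"; fi ;;
    esac
}

# Read master.passwd-format lines on stdin, print "user scheme" per account.
audit_passwd_file() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|\#*) continue ;; esac
        echo "$user $(classify_hash "$hash")"
    done
}

# Constructed sample: hash fields are filler of the right shape, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
root:$2a$07$CONSTRUCTEDFILLERCONSTRUCTEDFILLERCONSTRUCTEDFILLERxx:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*************:1:1::0:0:The devil himself:/:/sbin/nologin
blf:$2a$07$CONSTRUCTEDFILLERCONSTRUCTEDFILLERCONSTRUCTEDFILLERxx:1000:100::0:0::/home/blf:/bin/sh
des:CONSTRUCTED..:1001:100::0:0::/home/des:/bin/sh
md5:$1$fillsalt$CONSTRUCTEDFILLERxxxxx:1002:100::0:0::/home/md5:/bin/sh
EOF
}

sample_master_passwd | audit_passwd_file
```

On the lab machine, source the functions and run `audit_passwd_file < ~/passwd_file`; the 'des', 'md5' and 'blf' accounts should report des, md5 and blowfish,7 respectively.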
    

Steps

Read man passwd.conf and man pwhash.
Experiment with the 'pwhash' command.
Remember that when we set blowfish in passwd.conf, we also had to set a number: the number of 'rounds'. This is a number between 4 and 31 that determines how many times the blowfish algorithm is used. The number is not the count itself but the logarithm of the count, so 8 is 10 times more than 7, and 9 is 100 times more than 7. Note the difference in how long it takes to generate hashes for the following commands:

Commands:

	date;pwhash -b 4 'somepassword';date
	date;pwhash -b 7 'somepassword';date
	date;pwhash -b 8 'somepassword';date
	date;pwhash -b 12 'somepassword';date
	date;pwhash -b 15 'somepassword';date
    

Questions:

Why do we hash passwords, rather than encrypt them?:



What is the speed difference in cracked DES vs MD5 vs Blowfish hashed passwords?:



Why shouldn't passwords be stored just as the unsalted md5 or sha1 hash of the password?:



Why does having a 'salt' in a password make rainbow tables mostly impractical?:




Why wouldn't you use the maximum (31) number of rounds for blowfish on your passwords?:


Last updated: 2008-02-27
Updated by: Allan Jude

Written by: Allan Jude (2008)