Password Exercise

Created Wednesday 30 September 2020

First a few hashing exercises:

Download the following zip file and unzip its contents.
./avatarpeeps.zip

Detailed download guide

You will see 3 pairs of similar files — but only ONE of these three pairs contains actually IDENTICAL files. We're going to figure out which ones.

First, try simply viewing the contents of each of them in turn. A good tool for this is "less"

1. Describe the contents, briefly. Do they generally appear to be similar?
2. In the directory where they are unzipped, list the files with "ls." Can you rule a pair out now?
3. Finally, let's PROVE it. Hash all of the files. One fine tool for this is md5sum. Provide me with all the hashes and tell me which pair is actually identical.

4(definitely a bonus question if you're super geeky and interested. How *ARE* they different, exactly?)

Let's break some passwords, yall. HACKITY HACK HACK

(this might KILL the VMs, let's see what happens)

Have EACH member install john the ripper on their linux machine. (You do NOT have to use the VM if you have your own linux install and can do screenshots. You may want to though, as you will see)

sudo apt install john

(hey, john IS pretty rad)

Now, we will do a mild test of YOUR OWN PASSWORDS. First, we'll have to do a little prep; Linux stores users and passwords (ACTUALLY NOT PASSWORDS, BUT WHAT? YOU REALLY SHOULD BE ABLE TO ANSWER THIS QUESTION INSTANTLY) separately, but we're going to put them together, via "unshadowing" The users are in /etc/passwd and the other things are in /etc/shadow, so do a:

sudo unshadow /etc/passwd /etc/shadow > passwordfile

Just for sake of curiosity, take a look at "passwordfile" with less

sudo less ./passwordfile

5. Describe what you see? Where's the "goodies," and can you extract any information from it?

Then we will run a simple default scan:

sudo john ./passwordfile

Let this run for a bit. As it says, you can hit any key while it's running to get an idea of what's going on. Take a screenshot now, too.

5. Hey, what is going on? (Again — it tells you that "any other key" will show something like progress, be sure that is visible in your screenshot.
6. Also, ensure each team member has done this INDIVIDUALLY, and attach 4 different screenshots to show me.

If nothing happens after a few minutes, congrats, you probably picked a decent password.

Lets do a bad one. Each member should try this exercise, but I only need one submssion. I put a bad password on a machine and generated its shadow file for you. Take a look with less if you like, but either way...

7. Use john the ripper to crack the password on this shadow file and tell me what it is.

./crack_this_shadowfile

---

Backlinks: FSU Courses:LIS4774

• About The Site
• Bookmarks
• FSU Courses
  • LIS3353
  • LIS4022
  • LIS4708
  • LIS4774
    • Calendar
    • COMPLETE VM SecNet Instructions
    • First Day Secnet Lab
    • Lab Exercise 1
    • Password Exercise
      • Detailed download guide
    • Port Scanning Assignment
    • Project Ideas and Resources
    • RawSlides
    • Second Day Notes
    • Syllabus
    • Term Project Rubric
    • Week 7 Exercise
    • Week 12 -Advanced Thread Modelling and Malicious Software
    • Week 13 - Cybersecurity Policy
    • Week 14 - Code injection and XSS
  • LIS4910
  • LIS5362
  • LIS5364
  • LIS5367
  • LIS5411
  • LIS5417
  • That Time I Turned a Routine Traffic Ticket into the Constitutional Trial of the Century
• Home
• Journal
• My Media
• Networking
• On Discord
• On My Online Quizzes
• Project Code Sources
• Self-Hosted Ideas and Resources
• Tech Guides
• Videos
• Web Design