Password Exercise
Created Wednesday 30 September 2020
First a few hashing exercises:
Download the following zip file and unzip its contents.
./avatarpeeps.zip
You will see 3 pairs of similar files — but only ONE of these three pairs contains actually IDENTICAL files. We're going to figure out which ones.
First, try simply viewing the contents of each of them in turn. A good tool for this is "less"
- Describe the contents, briefly. Do they generally appear to be similar?
- In the directory where they are unzipped, list the files with "ls." Can you rule a pair out now?
- Finally, let's PROVE it. Hash all of the files. One fine tool for this is md5sum. Provide me with all the hashes and tell me which pair is actually identical.
Let's break some passwords, yall. HACKITY HACK HACK
(this might KILL the VMs, let's see what happens)
Have EACH member install john the ripper on their linux machine. (You do NOT have to use the VM if you have your own linux install and can do screenshots. You may want to though, as you will see)
sudo apt install john
(hey, john IS pretty rad)
Now, we will do a mild test of YOUR OWN PASSWORDS. First, we'll have to do a little prep; Linux stores users and passwords (ACTUALLY NOT PASSWORDS, BUT WHAT? YOU REALLY SHOULD BE ABLE TO ANSWER THIS QUESTION INSTANTLY) separately, but we're going to put them together, via "unshadowing" The users are in /etc/passwd and the other things are in /etc/shadow, so do a:
sudo unshadow /etc/passwd /etc/shadow > passwordfile
Just for sake of curiosity, take a look at "passwordfile" with less
sudo less ./passwordfile
- Describe what you see? Where's the "goodies," and can you extract any information from it?
Then we will run a simple default scan:
sudo john ./passwordfile
Let this run for a bit. As it says, you can hit any key while it's running to get an idea of what's going on. Take a screenshot now, too.
- Hey, what is going on? (Again — it tells you that "any other key" will show something like progress, be sure that is visible in your screenshot.
- Also, ensure each team member has done this INDIVIDUALLY, and attach 4 different screenshots to show me.
If nothing happens after a few minutes, congrats, you probably picked a decent password.
Lets do a bad one. Each member should try this exercise, but I only need one submssion. I put a bad password on a machine and generated its shadow file for you. Take a look with less if you like, but either way...
- Use john the ripper to crack the password on this shadow file and tell me what it is.
Backlinks: FSU Courses:LIS4774