This is a two-part assignment. In the first part, you'll conduct a password audit using John the Ripper on a set of password hashes. In the second part, you will create password policies for two groups. Below you will find an example policy you can use as a reference and as a starting point for your own research. You can and should also use the textbook, the Internet and, most importantly, your own cleverness to create these policies. If you find any good information that you want to use as a reference, express your understanding in your own words with a citation for the source. Wikipedia can be a useful springboard to legitimate sources, but Wikipedia itself is not a credible source.
The assignment is not meant to demonstrate only your password cracking ability, but to demonstrate that you know how to run a password audit and recognize the importance of good passwords and policies.
Your deliverable is a professional-quality paper in one file (PDF preferred, but Word format is also accepted) that includes the following sections:
1. A minimum one-page letter to Mr. Avenal that explains what you were requested to do, what you did, what you found, and the possible implications of continuing to use the current password policies.
Note that Avenal is paying you, so your letter should be written in business style with little-to-no technical terminology.
Reference Sites:
http://writing.wisc.edu/Handbook/BusinessLetter.html
http://writingcenter.unc.edu/handouts/business-letters/
2. Two sets of password policies, one for each organizational unit as listed in the Avenal letter
Justify the password policies you suggest for each organizational unit. Note that the two organizational units are very different. Should or shouldn't their policies differ? You can be as technical as you like in this section. Perhaps the highly sensitive information should be protected with two-factor authentication.
3. A table that includes the usernames and, for each: the method used to break the account (if dictionary, include the dictionary used) and why the password was broken (too short, found in a dictionary, etc.). See the example table below.
4. The URL or location of the additional password dictionary used.
Make sure this all goes in ONE document, either a Word document or a PDF.
5. Your john.log file. This file is located in a hidden .john directory off your user's home directory. Full path: ~/.john/john.log. I want the full file, not a screenshot or copy/pasted text, but the actual file submitted. Without this file, you will not receive credit for the password audit portion of the assignment.
Example table:
You do not have to perform a manual installation of John in Linux!
John is super easy to install in Ubuntu/Mint/Debian-based systems: 'sudo aptitude install john'.
You have been provided several password dictionaries you may use, and you should use them; I'll know if you don't. Additionally, find and use at least one additional password dictionary other than the foreign dictionaries provided. You may want to Google for 'commonly used passwords'. COUGH hint, hint COUGH. There should be quite a few results for the Top X Passwords, where X is a number between 1 and Too many; some employees may be using some of these common passwords.
Feel free to post links to good dictionaries you may find on your own in the General Discussion or Assignment 1 group. If you alter John's rules and want to share that information, that's fine as well. Do not share broken accounts/passwords for the assignment; that will result in a zero.
Unshadow the passwd and shadow files:
unshadow passwd shadow > unshadowed
Run John first in Single mode
john --single unshadowed
Break a password or two? Huzzah! Now, for the dictionary files including the additional dictionary you found. You should make a copy of the found dictionary as all upper case by running this in the terminal:
tr '[:lower:]' '[:upper:]' < yourFoundDictionary > uppercase.dict
The tr command is a text-manipulation utility; here we use it to convert every lower-case character in the file to upper case and redirect the result to a new file called 'uppercase.dict'. Using this may or may not find any additional passwords, as you may already have broken them by other means before using your own dictionary.
Note: You do not have to uppercase any of the foreign dictionaries.
Now run John using the provided dictionaries, then your dictionary, followed by your converted-to-uppercase dictionary:
john --wordlist:nameOfDictionaryFile unshadowed
Any passwords left? If so, run John in incremental mode - this is the brute force option - for 12 hours (cumulative).
john --incremental unshadowed
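Once John has finished, `john --show unshadowed` lists each cracked account as user:password:uid:gid:gecos:home:shell followed by a summary line. The added Python example below (not part of the assignment materials) parses that output and checks each password against the wordlists you used, producing the username / method / reason rows that the table in deliverable 3 asks for. The sample output and wordlists are constructed, the 8-character "too short" threshold is an assumption, and the single-mode check is a simplified model that only tries the login name and GECOS words.

```python
"""Turn `john --show unshadowed` output into audit table rows (user, method, reason)."""
import re

MIN_LENGTH = 8  # assumed threshold for the "too short" reason
# Constructed sample of `john --show` output (user:password:uid:gid:gecos:home:shell + summary)
SAMPLE_SHOW = """\
jsmith:jsmith:1001:1001:John Smith:/home/jsmith:/bin/bash
bob:PASSWORD:1002:1002:Bob Jones:/home/bob:/bin/bash
carol:letmein:1003:1003:Carol Lee,Room 12:/home/carol:/bin/bash
dave:Zq7#kP:1004:1004:Dave Kim:/home/dave:/bin/bash
4 password hashes cracked, 2 left
"""
# Constructed wordlists; uppercase.dict is the same transform as tr '[:lower:]' '[:upper:]'
FOUND_DICT = {"password", "letmein", "123456", "qwerty"}
WORDLISTS = {"found.dict": FOUND_DICT, "uppercase.dict": {w.upper() for w in FOUND_DICT}}

def parse_john_show(text):
    """Return (user, password, gecos) per cracked line; the summary line has no colons."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7:
            rows.append((parts[0], parts[1], parts[4]))
    return rows

def single_mode_candidates(user, gecos):
    """Simplified model of single mode: login name plus GECOS words, lowercased."""
    words = {user} | set(re.split(r"[\s,]+", gecos))
    return {w.lower() for w in words if w}

def classify(user, password, gecos, wordlists):
    """Return (method, reason) for one cracked account, for the deliverable table."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short (%d chars)" % len(password))
    if password.lower() in single_mode_candidates(user, gecos):
        method = "single"
        reasons.append("derived from username/GECOS")
    else:
        hits = [name for name, words in wordlists.items() if password in words]
        if hits:
            method = "dictionary (%s)" % hits[0]
            reasons.append("word in %s" % hits[0])
        else:
            method = "incremental"
            reasons.append("short/simple enough for brute force")
    return method, "; ".join(reasons)

def audit_table(show_output, wordlists):
    return [(u,) + classify(u, p, g, wordlists) for u, p, g in parse_john_show(show_output)]
```

Call audit_table(SAMPLE_SHOW, WORDLISTS) to get the rows; for the real audit, feed it the actual --show output and sets built from each dictionary file you ran.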
Your grade will be based on:
Your non-technical summary should use little-to-no technical terms. This can be difficult, but not impossible, to do when a technical event is involved. Here is an excerpt from the Washington Post about the Heartbleed SSL issue. Note that they do a fantastic job of explaining the technical issue in mostly everyday, non-technical terms.
Q: What is SSL?
A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remain private. “Open” SSL simply means that the code is freely available.
It’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars.
“That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher,” explains Vox’s Timothy Lee. “If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.”