Assignment 1: Authentication and Password Auditing

Page history last edited by Patrick 2 months, 2 weeks ago

Objective

This is a two-part assignment. In the first part, you will conduct a password audit using John the Ripper on a set of password hashes. In the second part, you will create password policies for two groups. Below you will find an example policy to use as a reference and as a starting point for your own research. You can and should also use the textbook, the Internet and, most importantly, your own cleverness to create these policies. If you find good information that you want to use as a reference, restate it in your own words with a citation for the source. Wikipedia can be a useful springboard to legitimate sources, but Wikipedia itself is not a credible source.

 

The assignment is not meant to demonstrate only your password-cracking ability, but to show that you know how to run a password audit and that you recognize the importance of good passwords and policies.

 

Assignment

 

Assignment Files

 

  • Letter from Avenal (Assignment Description PDF)
  • passwd and shadow files zipped
    • SHA1 Hashes for Verification
      • 301c18e1830901133dee68d4b0efaff6aaf0e1ee  4360.sp23.a1.accounts.zip
      • c8c0f755240676a6df73a9b046d71e4015f4d1df  passwd
      • f9a7fdaf320f7647a68f3287adf980a9861a9090  shadow

 

  • Example Password Policy
    • Use this as a template for yours, including headings, and create your own policies for each group
    • Don't simply copy what you see here
    • Your policies should be tailored to the groups
    • Include two-factor authentication for one of the groups. You'll need to do some research on which type of two-factor authentication you want to use
  • Dictionaries
    • Use these; using them is part of your grade
    • Also find and use at least one other dictionary (see item 4 of the deliverables)

 

Deliverables

Your deliverable is a professional-quality paper, as one PDF (preferred) or one Word document, that includes the following sections:

 

1. A letter of at least one page to Mr. Avenal that explains what you were asked to do, what you did, what you found, and the possible implications of continuing to use the current password policies

 

Note that Mr. Avenal is paying you, so your letter should be written in business style with little-to-no technical terminology.

Reference Sites:  

http://writing.wisc.edu/Handbook/BusinessLetter.html
http://writingcenter.unc.edu/handouts/business-letters/

 

2. Two sets of password policies, one for each organizational unit as listed in the Avenal letter

Justify the password policies you suggest for each organizational unit. Note that the two organizational units are very different: should their policies differ, and why? You can be as technical as you like in this section. Perhaps the highly sensitive information should be protected with two-factor authentication.

3. A table listing each username and, for each, the password (if recovered), the method used to break the account (if a dictionary, include which dictionary) and why the password was broken (too short, dictionary word, etc.). See the example table below.

4. The URL or location of the additional password dictionary used

 

Make sure items 1 through 4 all go in ONE document, either a Word document or a PDF.

 

5. Your john.log file. John writes it to the hidden .john directory in your home directory (full path: ~/.john/john.log). Submit the actual file, not a screenshot or copy/pasted text. Without this file, you will not receive credit for the password audit portion of the assignment.

 

 

 

Example table:

 

Username  Password          Source                          Why?
a1        a12013            Single mode                     combination of username and year
b1        (not broken)
c1        hello             Dictionary - english.txt        dictionary word
d1        abcxx             Brute force / incremental mode  too short, only lower-case letters
...       ...               ...                             ...
z2        alkotyellenesnek  Dictionary - albanian.txt       dictionary word

 

 

 

 

 

John The Ripper Details

 

You do not have to perform a manual installation of John in Linux!

 

John is easy to install on Ubuntu/Mint/Debian-based systems: 'sudo apt install john' (or 'sudo aptitude install john').

 

You have been provided several password dictionaries; you should use them, and I'll know if you don't. Additionally, find and use at least one additional password dictionary other than the foreign-language dictionaries provided. You may want to search for 'commonly used passwords' (COUGH hint, hint COUGH). There are plenty of results for 'Top X Passwords', where X is a number between 1 and too many; some employees may be using some of these common passwords.

  

Feel free to post links to good dictionaries you may find on your own in the General Discussion or Assignment 1 group. If you alter John's rules and want to share that information, that's fine as well. Do not share broken accounts/passwords for the assignment; that will result in a zero.

 

 

Getting Started

 

Unshadow the passwd and shadow files:

 

unshadow passwd shadow > unshadowed 

 

 

Run John in single mode first:

 

john --single unshadowed

 

Broke a password or two? Huzzah! Now for the dictionary files, including the additional dictionary you found. Make an all-upper-case copy of the dictionary you found by running this in the terminal:

 

tr '[:lower:]' '[:upper:]' < yourFoundDictionary > uppercase.dict

 

tr is a character-translation utility; here it converts every lower-case character in the file to upper case and redirects the result to a new file called 'uppercase.dict'. Running John with this copy may or may not find additional passwords, since you may already have broken the ones it would catch by other means.

 

Note: You do not have to uppercase any of the foreign dictionaries

 

 

Now run John with each of the provided dictionaries first, then your own dictionary, then your converted-to-uppercase dictionary:

 

john --wordlist:nameOfDictionaryFile unshadowed

 

 

Any passwords left? If so, run John in incremental mode (the brute-force option) for a cumulative total of 12 hours. You can interrupt a session with Ctrl-C and pick it up later with john --restore; the time still counts toward the 12 hours.

 

john --incremental unshadowed
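The preparation steps above (verifying the download against its SHA1, what unshadow does, the upper-case wordlist) and the "Why?" column of the example table, as a runnable sh script. This is an added example and not a file from the course: the passwd/shadow lines, the hash and the wordlist in it are constructed for illustration, and the classify heuristics are assumptions chosen to match the table on this page, not a standard. It needs only coreutils and awk, so it runs without John installed; run John itself with the commands given above.

```shell
#!/bin/sh
# Added example: helper functions for the audit steps on this page.
# Not part of the course files. All sample data below is constructed.

# 1. Integrity check: verify_sha1 FILE EXPECTED_HEX exits 0 only if the
#    file's SHA-1 matches. Run it on the zip before unpacking it.
verify_sha1() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# 2. What `unshadow passwd shadow` does: replace the 'x' placeholder
#    (field 2 of each passwd line) with the hash from the matching shadow
#    entry. Lines with no shadow entry are printed unchanged.
unshadow_merge() {   # unshadow_merge PASSWD SHADOW
    awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next }
                      ($1 in h) { $2 = h[$1] }
                      { print }' "$2" "$1"
}

# 3. Upper-case copy of a wordlist, the page's tr step.
uppercase_dict() {   # uppercase_dict WORDLIST OUTPUT
    tr '[:lower:]' '[:upper:]' < "$1" > "$2"
}

# 4. Reason for the table's "Why?" column. Heuristics assumed for this
#    example, ordered so the most specific reason wins: the username inside
#    the password beats a dictionary hit, which beats plain shortness.
classify() {   # classify USERNAME PASSWORD WORDLIST
    user=$1 pw=$2 dict=$3
    case "$pw" in *"$user"*) echo "contains username"; return 0 ;; esac
    if grep -qixF -- "$pw" "$dict"; then
        echo "dictionary word"; return 0
    fi
    if [ "${#pw}" -lt 8 ]; then
        case "$pw" in
            *[!a-z]*) echo "too short" ;;
            *)        echo "too short, only lower-case letters" ;;
        esac
        return 0
    fi
    echo "review manually"
}

# 5. Rows for the deliverable table from `john --show unshadowed` output
#    (user:password:uid:...). John's trailing "N password hashes cracked"
#    summary line is skipped. The mode that cracked each account is recorded
#    in ~/.john/john.log, so the Source column still has to come from there.
table_from_show() {   # table_from_show WORDLIST < show-output
    while IFS=: read -r user pw rest; do
        case "$user" in ''|*'password hash'*) continue ;; esac
        printf '%s\t%s\t%s\n' "$user" "$pw" "$(classify "$user" "$pw" "$1")"
    done
}

# Demo on constructed data in a scratch directory.
work=$(mktemp -d) && cd "$work" || exit 1

EMPTY_SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709   # SHA-1 of zero bytes
: > empty.bin

cat > passwd <<'EOF'
a1:x:1001:1001::/home/a1:/bin/bash
b1:x:1002:1002::/home/b1:/bin/bash
EOF
cat > shadow <<'EOF'
a1:$6$constructedsalt$notarealhash:19000:0:99999:7:::
EOF
printf 'hello\nworld\n' > english.txt

unshadow_merge passwd shadow > unshadowed
uppercase_dict english.txt uppercase.dict
verify_sha1 empty.bin "$EMPTY_SHA1" && echo "empty.bin: SHA-1 OK"
cat unshadowed
```

For the real files, call verify_sha1 with the hash listed under Assignment Files (for example verify_sha1 4360.sp23.a1.accounts.zip 301c18e1830901133dee68d4b0efaff6aaf0e1ee) before unzipping, then pipe john --show unshadowed into table_from_show with the dictionary you used. Treat the "review manually" result as exactly that: a prompt to look at the password and john.log yourself, not a verdict.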

 

 

Grading

Your grade will be based on:

  • The quality and appropriateness of your password policies for each group
  • A paragraph or two that explains to users why good passwords are important
  • Completeness
    • Make sure you provide everything Mr. Avenal requested
  • There are certain passwords that I know you should crack and some I know should not be cracked given the time constraint
  • Note that the letter from Mr. Avenal is written as a business communication and I expect your letter to be written in the same tone
  • The inclusion of your john.log file. Without this file, you will not receive credit for the password audit.

 

 

Writing A Non-Technical Summary

 

Your non-technical summary should use little-to-no technical terms. This can be difficult, but not impossible, when a technical event is involved. Here is an excerpt from the Washington Post about the Heartbleed SSL issue. Note that they do a fantastic job of explaining the technical issue in mostly everyday, non-technical terms.

 

Q: What is SSL?

A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remain private. “Open” SSL simply means that the code is freely available.

It’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars.

“That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher,” explains Vox’s Timothy Lee. “If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.”

 

 
