Assignment title: Management
Results of the experiment with the password cracking tools. Answers to the questions are given below; the findings are also shared in the project report.
1. Which tool, on which operating system was able to recover passwords the quickest? Provide examples of the timing by your experimental observations.
The Ophcrack tool was able to recover passwords the quickest, on the Windows 7 Enterprise operating system.
Cain and Abel tool using BRUTE FORCE attack with NTLM Hashes loaded

| # | User | NT Password | Time left | Time taken | Time start | Time stop |
|---|------|-------------|-----------|------------|------------|-----------|
| 1 | Xavier | xmen | blank | < 1 min | 12.01am | 12.01am |
| 2 | Wolverine | Not cracked | 3.1e+10 years | > 1 hr | | |
| 3 | Shield | Not cracked | 2.9e+10 years | > 1 hr | | |
| 4 | EarthBase | Not cracked | 2.9e+10 years | > 1 hr | | |
| 5 | dbmsAdmin | Not cracked | 1.3e+17 years | > 1 hr | | |
| 6 | Kirk | Not cracked | 1.3e+17 years | > 1 hr | | |
| 7 | Mouse | Not cracked | 3.0e+10 years | > 1 hr | | |
| 8 | Rudolph | Not cracked | 1.3e+17 years | > 1 hr | | |
| 9 | Snoopy | Not cracked | 3.0e+10 years | > 1 hr | | |
| 10 | Spock | Not cracked | 3.0e+10 years | > 1 hr | | |
| 11 | Apollo | Not cracked | 2.9e+10 years | > 1 hr | | |
| 12 | Chekov | Not cracked | 2.9e+10 years | > 1 hr | | |
| 13 | Batman | Not cracked | 2.9e+10 years | > 1 hr | | |

Cain and Abel tool using Dictionary attack with NTLM Hashes loaded
(common stop position 3456292)

| # | User | NT Password | Time spent |
|---|------|-------------|------------|
| 1 | Xavier | Not cracked | |
| 2 | Wolverine | Motorcycle (position 1747847) | < 1 min |
| 3 | Shield | Not cracked | < 1 min |
| 4 | EarthBase | Not cracked | < 1 min |
| 5 | dbmsAdmin | Not cracked | < 1 min |
| 6 | Kirk | Not cracked | < 1 min |
| 7 | Mouse | Not cracked | < 1 min |
| 8 | Rudolph | Not cracked | < 1 min |
| 9 | Snoopy | Not cracked | < 1 min |
| 10 | Spock | Not cracked | < 1 min |
| 11 | Apollo | Not cracked | < 1 min |
| 12 | Chekov | Not cracked | < 1 min |
| 13 | Batman | Not cracked | < 1 min |

Ophcrack tool used for password cracking

| # | User | LM Password |
|---|------|-------------|
| 1 | Xavier | xmen |
| 2 | Wolverine | Not found |
| 3 | Shield | Not found |
| 4 | EarthBase | Not found |
| 5 | dbmsAdmin | Not found |
| 6 | Kirk | Not found |
| 7 | Mouse | Not found |
| 8 | Rudolph | Not found |
| 9 | Snoopy | Not found |
| 10 | Spock | Not found |
| 11 | Apollo | M00n |
| 12 | Chekov | Riza |
| 13 | Batman | Bats |

Time elapsed was 17 secs
2. Which tool(s) provided estimates of how long it might take to crack the passwords?
The Cain and Abel tool, using the brute force attack.
Cain and Abel provided the time left in number of years, days or minutes, depending on the specified password length.
What was the longest amount of time it reported? 3.1e+10 years. And for which username? Wolverine.
3. Compare the amount of time it took for three passwords that you were able to recover.
• Cain and Abel tool: Xavier user (xmen password cracked using brute force attack) = <1 min
• Cain and Abel tool: Wolverine user (motorcycle password cracked using dictionary attack) = <1 min
• Ophcrack tool: Batman user (bats password cracked under 17 secs)
4. Compare the complexity of the passwords for those discussed in the last question. What can you say about recovery time relevant to complexity of these specific accounts?
The Xavier user's password (xmen) was easier and quicker to crack using a brute force attack because of its short length, while the brute force attack estimated a long time to crack the Wolverine user's password (motorcycle). The dictionary attack found the Wolverine user's password (motorcycle) simple to crack because it possibly exists in its wordlists.
The dictionary attack of the Cain and Abel tool keeps a record of the position in the wordlist, which allows you to continue from the word where you left off when you halted the attack. The brute force attack takes the specified password length (e.g. minimum of 1, maximum of 16 or more) into consideration and runs through every possible combination, which makes it CPU intensive and extremely slow.
The Ophcrack tool proved to be quicker and more powerful than Cain and Abel, cracking up to four passwords, for the users Xavier, Apollo, Chekov and Batman. One would have expected the Ophcrack tool to succeed in cracking the Wolverine password (motorcycle). It shows that the longer and/or more complex a password is, the longer it will take to crack.
It is advisable to use a passphrase (thkGodisfri), long words or complex words with all four types of character sets, as they are pretty secure.
5. What are the 4 types of character sets generally discussed when forming strong passwords?
Lower case letters, upper case letters, numbers (0 through 9) and special characters ($,*, #, ! and so on)
How many of the 4 sets should you use, as a minimum?
Upper case letters, Lower case letters, and numbers depending on the company password policy
What general rules are typically stated for minimum password length?
Minimum of eight characters in length
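An added example (not part of the original report) that turns the character-set and length rules above into a check, and shows why exhaustive search time alone understates the risk for a dictionary word such as motorcycle. The guess rate, the sample wordlist and the password "Tr4inStation" are assumptions constructed for illustration; the policy defaults (8 characters, 3 of the 4 sets) follow the answers above.

```python
import string

# The four character sets named in question 5.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ASSUMED_RATE = 1e7  # guesses/second: an assumption, not a measured figure
SAMPLE_WORDLIST = {"motorcycle", "password", "dragon"}  # constructed sample

def sets_used(password):
    """Names of the character sets that appear in the password."""
    return [name for name, chars in CHARSETS.items()
            if any(c in chars for c in password)]

def keyspace(alphabet_size, min_len, max_len):
    """Candidates an exhaustive search covers for lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def worst_case_years(password, rate=ASSUMED_RATE):
    """Worst-case exhaustive search time over the sets the password uses."""
    alphabet = sum(len(CHARSETS[s]) for s in sets_used(password))
    return keyspace(alphabet, 1, len(password)) / rate / (365 * 24 * 3600)

def meets_policy(password, min_length=8, min_sets=3):
    """At least 8 characters drawn from at least 3 of the 4 sets."""
    return len(password) >= min_length and len(sets_used(password)) >= min_sets

def assess(password, wordlist=SAMPLE_WORDLIST):
    """Policy result, dictionary exposure and search-time bound for one password."""
    return {
        "sets": sets_used(password),
        "policy_ok": meets_policy(password),
        # A wordlist hit makes the search-time figure irrelevant.
        "in_wordlist": password.lower() in wordlist,
        "worst_case_years": worst_case_years(password),
    }

if __name__ == "__main__":
    # "Tr4inStation" is a constructed sample; the others appear in the report.
    for pw in ("xmen", "motorcycle", "M00n", "Tr4inStation"):
        print(pw, assess(pw))
```
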
6. How often should password policies require users to change their passwords? 90 days
7. Discuss the pros and cons of using the same username accounts and passwords on multiple machines.
Pros : You would only need to remember one set of username and password for multiple machines
Cons : Hackers can have access to other machines using the same account credentials that have been compromised.
8. What are the ethical issues of using password cracker and recovery tools?
Systems Administrators can use it to recover lost passwords and regain access to machines
Users who have lost their passwords, and corporate entities that need to look into any compromise or vulnerability they might have exposed themselves to, should be made aware of when and why such password cracking and recovery tools may be run
Recovered or cracked passwords should not be disclosed to third parties and there shouldn't be a way to link passwords back to the users
9. Are there any limitations, policies or regulations in their use on local machines?
Consent of the system owner should be acquired before usage of password recovery tools as there might be damages and / or loss of data using the password cracking software.
Home networks?
As an individual you can build your own labs and explore password cracking
Small business local networks? Intranets? Internets? Where might customer data be stored?
We need to coordinate with clients to clearly define the scope of password recovery or cracking efforts and abide by the related rules of engagement.
It is illegal to launch password cracking tools on individual's or organization's web sites through the internet without adequate notice and/or consent.
It does not really matter how long or strong your password may be; what matters is how your confidential or protected data (password) is stored.
10. If you were using these tools for approved penetration testing, how might you get the sponsor to provide guidance and limitations to your test team?
The test team will request guidance and limitations from the sponsor by scheduling a kickoff meeting where the timing and duration of the testing will be discussed, so that normal business and everyday operations of the organization will not be disrupted. As much information as possible will be gathered by identifying the targeted machines, systems and network, the operational requirements and the staff involved.
11. Discuss any legal issues in using these tools on home networks in States, which have anti-wiretap communications regulations. Who has to know about the tools being used in your household?
Using these tools on home networks in States, which have anti-wiretap communications regulations would involve obtaining the relevant legal documents protecting against any legal actions, should anything go wrong during tests. If it is a rented apartment, the leasing office management needs to be informed.
Please find screenshots of the step-by-step password cracking exercise:
Click on Lab broker to allocate resources
Signing into the workspace with StudentFirst/Cyb3rl@b
Right on the desktop of VM WINATK01, click Lab Resource then folder - Applications, locate and launch Cain.
After launch of Cain
Maximize screen and click Cracker tab
20 user accounts on the local machine used to populate the right window.
1 hash cracked on Xavier user using brute force plus NTLM hash
Brute force attack on Wolverine user
Results after using Cain and Abel application for both types (brute force and dictionary) of attacks
Results after using Ophcrack application to crack all user passwords
Click on Ophcrack -> click 'crack' then stop and take note of time taken