Assignment 2: Password Cracking
Narrative:
You are part of a CIA cyber-spy team. You are trying to gain access
to an adversary's remote system. Fortunately, one of your team
members was able to gain access to the passwords file on the system.
As a team member, your task is to recover all passwords, so that you
can gain access to the users' files on that system.
Assignment
Goals:
In this assignment, you are required to perform a dictionary attack
on multiple password files. The assignment will be conducted in 4
different steps, with increasing levels of difficulty.
Description:
You will be presented with a series of password files that
contain a list of user names and related passwords stored in a
hashed form.
Parameters: The hash function for this assignment is MD5, and the length of the secret key used in Step 3 and Step 4 is 2 bytes.
Step 1: passwords are chosen among common English
dictionary words, and are simply hashed.
psw = random_element(dictionary_words);
h = HASH(psw);
Step 2: similar to Step 1, but passwords are salted and
hashed (note: the salt is different for each system user).
psw = random_element(dictionary_words);
salt = generate_user_salt(user);
h = HASH(salt+psw);
Step 3: similar to Step 2; passwords are salted and a keyed
hash is computed for each password using a secret system-level key
(the key is the same for all users on the system).
key = generate_system_key();
psw = random_element(dictionary_words);
salt = generate_user_salt(user);
h = HASH(key+salt+psw);
Step 4: similar to Step 3; in this step passwords are still
chosen among common English dictionary words, but some of the
characters (e.g., vowels) are sometimes replaced with digits or
special characters.
key = generate_system_key();
psw = random_element(dictionary_words);
perturbed_psw = random_char_replacement(psw);
salt = generate_user_salt(user);
h = HASH(key+salt+perturbed_psw);
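The storage schemes above, written out from the server's side as an added example (not part of the original assignment): it builds and verifies USERNAME:SALT:PSWHASH records and counts how many hash evaluations each defence forces on a dictionary search. It assumes that "+" means byte concatenation, that digests are lowercase hex, and that salts are 5 alphanumeric characters as in the example password file on this page; all function names are illustrative.

```python
import hashlib
import hmac
import secrets
import string

KEY_BYTES = 2  # from the page: the Step 3/4 system key is 2 bytes
SALT_CHARS = string.ascii_letters + string.digits  # assumption, modelled on the sample salts


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def new_salt(length: int = 5) -> str:
    """Per-user random salt (Step 2 onward); length 5 mirrors the sample file."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def make_record(user: str, psw: str, salt: str = "", key: bytes = b"") -> str:
    """Return one USERNAME:SALT:PSWHASH line with PSWHASH = MD5(key+salt+psw).

    Step 1: salt="" and key=b"". Step 2: salt only. Steps 3/4: key and salt.
    Assumption: '+' is byte concatenation and the digest is lowercase hex.
    """
    return f"{user}:{salt}:{md5_hex(key + salt.encode() + psw.encode())}"


def verify(record: str, psw: str, key: bytes = b"") -> bool:
    """Server-side login check: recompute the hash and compare in constant time."""
    _user, salt, stored = record.split(":")
    return hmac.compare_digest(md5_hex(key + salt.encode() + psw.encode()), stored)


def guess_budget(step: int, dict_size: int, users: int) -> int:
    """Upper bound on MD5 evaluations when every password is a dictionary word
    (Steps 1-3 only; Step 4 depends on the unspecified replacement rules)."""
    if step == 1:   # no salt: one hash per word, reused for every user
        return dict_size
    if step == 2:   # per-user salt: the whole dictionary again for each user
        return dict_size * users
    if step == 3:   # 2-byte key: 65536 candidates, but shared by the whole system
        return (256 ** KEY_BYTES) * dict_size + dict_size * (users - 1)
    raise ValueError("only Steps 1-3 have a fixed search space")
```

With a 100,000-word dictionary and 10 users, the bound grows from 100,000 (Step 1) to 1,000,000 (Step 2) to about 6.55 billion (Step 3), which is still small for a fast hash such as MD5.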
Hints:
1) Most Linux distributions come with a list of English dictionary
words by default. If it is not installed by default, it can be
easily installed via a package (see the manual for the apt-get
command).
2) You should start working on this assignment immediately, even
before the password files are leaked!
Grading:
This assignment is worth 10 points, plus some bonus points if you
solve the hardest challenge and do it fast!
For each correctly solved step you will receive the following
points:
Step 1: 2 points
Step 2: 3 points
Step 3: 5 points
Step 4: 2 bonus points + time-based bonus points
TIME-BASED BONUS POINTS: The first 3 students to submit the correct
answer for all 4 steps will receive the bonus points:
1st correct submission: 3 bonus points
2nd correct submission: 2 bonus points
3rd correct submission: 1 bonus point
Format of Password File:
This is an example password file:
bob:GRzHp:b9c3a727a558a126dde6a14a04e3b392
alice:fYqZd:7ed7c1de6305c3ef0417dcab86bab6f2
anne:fmDU9:78873d55cfcf80a6de63a7a9a78bc726
joe:DWVpO:aea346164c6b63156e01cc8c6b52675d
steve:TscPd:fbca34a993892f753f64fac49009a3c6
jean:uX8b7:bc4c3c52b1887e0fc2f9d6f949a93beb
root:2aTsR:f03319b713957db500eb6149f460cb52
albert:JAj86:e3815c7660fe8e1b716f3583cb31539d
dave:qHTs7:fa6e1f1de393b2b7f0b75197a49870fe
gale:0S7Qz:d4c4a40c38e07961a5f93de64c25c168
Each line is formatted as follows:
USERNAME:SALT:PSWHASH
Notice that in Step 1 the salt field will be empty.
Solution File Format:
This is an example solution file:
bob:Myxogasteres
alice:transorbital
anne:erosible
joe:unportmanteaued
steve:Coccidioides
jean:reflecting
root:gradient
albert:accipitrary
dave:pathopsychology
gale:monkshood
VERY IMPORTANT: the solution file MUST NOT contain any empty lines,
or spaces at the beginning or end of each line. Follow the format
above closely!
Retrieve your password files:
1) Visit the following link and enter your UGA user name to retrieve
your first password file: FILE
2) Every time you solve a step you can come back to that same link,
where you need to enter the MD5 hash of the solution file to
retrieve the password file related to the next step (see also
solution submission instructions below).
Solution Submission:
Once you have output the solution to a text file, you need to
do the following:
1) Name the solution file using the following format, and submit it
via nike, under a directory called "Assignment2":
YOURUSERNAME_stepX_solution.txt, where YOURUSERNAME is your UGA user
name, and the X in stepX needs to be changed to the correct step
number. For example, I would submit a file named
perdisci_step2_solution.txt.
2) Every time you finish a step, compute the MD5 hash of the
solution file and submit via the following web form to get access to
the next step's leaked password file: FORM
4) Once you have solved all steps, or the time available for the
assignment expires, you will need to submit the source code you
wrote to solve the assignment. Create a .ZIP file with all necessary
source code files, and submit it via nike.
5) [Optional] At every step, measure how much time it takes for you
to crack each password. Compute the average password cracking time
for each step. Have fun!
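
A format check for the two file types described under "Format of Password File" and "Solution File Format", plus the MD5 digest of the solution file that the retrieval and submission steps ask for. This is an added example, not part of the original assignment; the function names are illustrative, and treating a single final newline as a line terminator rather than an empty line is an assumption the page does not settle.

```python
import hashlib
import re

HASH_RE = re.compile(r"^[0-9a-f]{32}$")  # MD5 digest as lowercase hex


def parse_password_file(text: str) -> dict:
    """Map username -> (salt, hash) from USERNAME:SALT:PSWHASH lines (salt may be empty)."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 3 or not parts[0] or not HASH_RE.match(parts[2]):
            raise ValueError(f"password file line {n} is malformed: {line!r}")
        entries[parts[0]] = (parts[1], parts[2])
    return entries


def check_solution(data: bytes, users) -> list:
    """Return a list of format problems in a solution file (empty list = clean)."""
    problems = []
    lines = data.decode("utf-8").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # assumption: one final newline terminates the last line
    for n, line in enumerate(lines, 1):
        if line == "":
            problems.append(f"line {n}: empty line")
        elif line != line.strip():  # also catches a stray carriage return
            problems.append(f"line {n}: leading or trailing whitespace")
        elif ":" not in line:
            problems.append(f"line {n}: expected USERNAME:PASSWORD")
        elif line.split(":", 1)[0] not in users:
            problems.append(f"line {n}: unknown user {line.split(':', 1)[0]!r}")
    return problems


def solution_digest(data: bytes) -> str:
    """MD5 over the exact file bytes; any stray space or newline changes it."""
    return hashlib.md5(data).hexdigest()


# Sample input embedded for the example: first two lines of the example files above.
SAMPLE_PW = "bob:GRzHp:b9c3a727a558a126dde6a14a04e3b392\nalice:fYqZd:7ed7c1de6305c3ef0417dcab86bab6f2\n"
SAMPLE_OK = b"bob:Myxogasteres\nalice:transorbital\n"
SAMPLE_BAD = b"bob:Myxogasteres \n\nalice:transorbital\n"  # constructed: trailing space, empty line
```

Read the solution file in binary mode before hashing, so the digest covers the same bytes that are submitted.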