In-class Exercise 1: Cracking Passwords with John the Ripper (Sharon)
Password protection is important in any platform as is building robust passwords. You will need a copy of Kali Linux, as discussed previously, to perform this exercise. John and Ripper will be used to crack passwords. John performs different types of cracks: single mode; dictionary (wordlist mode), the one performed in this exercise, which applies a dictionary list of passwords for comparison; and brute-force (incremental) mode, which is the slowest of the three modes and attempts every combination of letters and numbers. You can download the Kali Linux and WinXP VMs at http://ciswww.desu.edu/~xhei/
- Start Kali virtual machine.
- Login: root Password: SCIA472
Before attempting to crack the existing passwords, enter a few more users to see how fast the passwords can be cracked.
- root@kali: adduser user1
- set the password to password
- root@kali: adduser user2
- set the password to P@ssw0rd
- root@kali: adduser user3
- set the password to !P@ssw0rD1
After the three users have been added, you will want to execute John.
- ApplicationsàBackTrack->Provilege Escalation->Password Attacks->Offline Attacks-> john the ripper
- root@kali:/pentest/passwords/john#: john /etc/shadow
- Give it time to see how long it takes for each password to be cracked. Record those times here: User1:______ User2:_______User3:______
- Refection: Did you notice a correlation between the times it took to crack a password versus the complexity of the password? You should have seen that more complex passwords take longer to recover.
- Write your comment to this exercise including what you have learned, more practices you can think of, and what can be improved about this exercise.
- Turn it in Blackboard by Tonight.