CSE 433s Spring 2019
Studio 4
Assigned 6/21/19
Due 6/25/19 11:59 am

Note: materials below developed at Colorado School of Mines by Yi Qin, Cody Watters, Mykel Allen, Peer Seyferman, and Chuan Yue. Adapted under Creative Commons license by Steve Cole for CSE 433s Spring 2019 at Washington University in St. Louis, modified again for Summer 2019.

-------------------------------------

PASSWORD STRENGTH LAB EXERCISE

Lab Description: You will experiment with an open-source password checker as well as the popular open-source John the Ripper password cracker in this lab exercise. You will examine and create different passwords, analyze their strengths, and understand and evaluate the critical factors that influence the strengths of users’ passwords. You will also create some material such as a demo video, a comic strip, or some slides for observational learning by others. This lab consists of six steps.

The high-level learning outcomes of this lab are summarized as follows.
- Examine the functionality of some password checkers.
- Construct complex variations of passwords based on simple passwords.
- Create hashed passwords based on the plaintext passwords.
- Use the different methods in the John the Ripper (JTR) password cracker to crack hashed passwords.

LAB EXERCISE/STEP 1 (Download and unzip the file PasswordStrength.zip)

Download and unzip the file PasswordStrength.zip from the Studio 4 page on the course website, which contains the materials that you will need in this lab exercise.

LAB EXERCISE/STEP 2 (Identify one open-source password checker to analyze a list of banned passwords)

Several open-source password checkers exist that produce a password strength indicator (e.g., ‘weak’, ‘fair’, and ‘strong’) or a score for passwords you provide. One example is The Password Meter (The website), with its core logic implemented in JavaScript code. Please do not use this online meter with any of your actual passwords!
The original authors of this lab created their own version of The Password Meter (TPM) with the added capability to check multiple passwords, e.g. those copied in from a file of (plaintext) passwords. Please use this modified version of The Password Meter for all tests in this section.

You can find the standalone Password Meter application in the folder “ThePasswordMeter” in the contents of the PasswordStrength.zip archive once you un-zip it with the command ‘unzip PasswordStrength.zip’. To use the application, point your browser to the main HTML page that displays the interface for TPM.

1. Enter the “ThePasswordMeter” directory.
2. Enter the command ‘pwd’, which stands for ‘print working directory’.
3. Copy the output (the full path to the current directory) to the clipboard.
4. Open a web browser, and for the URL enter “”, where <path> is the path to the TPM directory that you can paste in from the clipboard.
5. You should now see an HTML front page for TPM.

The text file 'twitter-banned.txt' in the folder “PwdFiles” of the assignment archive contains 370 simple passwords banned by Twitter. This file was taken from Skull Security (The website). Please use TPM to analyze the strengths of all 370 passwords, and answer the following two questions:

Question 1: What is the distribution of the password strength indicators or scores of the 370 passwords? Please include a figure for this distribution. For example, the x-axis can represent the password index and the y-axis can indicate the password strength indicator or score.

Question 2: What criteria are used by TPM to rate the strength of a password? Is TPM a good password checker in your opinion? Why or why not?

LAB EXERCISE/STEP 3 (Modify passwords to generate new password files)

Please modify the original password file 'twitter-banned.txt' following the requirements listed below. You may use whatever programming language or text editor you wish to make the changes.
You should keep all the different plaintext password files for use in subsequent steps.

(Note: the question numbers shown below correspond to question numbers in the original assignment; this assignment has been compressed from the original.)

(1) Make no change. This will keep the original 'twitter-banned.txt' as your first password file.

(5) Make the following guessable replacements and capitalizations (a to @, e to 3, o to 0, s to 5, l to 1, t to 7, h to H, p to P, w to W, d to D, r to R, and n to N) in the original password file 'twitter-banned.txt' to generate your fifth password file.

(7) Add four random digits to the end of each password in the original password file 'twitter-banned.txt' to generate your seventh password file.

(8) Create combinations of words based on your seventh password file by prefixing each immediately preceding word to the current word to generate your eighth password file. For example, if the wordlist were ['abc1234', 'def3456', 'tyu9361', …] in your seventh password file, the new wordlist would be ['abc1234', 'abc1234def3456', 'def3456tyu9361', …] in your eighth password file.

(9) Make the same guessable replacements and capitalizations as in (5) (a to @, e to 3, o to 0, s to 5, l to 1, t to 7, h to H, p to P, w to W, d to D, r to R, and n to N) in the eighth password file to generate your ninth password file.

Please answer Question 3:

Question 3: Analyze each of the newly generated password files using your identified password checker. Please include new figures for each of your new password files similar to the one you created for Question 1. Compare all figures and describe your main observations.

LAB EXERCISE/STEP 4 (Install and learn about John the Ripper (JTR))

John the Ripper (JTR) is a fast password cracking application which is publicly available from Openwall at The website.

For Linux and Mac users: We recommend that you use the community edition of JTR, which is available on GitHub at the John The Ripper github website.
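The script below is an added example, not part of the original assignment: it performs the Step 3 transformations (5), (7), (8) and (9) on the wordlist, writes the unsalted MD5 hash file that Step 5 asks for (one hex digest per line), and prints the average password length needed for the second column of the Question 5 table. The input name 'twitter-banned.txt', the output names pw<N>.txt / pw<N>.md5 and the raw-md5 format name are assumptions.

```python
import hashlib
import random
from pathlib import Path

# Step 3 items (5) and (9): guessable replacements and capitalizations
# (a->@, e->3, o->0, s->5, l->1, t->7, h->H, p->P, w->W, d->D, r->R, n->N).
LEET_TABLE = str.maketrans("aeoslthpwdrn", "@30517HPWDRN")

def read_wordlist(path):
    """Read one plaintext password per line, dropping blank lines and CR/LF."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]

def mangle(words):
    """Items (5)/(9): apply the replacement table to every password."""
    return [w.translate(LEET_TABLE) for w in words]

def add_digits(words, rng):
    """Item (7): append four random digits (zero-padded, so always 4 chars)."""
    return [w + f"{rng.randrange(10000):04d}" for w in words]

def combine_adjacent(words):
    """Item (8): keep the first word, then prefix each word with its predecessor."""
    return words[:1] + [words[i - 1] + words[i] for i in range(1, len(words))]

def md5_hashes(words):
    """Step 5: raw, unsalted MD5 hex digests, one per password (weak on purpose)."""
    return [hashlib.md5(w.encode("utf-8")).hexdigest() for w in words]

def average_length(words):
    """Second column of the Question 5 table."""
    return sum(len(w) for w in words) / len(words) if words else 0.0

def build_files(words, seed=2019):
    """Return {file number: password list} for files (1), (5), (7), (8), (9)."""
    rng = random.Random(seed)  # seeded so the 'random' digits are reproducible
    f7 = add_digits(words, rng)
    f8 = combine_adjacent(f7)
    return {1: words, 5: mangle(words), 7: f7, 8: f8, 9: mangle(f8)}

if __name__ == "__main__":
    # Assumed file names; the .md5 files are what you hand to john in Step 6.
    source = read_wordlist("twitter-banned.txt")
    for num, pwds in build_files(source).items():
        Path(f"pw{num}.txt").write_text("\n".join(pwds) + "\n")
        Path(f"pw{num}.md5").write_text("\n".join(md5_hashes(pwds)) + "\n")
        print(f"file ({num}): {len(pwds)} passwords, avg length {average_length(pwds):.2f}")
```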
Please read the file doc/INSTALL for more detailed installation information.

For Windows users: You can download the custom builds of JTR for Windows from the following link: The website.

LAB EXERCISE/STEP 5 (Generate and save the hashed passwords into new hashed password files)

Servers or services should only save the hashed passwords instead of the original plaintext passwords in their user authentication systems. Furthermore, they should use strong cryptographic hash functions, and should use random salts together with the original plaintext passwords as the inputs to the hash functions. In this lab exercise, we use the weak and unsalted (or raw) MD5 hash function to generate hashed passwords because our focus is on examining the cracking capabilities of JTR on passwords with different strengths. Therefore, please use an MD5 utility installed on your operating system or hosted on some trustworthy website to generate correspondingly hashed password files based on the plaintext password files that you generated and kept in Step 3.

LAB EXERCISE/STEP 6 (Use JTR to crack the passwords in the hashed password files)

You will use two modes of JTR to perform five different experiments on each of the hashed password files. One mode is the Incremental Method and the other mode is the Wordlist Method. The Incremental Method has no variation in this lab exercise:

    $ ./john --incremental --format=[FORMAT] [PASSWD_FILE]

The Wordlist Method allows you to specify both the wordlist file and the word mangling rules to use in the cracking:

    $ ./john --wordlist=[WORD_FILE] --rules=[RULES] --format=[FORMAT] [PASSWD_FILE]

In this lab exercise, you will use two different wordlist files. One is the default file 'john.txt' that contains 3107 passwords. The other is the large file 'rockyou.txt' that contains 14,344,357 actual Internet passwords that were leaked.
Both files were taken from Skull Security (The website).

Mutations can be applied to passwords on the list to produce other similar passwords to be checked: for example, numbers could be added to dictionary words (changing ‘bob’ to ‘bob2005’), special characters can be substituted for letters (changing ‘hacker’ to ‘h4cker’), etc. JTR contains many mutation rules that test modified passwords derived from those in an input list in addition to the exact ones. For this part of the exercise, you will test two cases of JTR’s mutations, which are applied to each word in the wordlist to produce other likely passwords for cracking. One rule, the default to be used as a control case, is listed as ‘none’, which means no modification rules are applied. The other rule is ‘all’, which applies all the modifications in JTR’s rule list. Please learn more about these modes and rules using the command './run/john' or by visiting the following link: The website.

Please answer Questions 4, 5, and 6:

Question 4: (4 points) What are the essential differences between the Incremental Method and the Wordlist Method?

Question 5: (30 points) Use the Incremental Method and the Wordlist Method (with its four combinations of the aforementioned two wordlist files and two rules) to perform five different experiments on each of the hashed password files that you generated in Step 5.
In each experiment, please record the number of passwords cracked in a maximum time window of 120 seconds, and fill your recorded information into the following table. More specifically, in the 2nd column, you will fill into each cell the average password length (in characters) for passwords in the corresponding plaintext password file; in the 3rd to 7th columns, you will fill into each cell the number of passwords cracked (out of the 370 passwords) within the 120-second time window.

Password File | Average Password Length (characters) | Incremental Method | Wordlist: Default, Rules: None | Wordlist: Large, Rules: None | Wordlist: Default, Rules: All | Wordlist: Large, Rules: All
(1) - No change | | | | | |
(5) - Large number of replacements | | | | | |
(7) - Four random digits added | | | | | |
(8) - Combined words | | | | | |
(9) - Combined words with multiple replacements | | | | | |

Question 6: (3 points) What are your main observations from the table that you filled above? Compare your results in the table for password files (8) and (9). What are your main observations?

What to submit

Please answer all 6 questions in this lab exercise. You are welcome to copy and paste text and the chart from this Word document to help create your writeup, but if you do so please remember to copy the contents into our .docx assignment template and export to .pdf before submitting via Gradescope.
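The following driver is an added example, not part of the original assignment, for the five Question 5 experiments above: it runs each JTR mode against one hash file for at most 120 seconds, then counts the cracks with 'john --show'. The binary path, the hash file names, the raw-md5 format name and the --pot/--session options (which keep each experiment's cracks separate, so an earlier run on the same file is not counted again by a later one) are assumptions about a jumbo build of JTR.

```python
import re
import subprocess

# Assumed paths and format name; none of these values come from the handout.
JOHN = "./run/john"
HASH_FORMAT = "raw-md5"      # assumed name of JTR's unsalted MD5 format
TIMEOUT_SECONDS = 120        # the time window required by Question 5

# The five experiments of Question 5: incremental, plus the four
# wordlist/rules combinations (wordlist file names assumed).
EXPERIMENTS = {
    "incremental":  ["--incremental"],
    "default_none": ["--wordlist=john.txt", "--rules=none"],
    "large_none":   ["--wordlist=rockyou.txt", "--rules=none"],
    "default_all":  ["--wordlist=john.txt", "--rules=all"],
    "large_all":    ["--wordlist=rockyou.txt", "--rules=all"],
}

SHOW_RE = re.compile(r"(\d+) password hash(?:es)? cracked, (\d+) left")

def parse_show_output(text):
    """Return (cracked, left) from the summary line printed by 'john --show'."""
    m = SHOW_RE.search(text)
    if m is None:
        raise ValueError("no summary line in john --show output")
    return int(m.group(1)), int(m.group(2))

def run_experiment(name, hash_file):
    """Run one experiment for at most TIMEOUT_SECONDS and count its cracks."""
    pot = f"{hash_file}.{name}.pot"   # separate pot file per experiment
    cmd = [JOHN, f"--format={HASH_FORMAT}", f"--pot={pot}",
           f"--session={hash_file}.{name}", *EXPERIMENTS[name], hash_file]
    try:
        subprocess.run(cmd, timeout=TIMEOUT_SECONDS, check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        pass  # window closed; whatever was cracked is already in the pot file
    show = subprocess.run([JOHN, "--show", f"--format={HASH_FORMAT}",
                           f"--pot={pot}", hash_file],
                          capture_output=True, text=True, check=False)
    return parse_show_output(show.stdout)

if __name__ == "__main__":
    # Assumed hash file names for password files (1), (5), (7), (8), (9).
    for hash_file in ["pw1.md5", "pw5.md5", "pw7.md5", "pw8.md5", "pw9.md5"]:
        for name in EXPERIMENTS:
            cracked, left = run_experiment(name, hash_file)
            print(f"{hash_file:8} {name:13} cracked {cracked:3} ({left} left)")
```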