Course Resource
Password Cracking With Cain & Abel and Ophcrack
Introduction
This lab is developed to help you gain an understanding of password strengths and common tools used for password cracking and attacks. Note that different password cracking tools will not necessarily function with the same speed, precision, and results. This lab will help you compare results from two password cracking tools based on those characteristics you learned in the classroom, so you can include your assessment and recommendations as part of your deliverables. You will test systems for password strength and complexity and complete validation testing.
Assignment Rules
- This lab assignment should be done individually. While you may discuss the work with your instructor and other students, your submitted work should be done independently.
- Content directly copied from the internet or other sources is not allowed.
- Lab procedures and results need to be documented and included in your deliverables.
- Provide screenshots where necessary to support your work.
Assignment Objectives
- Become acquainted with password-cracking tools.
- Use manuals and general guidance to test user password strength.
- Identify password vulnerabilities.
- Recover passwords on a specific machine.
- Perform the password-cracking exercise. Record weak passwords discovered and strong passwords that could not be cracked.
Competencies
- Authentication analysis and password security.
Lab Overview
The hands-on exercises for this lab will help you understand password cracking concepts. You will reinforce the importance of using strong passwords. You will experiment using password-cracking tools and compare results.
You will try to crack the passwords of existing users on the same system as yours. In other words, you will be taking advantage of your administrative access to the system to retrieve the account passwords. You will be using two password-cracking tools: Cain and Abel and Ophcrack.
You will use the UMGC Virtual Lab environment to access the password-cracking tools.
UMGC Virtual Lab Topology
The UMGC virtual lab environment has four virtual machines (VMs) in this course, which are connected as depicted in the schematic diagram below the next table. Two of the machines run the Linux operating system (OS), while the other two run Windows.
VM # | VM Name | OS Type | VM Type |
---|---|---|---|
VM1 | NIXATK01 | Linux | Attacker Machine |
VM2 | NIXTGT01 | Linux | Target Machine |
VM3 | WINATK01 | Windows | Attacker Machine |
VM4 | WINTGT01 | Windows | Target Machine |
Note: [1] There are two target VMs and two attacker VMs. [2] There are two internal IPv4 subnets for VMs.
The lab topology is shown below. Part A (left side) of the schematic diagram is the virtual lab topology indicating how the VMs are laid out in the dedicated local area network (LAN); Part B (right side) consists of a hypothetical core network connection to the internet.

Source: Created With Lucidchart, UMGC Virtual Labs
As shown in the diagram, there are two internal subnets:
- The 10.11.0.0/16 (or 10.11.5.0/24) subnet is used to connect to your allocated VMs.
- The 192.168.0.0/16 (or 192.168.10.0/24) subnet is used for the VMs to communicate among themselves.
The following is a list of specific examples of IPv4 addresses for the VMs that you are likely to encounter based on the subnets: 10.11.5.2, 10.11.5.10, 10.11.5.45, 192.168.10.1, 192.168.10.20, 192.168.10.6, etc.
Note: For safety, legal, and ethical concerns about the potential for misuse of some software tools when performing the lab, students' access to the Internet from the UMGC Virtual Lab Environment is blocked.
Use the required VM and/or applications or software tools, which are provided in the Lab Resources section, to complete this lab.
You will use WINATK01 to run the password-cracking tools Cain and Abel and Ophcrack.
Important Lab Information
- After reading all the information in this section, use the Lab Instructions section to perform the exercises.
- Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open-source links that help you understand password-cracking tools.
- You will also be provided with a list of user accounts. Some of these passwords will be simple and easy to crack. Some will be complex and difficult for password crackers to solve. Some accounts might have strong passwords and take a long time to recover. You should indicate the amount of time it took for each tool to determine the password of an account.
- Note: Do not spend more than an hour attempting to recover any password. Rather, simply identify any tool that cannot recover the password for an account within an hour. If the tool indicates an approximate recovery time, identify and document it as part of your deliverables.
- Connect to the lab environment following the instructions provided in the "UMGC Virtual Labs" document in the "Complete This Lab" section of your classroom. After you have successfully connected to the lab environment, proceed to the next step to run the tools associated with this project.
- Follow the instructions for Cain and Abel provided in section I of the Lab Instructions.
- After you finish the Cain and Abel exercise, follow the instructions for Ophcrack provided in section II of the Lab Instructions.
- As you experiment with these password-cracking tools, respond to the questions below and share your findings in the project report.
- Which tool was able to recover passwords the quickest? Provide examples of the timing by your experimental observations.
- Compare the amount of time taken for the passwords that you were able to recover.
- Compare the complexity of the passwords for those discussed in the previous question. What can you say about recovery time relevant to complexity of these specific accounts?
- What are the four types of character sets generally discussed when forming strong passwords? How many of the four sets should you use, as a minimum? What general rules are typically stated for minimum password length?
- How often should password policies require users to change their passwords?
- Discuss the pros and cons of using the same username accounts and passwords on multiple machines.
- What are the ethical issues of using password cracker and recovery tools? Are there any limitations, policies, or regulations in their use on local machines? Home networks? Small business local networks? Intranets? Internets? Where might customer data be stored?
- If you were using these tools for approved penetration testing, how might you get the sponsor to provide guidance and limitations to your test team?
- Discuss any legal issues in using these tools on home networks in states that have antiwiretap communications regulations. Who must know about the tools being used in your household?
- Compile your findings and incorporate what you have learned in your deliverables for this project.
Lab Resources
Lab Credentials
- Username: StudentFirst
- Password: Cyb3rl@b
Application Websites
- Ophcrack (Windows, Linux, Apple OS)
Application Documentation
- Cain and Abel (Windows)
- Ophcrack (Windows, Linux, Apple OS)
Password Storage and Hashing
- How Your Passwords Are Stored on the Internet (And When Password Strength Doesn't Matter)
- Safely Storing User Passwords
- How Are Passwords Stored in Linux
Dumping Passwords
- Dump Windows Password Hashes Efficiently
- Dumping Windows Credentials
- Dumping and Cracking Unix Password Hashes
Lab Instructions
Section I: Password Cracking Using Cain and Abel
Cain and Abel is a software application used in password cracking. In this lab, you will experience how to recover passwords for the given user accounts on a VM machine and will also note the limitations to cracking passwords; that is, if it is a strong password, you will not be able to recover it in a reasonable amount of time.
About Cain and Abel
Cain and Abel is a powerful password recovery tool for system administrators, network administrators, and security professionals mainly used in Windows environments, but it can also be used in Linux-based systems. To ensure the full functionality of the Cain and Abel package on Windows operating systems, WinPcap must be installed in order to provide network packet captures. Both programs are installed on your VMs.
The tool can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms, including Kerberos. Additionally, the tool can be used to recover wireless passwords, uncover cached passwords, and analyze routing protocols. Further, it can be used to crack the passwords stored in reference authentication files associated with the OS account log-in.
About the Algorithms
There are two authentication protocols used to store passwords depending on which version of Windows is being run. The two are LAN Manager (LM) and NT LAN Manager (NTLM). Below are detailed descriptions of both.
LAN Manager (LM)
The LM, sometimes referred to as LanMan or the LAN Manager hash, is the primary authentication protocol that Microsoft employed in Windows versions prior to Windows NT. It is used to store user passwords in an encrypted format on the disk. To transform a user's password to the LM hash, the password is first converted to all uppercase letters. If the password is greater than 14 bytes (14 characters), any character after the 14th is truncated; likewise, if the password is less than 14 bytes, it is null-padded to be 14 bytes exactly. The password is then split into two 7-byte halves.
A null bit is inserted at the beginning of each half. The halves are then used as keys to DES-encrypt the constant ASCII string “KGS!@#$%”. The concatenation of the two output values forms a 16-byte value, which is the LM Hash.
This algorithm is weak by virtue of its implementation. The maximum possible combination of values (key space) is restricted since it only uses uppercase character values in the ASCII character set. Additionally, since the algorithm breaks down the password into two separate pieces, each component can be attacked individually, allowing for a maximum possible password combination of 69 possible values to the power of 7 (69^7).
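The LM construction described above, as an added Go example (not part of the lab or of either tool) built on Go's standard crypto/des: it uppercases, pads or truncates to 14 bytes, expands each 7-byte half into the 8-byte DES key form with a null padding bit in every key byte, and encrypts the constant. Two helper checks show why the scheme is weak: any capitalisation produces the same hash, and a second half equal to the empty-half constant reveals a password of seven characters or fewer before any cracking is attempted. It assumes ASCII passwords, and the sample passwords are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmKey spreads the 56 bits of a 7-byte half over the 8-byte DES key form:
// every key byte carries 7 password bits followed by one null padding bit,
// which DES ignores, so the padding adds no secret material.
func lmKey(half []byte) []byte {
	k := make([]byte, 8)
	k[0] = half[0]
	k[1] = half[0]<<7 | half[1]>>1
	k[2] = half[1]<<6 | half[2]>>2
	k[3] = half[2]<<5 | half[3]>>3
	k[4] = half[3]<<4 | half[4]>>4
	k[5] = half[4]<<3 | half[5]>>5
	k[6] = half[5]<<2 | half[6]>>6
	k[7] = half[6] << 1
	for i := range k {
		k[i] &= 0xfe // clear the padding position so it is visibly zero
	}
	return k
}

// lmHash: uppercase, truncate or null-pad to 14 bytes, split into two 7-byte
// halves, DES-encrypt "KGS!@#$%" under each half, concatenate the outputs.
// Assumes ASCII input; real LM maps through the OEM code page.
func lmHash(password string) string {
	buf := make([]byte, 14)              // zero bytes are the null padding
	copy(buf, strings.ToUpper(password)) // copy also drops bytes past the 14th
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmKey(buf[7*i : 7*i+7]))
		if err != nil {
			panic(err) // unreachable: lmKey always returns 8 bytes
		}
		block.Encrypt(out[8*i:8*i+8], []byte("KGS!@#$%"))
	}
	return hex.EncodeToString(out)
}

// emptyHalf is DES("KGS!@#$%") under an all-zero key: what a half becomes
// when that half of the padded password is all null bytes.
const emptyHalf = "aad3b435b51404ee"

// lmIsShort reports whether the second half is the empty-half constant,
// which tells an analyst the password has at most 7 characters before any
// cracking is attempted.
func lmIsShort(lm string) bool {
	return len(lm) == 32 && strings.ToLower(lm[16:]) == emptyHalf
}

// lmHalfKeyspace returns 69^7, the candidates per half as counted above.
func lmHalfKeyspace() uint64 {
	n := uint64(1)
	for i := 0; i < 7; i++ {
		n *= 69
	}
	return n
}

func main() {
	// Constructed sample passwords, not the lab accounts' real values.
	for _, pw := range []string{"", "secret", "password", "PASSWORD", "passwordpassword123"} {
		h := lmHash(pw)
		fmt.Printf("%-22q %s short=%v\n", pw, h, lmIsShort(h))
	}
	fmt.Printf("candidates per half: %d, both halves: %d\n", lmHalfKeyspace(), 2*lmHalfKeyspace())
}
```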
NT LAN Manager (NTLM)
NTLM, also known as NT LAN Manager, was introduced in Microsoft Windows NT 3.1 to address the security weaknesses inherent in LM encryption. The NTLM algorithm is much stronger than the LM authentication protocol for several reasons: NTLM passwords are based on Unicode, increasing the amount of possible characters that can be used; NTLM passwords are case-sensitive; and NTLM passwords can be up to 128 characters long. All of these contribute to a much bigger key space, which requires more time to analyze and hence crack.
User Accounts
There are several accounts already installed on the Windows and Linux virtual machines (VMs) provided in the UMGC lab. Each machine has the same set of user accounts, and each account has its own unique password. Below is a list of those accounts:
Xavier | Kirk | Spock |
Wolverine | Mouse | Apollo |
Shield | Rudolph | Chekov |
EarthBase | Snoopy | Batman |
dbmsAdmin | Triton | Guest |
Technical Instructions
On the desktop of the WINATK01 VM, navigate to the Applications folder (Lab Resources > Applications > Cain) and launch the Cain application.
Note: You are encouraged to enlarge the window for full visibility. Cain and Abel must be run with administrator privileges, so if applicable, right-click the Cain icon and select Run as administrator.

Source: Microsoft, UMGC Virtual Labs
The Cain application window contains two panes: a list of tools represented by icons on the left, and information or details on the right pane represented by individual columns starting with User Name, LM Password, etc.
Next, click the Cracker tab as shown.

Source: Cain and Abel, UMGC Virtual Labs
In the left pane, click LM & NTLM Hashes. Recall that these are the two authentication protocols described earlier.
Next, click the plus sign in the top ribbon to import the password hashes from the local VM.

Source: Cain and Abel, UMGC Virtual Labs
Make sure that the Import Hashes from local system is selected and that the Include Password History Hashes is not checked. Click Next to continue. At this point, all the user accounts on the machine should populate in the right pane.

Source: Cain and Abel, UMGC Virtual Labs
Using a Brute-Force Attack
A brute-force attack is a password attack that iteratively tries all combinations for a password. In other words, it is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination that works is revealed.
This method is effective for short passwords; however, it becomes infeasible, even on a modern computer system, with a password of at least seven characters. For example, assuming only alphabetical characters in a single case (all uppercase or all lowercase), a seven-character password would take 26^7 guesses or attempts. The strength and complexity of the password depend on the creativity of the user and the complexity of the program being used.
Next, right-click on the Apollo account under the User Name column in the right pane of Cain and select Brute Force. Then attempt to discover the password using NTLM Hash under Brute Force.

Source: Cain and Abel, UMGC Virtual Labs
Leave the default values for both Charset and Password length unchanged and click the Start button.

Source: Cain and Abel, UMGC Virtual Labs
Stop after a few minutes and take note of how long it could take to crack the password for the Apollo account.

Source: Cain and Abel, UMGC Virtual Labs
Now change the default values for Charset and Password length using the following details:
- Charset: alphanumeric (digits, lowercase letters, and uppercase letters).
- Password length: Min 1 to Max 8 characters.
As you change these values, note how the Keyspace value changes. What can you say about these changes?

Source: Cain and Abel, UMGC Virtual Labs
After making these changes, click the Start button. While performing the above steps, note the Time Left value. What can you say about time left in relation to the changed values for the NTLM Hash under Brute Force?
Stop after a few minutes if the password is not cracked within a reasonable amount of time. Repeat the above steps for the other accounts in the list.
Exit the Brute-Force Attack window when done. Do not close Cain. In the next task, you will perform similar steps using a dictionary attack.
Note: Remember to take notes and appropriate screenshots to help you compile your report to the leadership team in your organization.
Using a Dictionary Attack
A dictionary attack is a technique of using a program or software tool to try all possible strings typically derived from a list of words such as in a normal English dictionary. In other words, it is a method of breaking into a password-protected computer or server system by systematically entering every word in a dictionary as a password. This attack can also be used to figure out the encryption key to decrypt an encrypted message or document.
In the following steps, perform a dictionary attack against the given user accounts. With the Cain app still open and the user accounts from the brute-force task still loaded, right-click on any of the users and select Remove All before starting the dictionary attack.
The dictionary in this exercise is a text file containing a list of thousands of words. The file needs to be added to the list of dictionaries within the Cain app before running a dictionary attack. The file is in the Lab Resources folder on the desktop of the WINATK01 VM. If you were able to successfully crack at least one password using the brute-force method, selecting Remove All resets the LM and NTLM Hashes in the Cain app and enables a fresh load of accounts, so the dictionary attack starts from a clean list and its results are not mixed with those of the brute-force attack.
Still in the Cain application, click the Cracker tab as shown.

Source: Cain and Abel, UMGC Virtual Labs
In the left pane, click LM & NTLM Hashes. Click the plus sign to reimport the same accounts previously imported and click Next.

Source: Cain and Abel, UMGC Virtual Labs
All the user accounts on the machine should populate in the right pane.
Now, right-click the Apollo account of the loaded list. In the menu that appears, select Dictionary Attack and then NTLM Hashes.

Source: Cain and Abel, UMGC Virtual Labs
Notice that the Dictionary Attack window opens with a dictionary already loaded.

Source: Cain and Abel, UMGC Virtual Labs

Source: Cain and Abel, UMGC Virtual Labs
If there is no file visible, right-click in the first cell under the file column to add a dictionary file to the list.

Source: Cain and Abel, UMGC Virtual Labs
Browse to the Lab Resources folder on the VM and select the words.txt.txt file to be inserted in the application. Then click Open to insert the file in Cain.

Source: Cain and Abel, UMGC Virtual Labs
Notice that the words.txt file is now listed in the Dictionary Attack window. Notice the Position column and the Options available for running a dictionary attack.

Source: Cain and Abel, UMGC Virtual Labs
Click Start and note the results. Again, notice the Position column and the Options available for running a dictionary attack. What changes do you see and why?

Source: Cain and Abel, UMGC Virtual Labs
Whether or not a dictionary attack is successful, always reset the file Position under the dictionary to its initial position after each attempt to crack a password. This is done by right-clicking on the row containing the file path and position number and selecting Reset initial file position from the menu.

Source: Cain and Abel, UMGC Virtual Labs
Repeat this procedure for the other accounts in the list.
When done, clear all the password hashes and user account information from the Cain and Abel application interface.
Note: Remember to take notes and appropriate screenshots to help you compile your report to the leadership team in your organization.
Exporting User Accounts and Password Hashes From Cain
To prepare for the next part of this lab, Password Cracking Using Ophcrack, reimport all the password hashes and associated user accounts and export that data to a file with the following steps:
In the Cain application, click the Cracker tab as shown.

Source: Cain and Abel, UMGC Virtual Labs
In the left pane, click LM & NTLM Hashes. Recall that these are the two authentication protocols described earlier.
Next, click the plus sign to import the password hashes from the local VM.

Source: Cain and Abel, UMGC Virtual Labs
Make sure that the Import Hashes from local system is selected and that the Include Password History Hashes is not selected. Click the Next button. At this point, all the user accounts on the machine should populate in the right pane.

Source: Cain and Abel, UMGC Virtual Labs

Source: Cain and Abel, UMGC Virtual Labs
Once the user accounts have been imported into Cain, right-click on any of the rows and choose Export on the menu that appears.

Source: Cain and Abel, UMGC Virtual Labs
You will be prompted to choose the destination location and the name of the exported file. Choose the desktop as the destination and choose ExportedHashes as the file name.

Source: Cain and Abel, UMGC Virtual Labs
The exported file will be placed in the location that you chose, the desktop.

Source: Cain and Abel, UMGC Virtual Labs
Open the exported file to verify that it contains the user accounts and hashes that were exported from Cain. Once verified, close Cain.

Source: Notepad, UMGC Virtual Labs
Notice the structure of the content of the file as depicted below. Going left to right, the first column is for User Name. The second and third columns have no data. The fourth and fifth columns contain the LM and NT hashes, respectively.
Notice that the LM hashes in column four are all the same. This simply indicates the LM hash was not computed for the passwords associated with the listed accounts. Your focus will be on the NT hashes as you move to the next section of this lab.

Source: Notepad, UMGC Virtual Labs
Section II: Password Cracking Using Ophcrack
Ophcrack is a free rainbow table-based password cracking tool for Windows. It is among the most popular Windows password-cracking tools, and it can also be used on Linux and Mac systems. Ophcrack cracks Windows log-in passwords by looking up their hashes in rainbow tables. It is one of the more effective password-cracking tools that runs on multiple platforms.
Ophcrack can import hashes in a variety of formats and uses rainbow tables to recover the passwords behind them. The tool can crack most passwords within a few minutes.
In this exercise, you will use the information contained in the exported file from the previous section to crack the NT Hashes for the user accounts listed in the file. You will focus on the following user accounts only:
Xavier | Kirk | Spock |
Wolverine | Mouse | Apollo |
Shield | Rudolph | Chekov |
EarthBase | Snoopy | Batman |

Source: Notepad, UMGC Virtual Labs
Technical Instructions
On the desktop of the WINATK01 VM, double-click Lab Resources and then go to Applications and click Ophcrack to launch the application.

Source: Microsoft, UMGC Virtual Labs
In addition to the menu ribbon with the Load, Delete, Save, Tables, Crack, Help, and Exit functions, notice that the Ophcrack main window has two panes: a list of accounts at the top, with individual columns listed as User, LM Hash, NT Hash, etc., and an information pane at the bottom, with individual columns listed as Table, Directory, Status, and Progress.

Source: Ophcrack, UMGC Virtual Labs
From this point, a user can load and crack certain password hashes without even installing additional rainbow tables. However, due to the complexity of certain passwords corresponding to the users, you will need to install two rainbow tables to allow Ophcrack to be successful in cracking more than just the simplest passwords. Your next step is to install two rainbow tables: XP free fast and Vista free.
To install the tables, you need to download the table files from the CBR 600 Project 6 resources page.
From the desktop of the VM, click the Lab Resources folder and then the Resources shortcut to take you to the CBR 600 Resources page.

Source: Microsoft, UMGC Virtual Labs
Once on the resources page, download both the tables_vista_free.zip and the tables_xp_free_fast.zip files by clicking on the down arrows as seen in the screenshot below.

Source: Microsoft, UMGC Virtual Labs
Your files will download to the StudentFirst>Downloads folder as seen below.

Source: Microsoft, UMGC Virtual Labs
Once downloaded, extract both files individually. You will see two new folders created as depicted below.

Source: Cain and Abel, UMGC Virtual Labs
In Ophcrack, click the Tables button on the menu bar to start the installation of the rainbow tables.

Source: Ophcrack, UMGC Virtual Labs
After clicking the Tables button, you will see the table selection window, as seen below.

Source: Ophcrack, UMGC Virtual Labs
Select the table to install (if not already installed) and click the Install button. This starts Windows Explorer, where you can point to the location of the table you are trying to install. In this case, you are installing the xp_free_fast table.

Source: Ophcrack, UMGC Virtual Labs
Select the “tables_xp_free_fast” folder, and Ophcrack will grab the necessary files and complete the table installation process.
Repeat the above steps for the Vista free table to have both tables installed.

Source: Ophcrack, UMGC Virtual Labs
After installing tables, the Ophcrack interface will display which tables are installed and enabled.

Source: Ophcrack, UMGC Virtual Labs
Now that you have installed two rainbow tables, begin to crack the passwords using the exported hashes from Cain.

Source: Notepad, UMGC Virtual Labs
The installed version of Ophcrack offers five options to load password hashes. Among these options, we will only focus on the first, loading the Single hash option.

Source: Ophcrack, UMGC Virtual Labs
After selecting the Single hash option, you will see the Load Single Hash window.

Source: Ophcrack, UMGC Virtual Labs
In the Load Single Hash window, notice the three formats that you can use:
- The first option <LM Hash> is not going to be useful in this exercise.
- The second option <LM Hash>:<NT Hash> can be used, but it is not as useful as the third option, which associates the User Name with the cracked password.
Important: Notice the format of the third option (PWDUMP format) as it relates to the format of the exported hashes.
<User Name>:<User ID>:<LM Hash>:<NT Hash>:::
In your exported hash file, you have the User Name, the LM Hash, and the NT Hash, but not the User ID.
Therefore, the format that you will be using to import the NT Hash is as follows:
<User Name>:::<NT Hash>:::
You must keep the colons (:) as indicated in the format above.
To make life easier, you can format all the entries in the exported hash file to be able to simply copy lines into Ophcrack.
Note: There are no spaces between the characters on each line.

Source: Notepad, UMGC Virtual Labs
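The NT hash from the NTLM section and the hand conversion above, as an added Go example (not from the lab, Cain, or Ophcrack). It implements MD4 from scratch because Go's standard library does not ship it, computes the NT hash as MD4 over the UTF-16LE password, and rewrites one row of the Cain export into the <User Name>:::<NT Hash>::: line while flagging the all-same LM column from the previous section, which is the LM hash of an empty password. It assumes the export is tab-separated with the five columns described earlier; the sample row is constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 from scratch; Go's standard library does not ship it.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 48; i++ {
			var f, k uint32
			xi := i
			switch i / 16 {
			case 0: // round 1: F, message words in order, no constant
				f = (b & c) | (^b & d)
			case 1: // round 2: G, column-wise word order
				f, k, xi = (b&c)|(b&d)|(c&d), 0x5a827999, r2[i%16]
			default: // round 3: H, bit-reversed word order
				f, k, xi = b^c^d, 0x6ed9eba1, r3[i%16]
			}
			a, b, c, d = d, bits.RotateLeft32(a+f+x[xi]+k, s[i/16][i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4 over the password encoded as UTF-16LE, with no terminator.
func ntHash(password string) string {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	return hex.EncodeToString(md4(buf))
}

// emptyLM is the LM hash of an empty password: the value Cain exports in
// column four when no LM hash was stored for the account.
const emptyLM = "aad3b435b51404eeaad3b435b51404ee"

// cainToOphcrack rewrites one exported Cain row (assumed tab-separated:
// user, empty, empty, LM, NT) into the <User Name>:::<NT Hash>::: line.
func cainToOphcrack(row string) (line string, lmEmpty bool, err error) {
	cols := strings.Split(strings.TrimRight(row, "\r\n"), "\t")
	if len(cols) < 5 || len(cols[4]) != 32 {
		return "", false, fmt.Errorf("unexpected row layout: %q", row)
	}
	return cols[0] + ":::" + strings.ToLower(cols[4]) + ":::", strings.EqualFold(cols[3], emptyLM), nil
}

func main() {
	// Constructed row: the NT hash is ntHash("password"), not a lab value.
	row := "Apollo\t\t\t" + strings.ToUpper(emptyLM) + "\t" + strings.ToUpper(ntHash("password"))
	fmt.Println(cainToOphcrack(row))
}
```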
In Ophcrack, click Load button and select Single hash.

Source: Ophcrack, UMGC Virtual Labs
Open the cleaned-up document and copy the first line containing the Apollo User Name and its NT Hash.

Source: Notepad, UMGC Virtual Labs
Paste the line in the open Ophcrack application interface and click OK.

Source: Ophcrack, UMGC Virtual Labs
The User Name and the NT Hash will be imported in Ophcrack to be cracked.

Source: Ophcrack, UMGC Virtual Labs
You are ready to crack the Apollo account password.
Click the Crack button and observe the progress bar in the second pane. The password for Apollo should be cracked in about 11 seconds.

Source: Ophcrack, UMGC Virtual Labs
Repeat the above steps for the remaining user accounts and hashes. Compare your results with those from Cain.
When you have completed those, you have completed all lab activities.
Close all applications and exit the virtual lab. Do not forget to incorporate what you have learned in your deliverables and ensure that you compile and include your findings in your report for submission.