Password Cracking and Encryption - Lab 4
Notes:
All answers must be in complete sentences for full credit.
Reminder: Experiment with these tools in the classroom lab, VMWare or on your own personal machine. Use of these tools outside this lab is not sanctioned and may be in violation of policy or law.
Objective:
The purpose of this exercise is to give you more experience with Windows forensics by having you examine the Internet History, analyze the Windows Registry, and work with the Recycle Bin and Event Logs.
Software to Install:
SSH (Secure Shell)
Download and install PUTTY SSH (Secure Shell) from:
https://its.gmu.edu/knowledge-base/how-to-install-putty-ssh-for-windows/
You may need to connect through the GMU VPN if you are accessing your account from a non-GMU network (https://its.gmu.edu/service/virtual-private-network-vpn/).
John the Ripper
Go to: http://www.openwall.com/john/ and download the Windows version of John the Ripper (directions are written for version 1.7.9 - if you install a different version you will need to adjust your commands to match the version you download)
Important: Save it to the desktop
Don’t unzip until you disable your antivirus!
How to disable Windows Defender: https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10
https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus
AxCrypt
Go to: https://www.axcrypt.net/
Download the current version: https://www.axcrypt.net/download/
Install with the Default Settings (Note: You may need to register for a trial account at https://account.axcrypt.net/en/Home/Register)
PSTools
Download PSTools: https://pstools.en.softonic.com/
Preparation:
Log in as the administrator account/local PC on the computer.
Note: Basic Unix/Linux
Note: in the exercises below ‘>’ is the Unix prompt (which may be a different character on your screen).
Don’t type the prompt.
Also, be careful with spaces.
You may need to use the Delete key instead of Backspace. Control-U can be used to erase a whole line.
Unix is case sensitive. The general format is:
>command filename
or:
>command -switch filename (A switch is a way to modify a command.)
Secure Shell Client
Download and install SSH (Secure Shell) from: http://itservices.gmu.edu/downloads/
Go to: https://itservices.gmu.edu/services/view-service.cfm?customel_dataPageID_4609=7459 and view the “How to Get this Service” section if you need help setting up your account.
You may need to login through VPN first (https://its.gmu.edu/service/virtual-private-network-vpn/)
Launch SSH, choose Quick Connect.
The Host Name is mason.gmu.edu.
Log in to your Mason account. (Leave the port number set at the default, 22.)
You can choose Yes and OK to the initial screens that appear at login.
Note: nothing is echoed while you type your password at the password prompt. Type your password and press Enter.
cat, more, man commands
man is the Unix command that displays the manual page (help file) for another command.
In SSH, type man cat and man more to find out what these commands do.
(Press q to get out of man.)
.login file
The .login file contains settings that are executed when you login.
We will have you use a very simple editor called pico to edit this file to change your system prompt and create an alias:
>pico .login
Use the arrow keys to move down to the bottom of the file.
Add these two lines to the file, each on a separate line:
set prompt='yourname>'
alias logut logout
Then press Ctrl-X (hold down the CTRL key and press x) to exit, y to save changes, then Enter to confirm the filename .login.
Your changes won’t take effect until you log in again, so log out and log in again to test them. You should see your new command line prompt and you should be able to type logut (a common typo) to logout.
Practice chmod and ls
Type:
>ls -l
Then type:
>ls -al
What is the difference? Use pico to create a file called temp. Type:
>chmod a-w temp
What did that do? Try to delete the file with:
>rm temp
Did it work? How can you fix this so that you can delete the file?
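The following is an added example, not part of the lab handout, that walks through the same temp-file exercise with Python's os and stat modules so the permission bits can be inspected at every step. It assumes a scratch directory (tempfile) in place of your home directory, and the file name "temp" is the one the lab uses. The point it makes explicit is that chmod a-w clears the write bits on the file, but removing a file is controlled by write permission on the directory that contains it; rm only asks for confirmation on a write-protected file as a courtesy, which is why chmod u+w temp (or rm -f temp) lets the deletion go through.

```python
import os
import stat
import tempfile

# Added example: reproduces the chmod a-w / rm exercise with os.chmod and
# os.unlink so the mode bits can be read at each step. The scratch directory
# is an assumption; "temp" is the file name the lab uses.

ALL_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # the bits chmod a-w clears


def mode_string(path):
    """Return the ls -l style mode column, e.g. '-rw-r--r--'."""
    return stat.filemode(os.stat(path).st_mode)


def remove_all_write(path):
    """Equivalent of `chmod a-w path`: clear every write bit, keep the rest."""
    os.chmod(path, os.stat(path).st_mode & ~ALL_WRITE)


def add_user_write(path):
    """Equivalent of `chmod u+w path`, the usual fix before `rm temp`."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def run_exercise():
    """Walk through the lab steps and return what was observed at each one."""
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "temp")
        with open(target, "w") as fh:          # stand-in for creating temp in pico
            fh.write("created with pico\n")
        created = mode_string(target)          # e.g. -rw-r--r-- (depends on umask)

        remove_all_write(target)               # chmod a-w temp
        locked = mode_string(target)           # no 'w' anywhere, e.g. -r--r--r--

        # Deleting needs write permission on the DIRECTORY, not on the file:
        # `rm` prompts for a write-protected file only as a courtesy, and
        # `rm -f` (or os.unlink) removes it when the directory allows it.
        # Restoring u+w first is the fix most people use; either path works.
        add_user_write(target)                 # chmod u+w temp
        unlocked = mode_string(target)
        os.unlink(target)                      # rm temp
        return {
            "created": created,
            "after_a_minus_w": locked,
            "after_u_plus_w": unlocked,
            "deleted": not os.path.exists(target),
        }


if __name__ == "__main__":
    for step, value in run_exercise().items():
        print(f"{step:>16}: {value}")
```

Compare the "after_a_minus_w" string with the output of ls -l after your own chmod a-w: the w columns are what changed, and the directory's own mode (ls -ld .) is what decides whether rm can succeed.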
View password file:
>more /etc/passwd
What information is in this file? How might this information be misused?
Answer questions 1-5.
Cracking Unix Passwords
You will have to disable Windows Defender or Symantec AntiVirus auto-protect (or whatever anti-virus you are running) before you can run the software. If you are not in VMWare, I suggest disabling the internet connection while you do this.
How to disable Windows Defender:
https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10
https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus
Disable Symantec:
Start->Programs->Symantec Client Security->Symantec Anti-virus->Configure->File System Autoprotect->Deselect the check box to disable->OK.
Or:
Start->Programs-> Symantec Endpoint Protection
Click on each option button and disable
Click on the Antivirus & Antispyware Protection button, click Change Settings, then File System Auto-Protect, and uncheck “Enable File System Auto Protect”.
Weak Passwords:
Blank (no password)
The word 'password'
The user's name or login name or the name of spouse or child
Birthplace, date of birth, anniversary
A pet's name or license plate number
Rows of keys on the keyboard: qwerty
Stronger Passwords:
Use at least 8 characters and combine alpha and non-alphanumeric characters. Avoid dictionary words or proper names in any language.
4sa7ya0f (Gettysburg address incipit)
Patr10t&
On Linux/Unix systems, the password file is usually accessible in this file: /etc/passwd
This file contains the login name and information about the login account. It is world-readable because many programs depend on it. The actual password is stored, encrypted, in a separate file called the shadow file.
Forensic examiners and system administrators will want to check this file for new, unauthorized accounts. Upon breaking into a system, a hacker will often make new accounts (often with blank passwords) for his/her own use.
For this exercise, we have created a shadow file and stored 3 passwords in it. Your job will be to crack as many passwords as you can. Two of the passwords are weak; the third is a strong password.
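The following is an added example, not from the lab or its shadow file, showing what an examiner or administrator actually looks for when reviewing passwd and shadow records: accounts with UID 0 that are not root, accounts whose password field is empty (no password required), password hashes left in passwd instead of the shadow file, and accounts created or changed after a baseline date. The sample records, the placeholder hash strings and the baseline day (days since the Unix epoch, as the shadow file counts them) are all constructed for the example; the finding labels are the example's own.

```python
# Added example (not the lab's code): parse passwd/shadow-style records and
# flag the things the text tells an examiner to look for. All records below
# are constructed; the hash values are placeholders, not real hashes.

# Constructed /etc/passwd sample (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
guest2::1002:1002::/home/guest2:/bin/bash
"""

# Constructed /etc/shadow sample
# (name:hash:lastchange:min:max:warn:inactive:expire:reserved).
SAMPLE_SHADOW = """\
root:$6$placeholder$hashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholder$otherhash:19000:0:99999:7:::
backdoor::19500:0:99999:7:::
guest2:!:19500:0:99999:7:::
"""


def parse_passwd(text):
    """Return {name: fields} for each non-empty, non-comment passwd line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell}
    return entries


def parse_shadow(text):
    """Return {name: (hash_field, last_change_day)} for each shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        last = fields[2]
        entries[fields[0]] = (fields[1], int(last) if last else None)
    return entries


def audit(passwd_text, shadow_text, baseline_day):
    """Return (account, finding) pairs worth a closer look.

    baseline_day: the last known-good password-change day; anything later
    points at an account that was created or altered since then.
    """
    findings = []
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    for name, f in passwd.items():
        if f["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if f["pw"] == "":
            findings.append((name, "empty password field in passwd"))
        elif f["pw"] != "x":
            findings.append((name, "password hash stored in passwd"))
        if name not in shadow:
            findings.append((name, "no shadow entry"))
            continue
        pw_hash, last = shadow[name]
        if pw_hash == "":
            findings.append((name, "blank password in shadow"))
        if last is not None and last > baseline_day:
            findings.append((name, f"password set after baseline day {baseline_day}"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, baseline_day=19100):
        print(f"{account:<10} {finding}")
```

Locked accounts (a hash field of "*" or "!") are deliberately not treated as blank: a blank hash field is the dangerous case, since it can allow a login with no password at all.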
John the Ripper:
Go to: http://www.openwall.com/john/ and download the Windows version of John the Ripper. Important: Save it to the desktop.
Locate and right-click the John179w2 folder. (Note: if you downloaded a version other than 1.7.9, this file path may be different)
Extract all zipped files if they don’t extract automatically. The files we will be using will be in: john179\run (Note: if you downloaded a version other than 1.7.9, this file path may be different)
Login to Blackboard, and locate and download the shadow file and password files.
Copy and paste the files into the john179\run folder. Important: Click OK to overwrite the password.lst file.
Open your command prompt (Go to Start->Run. Type: command)
Type: cd desktop\john179\run
Verify this is the correct filepath. Note: if you downloaded a version other than 1.7.9, this file path may be different.
Type: john-omp --wordlist=password.lst shadow.txt
Two passwords will be revealed, with the account names in parentheses. Record them on the last page. Type exit to close the command-line window.
***If you get an error here, your anti-virus software was not disabled and it quarantined the john-omp executable. Disable the anti-virus, unzip John the Ripper again, and start this section over.
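The following is an added example, not part of the lab, that turns the "Weak Passwords" and "Stronger Passwords" lists above into a checker, and adds the one test that explains why the wordlist run succeeds on two of the three accounts: a password that appears in the wordlist is found no matter how it is hashed. The WORDLIST set is a small constructed stand-in for password.lst, the username and personal-information inputs are assumptions about what the checker is given, and "combine alpha and non-alphanumeric characters" is read here as "not letters only", which is the reading under which both of the lab's stronger examples pass.

```python
# Added example (not the lab's code): apply the handout's weak-password
# rules plus a wordlist lookup. WORDLIST is a constructed stand-in for
# password.lst; it is not the real file.
WORDLIST = {"password", "123456", "letmein", "welcome", "monkey", "dragon",
            "qwerty", "iloveyou", "abc123"}

# Rows of keys as they appear on a US keyboard; checked forwards and backwards.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def weaknesses(password, username="", personal=()):
    """Return the list of rules the password violates (empty means it passed).

    username: the login name (the lab lists "the user's name or login name").
    personal: other strings the user should not reuse, such as a spouse's
              or pet's name, birthplace, a date or a license plate.
    """
    pw = password.lower()
    if pw == "":
        return ["blank"]
    problems = []
    if pw == "password":
        problems.append("the word 'password'")
    if username and username.lower() in pw:
        problems.append("contains login name")
    for item in personal:
        if item and item.lower() in pw:
            problems.append(f"contains personal information ({item})")
    for row in KEYBOARD_ROWS:
        if len(pw) >= 4 and (pw in row or pw in row[::-1]):
            problems.append("row of keyboard keys")
            break
    # This is the check a wordlist run performs: hash each candidate word the
    # same way the system did and compare. Here the plain word is enough.
    if pw in WORDLIST:
        problems.append("in wordlist")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.isalpha():
        problems.append("letters only")
    return problems


if __name__ == "__main__":
    for candidate, user in [("", "bob"), ("qwerty", "bob"), ("bob2020", "bob"),
                            ("Patr10t&", "bob"), ("4sa7ya0f", "bob")]:
        print(f"{candidate!r:12} -> {weaknesses(candidate, user) or 'ok'}")
```

A password that passes every rule here can still be weak if it is in a larger wordlist than this stand-in, which is why the length and character-mix rules are a floor, not a guarantee.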
Ophcrack:
Go to the websites below and read/watch the tutorials.
http://www.wikihow.com/Crack-Windows-Passwords-With-Ophcrack-and-Rainbow-Tables
https://www.youtube.com/watch?v=x4WfTdlmwyY
After rebooting, you will need to disable Symantec Autoprotect again.
Answer questions 6-10.
Other Good Tools
AccessData Password Recovery Toolkit and AccessData DNA software are great tools.
The Demo versions are pretty limited, but try them out when you have some free time!
http://www.accessdata.com/support/product-downloads#.UdHeKNjzA_I
Encryption using AxCrypt:
Install AxCrypt
Create a folder called TEST
Create a Word document called TEST.docx and place it inside the TEST folder
Right-click the TEST folder, go to AxCrypt, then Encrypt
Enter a passphrase and click OK
Open FTK Imager
Add Evidence Item – Contents of a Folder
Select your test folder
Expand the view so you can see the file contents. Include a screenshot for question 14.
From the evidence tree, try to export/open the file. What happens? Answer question 15.
Go back to the test folder.
Right-click the TEST folder, go to AxCrypt, then Decrypt
Enter a passphrase and click OK
Open FTK Imager
Remove your previous evidence item.
Add Evidence Item – Contents of a Folder
Select your test folder
Expand the view so you can see the file contents. Include a screenshot for question 16.
From the evidence tree, try to export/open the file. What happens? Answer question 17.
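The following is an added example, not part of the lab, of the triage test an examiner applies to a file that will not open from the evidence tree: measure the byte entropy and check for a known file signature. It uses constructed inputs only (a stand-in plaintext, a minimal in-memory zip with a word/document.xml entry standing in for TEST.docx, and seeded pseudo-random bytes standing in for ciphertext); it does not read AxCrypt's real container format. The caveat it demonstrates is that a .docx is itself a compressed zip, so high entropy alone does not separate "encrypted" from "compressed"; the zip signature at offset 0 is what tells the unencrypted document apart.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Added example (not the lab's code): entropy plus signature triage for files
# that will not open. The inputs below are constructed stand-ins.

ZIP_MAGIC = b"PK\x03\x04"  # local file header that begins every .docx/.xlsx/.zip


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, threshold=7.5):
    """Label a file's bytes the way an examiner would on first look."""
    if data.startswith(ZIP_MAGIC):
        return "zip container (docx/xlsx/zip)"
    if shannon_entropy(data) >= threshold:
        return "high entropy: encrypted or compressed"
    return "plaintext"


def make_docx_like():
    """Build a minimal zip with a word/document.xml entry, standing in for TEST.docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    "<w:document>" + "hello world " * 200 + "</w:document>")
    return buf.getvalue()


# Constructed plaintext: ordinary English has roughly 4 to 5 bits per byte.
SAMPLE_TEXT = ("Four score and seven years ago our fathers brought forth "
               "on this continent a new nation.\n" * 40).encode()

# Constructed ciphertext stand-in: seeded pseudo-random bytes, which have the
# flat byte histogram real ciphertext shows (this is NOT AxCrypt output).
_rng = random.Random(2024)
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(8192))


if __name__ == "__main__":
    for label, blob in [("plain text", SAMPLE_TEXT),
                        ("docx-like zip", make_docx_like()),
                        ("ciphertext stand-in", SAMPLE_CIPHERTEXT)]:
        print(f"{label:20} entropy={shannon_entropy(blob):.2f}  -> {classify(blob)}")
```

Run against the two FTK Imager views from the steps above, this is the difference you should expect to see: the decrypted TEST.docx carries the zip signature and opens, while the encrypted output has neither a recognisable signature nor readable structure.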
PSTools:
Download PSTools from Blackboard
Extract PSTools and save it to your desktop
Go to the cmd prompt, change directory to your desktop, then to the PSTools folder
Type in pslist
This will give you a list of the current processes running
You should see an entry for AxCrypt
©2007 Anne Marchant, with contributions by Rebecca Pollard, updated 2017