SlideShare a Scribd company logo

Password Security and Use of John the Ripper Tool

N
Neranjan Viduranga

Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measurement standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network, or application. In this paper, the learner discusses about John the ripper tool and its 4 different password cracking modes. Using Kali Linux operating system and John the ripper tool, learner demonstrates the Single crack mode by creating different passwords in different strength levels and cracking them. By analysing the time, which is taken to crack those passwords, learner is looking forward to gain knowledge about strong and weak passwords along with their characteristics. At last, learner discusses about major principles behind password policies to learn about good password construction and password management. By using that knowledge, learner creates an organizational password policy for “Rythmo Art Gallery”.

Technology
1 of 27
Download to read offline
W.A Neranjan Viduranga COL/A-069224 pg. 7 Password Security and Use of John the Ripper Tool Course Work Report – Cyber Security W.A Neranjan Viduranga Kingston University
W.A Neranjan Viduranga COL/A-069224 pg. 8 Abstract Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measurement standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network or application. In this course work, the learner discusses about John the ripper tool and its 4 different password cracking modes. Using Kali Linux operating system and John the ripper tool, learner demonstrates the Single crack mode by creating different passwords in different strength levels and cracking them. By analysing the time which is taken to crack those passwords, learner is looking forward to gain knowledge about strong and weak passwords along with their characteristics. At last, learner discusses about major principles behind password policies in order to learn about good password construction and password management. By using that knowledge, learner creates an organizational password policy for “Rythmo Art Gallery”.
W.A Neranjan Viduranga COL/A-069224 pg. 9 Table of Contents Introduction ........................................................................................................................... 11 Activity 01 .............................................................................................................................. 12 Part “A” ................................................................................................................................ 12 1] Navigating to the Desktop through the Terminal ..................................................... 12 2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”. ................................................................................................................. 12 3] Creating five more hashing values using the same command............................... 12 4] Hash values of the created passwords..................................................................... 13 5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool. .................................................................................................................................. 13 6] Cracked and failed passwords. ................................................................................. 14 7] Analysis of password strengths and the time taken to crack them ........................ 15 Part “B” ................................................................................................................................ 16 1] Creating users. ........................................................................................................... 16 2] Contents of “passwd”. ................................................................................................ 18 3] Contents of “shadow”................................................................................................. 19 4] Copying the contents of “passwd” and “shadow” in to text files. ............................ 21 5] Unshadowing the contents in the text files in to “passwords.txt” file...................... 22 6] Cracking the passwords using John the Ripper tool. .............................................. 22 7] Cracked and failed passwords. ................................................................................. 23 8] Analysis of password strengths and the time taken to crack them ........................ 24 Activity 02 .............................................................................................................................. 25 Part “A” – John the Ripper Tool......................................................................................... 25 Different cracking modes in John the Ripper tool ........................................................ 25 Part “B” – Password policy and principles........................................................................ 27 Password Policy for Rythmo Art Gallery....................................................................... 27 Principles behind password policy ................................................................................ 30 Conclusion............................................................................................................................. 32 References............................................................................................................................. 33
W.A Neranjan Viduranga COL/A-069224 pg. 10 Table of figures Figure 1 - Navigating to the desktop.......................................................................................... 12 Figure 2 – Creating MD5 hash values......................................................................................... 12 Figure 3 – Creating more hash values........................................................................................ 13 Figure 4 - Hash values................................................................................................................ 13 Figure 5 - Cracking the MD5 hashes........................................................................................... 14 Figure 6 - Cracked and failed passwords.................................................................................... 14 Figure 7 - Creating users (01)..................................................................................................... 17 Figure 8 - Creating users (02)..................................................................................................... 17 Figure 9 - Contents of passwd (01) ............................................................................................ 18 Figure 10 - Contents of passwd (02) .......................................................................................... 19 Figure 11 - Contents of shadow (01).......................................................................................... 20 Figure 12 - Contents of shadow (02).......................................................................................... 21 Figure 13 - Copying passwd and shadow in to a .txt................................................................... 22 Figure 14 _ Unshadowing.......................................................................................................... 22 Figure 15 - Password cracking ................................................................................................... 23 Figure 16 - Cracked and failed passwords.................................................................................. 23 List of tables Table 1 - Analysis of password strengths ................................................................................... 15 Table 2 - User details................................................................................................................. 16 Table 3 - Analysis of password strengths ................................................................................... 24 Table 4 - Pre-defined incremental modes.................................................................................. 26 Key words Kali Linux, John the Ripper tool, Hashing, Single crack mode, Word List mode, Incremental mode, External mode, Password cracking, Password unshadowing, Password policy, Password principles
W.A Neranjan Viduranga COL/A-069224 pg. 11 Introduction This course work consists of two main parts (Activities) and four sub parts. The first activity includes,  Part “A”  Part “B” Part “A” is a practical work which consists of creating different passwords with different levels of strength and cracking them using “Single crack mode” of John the Ripper tool. The “B” part is also a practical work which works with the same single crack mode in john the ripper tool but bit more advanced than the part “A”. At the end of the both parts, learner put the analysis of password strengths with the time that they spend on cracking those passwords. The second activity is also consists of two sub parts named part “A” and “B”. Part “A” of second activity includes, a brief explanation about John the Ripper tool and its 4 password cracking modes. The “B” part includes a password policy for “Rythmo Art Gallery” created by the learner. At last, the learner discusses about major principles behind password policies and gives his conclusion about this course work and knowledge that he gained during this course work.
W.A Neranjan Viduranga COL/A-069224 pg. 12 Activity 01 Part “A” 1] Navigating to the Desktop through the Terminal cd Desktop Figure 1 - Navigating to the desktop 2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”. echo -n “password1” | md5sum | tr -d “-” >> md5hash.txt Figure 2 – Creating MD5 hash values 3] Creating five more hashing values using the same command. echo -n “river” | md5sum | tr -d “-” >> md5hash.txt echo -n “bridge” | md5sum | tr -d “-” >> md5hash.txt echo -n “557” | md5sum | tr -d “-” >> md5hash.txt echo -n “neranjan123” | md5sum | tr -d “-” >> md5hash.txt echo -n “WAN@1999lanka” | md5sum | tr -d “-” >> md5hash.txt
W.A Neranjan Viduranga COL/A-069224 pg. 13 Figure 3 – Creating more hash values 4] Hash values of the created passwords. cat md5hash.txt Figure 4 - Hash values 5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool. john –format = Raw-MD5 md5hash.txt
W.A Neranjan Viduranga COL/A-069224 pg. 14 Figure 5 - Cracking the MD5 hashes 6] Cracked and failed passwords. john –show –format = Raw-MD5 md5hash.txt Figure 6 - Cracked and failed passwords
W.A Neranjan Viduranga COL/A-069224 pg. 15 7] Analysis of password strengths and the time taken to crack them Table 1 - Analysis of password strengths Password No. of characters Password Strength Time taken to crack 01 password1 9 (8 lowercase letters and 1 digit) Low (Over 8 characters but commonly used. Not unique) Under 5 minutes 02 river 5 (5 lowercase letters) Low (Fewer characters. Not unique) Under 5 minutes 03 bridge 6 (6 lowercase letters) Low (Fewer characters. Not unique) Under 5 minutes 04 557 3 (3 digits) Low (Fewer characters. Not unique) Under 7 minutes 05 neranjan123 11 (8 lowercase letters and 3 digits) Medium (Over 8 characters and has letters plus digits) Failed to crack (15 minutes time frame) 06 WAN@1999lanka 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) Strong (Unique combination. Doesn’t related to the user name) Failed to crack (15 minutes time frame) By the time of using John the Ripper tool, there was total of six hash values (passwords) in the md5hash.txt file. John the Ripper tool took 5 minutes to crack the first 3 passwords (“river”, “bridge”, “Password1”). Then it took additional 2 minutes to crack the fourth password which was “557”. After that the learner gave additional 15 minutes to crack the last 2 passwords (“neranjan123” and “WAN@1999lanka”) but the tool was unable to crack those passwords.
W.A Neranjan Viduranga COL/A-069224 pg. 16 As the fifth password, the learner gave his first name and three numbers (neranjan123) to the system hoping that the tool (John the Ripper) will be able to crack that password due to its simplicity. But it had total of 11 characters and those higher number of character combinations may cause the tool to fail. The sixth password (WAN@1999lanka) was a unique password with thirteen harder to guess character combinations. It was created using numbers, uppercases, lowercases and symbols in order to avoid cracking. So, the tool failed to crack the last password as the learner expected. By looking at those results, the learner came to a conclusion that, passwords with common use, fewer than 8 characters and single type of characters (uppercases only, lowercases only) are easy to crack. Even though, the 4th password (557) took additional 2 minutes to crack it cannot be considered as a strong password due to its minimum use of characters. Part “B” 1] Creating users. sudo adduser user01 sudo adduser user02 sudo adduser user03 Table 2 - User details User name Password Full name Room number Work phone Home phone Other Info/ correct (Y/N) user01 user01 Default Default Default default Default Yes user02 neranjan Default Default Default Default Default Yes user03 WAN@1999lanka Default Default default Default Default Yes
W.A Neranjan Viduranga COL/A-069224 pg. 17 Figure 7 - Creating users (01) Figure 8 - Creating users (02)
W.A Neranjan Viduranga COL/A-069224 pg. 18 2] Contents of “passwd”. cat /etc /passwd Figure 9 - Contents of passwd (01)
W.A Neranjan Viduranga COL/A-069224 pg. 19 Figure 10 - Contents of passwd (02) 3] Contents of “shadow”. cat /etc /shadow
W.A Neranjan Viduranga COL/A-069224 pg. 20 Figure 11 - Contents of shadow (01)
W.A Neranjan Viduranga COL/A-069224 pg. 21 Figure 12 - Contents of shadow (02) 4] Copying the contents of “passwd” and “shadow” in to text files. cp /etc /passwd passwd.txt sudo cp /etc/shadow shadow.txt
W.A Neranjan Viduranga COL/A-069224 pg. 22 Figure 13 - Copying passwd and shadow in to a .txt 5] Unshadowing the contents in the text files in to “passwords.txt” file. sudo chmod 777 shadow.txt unshadow passwd.txt shadow.txt > passwords.txt Figure 14 _ Unshadowing In here, the learner had to use additional command, “sudo chmod 777 shadow.txt”, which is used to change the permission in order to make the shadow.txt file readable. [Thornsby, J., 2020.] 6] Cracking the passwords using John the Ripper tool. john –format = sha512crypt passwords.txt
W.A Neranjan Viduranga COL/A-069224 pg. 23 Figure 15 - Password cracking 7] Cracked and failed passwords. john –show passwords.txt Figure 16 - Cracked and failed passwords
W.A Neranjan Viduranga COL/A-069224 pg. 24 8] Analysis of password strengths and the time taken to crack them Table 3 - Analysis of password strengths User Name Password No. of characters Password Strength Time taken to crack 01 user01 user01 6 (4 lowercase letters and 2 digits) Low (Usage of user name as the password and lower characters) One minute 02 user02 neranjan 8 (all lowercase letters) Medium (Has 8 characters and slightly unique. But contains only lowercases) Failed to crack (13 minutes time frame) 03 user03 WAN@1999lanka 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) Strong (Unique combination. Doesn’t related to the user name) Failed to crack (13 minutes time frame) By the time of using John the Ripper tool, there was total of three passwords in the passwords.txt file. John the Ripper tool took only one minute to crack the first password which was “user01”. Then the learner gave another 12 minutes to crack the other passwords but the tool (John the Ripper) was unable to do that. As the second password, the learner gave his first name (neranjan) to the system hoping that the tool (John the Ripper) will be able to crack that password due to its simplicity. But it had total of 8 characters and those higher number of character combinations may cause the tool to fail. The sixth password (WAN@1999lanka) was a unique password with thirteen harder to guess character combinations. It was created using numbers, uppercases, lowercases
W.A Neranjan Viduranga COL/A-069224 pg. 25 and symbols in order to avoid cracking. It was successful and shows some of the characteristics that should be in a strong password. Activity 02 Part “A” – John the Ripper Tool John the Ripper tool is a password cracking tool which was released to the public in 1996 for UNIX based systems. John the ripper tool is designed to test different passwords for their strength, hashed passwords (Brute – Force encrypted passwords) and to crack passwords using dictionary attacks. Mainly, there are two versions of John the ripper tools are available. General Public Licenced (GNU/GPL) and Proprietary (Pro) versions. GNU/GPL versions are designed for light users like students while professionals like, cyber security engineers and penetration testers use the Pro version with more advanced features like multilingual wordlists and 64 bit architecture support. [Sharma, A., 2020.] Different cracking modes in John the Ripper tool 1. “Single Crack” mode Single crack mode is considered as the quickest password cracking mode in john the ripper tool. This mode uses the data and information from “passwd” files such as login names, GECOS or full name fields and user’s home directory names to crack passwords by guessing the password. This mode uses the collected information only to crack passwords which are related to those information. Because of that reason, this mode is way faster than other modes when it comes to password cracking. But, to successfully crack a password using this mode, the password must be based on commonly available phrases or combinations in the username that it related to. Also, it should not be an uncommon and strong password. Otherwise it will take much longer time or fail to crack the password. E.g.- admin123 / 1234 / kasun345 [Openwall.com. 2013.] 2. “Wordlist” mode Wordlist mode is considered as the simplest password cracking mode in John the ripper tool. That’s because, in this mode, the user only have to specify a wordlist and password files. (“Wordlist” is a text file which contains single word per line)
W.A Neranjan Viduranga COL/A-069224 pg. 26 This mode uses a user specified wordlist and password files to crack passwords by applying each passwords again and again until the correct password is found. In this mode, the user can enable “word managing rules” to modify or change the combinations of words in the specified wordlist in order to make new passwords. By enabling this feature, users can get multiple likely passwords per every line in the wordlist. So, it increases the chance of cracking password by multiple times. John the ripper tool does not contain the ability to sort wordlists due to the large quantity of resources that need. So, every wordlist that is intended to use on john the ripper must be sorted beforehand. Users can sort their wordlists by more likely passwords listed first or in the alphabetical order. Alphabetical order of a wordlist allows the tool to crack passwords that are longer than the maximum supported password length for the hash type that you are cracking. [Openwall.com. 2013.] 3. “Incremental” mode Incremental mode is considered as the most powerful password cracking mode in John the ripper tool. Although, technically this mode can try all possible phrases and character combinations as likely passwords, it is assumed that the incremental password cracking will never terminate due to the large number of possible character combinations. Due to that reason, incremental mode deals with different trigraph frequencies for each and every character positions and password lengths separately, in order to crack each possible password within a limited time frame. But, users can set this mode to terminate automatically by setting low password lengths or giving it a small charset to use. John the ripper tool provides some pre-defined incremental modes like ASCII, LM_ASCII, Alnum, Alpha, LowerNum, UpperNum, LowerSpace, Lower, Upper and Digits. (Below chart shows the content of above pre-defined incremental modes) Table 4 - Pre-defined incremental modes Pre-defined incremental mode Contents of the mode ASCII All of the 95 printable ASCII characters. LM_ASCII All the ASCII characters that are used in LM hashes. Alnum All of the Alphanumeric characters.
W.A Neranjan Viduranga COL/A-069224 pg. 27 Alpha All of the 52 letters. (Uppercase and Lowercase letters) LowerNum All of the lowercase letters with 0 to 9 digits (Total of 36 characters) UpperNum All of the uppercase letters with 0 to 9 digits (Total of 36 characters) LowerSpace All of the lowercase letters with the space. (Total of 27 characters) Lower All of the lowercase letters. Upper All of the uppercase letters. Digits Digits only. Apart from using pre-defined incremental modes, users can give specific parameters like password length limits and charset to create their custom incremental mode. [Openwall.com. 2013.] 4. “External” mode External mode allows the user to write their own rules for generating password guesses. By using this mode, users can define and create their own custom password cracking mode in john the ripper tool. [Clarke, M., 2015.] Part “B” – Password policy and principles Password Policy for Rythmo Art Gallery 1.0] Overview Information security is one of the major concerns of a modern company. Passwords hold the last standing protection against unauthorized access and resource exploitation of the company. To prevent that, all the employees and suppliers of “Rythmo Art Gallery” who
W.A Neranjan Viduranga COL/A-069224 pg. 28 has the access to the system must take appropriate actions and actions as outlined below. 2.0] Purpose The main purpose of this password policy is to create and establish a well-managed, standard password policy in order to ensure the security of the system. This password policy will establish a standard to create strong passwords and frequent password changes. 3.0] Scope The scope of the password policy of “Rythmo Art Gallery” includes all of the employees, suppliers and people who have the authorized access to the company’s system, network or any kind of user account that belongs to the company. 4.0] Policy 4.1] General  All of the passwords must be changed after using for 90 days.  All of the passwords that were expired in last year cannot be reused again for next 2 years.  All of the expired passwords can be used again after 3 year time period but characters of every password must be rearranged.  Passwords or a part of a password must not be transmitted through any form of electronic communication media under any kind of circumstances.  All of the passwords must conform to the guidelines below. 4.2] Guidelines for password creation 1. A password must include minimum of 8 characters. 15 characters are recommended. 2. A password must not be same as the User ID or User name. 3. A password must not use birthdays, addresses or any kind of personal information. 4. A password must not be a dictionary word, common name or proper name. 5. A password must include uppercases, lowercases, digits and symbols. 6. A password must be changed after using for 90 days. 7. A password should not be identical to the previous passwords. 8. Ensure passwords must only be reset for authorized users.
W.A Neranjan Viduranga COL/A-069224 pg. 29 9. Do not use personal passwords as the work account passwords. 4.3] Guidelines for password protection 1. Do not use any kind of digital or electronical media to store your password without strong encryption. 2. Do not write down your password in a book, paper or any kind of a surface. 3. Do not share your password with your supervisor, co-workers or other employees. 4. Do not share your password with your family members. 5. Do not talk about your password in front of people. 6. Do not use your password in front of people (public) 7. Do not enable the “See password” option when you are logging in to the system/account. 8. Do not use “Remember password” or “Remember me” option on an application. 9. Do not reveal your password on questionnaires or security forms. 10. Do not use your password to log in to other applications that are suspicious. 11. Do not use the same password for different accounts. 12. If someone demands a password, please refer them to this document or the IT department. Security check-ups may be performed randomly by the information security officer. Users will be informed and require changing their passwords if a password is guessed or cracked during these security check-ups. 4.4] Guidelines for password deletion All of the passwords and accounts that are no longer needed must be deleted immediately. When an account no longer needed,  Employee should notify his/her superior officer.  Suppliers should notify the supply manager. After that, that supply manager or superior officer should notify IT department. The information security officer (of IT department) should delete the password and suspend the user account within the day. 4.5] Guidelines for application development To ensure the security of the system and information, application developers of the Rythmo Art Gallery must follow the guidelines in below.
W.A Neranjan Viduranga COL/A-069224 pg. 30 1. Applications should not show the passwords in clear text when logging in to the system. 2. User authentication should be done in individual basis, not the group basis. 3. Passwords should not be stored in clear text (in databases). All the stored passwords must be encrypted using a strong encryption method. 4. Some sort of role management should be provided. 4.6] Guidelines for remote access Remote access to the Rythmo Art gallery must be limited to fewer numbers of authorized employees. Remote access must be controlled by using a Virtual Private Network (VPN) / form of advanced authentication method (biometrics) or combination of both methods. 5.0] Penalties All the employees and suppliers of Rythmo Art Gallery should not violate this policy. Any employee, who violated this policy, may be subjected to disciplinary action or even termination of employment. Suppliers who violated this policy may be subjected to termination of supply contract. Principles behind password policy Above password policy (Password policy of Rythmo Art Gallery) is completely based on below principles in order to ensure the security of password as well as the system and information.  A password should be lengthy. Always, a password should have at least 8 different characters. Passwords, which consist of less than 8 characters, are easy to crack or guess using John the ripper tool or any other kind of password cracking tool. By increasing the characters and character combinations of a password, users can reduce the possibility of someone cracking their password. Even though 8 characters are safer, 15 characters are recommended in order to increase the security of a password further more.  A password should be unique and strange. Passwords should be as strange as possible to others. It should not consist of User ID, User name, nick name, birthday or your phone number. People, who are familiar with you, can easily get these data and use it to break or guess your
W.A Neranjan Viduranga COL/A-069224 pg. 31 password. Always should use unique and strange combinations without using any common phrases which are easy to guess.  A password should be complex. Always, a password should be complex enough that others cannot guess or crack it. This is the principle behind the use of uppercases, lowercases, digits and symbols as a combination. Passwords with pure numbers or letters can be easily cracked or guesses. So users should always use at least 3 of those different varieties of characters to construct their passwords. It turns the password in to a complex password while increasing the security of it.  Two passwords should not be similar. When using a digital media, internet or a computer, users required to have multiple accounts with multiple passwords. So, it’s easy to use the same password throughout different accounts and platforms. But, it is not a good practice. This principle shows that, the use of same password can compromise your security easily. If someone finds your password, he/she can get access to all of your sensitive data quite easily. But if you use different passwords for different accounts and applications, no one can steal all of your data easily.  A password should be changed regularly. This is one of the most important principles behind password policies. A good password should be changed regularly. Even though your password is strong and hard to crack, that doesn’t mean it couldn’t be cracked. Strength of a password is slowly decreasing as long as it’s used. To increase your security, passwords should be changed at least once per three months (90 days).  A system or application should not remember your password. Almost all of the modern day applications, websites and systems provide a option called “Remember me”. This option store your user name and password in order to provide speed login for their users. Most of the users are willing to use this option due to its convenience. But this practice is very dangerous. Hackers and outsiders can easily see those passwords as long as they have related viewing softwares. [Asunsoft.com. 2019.]
W.A Neranjan Viduranga COL/A-069224 pg. 32 Conclusion By doing this course work, learner has learnt to use “Kali Linux” operating system as well as “John the Ripper tool”. Also, this course work helped the learner to get a deep understanding of how password cracking works and how to construct stronger passwords in order to ensure the security of a password and information. The first part (Activity 01) of this course work encouraged the learner to do self-studies about “Kali Linux” and “John the Ripper” tool and helped to do practical work using “Single crack” mode of John the ripper tool. It showed the strength of different kinds of passwords and different combinations that can increase or compromise the security of a password. The second part (Activity 02) of this course work allowed the learner to explore the technical side of John the ripper tool. By doing research, the learner had been able to gain knowledge about different cracking modes of John the ripper tool and their uses. Also, in ths part, learner had to create a professional password policy for an organization. By doing that the learner gained the knowledge to create professional paper works and policies. Overall, learner had been able to gain new knowledge about password cracking, password construction, identify weak or strong passwords and organizational password policies. This new knowledge will be helpful for the learner in his future education and work life.
W.A Neranjan Viduranga COL/A-069224 pg. 33 References 1] Thornsby, J., 2020. Chmod 777: What Does It Really Mean? - Make Tech Easier. [online] Make Tech Easier. Available at: <https://www.maketecheasier.com/file-permissions-what-does- chmod-777-means/> [Accessed 17 December 2020]. 2] Sharma, A., 2020. John The Ripper Explained: An Essential Password Cracker For Your Hacker Toolkit. [online] CSO Online. Available at: <https://www.csoonline.com/article/3564153/john-the-ripper-explained-an-essential-password- cracker-for-your-hacker-toolkit.html> [Accessed 16 December 2020]. 3] Openwall.com. 2013. John The Ripper - Cracking Modes. [online] Available at: <https://www.openwall.com/john/doc/MODES.shtml> [Accessed 16 December 2020]. 4] Clarke, M., 2015. John The Ripper - External Mode - Recover Partially Remembered Password | Jumping Bean - We Build, We Support, We Train. [online] Jumpingbean.co.za. Available at: <https://www.jumpingbean.co.za/blogs/mark/john-the-ripper-partially-remembered- password#:~:text=External%20mode%20allows%20one%20to%20write%20rules%20for%20gene rating%20password%20guesses.> [Accessed 17 December 2020]. 5] Asunsoft.com. 2019. Ten Principles To Set A Secure Computer Password. [online] Available at: <https://www.asunsoft.com/password-management-and-protection/ten-principles-to-set-a-secure- computer-password.html> [Accessed 20 December 2020].

Recommended

Sit presentation - Hacking
Sit presentation - HackingSit presentation - Hacking
Sit presentation - Hackingmsolis0710
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information SecurityDr. Loganathan R
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolMd. Raquibul Hoque
 
Data security
Data securityData security
Data securitySoumen Mondal
 
Malicious software
Malicious softwareMalicious software
Malicious softwareDr.Florence Dayana
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Software Configuration Management (SCM)
Software Configuration Management (SCM)Software Configuration Management (SCM)
Software Configuration Management (SCM)Er. Shiva K. Shrestha
 

Recommended

Sit presentation - Hacking
Sit presentation - HackingSit presentation - Hacking
Sit presentation - Hackingmsolis0710
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information SecurityDr. Loganathan R
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolMd. Raquibul Hoque
 
Data security
Data securityData security
Data securitySoumen Mondal
 
Malicious software
Malicious softwareMalicious software
Malicious softwareDr.Florence Dayana
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Software Configuration Management (SCM)
Software Configuration Management (SCM)Software Configuration Management (SCM)
Software Configuration Management (SCM)Er. Shiva K. Shrestha
 
Cryptography
CryptographyCryptography
Cryptographyjayashri kolekar
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 pptvasanthimuniasamy
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Network Security Issues
Network Security IssuesNetwork Security Issues
Network Security IssuesAfreenYousaf
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information securitySyaiful Ahdan
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
System Programming- Unit I
System Programming- Unit ISystem Programming- Unit I
System Programming- Unit ISaranya1702
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Hash cat
Hash catHash cat
Hash catSreekanth Narendran
 
Computer Security
Computer SecurityComputer Security
Computer Securityvishal purkuti
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelShweta Sharma
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmSrinadh Muvva
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
Network security
Network securityNetwork security
Network securityquest university nawabshah
 
Attendance management system project report.
Attendance management system project report.Attendance management system project report.
Attendance management system project report.Manoj Kumar
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 helpPhp RedStorm
 
Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 helpok71
 

More Related Content

What's hot

Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 pptvasanthimuniasamy
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Network Security Issues
Network Security IssuesNetwork Security Issues
Network Security IssuesAfreenYousaf
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information securitySyaiful Ahdan
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
System Programming- Unit I
System Programming- Unit ISystem Programming- Unit I
System Programming- Unit ISaranya1702
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelShweta Sharma
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
Attendance management system project report.
Attendance management system project report.Attendance management system project report.
Attendance management system project report.Manoj Kumar
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 

What's hot (20)

Cryptography
CryptographyCryptography
Cryptography
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And Decryption
 
Network Security Issues
Network Security IssuesNetwork Security Issues
Network Security Issues
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information Security
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information security
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free download
 
Operating system security
Operating system securityOperating system security
Operating system security
 
System Programming- Unit I
System Programming- Unit ISystem Programming- Unit I
System Programming- Unit I
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Software security
Software securitySoftware security
Software security
 
Hash cat
Hash catHash cat
Hash cat
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abel
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptx
 
Network security
Network securityNetwork security
Network security
 
Attendance management system project report.
Attendance management system project report.Attendance management system project report.
Attendance management system project report.
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 

Similar to Password Security and Use of John the Ripper Tool

Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 helpPhp RedStorm
 
Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 helpok71
 
RDB Synchronization, Transcoding and LDAP Directory Services ...
RDB Synchronization, Transcoding and LDAP Directory Services ...RDB Synchronization, Transcoding and LDAP Directory Services ...
RDB Synchronization, Transcoding and LDAP Directory Services ...Videoguy
 
Web application security the fast guide
Web application security the fast guideWeb application security the fast guide
Web application security the fast guideDr.Sami Khiami
 
Bypass Windows Defender Attack Surface Reduction.pdf
Bypass Windows Defender Attack Surface Reduction.pdfBypass Windows Defender Attack Surface Reduction.pdf
Bypass Windows Defender Attack Surface Reduction.pdfpostfix
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architectureairy6548
 
Java Complete Reference Fifth Edition
Java Complete Reference Fifth EditionJava Complete Reference Fifth Edition
Java Complete Reference Fifth Editionumavanth
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overviewwhite paper
 
XAdES Specification based on the Apache XMLSec Project
XAdES Specification based on the Apache XMLSec Project XAdES Specification based on the Apache XMLSec Project
XAdES Specification based on the Apache XMLSec Project Krassen Deltchev
 
Witsml core api_version_1.3.1
Witsml core api_version_1.3.1Witsml core api_version_1.3.1
Witsml core api_version_1.3.1Suresh Ayyappan
 
TDavis_SkynaxDataWebServicesGuide
TDavis_SkynaxDataWebServicesGuideTDavis_SkynaxDataWebServicesGuide
TDavis_SkynaxDataWebServicesGuideToni Davis
 
Flash File Format Specification
Flash File Format SpecificationFlash File Format Specification
Flash File Format Specificationguest0ebe1e
 
Secure remote access in solaris 9
Secure remote access in solaris 9Secure remote access in solaris 9
Secure remote access in solaris 9Tintus Ardi
 

Similar to Password Security and Use of John the Ripper Tool (20)

Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 help
 
Dreamweaver cs5 help
Dreamweaver cs5 helpDreamweaver cs5 help
Dreamweaver cs5 help
 
RDB Synchronization, Transcoding and LDAP Directory Services ...
RDB Synchronization, Transcoding and LDAP Directory Services ...RDB Synchronization, Transcoding and LDAP Directory Services ...
RDB Synchronization, Transcoding and LDAP Directory Services ...
 
Web application security the fast guide
Web application security the fast guideWeb application security the fast guide
Web application security the fast guide
 
Bypass Windows Defender Attack Surface Reduction.pdf
Bypass Windows Defender Attack Surface Reduction.pdfBypass Windows Defender Attack Surface Reduction.pdf
Bypass Windows Defender Attack Surface Reduction.pdf
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architecture
 
Java Complete Reference Fifth Edition
Java Complete Reference Fifth EditionJava Complete Reference Fifth Edition
Java Complete Reference Fifth Edition
 
Silverlight
SilverlightSilverlight
Silverlight
 
Avg avbe user_manual_en
Avg avbe user_manual_enAvg avbe user_manual_en
Avg avbe user_manual_en
 
Investigation in deep web
Investigation in deep webInvestigation in deep web
Investigation in deep web
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overview
 
XAdES Specification based on the Apache XMLSec Project
XAdES Specification based on the Apache XMLSec Project XAdES Specification based on the Apache XMLSec Project
XAdES Specification based on the Apache XMLSec Project
 
Witsml core api_version_1.3.1
Witsml core api_version_1.3.1Witsml core api_version_1.3.1
Witsml core api_version_1.3.1
 
TDavis_SkynaxDataWebServicesGuide
TDavis_SkynaxDataWebServicesGuideTDavis_SkynaxDataWebServicesGuide
TDavis_SkynaxDataWebServicesGuide
 
PeopleNet Enterprise Network Security Solution
PeopleNet Enterprise Network Security SolutionPeopleNet Enterprise Network Security Solution
PeopleNet Enterprise Network Security Solution
 
Ebay News 1998 10 27 Earnings
Ebay News 1998 10 27 EarningsEbay News 1998 10 27 Earnings
Ebay News 1998 10 27 Earnings
 
Flash File Format Specification
Flash File Format SpecificationFlash File Format Specification
Flash File Format Specification
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
 
Secure remote access in solaris 9
Secure remote access in solaris 9Secure remote access in solaris 9
Secure remote access in solaris 9
 
B12303
B12303B12303
B12303
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Password Security and Use of John the Ripper Tool

  • 1. W.A Neranjan Viduranga COL/A-069224 pg. 7 Password Security and Use of John the Ripper Tool Course Work Report – Cyber Security W.A Neranjan Viduranga Kingston University
  • 2. W.A Neranjan Viduranga COL/A-069224 pg. 8 Abstract Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measurement standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network or application. In this course work, the learner discusses about John the ripper tool and its 4 different password cracking modes. Using Kali Linux operating system and John the ripper tool, learner demonstrates the Single crack mode by creating different passwords in different strength levels and cracking them. By analysing the time which is taken to crack those passwords, learner is looking forward to gain knowledge about strong and weak passwords along with their characteristics. At last, learner discusses about major principles behind password policies in order to learn about good password construction and password management. By using that knowledge, learner creates an organizational password policy for “Rythmo Art Gallery”.
  • 3. W.A Neranjan Viduranga COL/A-069224 pg. 9 Table of Contents Introduction ........................................................................................................................... 11 Activity 01 .............................................................................................................................. 12 Part “A” ................................................................................................................................ 12 1] Navigating to the Desktop through the Terminal ..................................................... 12 2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”. ................................................................................................................. 12 3] Creating five more hashing values using the same command............................... 12 4] Hash values of the created passwords..................................................................... 13 5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool. .................................................................................................................................. 13 6] Cracked and failed passwords. ................................................................................. 14 7] Analysis of password strengths and the time taken to crack them ........................ 15 Part “B” ................................................................................................................................ 16 1] Creating users. ........................................................................................................... 16 2] Contents of “passwd”. ................................................................................................ 18 3] Contents of “shadow”................................................................................................. 19 4] Copying the contents of “passwd” and “shadow” in to text files. ............................ 21 5] Unshadowing the contents in the text files in to “passwords.txt” file...................... 22 6] Cracking the passwords using John the Ripper tool. .............................................. 22 7] Cracked and failed passwords. ................................................................................. 23 8] Analysis of password strengths and the time taken to crack them ........................ 24 Activity 02 .............................................................................................................................. 25 Part “A” – John the Ripper Tool......................................................................................... 25 Different cracking modes in John the Ripper tool ........................................................ 25 Part “B” – Password policy and principles........................................................................ 27 Password Policy for Rythmo Art Gallery....................................................................... 27 Principles behind password policy ................................................................................ 30 Conclusion............................................................................................................................. 32 References............................................................................................................................. 33
  • 4. W.A Neranjan Viduranga COL/A-069224 pg. 10 Table of figures Figure 1 - Navigating to the desktop.......................................................................................... 12 Figure 2 – Creating MD5 hash values......................................................................................... 12 Figure 3 – Creating more hash values........................................................................................ 13 Figure 4 - Hash values................................................................................................................ 13 Figure 5 - Cracking the MD5 hashes........................................................................................... 14 Figure 6 - Cracked and failed passwords.................................................................................... 14 Figure 7 - Creating users (01)..................................................................................................... 17 Figure 8 - Creating users (02)..................................................................................................... 17 Figure 9 - Contents of passwd (01) ............................................................................................ 18 Figure 10 - Contents of passwd (02) .......................................................................................... 19 Figure 11 - Contents of shadow (01).......................................................................................... 20 Figure 12 - Contents of shadow (02).......................................................................................... 21 Figure 13 - Copying passwd and shadow in to a .txt................................................................... 22 Figure 14 _ Unshadowing.......................................................................................................... 22 Figure 15 - Password cracking ................................................................................................... 23 Figure 16 - Cracked and failed passwords.................................................................................. 23 List of tables Table 1 - Analysis of password strengths ................................................................................... 15 Table 2 - User details................................................................................................................. 16 Table 3 - Analysis of password strengths ................................................................................... 24 Table 4 - Pre-defined incremental modes.................................................................................. 26 Key words Kali Linux, John the Ripper tool, Hashing, Single crack mode, Word List mode, Incremental mode, External mode, Password cracking, Password unshadowing, Password policy, Password principles
  • 5. W.A Neranjan Viduranga COL/A-069224 pg. 11 Introduction This course work consists of two main parts (Activities) and four sub parts. The first activity includes,  Part “A”  Part “B” Part “A” is a practical work which consists of creating different passwords with different levels of strength and cracking them using “Single crack mode” of John the Ripper tool. The “B” part is also a practical work which works with the same single crack mode in john the ripper tool but bit more advanced than the part “A”. At the end of the both parts, learner put the analysis of password strengths with the time that they spend on cracking those passwords. The second activity is also consists of two sub parts named part “A” and “B”. Part “A” of second activity includes, a brief explanation about John the Ripper tool and its 4 password cracking modes. The “B” part includes a password policy for “Rythmo Art Gallery” created by the learner. At last, the learner discusses about major principles behind password policies and gives his conclusion about this course work and knowledge that he gained during this course work.
  • 6. W.A Neranjan Viduranga COL/A-069224 pg. 12 Activity 01 Part “A” 1] Navigating to the Desktop through the Terminal cd Desktop Figure 1 - Navigating to the desktop 2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”. echo -n “password1” | md5sum | tr -d “-” >> md5hash.txt Figure 2 – Creating MD5 hash values 3] Creating five more hashing values using the same command. echo -n “river” | md5sum | tr -d “-” >> md5hash.txt echo -n “bridge” | md5sum | tr -d “-” >> md5hash.txt echo -n “557” | md5sum | tr -d “-” >> md5hash.txt echo -n “neranjan123” | md5sum | tr -d “-” >> md5hash.txt echo -n “WAN@1999lanka” | md5sum | tr -d “-” >> md5hash.txt
  • 7. W.A Neranjan Viduranga COL/A-069224 pg. 13 Figure 3 – Creating more hash values 4] Hash values of the created passwords. cat md5hash.txt Figure 4 - Hash values 5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool. john –format = Raw-MD5 md5hash.txt
  • 8. W.A Neranjan Viduranga COL/A-069224 pg. 14 Figure 5 - Cracking the MD5 hashes 6] Cracked and failed passwords. john –show –format = Raw-MD5 md5hash.txt Figure 6 - Cracked and failed passwords
  • 9. W.A Neranjan Viduranga COL/A-069224 pg. 15 7] Analysis of password strengths and the time taken to crack them Table 1 - Analysis of password strengths Password No. of characters Password Strength Time taken to crack 01 password1 9 (8 lowercase letters and 1 digit) Low (Over 8 characters but commonly used. Not unique) Under 5 minutes 02 river 5 (5 lowercase letters) Low (Fewer characters. Not unique) Under 5 minutes 03 bridge 6 (6 lowercase letters) Low (Fewer characters. Not unique) Under 5 minutes 04 557 3 (3 digits) Low (Fewer characters. Not unique) Under 7 minutes 05 neranjan123 11 (8 lowercase letters and 3 digits) Medium (Over 8 characters and has letters plus digits) Failed to crack (15 minutes time frame) 06 WAN@1999lanka 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) Strong (Unique combination. Doesn’t related to the user name) Failed to crack (15 minutes time frame) By the time of using John the Ripper tool, there was total of six hash values (passwords) in the md5hash.txt file. John the Ripper tool took 5 minutes to crack the first 3 passwords (“river”, “bridge”, “Password1”). Then it took additional 2 minutes to crack the fourth password which was “557”. After that the learner gave additional 15 minutes to crack the last 2 passwords (“neranjan123” and “WAN@1999lanka”) but the tool was unable to crack those passwords.
  • 10. W.A Neranjan Viduranga COL/A-069224 pg. 16 As the fifth password, the learner gave his first name and three numbers (neranjan123) to the system hoping that the tool (John the Ripper) will be able to crack that password due to its simplicity. But it had total of 11 characters and those higher number of character combinations may cause the tool to fail. The sixth password (WAN@1999lanka) was a unique password with thirteen harder to guess character combinations. It was created using numbers, uppercases, lowercases and symbols in order to avoid cracking. So, the tool failed to crack the last password as the learner expected. By looking at those results, the learner came to a conclusion that, passwords with common use, fewer than 8 characters and single type of characters (uppercases only, lowercases only) are easy to crack. Even though, the 4th password (557) took additional 2 minutes to crack it cannot be considered as a strong password due to its minimum use of characters. Part “B” 1] Creating users. sudo adduser user01 sudo adduser user02 sudo adduser user03 Table 2 - User details User name Password Full name Room number Work phone Home phone Other Info/ correct (Y/N) user01 user01 Default Default Default default Default Yes user02 neranjan Default Default Default Default Default Yes user03 WAN@1999lanka Default Default default Default Default Yes
  • 11. W.A Neranjan Viduranga COL/A-069224 pg. 17 Figure 7 - Creating users (01) Figure 8 - Creating users (02)
  • 12. W.A Neranjan Viduranga COL/A-069224 pg. 18 2] Contents of “passwd”. cat /etc /passwd Figure 9 - Contents of passwd (01)
  • 13. W.A Neranjan Viduranga COL/A-069224 pg. 19 Figure 10 - Contents of passwd (02) 3] Contents of “shadow”. cat /etc /shadow
  • 14. W.A Neranjan Viduranga COL/A-069224 pg. 20 Figure 11 - Contents of shadow (01)
  • 15. W.A Neranjan Viduranga COL/A-069224 pg. 21 Figure 12 - Contents of shadow (02) 4] Copying the contents of “passwd” and “shadow” in to text files. cp /etc /passwd passwd.txt sudo cp /etc/shadow shadow.txt
  • 16. W.A Neranjan Viduranga COL/A-069224 pg. 22 Figure 13 - Copying passwd and shadow in to a .txt 5] Unshadowing the contents in the text files in to “passwords.txt” file. sudo chmod 777 shadow.txt unshadow passwd.txt shadow.txt > passwords.txt Figure 14 _ Unshadowing In here, the learner had to use additional command, “sudo chmod 777 shadow.txt”, which is used to change the permission in order to make the shadow.txt file readable. [Thornsby, J., 2020.] 6] Cracking the passwords using John the Ripper tool. john –format = sha512crypt passwords.txt
  • 17. W.A Neranjan Viduranga COL/A-069224 pg. 23 Figure 15 - Password cracking 7] Cracked and failed passwords. john –show passwords.txt Figure 16 - Cracked and failed passwords
  • 18. W.A Neranjan Viduranga COL/A-069224 pg. 24 8] Analysis of password strengths and the time taken to crack them Table 3 - Analysis of password strengths User Name Password No. of characters Password Strength Time taken to crack 01 user01 user01 6 (4 lowercase letters and 2 digits) Low (Usage of user name as the password and lower characters) One minute 02 user02 neranjan 8 (all lowercase letters) Medium (Has 8 characters and slightly unique. But contains only lowercases) Failed to crack (13 minutes time frame) 03 user03 WAN@1999lanka 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) Strong (Unique combination. Doesn’t related to the user name) Failed to crack (13 minutes time frame) By the time of using John the Ripper tool, there was total of three passwords in the passwords.txt file. John the Ripper tool took only one minute to crack the first password which was “user01”. Then the learner gave another 12 minutes to crack the other passwords but the tool (John the Ripper) was unable to do that. As the second password, the learner gave his first name (neranjan) to the system hoping that the tool (John the Ripper) will be able to crack that password due to its simplicity. But it had total of 8 characters and those higher number of character combinations may cause the tool to fail. The sixth password (WAN@1999lanka) was a unique password with thirteen harder to guess character combinations. It was created using numbers, uppercases, lowercases
  • 19. W.A Neranjan Viduranga COL/A-069224 pg. 25 and symbols in order to avoid cracking. It was successful and shows some of the characteristics that should be in a strong password. Activity 02 Part “A” – John the Ripper Tool John the Ripper tool is a password cracking tool which was released to the public in 1996 for UNIX based systems. John the ripper tool is designed to test different passwords for their strength, hashed passwords (Brute – Force encrypted passwords) and to crack passwords using dictionary attacks. Mainly, there are two versions of John the ripper tools are available. General Public Licenced (GNU/GPL) and Proprietary (Pro) versions. GNU/GPL versions are designed for light users like students while professionals like, cyber security engineers and penetration testers use the Pro version with more advanced features like multilingual wordlists and 64 bit architecture support. [Sharma, A., 2020.] Different cracking modes in John the Ripper tool 1. “Single Crack” mode Single crack mode is considered as the quickest password cracking mode in john the ripper tool. This mode uses the data and information from “passwd” files such as login names, GECOS or full name fields and user’s home directory names to crack passwords by guessing the password. This mode uses the collected information only to crack passwords which are related to those information. Because of that reason, this mode is way faster than other modes when it comes to password cracking. But, to successfully crack a password using this mode, the password must be based on commonly available phrases or combinations in the username that it related to. Also, it should not be an uncommon and strong password. Otherwise it will take much longer time or fail to crack the password. E.g.- admin123 / 1234 / kasun345 [Openwall.com. 2013.] 2. “Wordlist” mode Wordlist mode is considered as the simplest password cracking mode in John the ripper tool. That’s because, in this mode, the user only have to specify a wordlist and password files. (“Wordlist” is a text file which contains single word per line)
  • 20. W.A Neranjan Viduranga COL/A-069224 pg. 26 This mode uses a user specified wordlist and password files to crack passwords by applying each passwords again and again until the correct password is found. In this mode, the user can enable “word managing rules” to modify or change the combinations of words in the specified wordlist in order to make new passwords. By enabling this feature, users can get multiple likely passwords per every line in the wordlist. So, it increases the chance of cracking password by multiple times. John the ripper tool does not contain the ability to sort wordlists due to the large quantity of resources that need. So, every wordlist that is intended to use on john the ripper must be sorted beforehand. Users can sort their wordlists by more likely passwords listed first or in the alphabetical order. Alphabetical order of a wordlist allows the tool to crack passwords that are longer than the maximum supported password length for the hash type that you are cracking. [Openwall.com. 2013.] 3. “Incremental” mode Incremental mode is considered as the most powerful password cracking mode in John the ripper tool. Although, technically this mode can try all possible phrases and character combinations as likely passwords, it is assumed that the incremental password cracking will never terminate due to the large number of possible character combinations. Due to that reason, incremental mode deals with different trigraph frequencies for each and every character positions and password lengths separately, in order to crack each possible password within a limited time frame. But, users can set this mode to terminate automatically by setting low password lengths or giving it a small charset to use. John the ripper tool provides some pre-defined incremental modes like ASCII, LM_ASCII, Alnum, Alpha, LowerNum, UpperNum, LowerSpace, Lower, Upper and Digits. (Below chart shows the content of above pre-defined incremental modes) Table 4 - Pre-defined incremental modes Pre-defined incremental mode Contents of the mode ASCII All of the 95 printable ASCII characters. LM_ASCII All the ASCII characters that are used in LM hashes. Alnum All of the Alphanumeric characters.
  • 21. W.A Neranjan Viduranga COL/A-069224 pg. 27 Alpha All of the 52 letters. (Uppercase and Lowercase letters) LowerNum All of the lowercase letters with 0 to 9 digits (Total of 36 characters) UpperNum All of the uppercase letters with 0 to 9 digits (Total of 36 characters) LowerSpace All of the lowercase letters with the space. (Total of 27 characters) Lower All of the lowercase letters. Upper All of the uppercase letters. Digits Digits only. Apart from using pre-defined incremental modes, users can give specific parameters like password length limits and charset to create their custom incremental mode. [Openwall.com. 2013.] 4. “External” mode External mode allows the user to write their own rules for generating password guesses. By using this mode, users can define and create their own custom password cracking mode in john the ripper tool. [Clarke, M., 2015.] Part “B” – Password policy and principles Password Policy for Rythmo Art Gallery 1.0] Overview Information security is one of the major concerns of a modern company. Passwords hold the last standing protection against unauthorized access and resource exploitation of the company. To prevent that, all the employees and suppliers of “Rythmo Art Gallery” who
  • 22. W.A Neranjan Viduranga COL/A-069224 pg. 28 has the access to the system must take appropriate actions and actions as outlined below. 2.0] Purpose The main purpose of this password policy is to create and establish a well-managed, standard password policy in order to ensure the security of the system. This password policy will establish a standard to create strong passwords and frequent password changes. 3.0] Scope The scope of the password policy of “Rythmo Art Gallery” includes all of the employees, suppliers and people who have the authorized access to the company’s system, network or any kind of user account that belongs to the company. 4.0] Policy 4.1] General  All of the passwords must be changed after using for 90 days.  All of the passwords that were expired in last year cannot be reused again for next 2 years.  All of the expired passwords can be used again after 3 year time period but characters of every password must be rearranged.  Passwords or a part of a password must not be transmitted through any form of electronic communication media under any kind of circumstances.  All of the passwords must conform to the guidelines below. 4.2] Guidelines for password creation 1. A password must include minimum of 8 characters. 15 characters are recommended. 2. A password must not be same as the User ID or User name. 3. A password must not use birthdays, addresses or any kind of personal information. 4. A password must not be a dictionary word, common name or proper name. 5. A password must include uppercases, lowercases, digits and symbols. 6. A password must be changed after using for 90 days. 7. A password should not be identical to the previous passwords. 8. Ensure passwords must only be reset for authorized users.
  • 23. W.A Neranjan Viduranga COL/A-069224 pg. 29 9. Do not use personal passwords as the work account passwords. 4.3] Guidelines for password protection 1. Do not use any kind of digital or electronical media to store your password without strong encryption. 2. Do not write down your password in a book, paper or any kind of a surface. 3. Do not share your password with your supervisor, co-workers or other employees. 4. Do not share your password with your family members. 5. Do not talk about your password in front of people. 6. Do not use your password in front of people (public) 7. Do not enable the “See password” option when you are logging in to the system/account. 8. Do not use “Remember password” or “Remember me” option on an application. 9. Do not reveal your password on questionnaires or security forms. 10. Do not use your password to log in to other applications that are suspicious. 11. Do not use the same password for different accounts. 12. If someone demands a password, please refer them to this document or the IT department. Security check-ups may be performed randomly by the information security officer. Users will be informed and require changing their passwords if a password is guessed or cracked during these security check-ups. 4.4] Guidelines for password deletion All of the passwords and accounts that are no longer needed must be deleted immediately. When an account no longer needed,  Employee should notify his/her superior officer.  Suppliers should notify the supply manager. After that, that supply manager or superior officer should notify IT department. The information security officer (of IT department) should delete the password and suspend the user account within the day. 4.5] Guidelines for application development To ensure the security of the system and information, application developers of the Rythmo Art Gallery must follow the guidelines in below.
  • 24. W.A Neranjan Viduranga COL/A-069224 pg. 30 1. Applications should not show the passwords in clear text when logging in to the system. 2. User authentication should be done in individual basis, not the group basis. 3. Passwords should not be stored in clear text (in databases). All the stored passwords must be encrypted using a strong encryption method. 4. Some sort of role management should be provided. 4.6] Guidelines for remote access Remote access to the Rythmo Art gallery must be limited to fewer numbers of authorized employees. Remote access must be controlled by using a Virtual Private Network (VPN) / form of advanced authentication method (biometrics) or combination of both methods. 5.0] Penalties All the employees and suppliers of Rythmo Art Gallery should not violate this policy. Any employee, who violated this policy, may be subjected to disciplinary action or even termination of employment. Suppliers who violated this policy may be subjected to termination of supply contract. Principles behind password policy Above password policy (Password policy of Rythmo Art Gallery) is completely based on below principles in order to ensure the security of password as well as the system and information.  A password should be lengthy. Always, a password should have at least 8 different characters. Passwords, which consist of less than 8 characters, are easy to crack or guess using John the ripper tool or any other kind of password cracking tool. By increasing the characters and character combinations of a password, users can reduce the possibility of someone cracking their password. Even though 8 characters are safer, 15 characters are recommended in order to increase the security of a password further more.  A password should be unique and strange. Passwords should be as strange as possible to others. It should not consist of User ID, User name, nick name, birthday or your phone number. People, who are familiar with you, can easily get these data and use it to break or guess your
  • 25. W.A Neranjan Viduranga COL/A-069224 pg. 31 password. Always should use unique and strange combinations without using any common phrases which are easy to guess.  A password should be complex. Always, a password should be complex enough that others cannot guess or crack it. This is the principle behind the use of uppercases, lowercases, digits and symbols as a combination. Passwords with pure numbers or letters can be easily cracked or guesses. So users should always use at least 3 of those different varieties of characters to construct their passwords. It turns the password in to a complex password while increasing the security of it.  Two passwords should not be similar. When using a digital media, internet or a computer, users required to have multiple accounts with multiple passwords. So, it’s easy to use the same password throughout different accounts and platforms. But, it is not a good practice. This principle shows that, the use of same password can compromise your security easily. If someone finds your password, he/she can get access to all of your sensitive data quite easily. But if you use different passwords for different accounts and applications, no one can steal all of your data easily.  A password should be changed regularly. This is one of the most important principles behind password policies. A good password should be changed regularly. Even though your password is strong and hard to crack, that doesn’t mean it couldn’t be cracked. Strength of a password is slowly decreasing as long as it’s used. To increase your security, passwords should be changed at least once per three months (90 days).  A system or application should not remember your password. Almost all of the modern day applications, websites and systems provide a option called “Remember me”. This option store your user name and password in order to provide speed login for their users. Most of the users are willing to use this option due to its convenience. But this practice is very dangerous. Hackers and outsiders can easily see those passwords as long as they have related viewing softwares. [Asunsoft.com. 2019.]
  • 26. W.A Neranjan Viduranga COL/A-069224 pg. 32 Conclusion By doing this course work, learner has learnt to use “Kali Linux” operating system as well as “John the Ripper tool”. Also, this course work helped the learner to get a deep understanding of how password cracking works and how to construct stronger passwords in order to ensure the security of a password and information. The first part (Activity 01) of this course work encouraged the learner to do self-studies about “Kali Linux” and “John the Ripper” tool and helped to do practical work using “Single crack” mode of John the ripper tool. It showed the strength of different kinds of passwords and different combinations that can increase or compromise the security of a password. The second part (Activity 02) of this course work allowed the learner to explore the technical side of John the ripper tool. By doing research, the learner had been able to gain knowledge about different cracking modes of John the ripper tool and their uses. Also, in ths part, learner had to create a professional password policy for an organization. By doing that the learner gained the knowledge to create professional paper works and policies. Overall, learner had been able to gain new knowledge about password cracking, password construction, identify weak or strong passwords and organizational password policies. This new knowledge will be helpful for the learner in his future education and work life.
  • 27. W.A Neranjan Viduranga COL/A-069224 pg. 33 References 1] Thornsby, J., 2020. Chmod 777: What Does It Really Mean? - Make Tech Easier. [online] Make Tech Easier. Available at: <https://www.maketecheasier.com/file-permissions-what-does- chmod-777-means/> [Accessed 17 December 2020]. 2] Sharma, A., 2020. John The Ripper Explained: An Essential Password Cracker For Your Hacker Toolkit. [online] CSO Online. Available at: <https://www.csoonline.com/article/3564153/john-the-ripper-explained-an-essential-password- cracker-for-your-hacker-toolkit.html> [Accessed 16 December 2020]. 3] Openwall.com. 2013. John The Ripper - Cracking Modes. [online] Available at: <https://www.openwall.com/john/doc/MODES.shtml> [Accessed 16 December 2020]. 4] Clarke, M., 2015. John The Ripper - External Mode - Recover Partially Remembered Password | Jumping Bean - We Build, We Support, We Train. [online] Jumpingbean.co.za. Available at: <https://www.jumpingbean.co.za/blogs/mark/john-the-ripper-partially-remembered- password#:~:text=External%20mode%20allows%20one%20to%20write%20rules%20for%20gene rating%20password%20guesses.> [Accessed 17 December 2020]. 5] Asunsoft.com. 2019. Ten Principles To Set A Secure Computer Password. [online] Available at: <https://www.asunsoft.com/password-management-and-protection/ten-principles-to-set-a-secure- computer-password.html> [Accessed 20 December 2020].