Lab Assignment 2 : due 10/12 Monday
Submission
1. (Optional) Use scp to download the lab report file at /home/shengbo/it443/lab2.txt
$scp :/home/shengbo/it443/lab2.txt .
2. Write all the answers in that file, or use a file of your own (.txt, .doc, .pdf, etc.).
3. Rename the file to lab2_firstname1_firstname2.txt. E.g., if Alice and Bob form a team, the file name should be lab2_alice_bob.txt
4. Email the lab report to the TA () and CC the instructor ()
· Task 1: Password Cracking
As a system administrator, you can test the strength of your users' passwords with a password cracker. "John the Ripper" is one of the most popular ones. The program "john" generates candidate passwords (from rules, from a wordlist, or by exhaustive search), hashes each candidate with the same algorithm and salt as a stored entry, and reports a hit when the result equals the hash in the password file. It never attempts a real login, so the attack is offline and invisible to the login service.
John the Ripper (JtR) is available from the Ubuntu repository (version 1.7.3), but only versions newer than 1.7.6 support the SHA-512 based hashes ("$6$..." entries in /etc/shadow) that Ubuntu 8.10 and later use. In this lab, we will install version 1.7.9 from source.
1. Download JtR source codes
$wget http://www.openwall.com/john/g/john-1.7.9.tar.gz
2. Extract and compile the program
$tar -zxvf john-1.7.9.tar.gz
$cd john-1.7.9/src
$make linux-x86-sse2
(Running "make" with no target prints the list of supported build targets; on a 64-bit system use "make linux-x86-64" instead.) You should then have "john" in the ../run directory.
3. Create some user accounts with weak passwords.
a) Create an account with a password of 4 digits, e.g., 1357
b) Create an account with a common word (no more than 5 letters) as the password, e.g., apple
c) Create an account with a relevant password. E.g., user ID is jay and the password is jay123, or the registered full name is John Smith and the password is jsmith2000.
d) Create an account with a short but strong password: 3 characters that mix upper and lower case, a digit and a punctuation symbol, so that it is neither a dictionary word nor all digits.
4. Run the cracker
a) Get all the hashed values
On Ubuntu, the password hashes are kept in /etc/shadow, not /etc/passwd, and /etc/shadow is readable only by root. JtR's "unshadow" merges the two files into the single-file format that john expects. Enter JtR's "run" directory and execute
$sudo ./unshadow /etc/passwd /etc/shadow > passwd.txt
b) Prune passwd.txt so that only the lines for the four accounts you just created remain (in particular, remove the line for your own login). Treat this file like /etc/shadow: it contains password hashes, so keep it readable only by you and delete it when the lab is done.
c) Normally you would simply execute "./john passwd.txt" to start cracking with john's default sequence of modes. (Do not execute the command at this point.)
Press any key for progress (including the time spent so far), CTRL-C for interruption.
To resume cracking from interruption: $./john --restore
To show the cracked password(s): $./john --show passwd.txt
Here, we’ll try some command options to speed up the process. The online document at http://www.openwall.com/john/doc/EXAMPLES.shtml may be helpful. (For each of the following steps, if the cracker program has been running for more than 10 minutes, you can abort it and claim that the password cannot be cracked. When the cracker program is running, you can continue to work on the second task.)
1) First try 'single crack' mode. It is quick, but it only tries candidates derived from the account itself: the login name, the GECOS (full name) field and the home directory, with simple mangling rules such as appended digits.
$./john --single passwd.txt
If you observe a cracked password, press any key to show status and record the time information.
2) Next, we will try to crack the all-digit password. Open the configuration file john.conf (in the run directory) and find the section "[Incremental:Digits]". Set both "MaxLen" and "MinLen" to 4. Then execute the following command, which selects the "digits" incremental mode. Candidates are built from the 10 digits (0~9) only, so there are at most 10^4 = 10,000 of them.
$./john -i=digits passwd.txt
You don’t have to wait until the program terminates. Once the digits password is cracked, you can record the time spent and then stop the program. Note: this process may take some time depending on the password you chose. You can keep reading the rest instructions or start task 2 while the cracking program is running.
3) Another important mode is "wordlist" mode, which runs a dictionary attack. The '-w' option specifies the wordlist for the cracker to use. JtR ships a small list of common passwords ("password.lst"); Ubuntu has a much longer list of English words at /usr/share/dict/words. Try the following command to see whether it cracks the dictionary-word password you picked.
$./john -w=password.lst passwd.txt
Again, you don’t have to wait until the program terminates. Once the word password is cracked, you can record the time spent and stop the program.
4) Finally, let us try to crack the short but strong password. Open the configuration file john.conf and find the section "[Incremental:All]". Set both "MaxLen" and "MinLen" to 3. This mode tries every combination of the 95 printable ASCII characters, i.e., 95^3 = 857,375 candidates of length 3, which is why even a very short random password takes noticeably longer than the digit-only search.
$./john -i passwd.txt
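To see what john is doing in each of the four runs above, here is an added example (it is not part of the handout and not john's code): a miniature cracker in Python that replays single, digits, wordlist and incremental mode against a constructed passwd.txt. The account names, salts, GECOS values and the word list are made up for the example, and the hash is a single salted SHA-512 used as a stand-in for crypt(3)'s sha512crypt, so the order in which the accounts fall and the number of hashes each mode needs are representative, while the wall-clock time is not.

```python
import hashlib
import itertools
import string

# Stand-in for crypt(3)'s sha512crypt ($6$salt$hash): one salted SHA-512.
# Real john runs the 5000-round algorithm, so only the search logic below
# is representative, not the speed per guess.
def toy_crypt(password, salt):
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return "$toy$" + salt + "$" + digest

def unshadow_line(user, uid, gecos, password, salt):
    # Same field layout that ./unshadow emits: user:hash:uid:gid:gecos:home:shell
    return f"{user}:{toy_crypt(password, salt)}:{uid}:{uid}:{gecos}:/home/{user}:/bin/bash"

# Constructed passwd.txt mirroring the lab's four accounts a) to d).
PASSWD_TXT = "\n".join([
    unshadow_line("pin",   1001, "",          "1357",   "aB3x"),
    unshadow_line("fruit", 1002, "",          "apple",  "Zq9m"),
    unshadow_line("jay",   1003, "Jay Smith", "jay123", "k2Lp"),
    unshadow_line("tiny",  1004, "",          "Q#7",    "w8Rt"),
])

# Constructed stand-in for john's password.lst.
WORDLIST = ["123456", "password", "letmein", "apple", "monkey", "qwerty"]

def parse_passwd(text):
    """Return [(user, salt, hash, gecos)] for lines that carry a crackable hash."""
    entries = []
    for line in text.splitlines():
        user, h, _uid, _gid, gecos, _home, _shell = line.split(":")
        if not h.startswith("$toy$"):
            continue                       # '*' or '!' = locked / no password
        entries.append((user, h.split("$")[2], h, gecos))
    return entries

def single_candidates(user, gecos):
    """Single mode: guesses derived from the login name and the GECOS field."""
    words = {user.lower()}
    parts = gecos.split()
    words.update(p.lower() for p in parts)
    if len(parts) >= 2:
        words.add(parts[0][0].lower() + parts[-1].lower())     # "jsmith"
    for w in sorted(words):
        for base in (w, w.capitalize()):
            yield base
            for n in range(1, 5):                                # jay0 ... jay9999
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)

def incremental_candidates(charset, length):
    """Incremental mode with MinLen == MaxLen: all len(charset)**length strings."""
    for chars in itertools.product(charset, repeat=length):
        yield "".join(chars)

def crack(entries, candidates):
    """Hash every guess with every pending salt; return ({user: pw}, hashes_done)."""
    pending = list(entries)
    found, hashes = {}, 0
    for guess in candidates:
        for entry in list(pending):
            user, salt, h, _ = entry
            hashes += 1                 # distinct salts mean one hash per target
            if toy_crypt(guess, salt) == h:
                found[user] = guess
                pending.remove(entry)
        if not pending:
            break
    return found, hashes

def run_lab(passwd_txt=PASSWD_TXT):
    """Replay the lab's four runs in order; returns {user: (mode, password, hashes)}."""
    entries = parse_passwd(passwd_txt)
    report = {}

    def stage(mode, candidates, targets):
        found, n = crack(targets, candidates)
        for user, pw in found.items():
            report[user] = (mode, pw, n)
        return [e for e in targets if e[0] not in found]

    for e in list(entries):                                     # 1) --single
        if not stage("single", single_candidates(e[0], e[3]), [e]):
            entries.remove(e)
    entries = stage("digits", incremental_candidates(string.digits, 4), entries)   # 2) -i=digits
    entries = stage("wordlist", iter(WORDLIST), entries)                            # 3) -w=password.lst
    all_chars = string.digits + string.ascii_letters + string.punctuation           # 94 symbols
    entries = stage("incremental", incremental_candidates(all_chars, 3), entries)   # 4) -i, length 3
    return report

if __name__ == "__main__":
    for user, (mode, pw, n) in run_lab().items():
        print(f"{user:6} cracked by {mode:12} -> {pw!r} after {n} hashes")
```

Running it with python3 prints which mode cracked each account and how many hashes were computed before it fell: 235 for jay123 in single mode, about 21,000 for the four-digit PIN (every guess is hashed once per remaining salt), 10 for the dictionary word, and about 465,000 for the three-character password over 94 symbols. That spread is what your john timings should reflect, stretched by the cost of the real algorithm.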
Questions:
1. Include a copy of passwd.txt in your report
2. List the four accounts you created (user ID and password).
3. Report which accounts were cracked, in which run, and roughly how long each took. (After you observe a cracked password, press any key to show the status line, which includes the elapsed time.)
· Task 2: Implementing Certificates
1. Becoming a Certificate Authority (CA)
A Certificate Authority (CA) is a trusted entity that issues digital certificates. A digital certificate certifies that the public key it contains belongs to the subject named in it. A number of commercial CAs are treated as root CAs, e.g., VeriSign. Users who want certificates issued by a commercial CA have to pay for them. In this lab we need to create digital certificates, but we are not going to pay any commercial CA. We will become a root CA ourselves, and then use this CA to issue certificates for others (e.g., web servers). Unlike other certificates, which are signed by another CA, a root CA's certificate is self-signed. Root CA certificates are pre-loaded into most operating systems, web browsers, and other software that relies on Public Key Infrastructure (PKI). Nothing vouches for a root certificate except its presence in that trust store, so it is trusted unconditionally, which is also why a compromised root key is so damaging.
In order to use OpenSSL to create certificates, you need a configuration file that is read by three OpenSSL commands: ca, req and x509. You can get a copy of the configuration file from /usr/lib/ssl/openssl.cnf. After copying this file into your current directory, you need to create several sub-directories and files as specified in the configuration file (look at the [ CA_default ] section):
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
new_certs_dir = $dir/newcerts # default place for new certs.
database = $dir/index.txt # database index file.
serial = $dir/serial # The current serial number
For index.txt, simply create an empty file; it is the CA's database of issued certificates. For serial, put a single hexadecimal number with an even number of digits (e.g., 1000) in the file; "openssl ca" uses it as the serial number of the next certificate and rewrites the file afterwards. Now you can create and issue certificates.
As we described before, we need to generate a self-signed certificate for our CA. This means that this CA is totally trusted, and its certificate will serve as the root certificate. You can run the following command to generate the self-signed certificate for the CA:
$openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
You will be prompted for a passphrase and for identity information such as the Country Name and Common Name. Do not lose the passphrase: it encrypts the CA's private key, and you will have to type it each time you use this CA to sign certificates for others. The command produces two files: ca.key, which holds the CA's passphrase-protected private key, and ca.crt, the self-signed public-key certificate. Anyone who obtains ca.key together with the passphrase can issue certificates that every system trusting ca.crt will accept.
2. Create a certificate for it443lab2.com
Now that we are a root CA, we are ready to sign digital certificates for our customers. Our first customer is a company called it443lab2.com. For this company to get a digital certificate from a CA, it needs to go through three steps.
Step 1: Generate a public/private key pair. The company first creates its own key pair. The following command generates an RSA key pair (the public key is derived from the private one, so a single file holds both) and encrypts it with a passphrase that you will be asked to provide; the result is stored in server.key. Note that 1024-bit RSA is below today's minimum of 2048 bits and is used here only to keep the lab quick:
$openssl genrsa -des3 -out server.key 1024
Step 2: Generate a Certificate Signing Request (CSR). Once the company has the key file, it generates a CSR, which contains its public key and identity information and is signed with its private key. The CSR is sent to the CA, who issues a certificate for the key (usually after verifying that the identity information in the CSR matches the requester's true identity). Please use it443lab2.com as the Common Name of the certificate request. With the default policy in openssl.cnf (policy_match), the Country, State and Organization fields must match the ones you entered for the CA, or the signing step will reject the request.
$openssl req -new -key server.key -out server.csr -config openssl.cnf
Step 3: Generating Certificates. The CSR file needs to have the CA’s signature to form a certificate. In the real world, the CSR files are usually sent to a trusted CA for their signature. In this lab, we will use our own trusted CA to generate certificates:
$openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
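The three steps above, plus the check a browser performs in section 3, as an added example that is not part of the handout: a Python script that drives the openssl command line non-interactively. It writes its own trimmed openssl.cnf (a stand-in for the copy of /usr/lib/ssl/openssl.cnf the lab uses), skips the passphrases with -nodes so it can run unattended, uses 2048-bit keys instead of 1024, and adds a subjectAltName because current browsers ignore the Common Name. The CA name, directory name, serial 1000 and the it443lab2.com host name are assumptions of the example; it needs the openssl binary on PATH.

```python
import os
import re
import subprocess
import tempfile

# Trimmed stand-in (constructed for this example) for the sections of
# /usr/lib/ssl/openssl.cnf that the req and ca commands read.
OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
crl_dir         = $dir/crl
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert

[ policy_anything ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:it443lab2.com
"""

def run(args, cwd):
    """Run one openssl command inside cwd; raise if it fails, return its stdout."""
    return subprocess.run(["openssl"] + args, cwd=cwd, check=True,
                          capture_output=True, text=True).stdout

def setup_ca_dir(work):
    """The directories and files [ CA_default ] expects: empty database, serial 1000 (hex)."""
    for sub in ("certs", "crl", "newcerts"):
        os.makedirs(os.path.join(work, "demoCA", sub), exist_ok=True)
    open(os.path.join(work, "demoCA", "index.txt"), "w").close()
    with open(os.path.join(work, "demoCA", "serial"), "w") as f:
        f.write("1000\n")
    with open(os.path.join(work, "openssl.cnf"), "w") as f:
        f.write(OPENSSL_CNF)

def make_root_ca(work):
    """Self-signed root: -nodes skips the passphrase the lab puts on ca.key."""
    run(["req", "-new", "-x509", "-nodes", "-newkey", "rsa:2048", "-days", "3650",
         "-subj", "/CN=IT443 Lab Root CA", "-keyout", "ca.key", "-out", "ca.crt",
         "-config", "openssl.cnf"], work)

def issue_server_cert(work, cn="it443lab2.com"):
    run(["genrsa", "-out", "server.key", "2048"], work)                 # step 1
    run(["req", "-new", "-key", "server.key", "-out", "server.csr",
         "-subj", "/CN=" + cn, "-config", "openssl.cnf"], work)         # step 2
    run(["ca", "-batch", "-notext", "-in", "server.csr", "-out", "server.crt",
         "-cert", "ca.crt", "-keyfile", "ca.key", "-config", "openssl.cnf"], work)  # step 3

def cert_facts(work):
    """Question 1: signature algorithm, validity, serial, and the CA's next serial."""
    text = run(["x509", "-in", "server.crt", "-noout", "-text"], work)
    serial_line = run(["x509", "-in", "server.crt", "-noout", "-serial"], work)
    with open(os.path.join(work, "demoCA", "serial")) as f:
        next_serial = f.read().strip()
    return {
        "sig_alg": re.search(r"Signature Algorithm: (\S+)", text).group(1),
        "not_before": re.search(r"Not Before: (.+)", text).group(1).strip(),
        "not_after": re.search(r"Not After : (.+)", text).group(1).strip(),
        "serial": serial_line.strip().split("=")[1],
        "next_serial": next_serial,
    }

def chain_ok_for_host(work, host):
    """What the browser checks in section 3: chains to ca.crt AND the name matches."""
    r = subprocess.run(["openssl", "verify", "-CAfile", "ca.crt",
                        "-verify_hostname", host, "server.crt"],
                       cwd=work, capture_output=True, text=True)
    return r.returncode == 0

def run_task2():
    """Build the CA and issue the server certificate in a scratch directory."""
    work = tempfile.mkdtemp(prefix="it443lab2-")
    setup_ca_dir(work)
    make_root_ca(work)
    issue_server_cert(work)
    return work

if __name__ == "__main__":
    d = run_task2()
    print(cert_facts(d))
    print("it443lab2.com:", chain_ok_for_host(d, "it443lab2.com"),
          " localhost:", chain_ok_for_host(d, "localhost"))
```

cert_facts gives the answers to question 1 (the certificate is serial 1000 and the serial file now reads 1001, because openssl ca consumed the number and advanced it), and chain_ok_for_host shows the point behind question 2: the same certificate verifies for it443lab2.com and fails for localhost, because matching the requested host name against the certificate is part of validation, not just the chain back to ca.crt.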
3. Use certificates for web sites
In this lab, we will explore how public-key certificates are used by web sites to secure web browsing. Let us use it443lab2.com as our domain name. To make our computer resolve this name, add the following entry to /etc/hosts; it maps it443lab2.com to the localhost address 127.0.0.1:
127.0.0.1 it443lab2.com
Next, let us launch a simple web server with the certificate generated in the previous task. OpenSSL can act as a minimal HTTPS server through its s_server command:
$cp server.key server.pem
$cat server.crt >> server.pem # Combine the private key and the certificate into one file
$openssl s_server -cert server.pem -www # Launch the web server using server.pem (you will be asked for the key's passphrase)
By default, the server listens on port 4433; you can change that with the -accept option. Because server.pem contains the private key, keep it readable only by your own user. Now access the server at https://it443lab2.com:4433/. Most likely, you will get an error message from the browser. In Firefox, you will see a message like the following:
"it443lab2.com:4433 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown".
Had this certificate been issued by VeriSign, there would be no such error, because VeriSign's root certificate is almost certainly preloaded into Firefox's trust store. The certificate of it443lab2.com, however, is signed by our own CA (i.e., with the private key behind ca.crt), and Firefox does not know this CA. We can add our CA's certificate to Firefox manually through the following menu sequence:
Edit -> Preference -> Advanced -> View Certificates.
You will see a list of certificates that are already accepted by Firefox. From here, we can “import” our own certificate. Please import ca.crt, and select the following option: “Trust this CA to identify web sites”. You will see that our CA’s certificate is now in Firefox’s list of the accepted certificates. Now, point the browser to https://it443lab2.com:4433 and you should be able to access the web page without the error message.
Questions:
1. Check the certificate file server.crt and answer the following questions
a) What cryptographic algorithm was used to generate the certificate?
b) What’s the valid duration of the certificate?
c) What’s the serial number of the certificate? Does it match the number you put in the file ‘serial’? Check the file ‘serial’ again, describe your observations.
2. Since it443lab2.com points to the localhost, if we use https://localhost:4433 instead, we will be connecting to the same web server. Please do so, describe and explain your observations.
3. Summarize all the files you have generated in this task and describe the purpose of each of them.