Lab Assignment 2: due 10/12 (Monday)

Submission

  1. (Optional) Use scp to download the lab report file at /home/shengbo/it443/lab2.txt

$scp:/home/shengbo/it443/lab2.txt .

  2. Write all the answers in the file, or use your own file (.txt, .doc, .pdf, etc.).
  3. Rename the file to lab2_firstname1_firstname2.txt. E.g., if Alice and Bob form a team, the file name should be lab2_alice_bob.txt
  4. Email the lab report to the TA () and CC the instructor ()
  • Task 1: Password Cracking

As a system administrator, you can test the strength of your users' passwords with a password cracker. "John the Ripper" is one of the most popular ones. The program "john" does not attempt real logins: it generates candidate passwords according to the selected mode, hashes each candidate with the same algorithm and salt recorded in the password file, and reports a hit whenever the result equals a stored hash.

John the Ripper (JtR) is available from the Ubuntu repository (version 1.7.3), but only version 1.7.6 and later support the SHA-512-crypt hashes (the "$6$" entries in /etc/shadow) that Ubuntu 8.10 and later use by default. In this lab, we will install version 1.7.9 from source.

  1. Download the JtR source code

$wget

  2. Unpack and compile the program

$tar -zxvf john-1.7.9.tar.gz

$cd john-1.7.9/src

$make linux-x86-sse2

(On a 64-bit system use the target linux-x86-64; running make with no target prints the list of supported targets.) You should now have "john" in the ../run directory.

  3. Create some user accounts with weak passwords (e.g., with sudo adduser). Write each password down; you will need it for the report.

a)Create an account with a password of 4 digits, e.g., 1357

b)Create an account with a common word (no more than 5 letters) as the password, e.g., apple

c)Create an account with a relevant password. E.g., user ID is jay and the password is jay123, or the registered full name is John Smith and the password is jsmith2000.

d) Create an account with a short but "strong" password (3 characters), e.g., one that mixes an upper-case letter, a digit and a symbol.

  4. Run the cracker

a)Get all the hashed values

On Ubuntu, the password hashes are stored in /etc/shadow rather than /etc/passwd, and /etc/shadow is not readable by normal users. Enter JtR's "run" directory and execute the following command, which merges the two files into the single-file format john expects:

$sudo ./unshadow /etc/passwd /etc/shadow > passwd.txt

b) Prune the file passwd.txt so that it only keeps the lines for the four accounts you just created (in particular, remove the line for your own login name).
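The unshadow step and the pruning step can be seen together in the following added example. It is not from the lab handout or from JtR: it re-implements unshadow's join in awk and filters to the wanted accounts in the same pass. The passwd/shadow contents are constructed, and the "$6$..." strings only imitate the SHA-512-crypt layout; they are not real hashes.

```sh
#!/bin/sh
# Added example (not from the lab handout): what `unshadow` does, re-implemented
# in awk so the join is visible, combined with the pruning of step b).
# The passwd/shadow contents below are constructed; the "$6$..." values only
# imitate the SHA-512-crypt field layout and are not real hashes.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
pin4:x:1001:1001:Pin Four,,,:/home/pin4:/bin/bash
word5:x:1002:1002:Word Five,,,:/home/word5:/bin/bash
jay:x:1003:1003:Jay Smith,,,:/home/jay:/bin/bash
short3:x:1004:1004:Short Three,,,:/home/short3:/bin/bash
EOF

cat > "$workdir/shadow" <<'EOF'
root:*:15600:0:99999:7:::
alice:$6$saltsalt$FAKEHASHalice:15600:0:99999:7:::
pin4:$6$saltsalt$FAKEHASHpin4:15600:0:99999:7:::
word5:$6$saltsalt$FAKEHASHword5:15600:0:99999:7:::
jay:$6$saltsalt$FAKEHASHjay:15600:0:99999:7:::
short3:$6$saltsalt$FAKEHASHshort3:15600:0:99999:7:::
EOF

# unshadow_keep PASSWD SHADOW USER... : print passwd-format lines whose second
# field ("x" in passwd) is replaced by the hash from SHADOW, for the listed
# users only. Field 1 is the login name in both files.
unshadow_keep() {
    passwd=$1; shadow=$2; shift 2
    awk -F: -v OFS=: -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        FNR == NR { hash[$1] = $2; next }        # pass 1 (shadow): name -> hash
        ($1 in want) && ($1 in hash) {           # pass 2 (passwd): selected users
            $2 = hash[$1]; print
        }' "$shadow" "$passwd"
}

# The four lab accounts only; root and the admin's own account are dropped.
unshadow_keep "$workdir/passwd" "$workdir/shadow" pin4 word5 jay short3 \
    > "$workdir/passwd.txt"
cat "$workdir/passwd.txt"
```

The real unshadow keeps every account; the filtering here is what step b) asks you to do by hand. Accounts whose shadow field is "*" or "!" (locked, no password) would be skipped by john anyway.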

c) Normally you would simply execute "./john passwd.txt" to start cracking with the default sequence of modes (do not execute this command at this point).

While john is running, press any key to print its progress (including the time spent so far); press CTRL-C to interrupt it.

To resume cracking after an interruption: $./john --restore

To show the cracked password(s): $./john --show passwd.txt

Here, we’ll try some command options to speed up the process. The online document at may be helpful. (For each of the following steps, if the cracker program has been running for more than 10 minutes, you can abort it and claim that the password cannot be cracked. When the cracker program is running, you can continue to work on the second task.)

1) First try "single crack" mode. It is quick because it only derives candidates from information already present in passwd.txt (the login name and the GECOS full name, with word-mangling rules applied), so it only finds passwords that follow such simple patterns.

$./john --single passwd.txt

If you observe a cracked password, press any key to show status and record the time information.

2) Next, we will try to crack the all-digit password. Open the configuration file john.conf and find the section "[Incremental:Digits]". Set both "MaxLen" and "MinLen" to 4. Then execute the following command, which selects the incremental "digits" mode: the program will try only the 10 digits (0-9), i.e., at most 10^4 = 10,000 candidates of length 4.

$./john -i=digits passwd.txt

You do not have to wait until the program terminates. Once the digit password is cracked, you can record the time spent and then stop the program. Note: this may take some time depending on the password you chose. You can keep reading the rest of the instructions or start Task 2 while the cracking program is running.

3) Another important mode is "wordlist" mode, which launches a dictionary attack. With the -w option (long form --wordlist=FILE) we specify the wordlist the program should use; adding --rules also applies john's word-mangling rules (e.g., appending digits, changing case) to each word. JtR ships a small list of common words ("password.lst") in the run directory. Ubuntu has a longer list at /usr/share/dict/words. Try the following command to see whether it can crack the dictionary-word password you picked.

$./john -w=password.lst passwd.txt

Again, you do not have to wait until the program terminates. Once the word password is cracked, you can record the time spent and stop the program.

4) Finally, let us try to crack the short but "strong" password. Open the configuration file john.conf and find the section "[Incremental:All]". Set both "MaxLen" and "MinLen" to 3. The "All" mode is the default when -i is given without a name; it covers the 95 printable ASCII characters, so length 3 means at most 95^3 = 857,375 candidates, which is why a 3-character password is not strong no matter which characters it uses.

$./john -i passwd.txt
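Both configuration edits (step 2, [Incremental:Digits] to length 4, and step 4, [Incremental:All] to length 3) can be scripted. The following added example is not part of the lab handout or of JtR: it edits only the named section of a constructed john.conf fragment, reads a setting back, and computes how many candidates each bound implies (CharCount ^ length, using the CharCount values that JtR 1.7.9 ships for these two sections).

```sh
#!/bin/sh
# Added example (not from the lab handout): edit MinLen/MaxLen inside one
# [Incremental:...] section of john.conf without touching any other section,
# and compute how many candidates a length bound implies. The john.conf
# fragment below is constructed for the demo; only the "[Section]" header and
# "Key = Value" layout matters, which is how JtR 1.7.9 formats the file.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
conf="$workdir/john.conf"

cat > "$conf" <<'EOF'
[Incremental:All]
File = $JOHN/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95

[Incremental:Digits]
File = $JOHN/digits.chr
MinLen = 1
MaxLen = 8
CharCount = 10
EOF

# set_incremental_len CONF SECTION MIN MAX: rewrite MinLen/MaxLen only while
# inside [Incremental:SECTION]; every other line is copied unchanged.
set_incremental_len() {
    conf=$1; section=$2; min=$3; max=$4
    awk -v sec="[Incremental:$section]" -v min="$min" -v max="$max" '
        /^\[/ { insec = ($0 == sec) }                 # a header starts a new section
        insec && /^MinLen[ \t]*=/ { $0 = "MinLen = " min }
        insec && /^MaxLen[ \t]*=/ { $0 = "MaxLen = " max }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_setting CONF SECTION KEY: print the value of KEY inside [Incremental:SECTION]
get_setting() {
    awk -F'[ \t]*=[ \t]*' -v sec="[Incremental:$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec) }
        insec && $1 == key { print $2; exit }' "$1"
}

# candidates CHARSET LEN: CHARSET^LEN, the number of strings of exactly LEN characters
candidates() {
    n=1; i=0
    while [ "$i" -lt "$2" ]; do n=$((n * $1)); i=$((i + 1)); done
    echo "$n"
}

set_incremental_len "$conf" Digits 4 4    # step 2): only 4-digit PINs
set_incremental_len "$conf" All    3 3    # step 4): only 3-character strings
echo "Digits, length 4: $(candidates "$(get_setting "$conf" Digits CharCount)" 4) candidates"
echo "All,    length 3: $(candidates "$(get_setting "$conf" All CharCount)" 3) candidates"
```

The candidate counts are upper bounds on the work john has to do: the .chr files order candidates by observed frequency, so a common PIN such as 1234 is usually reached long before the 10,000th attempt.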

Questions:

  1. Include a copy of passwd.txt in your report.
  2. List the four accounts you created (user ID and password).
  3. Report which accounts were cracked, in which round, and roughly how much time was spent. (After you observe a cracked password, press any key to show the time information.)
  • Task 2: Implementing Certificates
  1. Becoming a Certificate Authority (CA)

A Certificate Authority (CA) is a trusted entity that issues digital certificates. A digital certificate binds a public key to the subject named in it, and the CA's signature vouches for that binding. A number of commercial CAs are treated as root CAs, e.g., VeriSign, and users who want certificates issued by them have to pay. In this lab we need digital certificates but are not going to pay any commercial CA: we will become a root CA ourselves, and then use this CA to issue certificates to others (e.g., web servers). Unlike other certificates, which are signed by another CA, a root CA's certificate is self-signed. Root CA certificates are usually pre-loaded into operating systems, web browsers, and other software that relies on Public Key Infrastructure (PKI), and they are trusted simply because they are in that store: there is no higher authority against which to check them.

In order to use OpenSSL to create certificates, you have to have a configuration file, which will be used by three OpenSSL commands: ca, req and x509. You can get a copy of the configuration file from /usr/lib/ssl/openssl.cnf. After copying this file into your current directory, you need to create several sub-directories and files as specified in the configuration file (look at the [ CA_default ] section):

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

new_certs_dir = $dir/newcerts # default place for new certs.

database = $dir/index.txt # database index file.

serial = $dir/serial # The current serial number

For the index.txt file, simply create an empty file. For the serial file, put a single number in string form (e.g. 1000) in the file; openssl ca reads it as a hexadecimal number and uses it as the serial number of the next certificate it issues. Now you can create and issue certificates.

As described above, we need to generate a self-signed certificate for our CA. This means that this CA is totally trusted, and its certificate will serve as the root certificate. You can run the following command to generate the self-signed certificate for the CA:

$openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

You will be prompted for information and a password. Do not lose this password, because you will have to type the passphrase each time you want to use this CA to sign certificates for others. You will also be asked to fill in some information, such as the Country Name, Common Name, etc. Note that without a -days option, req -x509 issues a certificate valid for only 30 days; add, e.g., -days 3650 if you want the CA to outlive the lab. The outputs of the command are stored in two files: ca.key and ca.crt. The file ca.key contains the CA's (passphrase-encrypted) private key, while ca.crt contains the public-key certificate.

  2. Create a certificate for it443lab2.com

Now that we are a root CA, we are ready to sign digital certificates for our customers. Our first customer is a company called it443lab2.com. For this company to get a digital certificate from a CA, it needs to go through three steps.

Step 1: Generate a public/private key pair. The company first needs to create its own key pair. We can run the following command to generate an RSA key pair (the file holds the private key, from which the public key is derived). You will be asked for a password to protect the key. The key will be stored in the file server.key:

$openssl genrsa -des3 -out server.key 1024

(1024-bit RSA is what the original lab used; it is considered too weak today, and OpenSSL builds configured with security level 2, as on current Ubuntu, refuse to use it. Use 2048 if your software complains.)

Step 2: Generate a Certificate Signing Request (CSR). Once the company has the key file, it should generate a Certificate Signing Request (CSR). The CSR is sent to the CA, who will issue a certificate for the key (usually after checking that the identity information in the CSR matches the server's true identity). Please use it443lab2.com as the Common Name of the certificate request.

$openssl req -new -key server.key -out server.csr -config openssl.cnf

Step 3: Generate the certificate. The CSR needs the CA's signature to become a certificate. In the real world, the CSR is sent to a trusted CA for signing. In this lab, we will use our own trusted CA to generate the certificate:

$openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

You will be asked for the CA passphrase and then to confirm signing and committing the certificate. Note that the stock configuration sets policy = policy_match, which requires the Country, State and Organization fields of the CSR to be identical to those of the CA certificate; if they differ, openssl ca refuses with a message that the field is different between the CA certificate and the request. Enter the same values in both req commands, or change the policy to policy_anything.
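The three steps above, plus the CA setup, run end to end in the following added example. It is not part of the lab handout: it writes a minimal openssl.cnf inline so the relevant settings can be compared with the stock /usr/lib/ssl/openssl.cnf, and it deviates from the handout for scriptability (private keys left unencrypted with -nodes, subjects given with -subj, an explicit -days for the CA, policy_anything instead of policy_match, 2048-bit keys, and a subjectAltName on the server certificate, which current browsers require). It also prints the facts the report questions ask about and checks the resulting chain and host name with openssl verify and openssl x509 -checkhost.

```sh
#!/bin/sh
# Added example (not part of the lab handout): the Task 2 CA flow run
# non-interactively in a scratch directory with a minimal openssl.cnf.
# Deviations from the handout, for scriptability: unencrypted keys (-nodes),
# -subj instead of prompts, explicit -days for the CA, policy_anything,
# 2048-bit RSA, and a subjectAltName on the leaf certificate.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

# The directories and files that [ CA_default ] points at (names as in the handout)
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts
: > demoCA/index.txt
echo 1000 > demoCA/serial            # openssl ca reads this as a hex number

cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
crl_dir         = $dir/crl
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_ext
unique_subject  = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
subjectAltName   = DNS:it443lab2.com
EOF

# 1. Self-signed root CA certificate (ca.key / ca.crt)
openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -extensions v3_ca \
    -subj "/CN=IT443 Lab Root CA" -keyout ca.key -out ca.crt -config openssl.cnf 2>/dev/null

# 2. Server key pair and CSR for it443lab2.com
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr \
    -subj "/C=US/O=it443lab2/CN=it443lab2.com" -config openssl.cnf

# 3. Sign the CSR with our CA (-batch: no "Sign the certificate?" prompt)
openssl ca -batch -notext -in server.csr -out server.crt \
    -cert ca.crt -keyfile ca.key -config openssl.cnf

# Helpers; each one's exit status or output carries the result.
verify_chain() { openssl verify -CAfile ca.crt server.crt >/dev/null; }          # 0 iff server.crt chains to ca.crt
host_matches() { openssl x509 -noout -in server.crt -checkhost "$1" | grep -q 'does match'; }
cert_serial()  { openssl x509 -noout -serial -in server.crt | sed 's/^serial=//'; }  # hex, as issued
next_serial()  { cat demoCA/serial; }                                              # what the CA will issue next

# The facts the report questions ask about
openssl x509 -noout -in server.crt -text | grep 'Signature Algorithm' | head -n 1
openssl x509 -noout -in server.crt -dates
echo "certificate serial: $(cert_serial)   serial file now: $(next_serial)"
verify_chain && echo "server.crt chains to ca.crt"
host_matches it443lab2.com && echo "name it443lab2.com matches the certificate"
host_matches localhost || echo "name localhost does NOT match (a browser would warn)"
```

The -checkhost lines show what a browser checks beyond the signature: the certificate is valid for it443lab2.com only, so reaching the same server under another name fails the host-name check even though the chain verifies.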

  3. Use certificates for web sites

In this lab, we will explore how public-key certificates are used by web sites to secure web browsing. Let us use it443lab2.com as our domain name. To make our computer recognize this domain name, add the following entry to /etc/hosts; it maps the domain name it443lab2.com to our localhost (i.e., 127.0.0.1):

127.0.0.1 it443lab2.com

Next, let us launch a simple web server with the certificate generated in the previous task. OpenSSL allows us to start a simple HTTPS server using the s_server command:

$cp server.key server.pem

$cat server.crt >> server.pem # Append the certificate after the private key in one file (note >>, not >, which would overwrite the key)

$openssl s_server -cert server.pem -www # Launch the web server using server.pem

By default, the server listens on port 4433; you can change that with the -accept option. Now you can access the server at https://it443lab2.com:4433/. Most likely, you will get an error message from the browser. In Firefox, you will see a message like the following:

"it443lab2.com:4433 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown".

Had this certificate been signed by VeriSign, we would not see such an error message, because VeriSign's root certificate is very likely preloaded into Firefox's certificate store already. Unfortunately, the certificate of it443lab2.com is signed by our own CA (i.e., using ca.crt), and this CA is not recognized by Firefox. We can manually add our CA's certificate to Firefox by clicking the following menu sequence:

Edit -> Preferences -> Advanced -> View Certificates.

You will see a list of certificates that Firefox already accepts. From here, we can "import" our own certificate. Please import ca.crt (the certificate only, never the CA's private key), and select the following option: "Trust this CA to identify web sites". You will see that our CA's certificate is now in Firefox's list of accepted certificates. Now point the browser at the same URL again, and you should be able to access the web page without the error message.

Questions:

  1. Check the certificate file server.crt (e.g., with openssl x509 -in server.crt -noout -text) and answer the following questions

a)What cryptographic algorithm was used to generate the certificate?

b)What’s the valid duration of the certificate?

c)What’s the serial number of the certificate? Does it match the number you put in the file ‘serial’? Check the file ‘serial’ again, describe your observations.

  2. Since it443lab2.com points to the localhost, if we use instead, we will be connecting to the same web server. Please do so, and describe and explain your observations.
  3. Summarize all the files you have generated in this task and describe the purpose of each of them.