Cracking Passwords in Forensic Investigations - Scholarly ...

More documents

Recommendations

Info

were used for cracking, which would not allow the user to select a vulnerable password in the first place. Hence, Klein recommended the pro-active password checker to cover up the security vulnerability in order to make the crackable 24.2% of passwords secure. 3.1.2 An Analysis and Comparison of Clustered Password Crackers Frichot (2004) conducted research and analysis of clustered password cracking software John the Ripper. The main intention of his research was to compare the two software packages John the Ripper and Cisilia, which utilise the Open Mosix and Beowulf styles of parallel computing respectively. However, Frichot was unable to perform a comparison of the two, since he encountered problems using Cisilia. Therefore, he conducted an analysis and highlighted issues in regards to clustered password cracking with the use of John the Ripper. Frichot‟s (2004) background study on passwords and password cracking methods is similar to the ones identified in the literature review in Chapter 2. In order to perform his research, Frichot made use of two clusters of computers. The first cluster consisted of 13 nodes and was set to the Beowulf configuration in order to test John the Ripper. The second cluster consisted of 14 nodes and was set to the OpenMosix configuration for testing Cisilia. Both of these clusters were set up on the Linux platform. For the main experiment, Frichot (2004) created password samples in Microsoft‟s LAN manager (LANMAN) format. The sample passwords consisted of manually created passwords, which were created so as to cover a broad spectrum of password quality. The researcher used Williams‟ (2001) algorithm to determine password quality and created passwords that had quality ratings from 5 to 14 (cited in Frichot, 2004). Frichot performed password cracking tests on both the Beowulf cluster and the OpenMosix cluster. The data he collected for the Beowulf cluster included half the cipher-text password, half the plain-text password, username, a digit representing which half of the password was cracked, and the amount of time it took to crack the password. It was essential to note which half of the password was cracked, since the LANMAN hashing algorithm supports a maximum of seven- 33
character hashing. Thus, for passwords longer than seven characters, LANMAN divides them into separate blocks of seven characters and then hashes them individually. The resulting LANMAN hash for such a password would be all of these individual hashes appended together. The data collected for the OpenMosix cluster included the time taken to crack the password, the username, and the plaintext (i.e. cracked) password. Frichot performed two tests for each of the clusters to measure the reliability of the tools. To ensure comparability of the two clustered password crackers and to complete the work on time, the researcher performed the experiment for a maximum of three days. After the experiment was performed, Frichot (2004) collected the results. He found Cisilia‟s results to be inconsistent and unstable; thus, he discarded Cisilia‟s results and was unable to compare them with John the Ripper‟s. John the Ripper provided more consistent results. Hence, Frichot instead analysed the results for John the Ripper and highlighted issues with regards to clustered password cracking by the use of John the Ripper. According to his results, John the Ripper cracked 34 password hashes in the first 24 hours. In the next two days, John the Ripper cracked four more password hashes, resulting in a total of 38 cracked passwords in three days. According to the analysis of the results, 12 passwords were completely cracked (i.e., both separate LANMAN hashes for the passwords were completely cracked). Also, 27 passwords were half-cracked with only the first seven characters of the password cracked. The remainder of 11 passwords were not cracked at all. Frichot (2004) compared the relative strength of the password and the time it took to crack. The password strength vs. time comparison showed no relation as most of the easy and hard passwords were cracked within the first few hours of the first day itself. Two medium-strength passwords were cracked on the second day. The reason given by the researcher for such results was that LANMAN supported seven characters for hashing. Thus, it was easy to crack two separate hashes. Frichot also observed that the passwords that took longer than a day to crack contained special characters in them. He further observed that there were probable issues with regards to inconsistent truncating and padding of passwords either by the LANMAN algorithm or by John the Ripper. 34
Page 1 and 2: Cracking Passwords in Forensic Inve
Page 3 and 4: iii Acknowledgements This thesis wa
Page 5 and 6: v Abstract Digital Forensic Investi
Page 7 and 8: vii Table of Contents Declaration .
Page 9 and 10: ix Chapter 4 - Research Findings 4.
Page 11 and 12: xi List of Tables Table 2.1: The Mo
Page 13 and 14: xiii List of Abbreviations AMD Adva
Page 15 and 16: 1.1 PROBLEMS FOR DIGITAL FORENSIC I
Page 17 and 18: approach improves the password crac
Page 19 and 20: technologies, there exist challenge
Page 21 and 22: 2.1 PASSWORDS AND PASSWORD RECOVERY
Page 23 and 24: 2.1.2 Unix/Linux MD5 Password Schem
Page 25 and 26: encrypting the information within s
Page 27 and 28: iii) If possible, create a custom d
Page 29 and 30: Since all possible permutations and
Page 31 and 32: L0phtCrack 6 supports the retrieval
Page 33 and 34: i) Decryption attack: As discussed
Page 35 and 36: Full cost refers to the total amoun
Page 37 and 38: As shown in Table 2.3, a password w
Page 39 and 40: 5) Weir, Aggarwal, Medeiros, and Gl
Page 41 and 42: the speed of cracking and the attac
Page 43 and 44: is inevitable) but rather the optim
Page 45: Klein (1990) addressed the most com
Page 49 and 50: experiments were conducted by gener
Page 51 and 52: obtained via phishing attacks on th
Page 53 and 54: Bengtsson (2007) outlined a literat
Page 55 and 56: applications whose passwords need t
Page 57 and 58: equired for computing and testing.
Page 59 and 60: 3.2.3 The Research Questions and Hy
Page 61 and 62: main experiment, which is the next
Page 63 and 64: 12,500 x 8 = 100,000 passwords/seco
Page 65 and 66: 3.3.5 Data Map Figure 3.2: Research
Page 67 and 68: 4.0 INTRODUCTION Chapter 4 Research
Page 69 and 70: 4.1.2 Time Budgeting The time budge
Page 71 and 72: Another computer with the same conf
Page 73 and 74: minutes, and 24.8 days respectively
Page 75 and 76: vishal@vishal-desktop:~$ sudo addus
Page 77 and 78: Table 4.4: Monitoring/action-perfor
Page 79 and 80: 4.3 ANALYSIS OF DATA The experiment
Page 81 and 82: Table 4.6: First 10 accounts’ pas
Page 83 and 84: DD:HH:MM:SS format, similar to the
Page 85 and 86: 4.4 PRESENTATION OF DATA FINDING Af
Page 87 and 88: Figure 4.8 shows the time taken for
Page 89 and 90: Figure 4.11 displays the comparison
Page 91 and 92: 5.0 INTRODUCTION Chapter 5 Research
Page 93 and 94: Thus, the simulation mirrored the f
Page 95 and 96: Table 5.1: Testing hypothesis H0 Hy
Page 97 and 98:
Table 5.3: Testing hypothesis H2 Hy
Page 99 and 100:
Q3: What are the guidelines for bes
Page 101 and 102:
Since the passwords were arranged i
Page 103 and 104:
Analysis (see Section 3.2.3). All f
Page 105 and 106:
information for forensic investigat
Page 107 and 108:
5.3.1.2 Second Step - Find Password
Page 109 and 110:
Therefore, T (in seconds) = 12,500,
Page 111 and 112:
6.0 RESEARCH SUMMARY Chapter 6 Conc
Page 113 and 114:
udgets, the passwords were added to
Page 115 and 116:
SECONDARY RESEARCH QUESTION 3: What
Page 117 and 118:
overcome the security barriers of p
Page 119 and 120:
Clayton, R., & Bond, M. (2003). Exp
Page 121 and 122:
Openwall Project. (2010). John the
Page 123 and 124:
APPENDIX 1: Time Budget Calculation
Page 125 and 126:
51 Bas -2-38 TOTAL TIME REQUIRED FO
Page 127 and 128:
96 Bas -2-27 97 Bas -2-28 98 Bas -2
Page 129 and 130:
140 Adv -1-26 141 Bas -3-07 142 Adv
Page 131 and 132:
182 Adv -1-21 183 Adv -1-22 Diction
Page 133 and 134:
main12:$1$CSD0Tppt$0gO4c883evmn9sQR
Page 135 and 136:
main41.txt: main41:$1$B43.jKTn$5EPi
Page 137 and 138:
main70.txt: main70:$1$7kHK0PnH$yJ5x
Page 139 and 140:
main99:$1$UQiTB..u$SJUkwarkM1kzvnvt
Page 141 and 142:
main128.txt: main128:$1$n7OEbAyB$d6
Page 143 and 144:
main157.txt: main157:$1$VRmaYxPu$Iy
Page 145 and 146:
main186:$1$HFNaeUkb$t1lZ5QcrH9iy8G/
Page 147 and 148:
SHA 1: a168282ad70a94fbb8d5917f3505
Page 149 and 150:
C:\Main Test\MainTest-passwdFiles\B
Page 151 and 152:
Job Started: 7/13/10 8:49:24 File M
Page 153 and 154:
File Modified: 7/13/10 6:58:08 SHA
Page 155 and 156:
File Version: Unknown Job Started:
Page 157 and 158:
SHA 1: b95b12e95c70b66df01af148502e
Page 159 and 160:
File Size: 60 File Version: Unknown
Page 161 and 162:
Job Status: Finished on 7/13/10 8:5
Page 163 and 164:
Identified Type: *nix passwd File S
Page 165 and 166:
Password Type: Password Where Found
Page 167 and 168:
Job Status: Finished on 7/13/10 10:
Page 169 and 170:
Page 171 and 172:
MD5: df7c66c8b6b8528176d42314926021
Page 173 and 174:
Result: trapezoidal@ Description: U
Page 175 and 176:
Where Found: (ADV-1-20) Dictionary
Page 177 and 178:
Password Type: Password Where Found
Page 179 and 180:
Where Found: (BAS-3-04) Dictionary
Page 181 and 182:
Commonly Registered Type: crypt use
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Where Found: --- C:\Main Test\MainT
Page 189 and 190:
MD5: 17632fca93fa27bb8d0a89c80a2ba9
Page 191 and 192:
Description: Unknown Password Type:
Page 193 and 194:
Page 195 and 196:
File Version: Unknown Job Started:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
APPENDIX 4: Time Analysis for all B
Page 203 and 204:
main60 main61 main62 main63 main64
Page 205 and 206:
main127 main128 main129 main130 mai
Page 207:
main192 main193 main194 main195 mai
show all

Cracking Passwords in Forensic Investigations - Scholarly ...

Create successful ePaper yourself

Delete template?

Save as template?