CYB 610 Project 1 Workspace Exercise

Transcription

1 CYB 610 Project 1 Workspace Exercise I. Project Overview Your deliverables for Project 1 are described below. You will submit your work at the end of Step 6 of Project 1 in your ELM classroom. 1. Non-Technical Presentation 2. Technical Report 3. Executive Summary 4. A Word document that demonstrates that you performed the lab. Description of deliverables for Project 1: 1. Non-Technical Presentation: This is a 8-10 slides presentation in the form of PowerPoint slides for business executives and Board members You will learn more about this as you work through Step 5: The Non-Technical Presentation. 2. Technical Report: Your report should be 6-7 pages double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations. You will learn more about this as you work through Step 6: The Technical Report and Executive Summary. This report should also include your tool comparisons, recommendations and countermeasures. You will learn more about this as you work through Step 4: Comparing Software. 3. Executive Summary: Produce a 2-3 pages double-spaced Word document. You will learn more about this as you work through Step 6: The Technical Report and Executive Summary 4. A Word document that demonstrates that you performed the lab: Share your lab experience and provide screen prints to demonstrate that you performed the lab. Note: Deliverable Submission Reminders: 1

2 At the end of Step 6 in your ELM classroom, you will be provided with a place to submit your deliverables. After your deliverables meet all the stated criteria and you have completed all the ELM classroom steps, upload your deliverables to the assignment folder. You must check the file(s) right after submission to make sure the right file(s) are submitted. II. Password Cracking Lab (Cain and Abel & Ophcrack) a. Assignment Rules: Each student has to do the lab individually. Document your lab results/experience and include screen prints. b. Assignment Objectives: Become acquainted with password cracking tools Use manuals and general guidance to test user password strength. Identify password vulnerabilities. Recover passwords on a specific machine. Perform password-cracking exercise. Record weak passwords discovered and strong passwords that could not be cracked. c. Competencies: authentication analysis, password security d. Lab Overview: The hands-on exercises for this lab will help you understand password cracking concepts. As you perform this lab, you will reinforce the concepts you learn in Step 2: Threats, especially the concepts regarding the importance of using strong passwords. You will experiment using password-cracking tools and perform product comparison as specify in Step 4: Comparing Software. In this lab you will try to crack the password of existing users that are in the same system you are in. In other words, you will be taking advantage of your administrative access to the system, in order to retrieve the account passwords. You will be using two password cracking tools: Cain and Abel and Ophcrack. You will learn more about this in the Lab Instructions section of this document. You will use the UMUC Virtual lab environment to access the password cracking tools. These lab environment has 4 VMs (Virtual Machines) available. Two of the machines 2

3 run Linux OS, and two run Windows OS as follows: VM1= Linux = NIXATK01 VM2= Linux = NIXTGT01 VM3= Windows = WINATK01 (Use this system to run the password cracking tools for this project --- Cain and Abel & Ophcrack) VM4= Windows = WINTGT01 The instructions to connect to the UMUC virtual lab are provided in Appendix B of this document. Keep in mind that these instructions are generic instructions depicting the lab environment needed for several CYB courses. The student login for all VMs is the same: User: StudentFirst and Password: Cyb3rl@b. To get started, proceed to Lab Instructions. If you have problems accessing this UMUC virtual lab or any of the VM systems, contact lab support via the CLAB 699 (Cyber Computing lab assistance). e. Lab Instructions: 1) Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open source links that help you understand password cracking tools. Take the time to visit the websites and videos to learn more about the functionality and usage of Cain and Abel and L0phtcrack. Keep in mind that links to other open source tools are provided for your information, however, not all of them are installed in the VMs of the UMUC Virtual lab. For this exercise, you are only required to use Cain and Abel and Ophcrack which are password cracking tools already installed in the VM WINATCK01 system of the UMUC Lab Environment. 2) You will also be provided with a list of user accounts. Some of these passwords will be simple and easy to crack. Some will be complex, which are difficult for password crackers to solve. Some accounts might have strong passwords and take a very long time to recover. You should indicate the amount of time it took for each tool to determine the password of an account. NOTE: do not go more than an hour in attempting the recovery of any account s password; simply indicate the tool and that it was taking over an hour for a specified username to recover the password. If the tool indicates how long it might take, make a note of it and documented in your deliverables. 3) Connect to the lab environment: Enter Workspace (link located in the Step 3: Password Cracking Tools). Connect to the UMUC virtual lab using the instructions 3

4 provided in Appendix B. 4) The desktop of the VM WINATK01 contains a folder for CYB610. In this folder, you will find access (i.e. icons, shortcuts, links) to the various tools and files you need to perform this lab and all the labs for this course. Contact lab support CLAB 699 if you experience difficulties. 5) Follow the instructions for Cain and Abel provided in section I of Appendix A. 6) After you finish using the Cain and Abel tool, follow the instructions for Ophcrack provided in section II of Appendix A. 7) As you experiment with these password cracking tools, read the questions below as they will help you think of concepts related to this type of tool evaluation. Which tool, on which operating system was able to recover passwords the quickest? Provide examples of the timing by your experimental observations. Which tool(s) provided estimates of how long it might take to crack the passwords? What was the longest amount of time it reported, and for which username? Compare the amount of time it took for three passwords that you were able to recover. Compare the complexity of the passwords for those discussed in the last question. What can you say about recovery time relevant to complexity of these specific accounts? What are the 4 types of character sets generally discussed when forming strong passwords? How many of the 4 sets should you use, as a minimum? What general rules are typically stated for minimum password length? How often should password policies require users to change their passwords? Discuss the pros and cons of using the same username accounts and passwords on multiple machines. 4

5 What are the ethical issues of using password cracker and recovery tools? Are there any limitations, policies or regulations in their use on local machines? Home networks? Small business local networks? Intranets? Internets? Where might customer data be stored? If you were using these tools for approved penetration testing, how might you get the sponsor to provide guidance and limitations to your test team? Discuss any legal issues in using these tools on home networks in States, which have anti-wiretap communications regulations. Who has to know about the tools being used in your household? 8) Compile your findings and incorporate what you have learned in your deliverables for this Project. III. Lab Resources Student login for all the VM machines provided in the UMUC Virtual lab. User: StudentFirst Pass: Password storage and hashing Cain and Abel (Windows) John the Ripper (Windows, Linux, Apple OS) Hydra (Windows, Linux, Apple OS) Ophcrack (Windows, Linux, Apple OS) L0phtCrack Dumping passwords 5

6 Application websites Cain and Abel (Windows) John the Ripper (Windows, Linux, Apple OS) Hydra (Windows, Linux, Apple OS) Ophcrack (Windows, Linux, Apple OS) L0phtCrack Application documentation Cain and Abel (Windows) (see the section on Password Cracking) John the Ripper (Windows, Linux, Apple OS) Hydra (Windows, Linux, Apple OS) Ophcrack (Windows, Linux, Apple OS) L0phtCrack Application videos online Cain and Abel (Windows) John the Ripper (Windows, Linux, Apple OS) Hydra (Windows, Linux, Apple OS) Ophcrack (Windows, Linux, Apple OS) L0phtCrack 6

7 APPENDIX A (Return to Lab Instructions) I. Password Cracking Using Cain and Abel Cain and Able is a software application that is used in password cracking. You will experience how it is done first hand by using this tool called Cain and Abel. You will recover the passwords for the given user accounts on the VM machine you will use. You will also note the limitations to cracking passwords, i.e. not being able to recover a password in a reasonable amount of time if it is a "strong password". 1) BACKGROUND INFORMATION 1) About Cain and Abel Cain and Abel is a powerful tool for system administrators, network administrators, and security professionals. Its web site states that it is password recovery tool for Microsoft Operating Systems. There is also a version that can be installed on Linux-based systems. In order to release the full functionality of the Cain and Abel package on MS-Windows operating systems, Win PCAP must be installed in order to provide network packet captures (Win PCAP and Can and Abel are already installed on your school VM machine). Through Win PCAP, Cain and Abel has the ability to crack encrypted passwords using Brute Force, Dictionary, or Cryptanalysis (via rainbow tables ). The sniffer (captures and analyzes network traffic) in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms, including Kerberos. In addition to this, Cain and Abel can be used to recover wireless passwords, uncover cached passwords, and analyze routing protocols. It can also attempt to crack the passwords stored in operating system account login reference authentication files. 2) About the Algorithms There are two authentication protocols used to store passwords depending on which version of Windows is being run. The two are LM and NTLM LM The LM, sometimes referred to as LanMan or the LAN Manager hash, is the primary authentication protocol that Microsoft employed in Windows versions prior to Windows NT; it is used to store user passwords in an encrypted format on the disk. In order to transform a user's password to the LM hash, the password is first converted to all uppercase letters. If the password is greater than 14 bytes (14 characters) any character after the 14th is truncated; likewise, if the password is less than 14 bytes, it is null-padded to be 14 bytes exactly. The password is then split into two, 7-byte halves. A null bit is inserted at the beginning of each half. The halves are then used as keys to DES 7

8 encrypt the constant ASCII string The concatenation of the two output values forms a 16-byte value, which is the LM Hash This algorithm is weak via its implementation. The maximum possible combination of values (key space) is restricted since it only uses uppercase character values in the ASCII character set. Additionally, since the algorithm breaks down the password into two separate pieces, each component can be attacked individually, allowing for a maximum possible password combination of 69 possible values to the power of 7 (69^7). NT LAN Manager NTLM, also known as NT LAN Manager, was first introduced in Microsoft Windows NT 3.1 to address the security weaknesses inherent in LM encryption. The NTLM algorithm is much stronger than the LM authentication protocol for several reasons: 1) NTLM passwords are based on Unicode, increasing the amount of possible characters that can be used 2) NTLM passwords are case sensitive and 3) NTLM passwords can be up to 128 characters long. All of these reasons imply that there is a much bigger keyspace, which would require for more time to analyze. 2) USER ACCOUNTS There are a number of accounts already installed on all of the MS-Windows and Linux Virtual Machines (VMs) provided in the UMUC lab. Each machine has the same user accounts and passwords for those accounts. Each account has a unique password. The accounts are: Xavier Wolverine Shield EarthBase dbmsadmin Kirk Mouse Rudolph Snoopy Spock Apollo Chekov Batman 3) USING CAIN AND ABEL (Step by Step Instructions) On the desktop of the VM WINATK01 CYB 610 Folder locate and launch Cain. If the icon is not found, open the Start Menu, display All Program, locate Cain and launch Cain. (Note: a barebones user s manual of the program is found at: ). You ought to maximum the window. 1. Click the Cracker tab. 8

9 2. In the left window, click on LM & NTLM Hashes. Recall that these are the two authentication protocols described earlier. 3. Click on the plus sign which add to the list and the Next button. All of the user accounts on the machine should populate the right window. 4. Right click on the first account of the provided list (section II above). Attempt to discover the password via Brute Force. For this, attempt to apply Brute Force using the NTLM Hash. Click the Start button. Note the Time Left. Stop after a few minutes. Click Exit. 5. Next, perform a dictionary attack against the user accounts. Right click on the first account again and select Dictionary Attack using the NTLM Hash. 6. Click the Start button. Again note the results. 7. Repeat this procedure for the other accounts in the list. Note: When performing a subsequent dictionary attack, you may need to right click the wordlist and reset the file position to the initial position. 8. When done, close the Cain and Abel application II. Password Cracking Using Ophcrack (Return to Lab Instructions) After working with Cain and Abel, you have now learned/re-enforced password cracking concepts (e.g. hash, attacks such as bruteforce, dictionary, rainbowtables, etc) that help you apply these concepts to other password cracking tools such as Ophcrack. You will use the same accounts you used in Cain and Abel. Xavier Wolverine Shield EarthBase dbmsadmin Kirk Mouse Rudolph Snoopy Spock Apollo Chekov 9

10 Batman USING Ophcrack (Step by Step Instructions) 1) On the desktop of the VM WINATCK01 CYB 610 Folder locate and launch Ophcrack. 2) Load the user accounts. Select the Local SAM with samdump2 as shown in screenshots below. 3) Click on the Crack icon to initiate password cracking. Note results. 4) Learn more about the usage of this product via the open source links provided in the Lab Resources 10

11 The Workspace APPENDIX B (Return to Lab Instructions) Connect to UMUC Virtual Lab Instructions Navigating the CYB610 Workspace and Lab Setup The workspace is your personal Virtual Machine (VM) that has the necessary software preinstalled for you to complete your projects. These pre-installed software packages include the Microsoft Office suite and any other software required to link your VM to the Lab Setup in the Case of CYB610. Note: It is recommended that you use Google Chrome to access the workspace for better performance. Once you gain access to your Workspace from the link provided in the classroom, you will be taken to a Windows 7 desktop as shown on the screenshot below. 2

12 Your workspace is dedicated to you and can be used save your documents that you create directly form it or documents that you move from the other virtual Machines that make up your Lab setup. The Lab Setup This lab setup is comprised of four networked virtual machines. The four virtual machines are configured as follows: A Windows Attacker VM, WINATK01, configured with software tools needed to complete your lab exercises. A Windows Target VM, WNTGT01, configured to be used as a Windows computer that you will be lunching attacks against A Linux Attacker VM, NIXATK01, configured with software tools needed to complete your labs exercises 3

13 A Linux Target VM, NIXTGT01, configure to be used as a Linux computer that you will be lunching attacks against The four VMs are networked to allow communication in every direction. Accessing the lab VMs Ideally, you would only need to access the Windows and Linux Attacker VMs to perform the required tasks related to the labs. As such, the Microsoft Remote Desktop Connection client and NoMachine have been made available for you to access Windows VMs and Linux VMs respectively (RDC for Windows VMs and NoMachine for Linux VMs). 4

14 Connecting to the Windows Attacker VM Use the Microsoft Remote Desktop Client from the Workspace to access the Windows Attacker VM. Please follow these steps: 1. Open "Start Menu" in workspace. 2. Open "All Programs." 3. Verify that "RDC" is present. 4. Open RDC and connect to lab.daas.umuc.edu (this will connect you to WINATK01) 5

15 Note: As you connect to your Windows VMs, you might need to adjust your screen resolution to best fit the size or space available on your computer screen based on your local screen resolution. To adjust your screen resolution, please follow these steps: 1. Click on Show Options on the Remote Desktop Connection window 2. Click on the Display tab 3. Setup the resolution that better fits you display as shown below () 6

16 Provide the credentials necessary to connect to your Windows Attacker VM, WINATK01. o Username: StudentFirst o Password: Cyb3rl@b 7

17 After providing the credentials, Click yes to continue A successful login to the WINATK01 VM takes you to the desktop of the VM. 8

18 Please notice the second desktop and the VM information for the instance of the WINATK01 VM that you have been connected to. Note: Do not close the Attacker Windows VM while you are actively working on you lab. If you close this remote desktop window before obtaining all the information that you need, we will have to start over. From this point, use the lab instructions provided in the classroom to start Connecting to the Linux Attacker VM To connect to Linux VMs in from the workspace, an application named NoMachine has been made available to you. Please do the following to connect to your Linux Attacker VM: 1. Open "Start Menu" in workspace. 2. Open "All Programs." 3. Verify that "NOMACHINE" is present. 9

19 4. Open NOMACHINE and connect to lab.daas.umuc.edu (this will connect you to NIXATK01) Note: When connecting to the Linux Attacker VM from the Workspace, please make sure that you are not also connected to the Windows Attacker VM at that moment as concurrent connections to both Attacker VMs is not currently allowed. Once NoMachine has been launched, please use lab.daas.umuc.edu to connect to the Linux Attacker VM, NIXATK01. Click on the green plus sign to create the connection to lab.daas.umuc.edu. Click Connect to establish the connection 10

20 If prompted with the following screen, please click yes to continue Next, you ll be prompted to provide the credentials required to access the Virtual Machine. Please provide the following for your Linux Attacker virtual machine: 11

21 o o Username: StudentFirst Password: Cyb3rl@b 12

22 Note: Linux is a case sensitive OS. As a result, please make sure that the credentials are typed as displayed above. After typing in the Username and Password, click OK to continue Note: Depending on your screen size and screen resolution, you might need to adjust the resolution within NoMachine for the VM that you will be connecting to. The next two screenshots show you were to go to adjust the screen resolution for the Linux VM that you are connecting to. Adjust the screen resolution using the menu items highlighted below 13

23 14

24 Once connected to the Linux Attacker VM, you will be presented with the following screen: Once on the above screen, press the space key on your keyboard to be prompted for the user and password required to access the VM. o Username: StudentFirst o Password: Cyb3rl@b 15

25 A successful login to the Linux attacker VM will take you to the Desktop as displayed below. At this point, please locate the application or tool that you need to use to complete your lab exercise. You may use the search feature to locate an application if it is not listed as in the screenshot below. 16

26 Finding the IP Addresses of your Four VMs A quick way among others of finding the IP address of any of the four VMs is to ping the host name of the VM at the command prompt on the Windows Attacker VM or in Terminal on the Linux Attacker VM. The following screenshot shows examples of pings of the hosts names provided for this lab and the IP addresses of all four lab VMS returned by these pings. 17

27 Accessing the Target VMs from the Attacker VMs At times, you might need to access the target VMs, depending on the exercise you are working on, to verify certain outcomes. The following describes how this can be accomplished. 18

28 Note: Windows Target VMs can be accessed from Windows Attacker VMs using the Microsoft Remote Desktop Connection client installed on the Windows Attacker VM. Note: Linux Target VMs can be accessed from the Linux Attacker VMs using NoMachine installed on the Linux attacker VM. Accessing a Linux Target VM from a Windows VM From your Windows Attacker VMs, use NoMachine to access a Linux Target VM as shown in the picture below. Note: Please follow the steps used to connect to the Linux Attacker VM using NoMachine from the Workspace to connect to the Linux Target VM from the Windows Attacker VM. 19

29 Accessing a Windows Target VM from a Linux VM From your Linux Attacker VMs, use Remote Desktop Viewer to access a Windows Target VM. Use the IP address or the hostname of the Target VM to establish a connection to it. 20

30 21