LAB 3: Cracking Windows Passwords

 

The purpose of this exercise is to use password cracking tools to identify weak passwords.

 

Materials Needed:

1)      Computer running either Windows or Linux/Unix

2)      Internet connection

3)      SamInside (http://www.insidepro.com/eng/saminside.shtml) and LC4 (http://www.net-security.org/software.php?id=17) software for Windows; John the Ripper for Linux (http://www.openwall.com/john/)

 

PART I: Cracking Passwords

1)      Create several accounts with passwords

        i.      Robot – C3PO

        ii.     Star – WARS

        iii.    ME – 1234

        iv.     YOU – YOU

        v.      Darth – Anakin-Skywalk3r

 

2)      The first step in determining user passwords is acquiring the list of usernames and the corresponding encrypted (hashed) passwords.

 

3)      LC4 (limited version): Once you have obtained the encrypted passwords, you need to decode them into plaintext. [This should only be done with permission!]

·        Install LC4

·        Run LC4 (Start|Programs|LC4) with the evaluation version

        i.      Retrieve from the local machine

        ii.     Select Strong Password Audit

        iii.    Select all Reporting Styles

4)      SAMInside (limited version): Once you have obtained the encrypted passwords, you need to decode them into plaintext. [This should only be done with permission!]

·        Install SAMInside

·        Run SAMInside

·        Click on the “people” icon to import the local users on the machine

·        Click on the “run attack” icon to start the password scan. Note that the boxes next to the usernames become unchecked once the password is discovered

5)      John the Ripper: Once you have obtained the encrypted passwords, you need to decode them into plaintext. [This should only be done with permission!]

·        Install John the Ripper (john.ini must be placed in the /etc directory)

·        Change to the /etc subdirectory (location of the john.ini)

·        Run John the Ripper by giving the command followed by the password file, e.g. # john /etc/passwd [replace with /etc/shadow if the passwords are shadowed]

·        Let the program run for a few minutes; it should crack the shorter/simpler passwords.


PART II: Setting Password Policy (in Windows)

  1. Setting Password Length
    1. Log on as admin
    2. Select Start | Control Panel | Administrative Tools | Local Security Policy
    3. Find Password Policy in Account Policies
    4. What is the minimum password length?
    5. Change the minimum length to 9 and click OK
  2. Password Complexity
    1. Enable Password must meet complexity requirements and click OK
  3. Preventing the Display of Last Logon Name
    1. Find Security Options in Local Policies
    2. Enable Do not display last user name in login screen
  4. Setting Account Lockout Policy
    1. Find Account Lockout Policy in Account Policies
      1. How many invalid logon attempts are permitted?
      2. Change invalid logon attempts to 3.
      3. How long is the account locked out?
      4. Change the time to 20 minutes.
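
As an added example (not part of the original lab handout), the Python script below checks the Part I lab passwords against the Part II policy to show which ones the new settings would have rejected at creation time. It assumes a simplified version of the Windows complexity rule (three of four character categories, plus the account-name check); the function names are made up for this illustration.

```python
import string

# Policy values taken from Part II of this lab.
MIN_LENGTH = 9
MIN_CLASSES = 3  # assumption: simplified Windows rule, 3 of 4 categories

# Lab accounts from Part I as (account name, password).
LAB_ACCOUNTS = [
    ("Robot", "C3PO"),
    ("Star", "WARS"),
    ("ME", "1234"),
    ("YOU", "YOU"),
    ("Darth", "Anakin-Skywalk3r"),
]


def char_classes(password):
    """Count how many of the four basic character categories appear."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ])


def policy_violations(account, password):
    """Return the reasons a password would be rejected (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character categories")
    # Windows skips the account-name check for names under 3 characters.
    if len(account) >= 3 and account.lower() in password.lower():
        reasons.append("contains the account name")
    return reasons


def audit(accounts):
    """Map each account name to its list of policy violations."""
    return {acct: policy_violations(acct, pw) for acct, pw in accounts}


if __name__ == "__main__":
    for acct, reasons in audit(LAB_ACCOUNTS).items():
        status = "REJECTED: " + "; ".join(reasons) if reasons else "accepted"
        print(f"{acct:6} {status}")
```

Only the Darth account's password satisfies the policy; the other four are the short, simple ones the cracking tools in Part I are expected to recover first.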

Post-assignment: Answer the following questions -