Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measure standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network, or application.
In this paper, the learner discusses the John the Ripper tool and its 4 different password cracking modes. Using the Kali Linux operating system and the John the Ripper tool, the learner demonstrates the Single crack mode by creating passwords of different strength levels and cracking them. By analysing the time taken to crack those passwords, the learner aims to gain knowledge about strong and weak passwords along with their characteristics. Finally, the learner discusses the major principles behind password policies to learn about good password construction and password management. Using that knowledge, the learner creates an organizational password policy for “Rythmo Art Gallery”.
Password Security and Use of John the Ripper Tool
1. W.A Neranjan Viduranga COL/A-069224 pg. 7
Password Security and Use of John the Ripper Tool
Course Work Report – Cyber Security
W.A Neranjan Viduranga
Kingston University
Abstract
Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measure standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network or application.
In this course work, the learner discusses the John the Ripper tool and its 4 different password cracking modes. Using the Kali Linux operating system and the John the Ripper tool, the learner demonstrates the Single crack mode by creating passwords of different strength levels and cracking them. By analysing the time taken to crack those passwords, the learner aims to gain knowledge about strong and weak passwords along with their characteristics. Finally, the learner discusses the major principles behind password policies in order to learn about good password construction and password management. Using that knowledge, the learner creates an organizational password policy for “Rythmo Art Gallery”.
Table of Contents
Introduction
Activity 01
  Part “A”
    1] Navigating to the Desktop through the Terminal
    2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”.
    3] Creating five more hashing values using the same command.
    4] Hash values of the created passwords.
    5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool.
    6] Cracked and failed passwords.
    7] Analysis of password strengths and the time taken to crack them
  Part “B”
    1] Creating users.
    2] Contents of “passwd”.
    3] Contents of “shadow”.
    4] Copying the contents of “passwd” and “shadow” in to text files.
    5] Unshadowing the contents in the text files in to “passwords.txt” file.
    6] Cracking the passwords using John the Ripper tool.
    7] Cracked and failed passwords.
    8] Analysis of password strengths and the time taken to crack them
Activity 02
  Part “A” – John the Ripper Tool
    Different cracking modes in John the Ripper tool
  Part “B” – Password policy and principles
    Password Policy for Rythmo Art Gallery
    Principles behind password policy
Conclusion
References
Table of figures
Figure 1 - Navigating to the desktop
Figure 2 - Creating MD5 hash values
Figure 3 - Creating more hash values
Figure 4 - Hash values
Figure 5 - Cracking the MD5 hashes
Figure 6 - Cracked and failed passwords
Figure 7 - Creating users (01)
Figure 8 - Creating users (02)
Figure 9 - Contents of passwd (01)
Figure 10 - Contents of passwd (02)
Figure 11 - Contents of shadow (01)
Figure 12 - Contents of shadow (02)
Figure 13 - Copying passwd and shadow in to a .txt
Figure 14 - Unshadowing
Figure 15 - Password cracking
Figure 16 - Cracked and failed passwords
List of tables
Table 1 - Analysis of password strengths
Table 2 - User details
Table 3 - Analysis of password strengths
Table 4 - Pre-defined incremental modes
Key words
Kali Linux, John the Ripper tool, Hashing, Single crack mode, Word List mode,
Incremental mode, External mode, Password cracking, Password unshadowing,
Password policy, Password principles
Introduction
This course work consists of two main parts (Activities) and four sub parts. The first activity includes,
Part “A”
Part “B”
Part “A” is practical work which consists of creating different passwords with different levels of strength and cracking them using the “Single crack mode” of the John the Ripper tool. Part “B” is also practical work which uses the same single crack mode in the John the Ripper tool but is a bit more advanced than part “A”. At the end of both parts, the learner gives an analysis of password strengths together with the time spent on cracking those passwords.
The second activity also consists of two sub parts named part “A” and “B”. Part “A” of the second activity includes a brief explanation of the John the Ripper tool and its 4 password cracking modes. Part “B” includes a password policy for “Rythmo Art Gallery” created by the learner. Finally, the learner discusses the major principles behind password policies and gives his conclusion about this course work and the knowledge that he gained during it.
Activity 01
Part “A”
1] Navigating to the Desktop through the Terminal
cd Desktop
Figure 1 - Navigating to the desktop
2] Creating a MD5 hash value for “password1” and store it in a file named “md5hash.txt”.
echo -n "password1" | md5sum | tr -d "-" >> md5hash.txt
Figure 2 – Creating MD5 hash values
3] Creating five more hashing values using the same command.
echo -n "river" | md5sum | tr -d "-" >> md5hash.txt
echo -n "bridge" | md5sum | tr -d "-" >> md5hash.txt
echo -n "557" | md5sum | tr -d "-" >> md5hash.txt
echo -n "neranjan123" | md5sum | tr -d "-" >> md5hash.txt
echo -n "WAN@1999lanka" | md5sum | tr -d "-" >> md5hash.txt
Figure 3 – Creating more hash values
4] Hash values of the created passwords.
cat md5hash.txt
Figure 4 - Hash values
5] Cracking the MD5 hashes stored in the md5hash.txt file using John the Ripper tool.
john --format=Raw-MD5 md5hash.txt
Figure 5 - Cracking the MD5 hashes
6] Cracked and failed passwords.
john --show --format=Raw-MD5 md5hash.txt
Figure 6 - Cracked and failed passwords
7] Analysis of password strengths and the time taken to crack them
Table 1 - Analysis of password strengths
| No. | Password | No. of characters | Password strength | Time taken to crack |
|---|---|---|---|---|
| 01 | password1 | 9 (8 lowercase letters and 1 digit) | Low (Over 8 characters but commonly used. Not unique) | Under 5 minutes |
| 02 | river | 5 (5 lowercase letters) | Low (Fewer characters. Not unique) | Under 5 minutes |
| 03 | bridge | 6 (6 lowercase letters) | Low (Fewer characters. Not unique) | Under 5 minutes |
| 04 | 557 | 3 (3 digits) | Low (Fewer characters. Not unique) | Under 7 minutes |
| 05 | neranjan123 | 11 (8 lowercase letters and 3 digits) | Medium (Over 8 characters and has letters plus digits) | Failed to crack (15 minutes time frame) |
| 06 | WAN@1999lanka | 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) | Strong (Unique combination. Not related to the user name) | Failed to crack (15 minutes time frame) |
When John the Ripper was run, there was a total of six hash values (passwords) in the md5hash.txt file. The tool took 5 minutes to crack the first 3 passwords (“river”, “bridge”, “password1”). It then took an additional 2 minutes to crack the fourth password, which was “557”. After that the learner allowed an additional 15 minutes to crack the last 2 passwords (“neranjan123” and “WAN@1999lanka”), but the tool was unable to crack them.
As the fifth password, the learner gave his first name and three numbers (neranjan123) to the system, hoping that the tool (John the Ripper) would be able to crack that password due to its simplicity. But it had a total of 11 characters, and that higher number of character combinations may have caused the tool to fail.
The sixth password (WAN@1999lanka) was a unique password with thirteen characters in a harder-to-guess combination. It was created using numbers, uppercase letters, lowercase letters and symbols in order to avoid cracking. So, the tool failed to crack the last password, as the learner expected.
By looking at those results, the learner came to the conclusion that passwords that are commonly used, have fewer than 8 characters and use a single type of characters (uppercase only, lowercase only) are easy to crack. Even though the 4th password (557) took an additional 2 minutes to crack, it cannot be considered a strong password due to its minimal use of characters.
Part “B”
1] Creating users.
sudo adduser user01
sudo adduser user02
sudo adduser user03
Table 2 - User details

| User name | Password | Full name | Room number | Work phone | Home phone | Other | Info correct (Y/N) |
|---|---|---|---|---|---|---|---|
| user01 | user01 | Default | Default | Default | Default | Default | Yes |
| user02 | neranjan | Default | Default | Default | Default | Default | Yes |
| user03 | WAN@1999lanka | Default | Default | Default | Default | Default | Yes |

Figure 12 - Contents of shadow (02)
4] Copying the contents of “passwd” and “shadow” into text files.
cp /etc/passwd passwd.txt
sudo cp /etc/shadow shadow.txt
Figure 13 - Copying passwd and shadow into .txt files
5] Unshadowing the contents of the text files into the “passwords.txt” file.
sudo chmod 777 shadow.txt
unshadow passwd.txt shadow.txt > passwords.txt
Figure 14 - Unshadowing
Here, the learner had to use an additional command, “sudo chmod 777 shadow.txt”, which changes the file permissions in order to make the shadow.txt file readable.
[Thornsby, J., 2020.]
6] Cracking the passwords using John the Ripper tool.
john --format=sha512crypt passwords.txt
Figure 15 - Password cracking
7] Cracked and failed passwords.
john --show passwords.txt
Figure 16 - Cracked and failed passwords
8] Analysis of password strengths and the time taken to crack them
Table 3 - Analysis of password strengths

| No. | User name | Password | No. of characters | Password strength | Time taken to crack |
|---|---|---|---|---|---|
| 01 | user01 | user01 | 6 (4 lowercase letters and 2 digits) | Low (Usage of user name as the password and lower characters) | One minute |
| 02 | user02 | neranjan | 8 (all lowercase letters) | Medium (Has 8 characters and slightly unique. But contains only lowercases) | Failed to crack (13 minutes time frame) |
| 03 | user03 | WAN@1999lanka | 13 (3 uppercase letters, 1 symbol, 4 digits and 5 lowercase letters) | Strong (Unique combination. Not related to the user name) | Failed to crack (13 minutes time frame) |

When John the Ripper was run, the passwords.txt file contained a total of three passwords. John the Ripper took only one minute to crack the first password, which was “user01”. The learner then gave it another 12 minutes to crack the other passwords, but the tool was unable to do so.
As the second password, the learner gave the system his first name (neranjan), expecting that John the Ripper would be able to crack it because of its simplicity. But it had a total of 8 characters, and that higher number of character combinations may have caused the tool to fail.
The sixth password (WAN@1999lanka) was a unique password with thirteen harder-to-guess character combinations. It was created using numbers, uppercase letters, lowercase letters and symbols in order to avoid cracking. It was successful and shows some of the characteristics that a strong password should have.
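Added example (not part of the original coursework): a defender-side check, in Python, for the weakness that let “user01” fall within a minute. Single crack mode builds its guesses from the login, GECOS and home directory fields of passwd, so the check rejects a proposed password that reduces to one of those words. The passwd lines are constructed, and the “kasun” account is hypothetical, borrowed from the kasun345 example given for Single crack mode.

```python
import re

# Constructed passwd(5) lines. The logins user01/user02 mirror Part B, where the
# GECOS fields were left at their defaults; the "kasun" entry is hypothetical.
SAMPLE_PASSWD = [
    "user01:x:1001:1001:,,,:/home/user01:/bin/bash",
    "user02:x:1002:1002:,,,:/home/user02:/bin/bash",
    "kasun:x:1003:1003:Kasun Perera,12,,:/home/kasun:/bin/bash",
]

TRIM = "0123456789!@#$%^&*._-"  # digits and symbols commonly added at either end


def account_tokens(passwd_line):
    """Lowercase words readable from the login, GECOS and home directory fields."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % passwd_line)
    login, gecos, home = fields[0], fields[4], fields[5]
    words = [login, home.rstrip("/").rsplit("/", 1)[-1]] + re.split(r"[,\s]+", gecos)
    tokens = set()
    for word in words:
        word = word.lower()
        for form in (word, word.strip(TRIM)):  # "user01" also yields "user"
            if len(form) >= 3:
                tokens.add(form)
    return tokens


def account_derived(password, passwd_line):
    """Return the account tokens the password is built from (empty list = none)."""
    tokens = account_tokens(passwd_line)
    pw = password.lower()
    core = pw.strip(TRIM)                      # "kasun345" -> "kasun"
    forms = {pw, core, pw[::-1], core[::-1]}   # as typed, trimmed, and reversed
    half = len(core) // 2
    if half and core[:half] == core[half:]:    # doubled word, e.g. "kasunkasun"
        forms.add(core[:half])
    return sorted(tokens & forms)


def audit(entries):
    """entries: (passwd_line, proposed_password) pairs -> {login: matched tokens}."""
    return {line.split(":", 1)[0]: account_derived(pw, line) for line, pw in entries}


if __name__ == "__main__":
    proposed = ["user01", "neranjan", "kasun345"]
    for login, hits in audit(zip(SAMPLE_PASSWD, proposed)).items():
        print(login, "REJECT (derived from %s)" % ", ".join(hits) if hits else "ok")
```

With the GECOS fields left at their defaults, nothing in user02's passwd entry contains “neranjan”, so account-derived guessing has nothing to work from there. The real Single crack mode applies many more transformations than this check covers.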
Activity 02
Part “A” – John the Ripper Tool
John the Ripper is a password cracking tool that was released to the public in 1996 for UNIX-based systems. It is designed to test the strength of passwords, to brute-force hashed (encrypted) passwords and to crack passwords using dictionary attacks.
There are two main versions of John the Ripper: the General Public Licence (GNU GPL) version and the proprietary (Pro) version. The GNU GPL version is designed for light users such as students, while professionals such as cyber security engineers and penetration testers use the Pro version, which has more advanced features such as multilingual wordlists and 64-bit architecture support.
[Sharma, A., 2020.]
Different cracking modes in John the Ripper tool
1. “Single Crack” mode
Single crack mode is considered the quickest password cracking mode in John the Ripper. It uses information from the “passwd” file, such as login names, GECOS or full name fields and users’ home directory names, to guess passwords. Because it only tries guesses related to that information, this mode is much faster than the other modes. However, to crack a password successfully in this mode, the password must be based on commonly available phrases or on combinations of the user name it relates to, and it must not be an uncommon, strong password. Otherwise cracking will take much longer or fail.
E.g.- admin123 / 1234 / kasun345
[Openwall.com. 2013.]
2. “Wordlist” mode
Wordlist mode is considered the simplest password cracking mode in John the Ripper, because the user only has to specify a wordlist and the password files. (A “wordlist” is a text file that contains a single word per line.) This mode tries each word in the user-specified wordlist against the password files, one after another, until the correct password is found.
In this mode, the user can enable “word mangling rules” to modify or change the combinations of words in the specified wordlist in order to make new passwords. With this feature enabled, users get multiple likely passwords from every line in the wordlist, which increases the chance of cracking a password several times over.
John the Ripper does not sort wordlists itself, because of the large quantity of resources that would need. So every wordlist intended for use with John the Ripper must be sorted beforehand. Users can sort their wordlists with the more likely passwords listed first or in alphabetical order. Alphabetical order of a wordlist allows the tool to crack passwords that are longer than the maximum supported password length for the hash type being cracked.
[Openwall.com. 2013.]
3. “Incremental” mode
Incremental mode is considered the most powerful password cracking mode in John the Ripper. Although this mode can technically try all possible phrases and character combinations as likely passwords, it is assumed that an incremental run will never terminate because of the large number of possible character combinations. For that reason, incremental mode handles trigraph frequencies separately for each character position and each password length, in order to crack as many passwords as possible within a limited time frame. Users can, however, make this mode terminate by setting a low password length limit or giving it a small charset to use.
John the Ripper provides some pre-defined incremental modes: ASCII, LM_ASCII, Alnum, Alpha, LowerNum, UpperNum, LowerSpace, Lower, Upper and Digits. (The table below shows the contents of these pre-defined incremental modes.)
Table 4 - Pre-defined incremental modes

| Pre-defined incremental mode | Contents of the mode |
|---|---|
| ASCII | All of the 95 printable ASCII characters. |
| LM_ASCII | All the ASCII characters that are used in LM hashes. |
| Alnum | All of the alphanumeric characters. |
| Alpha | All of the 52 letters. (Uppercase and lowercase letters) |
| LowerNum | All of the lowercase letters with 0 to 9 digits (Total of 36 characters) |
| UpperNum | All of the uppercase letters with 0 to 9 digits (Total of 36 characters) |
| LowerSpace | All of the lowercase letters with the space. (Total of 27 characters) |
| Lower | All of the lowercase letters. |
| Upper | All of the uppercase letters. |
| Digits | Digits only. |

Apart from using the pre-defined incremental modes, users can supply specific parameters, such as password length limits and a charset, to create a custom incremental mode.
[Openwall.com. 2013.]
4. “External” mode
External mode allows users to write their own rules for generating password guesses. With this mode, users can define their own custom password cracking mode in John the Ripper.
[Clarke, M., 2015.]
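The effect of charset and length on an exhaustive incremental search can be computed directly. This added Python example (not from the original coursework or from John the Ripper) finds the smallest charset from Table 4 that covers each password used in Activity 01 and counts the candidates up to its length; the guess rate of 1,000,000 per second is an assumed round figure, and LM_ASCII is left out.

```python
import string

# Contents of the pre-defined incremental charsets listed in Table 4 (LM_ASCII
# omitted), ordered smallest first so the first match is the tightest fit.
CHARSETS = [
    ("Digits", string.digits),
    ("Lower", string.ascii_lowercase),
    ("Upper", string.ascii_uppercase),
    ("LowerSpace", string.ascii_lowercase + " "),
    ("LowerNum", string.ascii_lowercase + string.digits),
    ("UpperNum", string.ascii_uppercase + string.digits),
    ("Alpha", string.ascii_letters),
    ("Alnum", string.ascii_letters + string.digits),
    ("ASCII", "".join(chr(c) for c in range(32, 127))),  # 95 printable characters
]

# Assumption: a round figure; real rates depend on the hash type and hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def tightest_charset(password):
    """Return (name, size) of the smallest charset containing every character."""
    if not password:
        raise ValueError("empty password")
    for name, chars in CHARSETS:
        if all(ch in chars for ch in password):
            return name, len(chars)
    raise ValueError("password contains characters outside printable ASCII")


def keyspace(charset_size, max_len, min_len=1):
    """Count every candidate of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def exhaustive_bound(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for a search limited to the password's own charset and length."""
    name, size = tightest_charset(password)
    total = keyspace(size, len(password))
    return {"charset": name, "length": len(password),
            "candidates": total, "seconds": total / rate}


if __name__ == "__main__":
    # Passwords taken from Tables 1 and 3 of this page.
    for pw in ["557", "river", "bridge", "user01", "neranjan",
               "password1", "neranjan123", "WAN@1999lanka"]:
        b = exhaustive_bound(pw)
        print("%-14s %-9s len=%-2d candidates=%.3e  worst case=%.3e s"
              % (pw, b["charset"], b["length"], b["candidates"], b["seconds"]))
```

The count is a worst-case bound for exhaustive search only: “password1” has a search space of about 10^14 candidates yet was cracked in minutes because it is a commonly used password, which is why the policy below also bans dictionary words.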
Part “B” – Password policy and principles
Password Policy for Rythmo Art Gallery
1.0] Overview
Information security is one of the major concerns of a modern company. Passwords are the last standing protection against unauthorized access to, and exploitation of, the company's resources. To prevent that, all employees and suppliers of “Rythmo Art Gallery” who have access to the system must take the appropriate actions outlined below.
2.0] Purpose
The main purpose of this password policy is to establish a well-managed, standard password policy in order to ensure the security of the system. This password policy sets a standard for creating strong passwords and changing them frequently.
3.0] Scope
The scope of the password policy of “Rythmo Art Gallery” includes all employees, suppliers and other people who have authorized access to the company’s system, network or any kind of user account that belongs to the company.
4.0] Policy
4.1] General
- All passwords must be changed after 90 days of use.
- Passwords that expired in the last year cannot be reused for the next 2 years.
- Expired passwords can be used again after a 3-year period, but the characters of every such password must be rearranged.
- Passwords, or parts of a password, must not be transmitted through any form of electronic communication media under any circumstances.
- All passwords must conform to the guidelines below.
4.2] Guidelines for password creation
1. A password must include a minimum of 8 characters. 15 characters are recommended.
2. A password must not be the same as the User ID or user name.
3. A password must not use birthdays, addresses or any kind of personal information.
4. A password must not be a dictionary word, common name or proper name.
5. A password must include uppercase letters, lowercase letters, digits and symbols.
6. A password must be changed after 90 days of use.
7. A password should not be identical to previous passwords.
8. Ensure passwords are only reset for authorized users.
9. Do not use personal passwords as work account passwords.
4.3] Guidelines for password protection
1. Do not use any kind of digital or electronic media to store your password without strong encryption.
2. Do not write down your password in a book, on paper or on any kind of surface.
3. Do not share your password with your supervisor, co-workers or other employees.
4. Do not share your password with your family members.
5. Do not talk about your password in front of people.
6. Do not use your password in front of people (in public).
7. Do not enable the “See password” option when you are logging in to the system/account.
8. Do not use the “Remember password” or “Remember me” option in an application.
9. Do not reveal your password on questionnaires or security forms.
10. Do not use your password to log in to other applications that are suspicious.
11. Do not use the same password for different accounts.
12. If someone demands a password, please refer them to this document or the IT department.
Security check-ups may be performed randomly by the information security officer. Users will be informed and required to change their passwords if a password is guessed or cracked during these security check-ups.
4.4] Guidelines for password deletion
All passwords and accounts that are no longer needed must be deleted immediately. When an account is no longer needed:
- Employees should notify their superior officer.
- Suppliers should notify the supply manager.
After that, the supply manager or superior officer should notify the IT department. The information security officer (of the IT department) should delete the password and suspend the user account within the day.
4.5] Guidelines for application development
To ensure the security of the system and information, application developers of the Rythmo Art Gallery must follow the guidelines below.
1. Applications should not show passwords in clear text when logging in to the system.
2. User authentication should be done on an individual basis, not on a group basis.
3. Passwords should not be stored in clear text (in databases). All stored passwords must be encrypted using a strong encryption method.
4. Some sort of role management should be provided.
4.6] Guidelines for remote access
Remote access to the Rythmo Art Gallery must be limited to a small number of authorized employees. Remote access must be controlled by using a Virtual Private Network (VPN), a form of advanced authentication (biometrics), or a combination of both methods.
5.0] Penalties
Employees and suppliers of Rythmo Art Gallery should not violate this policy. Any employee who violates this policy may be subject to disciplinary action or even termination of employment. Suppliers who violate this policy may be subject to termination of the supply contract.
Principles behind password policy
The above password policy (Password policy of Rythmo Art Gallery) is based entirely on the principles below, in order to ensure the security of passwords as well as of the system and information.
A password should be lengthy.
A password should always have at least 8 different characters. Passwords that consist of fewer than 8 characters are easy to crack or guess using John the Ripper or any other kind of password cracking tool. By increasing the number of characters and character combinations in a password, users can reduce the possibility of someone cracking it. Even though 8 characters are safer, 15 characters are recommended in order to increase the security of a password further.
A password should be unique and strange.
Passwords should be as strange as possible to others. A password should not consist of your User ID, user name, nickname, birthday or phone number. People who are familiar with you can easily get this data and use it to break or guess your password. Always use unique and strange combinations, without any common phrases that are easy to guess.
A password should be complex.
A password should always be complex enough that others cannot guess or crack it. This is the principle behind using uppercase letters, lowercase letters, digits and symbols in combination. Passwords made purely of numbers or purely of letters can be easily cracked or guessed. So users should always use at least 3 of those different varieties of characters to construct their passwords. This turns the password into a complex password and increases its security.
Two passwords should not be similar.
When using digital media, the internet or a computer, users are required to have multiple accounts with multiple passwords. It is easy to use the same password across different accounts and platforms, but it is not a good practice. This principle shows that using the same password can easily compromise your security. If someone finds your password, he/she can get access to all of your sensitive data quite easily. But if you use different passwords for different accounts and applications, no one can steal all of your data easily.
A password should be changed regularly.
This is one of the most important principles behind password policies. A good password should be changed regularly. Even if your password is strong and hard to crack, that doesn’t mean it cannot be cracked. The strength of a password slowly decreases the longer it is used. To increase your security, passwords should be changed at least once every three months (90 days).
A system or application should not remember your password.
Almost all modern applications, websites and systems provide an option called “Remember me”. This option stores your user name and password in order to provide a speedy login for users. Most users are willing to use this option because of its convenience. But this practice is very dangerous. Hackers and outsiders can easily see those passwords as long as they have the related viewing software.
[Asunsoft.com. 2019.]
Conclusion
By doing this coursework, the learner has learnt to use the “Kali Linux” operating system as well as the “John the Ripper” tool. This coursework also helped the learner to get a deep understanding of how password cracking works and how to construct stronger passwords in order to ensure the security of a password and of information.
The first part (Activity 01) of this coursework encouraged the learner to do self-study on “Kali Linux” and the “John the Ripper” tool and helped with practical work using the “Single crack” mode of John the Ripper. It showed the strength of different kinds of passwords and the different combinations that can increase or compromise the security of a password.
The second part (Activity 02) of this coursework allowed the learner to explore the technical side of John the Ripper. By doing research, the learner was able to gain knowledge about the different cracking modes of John the Ripper and their uses. Also, in this part, the learner had to create a professional password policy for an organization. By doing that, the learner gained the knowledge to create professional paperwork and policies.
Overall, the learner was able to gain new knowledge about password cracking, password construction, identifying weak or strong passwords and organizational password policies. This new knowledge will be helpful for the learner in his future education and work life.
References
1] Thornsby, J., 2020. Chmod 777: What Does It Really Mean? - Make Tech Easier. [online] Make Tech Easier. Available at: <https://www.maketecheasier.com/file-permissions-what-does-chmod-777-means/> [Accessed 17 December 2020].
2] Sharma, A., 2020. John The Ripper Explained: An Essential Password Cracker For Your Hacker Toolkit. [online] CSO Online. Available at: <https://www.csoonline.com/article/3564153/john-the-ripper-explained-an-essential-password-cracker-for-your-hacker-toolkit.html> [Accessed 16 December 2020].
3] Openwall.com. 2013. John The Ripper - Cracking Modes. [online] Available at: <https://www.openwall.com/john/doc/MODES.shtml> [Accessed 16 December 2020].
4] Clarke, M., 2015. John The Ripper - External Mode - Recover Partially Remembered Password | Jumping Bean - We Build, We Support, We Train. [online] Jumpingbean.co.za. Available at: <https://www.jumpingbean.co.za/blogs/mark/john-the-ripper-partially-remembered-password#:~:text=External%20mode%20allows%20one%20to%20write%20rules%20for%20generating%20password%20guesses.> [Accessed 17 December 2020].
5] Asunsoft.com. 2019. Ten Principles To Set A Secure Computer Password. [online] Available at: <https://www.asunsoft.com/password-management-and-protection/ten-principles-to-set-a-secure-computer-password.html> [Accessed 20 December 2020].