2017-03-25

P6: Cloud Computing of Password Complexity

1 Lab Goals

The purpose of this lab is (i) to get you started with technologies that are used in cracking passwords, but here [in CEG3900] used as a base for cloud computing exercises; (ii) to make several tools, techniques and data structures familiar; (iii) to make these tools invocable via an Android front-end with a cloud back-end; and (iv) to make you aware that a Linux/Windows PC can be used as a stepping stone for a cloud storage back-end.

This is part of a project in CEG 3900. There is nothing illegal or questionable in this project. Lab work such as this is common in security courses; e.g., see these notes from a course at Purdue U. Our focus is not mastery of cracking, but using it as an interesting domain for cloud computing practice.

2 Background

  1. Password Cracking Tools: John, Hashcat, RainbowCrack.
  2. Rainbow Tables
  3. Docker containers
  4. Word Lists and Password strength metrics
  5. Learn to do Read + Write your Dropbox contents.
  6. The details of [most of the] deliverables are being omitted deliberately. Think about which deliverables, included in the report, will make the task description and results an interesting/impressive read for a fellow student (who did not take this course).
  7. Do remember to upload src code (not bundles) and APKs to GitHub.

3 Tasks

3.1 Task: Password Complexity Check with John-the-Ripper

  1. Install JTR as explained in Password Cracking Tools. We wish to use it three ways: (A) entirely in a local Linux setup, (B) JTR running on a cloud computing provider, and (C) via an Android front-end APK to JTR instances running in the cloud.
  2. Suppose we run (on a laptop or in the cloud; choose one) four JTR instances/processes, each on one quarter of the /etc/shadow contents. This file was taken from a 5+ year old Linux machine. Is the elapsed time measurably shorter than for a single JTR instance?
  3. Details of (B): From your Linux laptop, ssh-connect (i) to your cloud computing provider, (ii) initiate these JTR instances, and (iii) retrieve the stdout of these instances onto separate windows. This can be done manually or script driven.
  4. Details of (C): Make an Android APK that is the equivalent of (B).

3.2 Task: Hashcat

  1. Install Hashcat on your laptop.
  2. Switch back to being a normal user. Understand the options and path name arguments in the following command, and prepare their content. Now invoke it and save the results, for at least two values of the -a option. Beware of the CPU time.
    % time hashcat -m 0 -a 0 ~/3900/P6/hashes.txt ~/3900/P6/wordlist.txt
    1. For ~/3900/P6/hashes.txt, use, e.g., this file ./hashes-md5.txt.
    2. For ~/3900/P6/wordlist.txt, use, e.g., ./passwords-johny.txt, which is a copy of /usr/share/john/password.lst
  3. Hashcat has "rules" in /usr/share/hashcat/rules/*. Pick one rule file, of size 500+ bytes, and explain its content.
  4. Make an Android APK that ssh-connects to your laptop and invokes hashcat. An initial settings dialog should let you specify the upload URLs for the hash file and the word list.

3.3 Task: Computing the Rainbow Tables in the Cloud

  1. Enhance this Hashcat-on-Laptop Android APK so that it does the same on a cloud computing provider. Through the Settings tab, provide for the uploads of (i) a hash file and (ii) a word list from URLs.
  2. [Bonus Optional] Hashcat uses the CPU. Do all of the above with its GPU-based counterpart, oclHashcat. Read https://hashcat.net/wiki/doku.php?id=oclhashcat.

3.4 Task: Using Docker for Rainbow Tables

  1. Make a Docker container whose main component is a scalable Rainbow Table Creator, RTC, which depends on the Apache Cassandra database. (Construction of such Docker containers is explained in the lecture notes.)
  2. Install Docker on your laptop. Deploy RTC on your laptop.
  3. Deploy RTC on a cloud computing provider.
  4. Notes on how to build the RTC Docker container: ./Painbow/painbow-cassandra.html

3.5 Task: Enhance Password-Help Task#5 of P5

  1. Enhance the APK of Task 5 of P5. Recall that it is expected to help a non-computer-savvy user with a password choice that she/he is about to deploy. For Task 5 of P5, this was limited to checking whether a (similar) password appears in the public password dumps.
  2. Enhance it to incorporate password strength metrics in a visible way.
  3. Incorporate a password strength estimator in Java. You are welcome to substitute this estimator with another of your choice.
  4. This APK has the goal of educating the non-computer-savvy user about the "quality" of passwords. The details of how you do this are left to you. Perhaps a collection of tutorial web pages? Remember TL;DR. Perhaps let the user choose, say, 5 tentative passwords, and have our APK rank-order them with some linked explanations.
  5. [Bonus Optional] Write a developer's document for the estimator you chose.
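As an added illustration of steps 2 to 4 above (this is not part of the assignment and not the course's code), here is a small strength estimator in Python whose logic the Java version in the APK could mirror: it combines a character-pool entropy estimate with a dump lookup that undoes leet-speak, then rank-orders a user's tentative passwords. The word list, the penalties and the score thresholds are constructed assumptions, not values from the page.

```python
import math
import re
import string

# Constructed stand-in for the public password dumps checked in P5 Task 5; the
# real APK would load a full list such as password.lst.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon",
                    "monkey", "iloveyou"}
# Undo the usual leet substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("@$0345!", "asoeasi")


def normalize(pw):
    """Lower-case, de-leet and drop a trailing digit suffix (e.g. 'Password1')."""
    return pw.lower().translate(LEET).rstrip(string.digits)


def pool_size(pw):
    """Size of the character set the password draws from (the 'complexity' part)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))


def has_sequence(pw, n=3):
    """True if n consecutive characters step by +1 (e.g. 'abc' or '123')."""
    return any(all(ord(pw[i + j + 1]) - ord(pw[i + j]) == 1 for j in range(n - 1))
               for i in range(len(pw) - n + 1))


def estimate(pw):
    """Return (estimated bits of guessing effort, score 0-4, list of explanations)."""
    if not pw:
        return 0.0, 0, ["empty password"]
    bits = len(pw) * math.log2(pool_size(pw))
    reasons = []
    in_dump = normalize(pw) in COMMON_PASSWORDS
    if in_dump:
        # A dictionary hit falls after at most len(list) guesses, whatever its length.
        bits = min(bits, math.log2(len(COMMON_PASSWORDS)))
        reasons.append("appears in public password dumps (after undoing leet-speak)")
    if has_sequence(pw):
        bits -= 8  # assumed penalty: sequences are early in every rule set
        reasons.append("contains a keyboard/alphabet sequence such as 'abc' or '123'")
    if re.search(r"(.)\1\1", pw):
        bits -= 8  # assumed penalty for runs like 'aaa'
        reasons.append("repeats the same character three or more times")
    score = 0 if in_dump else 1 if bits < 28 else 2 if bits < 36 else 3 if bits < 60 else 4
    return bits, score, reasons


def rank(candidates):
    """Order the user's tentative passwords strongest first, as the APK would display."""
    return sorted(candidates, key=lambda pw: (estimate(pw)[1], estimate(pw)[0]), reverse=True)
```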

4 TurnIn

5 End

Copyright © 2017 Dr Prabhaker Mateti • 2017-03-25