Information Assurance - F18

CSE 365

Assignment 4

Assignment 4 is due 11/12/18 on or before 11:59:59pm MST.

Part 1 — Bandit (20 points)

For a future homework assignment you will be hacking on a Linux server. The goal of this assignment is to familiarize yourself with accessing a Linux environment via SSH, along with developing skills on command line interaction and wargames.

First, register for a wechall account. You will need to submit your wechall username so that we can track your progress on the levels. After registering, you will need to link OverTheWire.org to your wechall account by doing the following:

  1. Click “Account” on the top of wechall.net
  2. Click on the “Linked Sites” button
  3. On the “Select a site” dropdown, select “OverTheWire.org”
  4. Then click the “Link Site” button

Now, OverTheWire.org should show up in your list of linked sites, and we will be able to track your progress on Bandit from your user profile.

Then, the goal is to solve the 10 levels (in other words reach level 11) on the overthewire.org Bandit challenges.

Before you start, be sure to read how to register your bandit progress with wechall and do so. This way, your bandit progress will be captured on wechall, which we will use to grade your progress.

Also, keep track in your README how you solved each level.

Note that Bandit is an open system, and the goal of this assignment is to practice and develop your own skills, so be honorable and do not read walkthroughs.

Submission Instructions

You will need to submit a README. Your README file should contain your name, ASU ID, wechall username, and a description of how you broke each level.

Crack That Pass (80 points total)

For this part of the assignment, we’re going to explore what happens when password hashes are released. There will be four challenges (parts 2–5 in the overall assignment) that will involve discovering a password. You are free to use any resource or program to help you solve this challenge, except for each other. Open source software such as John the Ripper, or any other password cracking software, is allowed.

You can find your hashes on the submission website.

Part 2 — MD5 (20 points)

This is a standard MD5 hash.

As a check adam hashes to 1d7c2923c1684726dc23d2901c4d8157 and ASU hashes to b62ba115efc8e9dc0509fc81d2b3facd.

Part 3 — SHA256 (20 points)

This is a standard SHA256 hash.

As a check adam hashes to f7f376a1fcd0d0e11a10ed1b6577c99784d3a6bbe669b1d13fae43eb64634f6e and ASU hashes to 23ae442892c1b454376f6d471534a59d49000da0c80ae5ff92b51f6238ab57f4.

Part 4 — bcrypt (20 points)

This is a standard bcrypt hash (note that bcrypt hashes include a salt).

As a check adam can hash to $2b$12$mvHp.XDphRCOcU/.0VGavOf3LRA3IEbVS86QfON0.bHVKm1JXc/cm or $2b$12$y4UmhMIJtbsl91IHxZBGDe6bM0oE2swTwzcl/Jhz4NY6qpgjTbxLu and ASU can hash to $2b$12$KKa3GLQzwS4/t2pE7/WbA.2DYZpf43145XOt1UYJOwS3LXbVAqnQO and $2b$12$pFiuYaIdKesghda9pOnvSOyw9WgRDwE2/iRFdrrO4.u9s8umAAMzy.

Part 5 — custom (20 points)

This is a custom hash function.

First, you take the input to hash and run it through MD5 1000 times (feeding the output of MD5, as a hex string, into the next). Then, you run that result 1000 times through SHA256. Then, you run that result 1000 times through SHA512.

In mathematical notation, something like:

SHA512( SHA512( ... SHA256( SHA256( ... MD5( MD5( ... MD5( "string" ) ... ) ) ... ) ) ... ) )

As a check adam hashes to d99f2d9017739aee0c12ac7812b748c7e67c7165a008310f659ae790df048299196fbab9ffc722000fdcd69c02b6b2f864349539152f651fa65850ab20039032, ASU hashes to e8a981bb2a89d7c0e2b8c85f7b9c499b4bd7e3cecc3e7543e211c7d6ca6ff9682bb23c37f9e9bc962a11082c24ea5b4ec06ab0c01faf34d000c11da2aae52c68, and security hashes to 4bb64b626cd0fe93e44458306330f6ebf1d7518000470e12194fecf04287c01a6c81899b8c8c2d005ebde80f3e39e55dfb6b66f6ebc899936171ff841951a5f4.
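The chained construction described above, written out as an added example (not code from the course). It assumes every round, in all three stages, hashes the previous round's lowercase hex digest encoded as ASCII; `failed_checks()` reports whether that reading reproduces the check values listed above.

```python
import hashlib

# Stage order and round count as described in Part 5.
STAGES = ("md5", "sha256", "sha512")
ROUNDS = 1000


def custom_hash(password: str, rounds: int = ROUNDS) -> str:
    """Apply MD5, then SHA256, then SHA512, each `rounds` times in a row.

    Assumption: each round hashes the previous round's lowercase hex
    digest (as ASCII text), not the raw digest bytes.
    """
    value = password
    for name in STAGES:
        for _ in range(rounds):
            value = hashlib.new(name, value.encode("utf-8")).hexdigest()
    return value


# Check values copied from the assignment text above.
PAGE_CHECKS = {
    "adam": "d99f2d9017739aee0c12ac7812b748c7e67c7165a008310f659ae790df048299196fbab9ffc722000fdcd69c02b6b2f864349539152f651fa65850ab20039032",
    "ASU": "e8a981bb2a89d7c0e2b8c85f7b9c499b4bd7e3cecc3e7543e211c7d6ca6ff9682bb23c37f9e9bc962a11082c24ea5b4ec06ab0c01faf34d000c11da2aae52c68",
    "security": "4bb64b626cd0fe93e44458306330f6ebf1d7518000470e12194fecf04287c01a6c81899b8c8c2d005ebde80f3e39e55dfb6b66f6ebc899936171ff841951a5f4",
}


def failed_checks() -> list:
    """Return the check inputs whose digest differs from the listed value."""
    return [word for word, expected in PAGE_CHECKS.items()
            if custom_hash(word) != expected]


if __name__ == "__main__":
    bad = failed_checks()
    if bad:
        print("mismatch for:", ", ".join(bad))
    else:
        print("all check values reproduced")
```

A mismatch usually means the input picked up a trailing newline or a round was fed raw bytes instead of the hex string.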

Your sources tell you that the user was quite lazy and the password is five characters long, all lowercase letters (a-z).

Part 6 — custom (10 points of extra credit)

This is the same custom hash function from part 5, but it is more difficult.

Submission Instructions

You will need to submit the password for each part for credit, and in addition you will submit a README per part that contains your name, ASU ID, and description of how you broke/reversed the hash.

Submission Site

Create an account to submit your homework on the course submission site.

Please don’t forget your password.