Information Assurance - F19

CSE 365

Assignment 5 — Crack That Pass

Assignment 5 is due 11/11/19 on or before 11:59:59pm MST.

For this assignment, we’re going to explore what happens when password hashes are released. There will be four challenges that will involve discovering a password. You are free to use any resource or program to help you solve this challenge, except for each other. This includes open source software such as John the Ripper, hashcat, or any other password cracking software.

You can find your hashes on the submission website.

Part 1 — MD5 (40 points)

This is a standard MD5 hash.

As a check adam hashes to 1d7c2923c1684726dc23d2901c4d8157 and ASU hashes to b62ba115efc8e9dc0509fc81d2b3facd.

Our intelligence shows that this is a 6 character password.

Part 2 — SHA256 (25 points)

This is a standard SHA256 hash.

As a check adam hashes to f7f376a1fcd0d0e11a10ed1b6577c99784d3a6bbe669b1d13fae43eb64634f6e and ASU hashes to 23ae442892c1b454376f6d471534a59d49000da0c80ae5ff92b51f6238ab57f4.

Our intelligence shows that this is a 7 character password, composed of lowercase letters (a-z), uppercase letters (A-Z), and digits (0-9).

Part 3 — bcrypt (25 points)

This is a standard bcrypt hash (note that bcrypt hashes include a salt).

As a check adam can hash to $2b$12$mvHp.XDphRCOcU/.0VGavOf3LRA3IEbVS86QfON0.bHVKm1JXc/cm or $2b$12$y4UmhMIJtbsl91IHxZBGDe6bM0oE2swTwzcl/Jhz4NY6qpgjTbxLu and ASU can hash to $2b$12$KKa3GLQzwS4/t2pE7/WbA.2DYZpf43145XOt1UYJOwS3LXbVAqnQO and $2b$12$pFiuYaIdKesghda9pOnvSOyw9WgRDwE2/iRFdrrO4.u9s8umAAMzy.

Our intelligence shows that this is a commonly used password.

Part 4 — custom (10 points)

This is a custom hash function.

First, you take the input to hash and run it through MD5 1000 times (feeding the output of MD5, as a hex string, into the next). Then, you run that result 1000 times through SHA256. Then, you run that result 1000 times through SHA512.

In mathematical notation, something like:

SHA512( SHA512( ... ( SHA256( SHA256( ... ( MD5( MD5( ... ( "string" )...)

As a check adam hashes to d99f2d9017739aee0c12ac7812b748c7e67c7165a008310f659ae790df048299196fbab9ffc722000fdcd69c02b6b2f864349539152f651fa65850ab20039032, ASU hashes to e8a981bb2a89d7c0e2b8c85f7b9c499b4bd7e3cecc3e7543e211c7d6ca6ff9682bb23c37f9e9bc962a11082c24ea5b4ec06ab0c01faf34d000c11da2aae52c68, and security hashes to 4bb64b626cd0fe93e44458306330f6ebf1d7518000470e12194fecf04287c01a6c81899b8c8c2d005ebde80f3e39e55dfb6b66f6ebc899936171ff841951a5f4.

Our intelligence tells us that the user was quite lazy and the password is five characters long, all lowercase letters (a-z).
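The Part 4 chain written out as code, as an added example that is not part of the assignment handout. It assumes every round, in the SHA256 and SHA512 stages as well as MD5, hashes the previous digest's lowercase hex string as UTF-8 bytes; `verify_against_page` tests that assumption against the three check values above. All function and constant names are chosen here.

```python
import hashlib
import time

# Check values copied from the Part 4 text above.
PAGE_CHECKS = {
    "adam": "d99f2d9017739aee0c12ac7812b748c7e67c7165a008310f659ae790df048299196fbab9ffc722000fdcd69c02b6b2f864349539152f651fa65850ab20039032",
    "ASU": "e8a981bb2a89d7c0e2b8c85f7b9c499b4bd7e3cecc3e7543e211c7d6ca6ff9682bb23c37f9e9bc962a11082c24ea5b4ec06ab0c01faf34d000c11da2aae52c68",
    "security": "4bb64b626cd0fe93e44458306330f6ebf1d7518000470e12194fecf04287c01a6c81899b8c8c2d005ebde80f3e39e55dfb6b66f6ebc899936171ff841951a5f4",
}
# (algorithm, rounds) in the order the assignment gives them.
STAGES = (("md5", 1000), ("sha256", 1000), ("sha512", 1000))


def custom_hash(password, stages=STAGES):
    """Run each stage `rounds` times, feeding the hex digest into the next round."""
    value = password
    for algorithm, rounds in stages:
        for _ in range(rounds):
            # Assumption: every round hashes the previous hex string as UTF-8 bytes.
            value = hashlib.new(algorithm, value.encode("utf-8")).hexdigest()
    return value


def verify_against_page():
    """Return {word: bool}: does this code reproduce each check value on the page?"""
    return {word: custom_hash(word) == want for word, want in PAGE_CHECKS.items()}


def seconds_per_guess(samples=20):
    """Measure the average wall-clock cost of one custom_hash call on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        custom_hash("sample%d" % i)  # constructed inputs, used only for timing
    return (time.perf_counter() - start) / samples


def exhaustive_search_hours(alphabet_size, length, per_guess_seconds):
    """Worst-case single-threaded hours to hash every string of this exact length."""
    return alphabet_size ** length * per_guess_seconds / 3600


if __name__ == "__main__":
    print(verify_against_page())
    cost = seconds_per_guess()
    print("one hash: %.4f s" % cost)
    print("26^5 space: %.1f h" % exhaustive_search_hours(26, 5, cost))
```

If any entry prints `False`, the hex-string assumption for the SHA stages does not match the implementation that produced the page's check values.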

Part 5 — custom (10 points of extra credit)

This is the same custom hash function from part 4, but it is more difficult. No intelligence is available.

Submission Instructions

You will need to submit the password for each part for credit, and in addition you will submit a README per part that contains your name, ASU ID, and description of how you broke/reversed the hash.

Submission Site

Create an account to submit your homework on the course submission site.

Please don’t forget your password.