This assignment is worth 125 points. Partial credit will be given for all questions — it is in your best interest to not leave any blank. Some of these questions may require you to conduct research beyond what we learned in class. You are free to leverage any public resources you'd like to complete this assignment, but make sure to cite your sources in your answers. Refer to this course's honor code policy for more information on what is appropriate reuse.

For this assignment, record your responses to the following activities in the file in the homework04 folder of your assignments GitLab repository and push your work (including any code you developed) by 11:59 PM Thursday, February 27.

Activity 0: Branching

As discussed in class, each homework assignment must be completed in its own git branch; this will allow you to separate the work of each assignment and for you to use the merge request workflow.

First, follow these instructions to setup your git environment.

To create a homework04 branch in your local repository, follow the instructions below:

$ cd path/to/cse-40567-sp20-assignments   # Go to assignments repository

$ git checkout master                     # Make sure we are in master branch

$ git pull --rebase                       # Make sure we are up-to-date with GitLab

$ git checkout -b homework04              # Create homework04 branch and check it out

$ cd homework04                           # Go into homework04 folder

Once these commands have been successfully performed, you are now ready to add, commit, and push any work required for this assignment.

Activity 1: Setting up your environment

This assignment connects our study of cryptanalysis with software security. Here we will look at a classic area of computer security that remains tremendously relevant in 2020: password cracking. While the basics haven't changed much since software-based password crackers appeared in the 1980s, there have been significant innovations in cracking strategies and hardware parallelization. In this assignment, you will learn how to configure and use the modern hashcat tool to perform dictionary-based and brute force attacks against two hashes recovered from two /etc/shadow files. The following assignment is best completed under a Linux distribution under your control (although it is possible to complete under other operating systems). As in previous assignments, do this in an Ubuntu VirtualBox VM if you don't have access to a Linux distribution that you can easily install software on. Note that if you opt to use a VM, more time will be required to complete the assignment, but if you get started early, you will still have plenty of time to answer the following questions.

Before answering the questions, you will need to install and configure the hashcat software. If you are doing this under Linux or Windows, download and unarchive the following stable pre-built version of hashcat. You are also free to build the software from source (which may give you macOS support), or install via apt-get if using a recent version of Ubuntu Linux.

hashcat is implemented using OpenCL, a GPU programming framework for high-speed parallel computing. The first time you run the hashcat32.bin or hashcat64.bin (depending on your platform) binary, you may encounter an OpenCL error, if you haven't previously installed the necessary drivers and runtimes for your platform. If you are running hashcat natively and have access to an AMD, NVIDIA, or Intel GPU, configure your environment to use it — this assignment will go very fast if you take this route. If you don't have access to a good GPU, or if you're having trouble configuring your environment for your GPU, you can also run hashcat on a CPU (this will be an easier option if you are using a VM). For CPU operation, download and install the latest OpenCL Drivers and Runtimes.

Tip 1: get an early start to this assignment in case you run into trouble with your environment. Don't hesitate to reach out to the TA or Prof. Scheirer for assistance.

Activity 2: Dictionary-based Password Cracking

Consider the following password hash recovered from the /etc/shadow file found on a recent Ubuntu Linux installation:


Question 1 (15 points): Identify the algorithm that produced this password hash. Considering the relative performance of the commonly used hash functions, will this particular hash be fast or slow to crack?

Question 2 (50 points): Dictionary attacks are a simple and effective way of recovering hashed passwords. The idea is to hash each plaintext entry of a given dictionary using a chosen hash function. Crack the above password hash using hashcat and this dictionary. The dictionary, rockyou.txt, is a collection of over 14 million common and previously cracked passwords. It is one of the most comprehensive dictionaries available, and the one you should try first when mounting a dictionary attack. As your answer to this question, provide the plaintext password and the amount of time it took. Also describe the hardware you used (e.g., CPU or GPU model).

Activity 3: Brute-Force Password Cracking

Consider this second password hash recovered from a different /etc/shadow file:


Assume that the system this hash was found on enforces the following password policy. All passwords must be five characters in length, where the first character is any lowercase letter, the second character is any digit, the third and fourth characters are any letter, and the fifth character is any digit.

Question 3 (50 points): When the search space is restricted in such a way, a brute force attack is possible. hashcat gives you the option of crafting a special mask to reduce the password candidate space to something that is more efficient than searching all possibilities. Use that feature to crack the above password hash. As your answer to this question, provide the plaintext password, the amount of time it took to crack the password, the amount of time hashcat estimated it would take you to crack the password.

Question 4 (10 points): based on your experience in this assignment, which approach is probably more efficient in general: the dictionary attack or the mask-based brute force attack?


If you have any questions, comments, or concerns regarding the course, please provide your feedback at the end of your


Remember to put your name in the file. To submit your assignment, please commit your work to the homework04 folder of your homework04 branch in your assignment's GitLab repository:

$ cd path/to/cse-40567-sp20-assignments   # Go to assignments repository
$ git checkout master                     # Make sure we are in master branch
$ git pull --rebase                       # Make sure we are up-to-date with GitLab
$ git checkout -b homework04              # Create homework04 branch and check it out
$ cd homework04                           # Go to homework04 directory
$ $EDITOR                       # Edit appropriate
$ git add                       # Mark changes for commit
$ git commit -m "homework04: complete"    # Record changes
$ git push -u origin homework04           # Push branch to GitLab

Procedure for submitting your work: create a merge request by the process that is described here, but make sure to change the target branch from wscheirer/cse-40567-sp20-assignments to your personal fork's master branch so that your code is not visible to other students. Additionally, assign this merge request to our TA (sabraha2) and add wscheirer as an approver (so all class staff can track your submission).