Information Assurance - S20

CSE 365

Assignment 5 — Crack That Pass

Assignment 5 is due 4/6/20 on or before 11:59:59pm MST.

For this assignment, we’re going to explore what happens when password hashes are released. There will be four challenges that will involve discovering a password. You are free to use any resource or program to help you solve this challenge, except for each other. This includes open source software such as John the Ripper, hashcat, or any other password cracking software.

Get your hash by submitting to the Assignment on GradeScope called “Crack That Pass Hashes”.

Part 1 — MD5 (40 points)

This is a standard MD5 hash.

As a check adam hashes to 1d7c2923c1684726dc23d2901c4d8157 and ASU hashes to b62ba115efc8e9dc0509fc81d2b3facd.

Our intelligence shows that this is a 6 character password.

Part 2 — SHA256 (25 points)

This is a standard SHA256 hash.

As a check adam hashes to f7f376a1fcd0d0e11a10ed1b6577c99784d3a6bbe669b1d13fae43eb64634f6e and ASU hashes to 23ae442892c1b454376f6d471534a59d49000da0c80ae5ff92b51f6238ab57f4.

Our intelligence shows that this is a 7 character password, composed of lowercase letters (a-z), uppercase letters (A-Z), and digits (0-9).

Part 3 — bcrypt (25 points)

This is a standard bcrypt hash (note that bcrypt hashes include a salt, so there are many possible outputs).

As a check adam can hash to $2b$12$mvHp.XDphRCOcU/.0VGavOf3LRA3IEbVS86QfON0.bHVKm1JXc/cm or $2b$12$y4UmhMIJtbsl91IHxZBGDe6bM0oE2swTwzcl/Jhz4NY6qpgjTbxLu and ASU can hash to $2b$12$KKa3GLQzwS4/t2pE7/WbA.2DYZpf43145XOt1UYJOwS3LXbVAqnQO and $2b$12$pFiuYaIdKesghda9pOnvSOyw9WgRDwE2/iRFdrrO4.u9s8umAAMzy.

Our intelligence shows that this is a commonly used password.

Part 4 — custom (10 points)

This is a custom hash function.

First, you take the input to hash and run it through MD5 100 times (feeding the output of MD5, as a hex string, into the next). Then, you run that result 100 times through SHA256. Then, you run that result 100 times through SHA512.

In mathematical notation, something like:

SHA512( SHA512( ... ( SHA256( SHA256( ... ( MD5( MD5( ... ( "string" )...)

As a check adam hashes to 6415d24f9fc04a9e0ed53c17eae60f6a7d97c1a5765a6d8d15a16f06c5be4c6dd047361bb01e5a2f424516b2992de23d69e8aee1cc6e0581cf6e2e3f63a22cd5, ASU hashes to 0825e489207e60af88cd0ab364a1328055f65471930ec46801affeb63223bf4f2bd1bdcb60d9e1ac1a8c47e77223deac4e7c4a78f090830b9bfc0ce9169076ee, and security hashes to 88466c23009271eb909e586c6707120f30a2dd6ae53fb025badb2f9d0f6765b90f124e3524d2d63719e8e668cf164411a61b1fea077ec1dd3b1db8889622095c.

Our intelligence tells us that the user was quite lazy and the password is five characters long, all lowercase letters (a-z).
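The Part 4 construction, written out as an added example (not code from the course staff) and verified against the three check values above. It assumes each round's lowercase hex digest is fed to the next round as ASCII text, including at the MD5 to SHA256 and SHA256 to SHA512 handoffs; the function names are hypothetical.

```python
import hashlib

# Check values copied from the Part 4 text above.
PAGE_CHECKS = {
    "adam": "6415d24f9fc04a9e0ed53c17eae60f6a7d97c1a5765a6d8d15a16f06c5be4c6d"
            "d047361bb01e5a2f424516b2992de23d69e8aee1cc6e0581cf6e2e3f63a22cd5",
    "ASU": "0825e489207e60af88cd0ab364a1328055f65471930ec46801affeb63223bf4f"
           "2bd1bdcb60d9e1ac1a8c47e77223deac4e7c4a78f090830b9bfc0ce9169076ee",
    "security": "88466c23009271eb909e586c6707120f30a2dd6ae53fb025badb2f9d0f6765b9"
                "0f124e3524d2d63719e8e668cf164411a61b1fea077ec1dd3b1db8889622095c",
}


def iterate(algorithm: str, value: str, rounds: int) -> str:
    """Hash `value` `rounds` times; each hex digest is the next round's input."""
    for _ in range(rounds):
        value = hashlib.new(algorithm, value.encode("utf-8")).hexdigest()
    return value


def custom_hash(password: str, rounds: int = 100) -> str:
    """MD5 x rounds, then SHA256 x rounds, then SHA512 x rounds."""
    value = password
    for algorithm in ("md5", "sha256", "sha512"):
        value = iterate(algorithm, value, rounds)
    return value


def check_against_page() -> dict:
    """Map each check word to whether custom_hash() reproduces the page's value."""
    return {word: custom_hash(word) == want for word, want in PAGE_CHECKS.items()}


def digest_calls(alphabet_size: int, length: int, rounds: int = 100) -> int:
    """Digest invocations needed to hash every string of the given length."""
    return alphabet_size ** length * rounds * 3  # three chained stages


if __name__ == "__main__":
    for word, ok in check_against_page().items():
        print(f"{word}: {'matches' if ok else 'MISMATCH'}")
    # Cost of the whole five-letter lowercase space from Part 4.
    print("digest calls for a-z, length 5:", digest_calls(26, 5))
```

The chaining multiplies the cost of each guess by 300 but adds no salt, so identical passwords still produce identical hashes.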

Part 5 — custom (10 points of extra credit)

This is the same custom hash function from part 4, but it is more difficult. No intelligence is available, and none will be given.

Submission Instructions

You will need to submit a README on GradeScope to the assignment “Crack That Pass” that contains your name, ASU ID, and a description of how you broke/reversed the hash.

You will also need to include the password that you broke for each part. You need to use the following format for auto-grading (if you didn’t solve a part, feel free to leave it blank, and submit as many times as you want):

MD5: <part 1 password>
SHA256: <part 2 password>
bcrypt: <part 3 password>
custom: <part 4 password>
custom ec: <part 5 password>