Due 5:00PM Monday, November 24, 2014. Submit your answers via Moodle as a zip file containing PDF with your answers, plus any source code or data files you used to obtain your answers.
As noted in class on Monday, November 17, this is no longer an exam. Instead, it is an assignment on which you are free to consult with your classmates, Jeff, and so on. Each of you, however, should write your own code and do your own write-up of the problems. If you take a substantial idea from another person, cite them at the bottom of your PDF.
You may not use a password-cracking utility written by somebody else. Note that this isn't a big hardship, since problem #1's grade will depend more on your answers to the analysis questions than on the "list the passwords" question.
On the password-cracking, please take note of the passlib library described below. This will enable you to restrict your CPU-hogging to the computer you're sitting in front of. I'd rather not be the mastermind of a DDOS attack on thacker.
I have designed this assignment to be interesting (I hope), but also easy to grade. Many of the questions call for simple numerical or short-answer responses. I'm still often interested in "why," of course, but keep your explanations brief and to the point. For example, the password section includes two questions beginning "By what factor...." You'll want to tell me the factors, but also tell me where the factors came from. In both cases, a good explanation should be manageable in a single short sentence.
Given my recent history, the likelihood of errors in this assignment is moderately high. Let me know if you see trouble, and I'll communicate any issues to the rest of the class via email.
Have fun!
Passwords (15 points)
I have created for you a fictional copy of the /etc/shadow file stored on the mathcs.carleton.edu file system. (Here's the previous copy of shadow from earlier in the weekend. Not that you need it.) Because this file contains a list of actual user names on the mathcs network, I have stored that file in directory only accessible from on-campus IP addresses. The password hashes in this file were made up by me or my handy random number generator plus this dictionary file of English words. (Note that my dictionary file doesn't contain proper nouns. If there are any passwords based on proper nouns, they came from my head.)
For the present purposes, we will assume that we are working on a Linux system (but see the note at the end of this exercise) that stores its account and password information in /etc/passwd and /etc/shadow, as described here, here, and here.
So, let's pretend that you got a copy of the /etc/shadow file, one way or another, and now you want to discover as many passwords as possible. Your job is to create a Python program to help you do that, and to report on your results and answer a few questions about the process. I want you to write your code in Python for a couple reasons. First, so I don't have to learn more than Python's hashing library. But also, so your timing results will be reasonably comparable between students. (Note, by the way, that Python is slow, but SHA12-based crypt is intentionally very slow as an algorithm regardless of language, so as to thwart just the sort of cracking you are trying to do.)
Answer the following:
Call your program "cracker.py", and include it in the zip file you submit.
Some assistance for you:
Cross-site scripting (15 points)
Spying on Jeff (15 points)
For this exercise, assume that this Wireshark file was obtained at a coffee shop, focusing on the activities of one particular person (let's call him "Jeff"). Your job is to summarize in as much detail as you can what Jeff was up to during this short period of time. In particular: