1. (5 points)  On your Linux VM, you will find a password cracking tool called “John the Ripper”.  
Demonstrate that you are able to use this program by performing the following steps. 
a. (1 points) Set up a new user account on your VM called _tocrack, with 
password=ID>).   You will need to set the password as root in 
order to create this (weak) password.  Output the contents of the /etc/shadow file and take 
a snapshot that shows your newly created account. 
 
b. (1 points) What is the password hash for your _tocrack account?  You can 
find it in the /etc/shadow file.  Refer to this website to determine which part of the entry for 
your user is the actual hash: https://www.2daygeek.com/understanding-linux-etc-shadow-
file-format/ .   
• Note that there is one minor error in the above URL--- “hash_salt: This field is 
contain encrypted password instead of actual password.” Should read 
“hash_salt: this field contains the salt appended to the password prior to 
hashing”. 
 
c. (2 points) Crack the password using John the Ripper (the command is “john”, but you must 
decide which options are the most sensible).   Refer to the OpenWall website for 
information about the different cracking modes: 
http://www.openwall.com/john/doc/MODES.shtml . 
i.  (1 point) What command line options are optimal for guessing your password?   
ii.  (1 point) Use the optimal command line options from (i) above to run john, and 
provide a screenshot of the full output that it produced (including timing 
information).  Make sure the output includes your cracked password.  
 
d. (1 point) The password you were asked to choose in part (a) is obviously quite weak.  
Password policies aim to prevent poor password choices by regular users and typically 
specify a password must be >=8 characters in length.  However, password crackers such as 
Ophcrack and Rainbowcrack use rainbow tables and as such are very fast.  Given the 

rainbow tables that are available for purchase today (see http://project-
rainbowcrack.com/table.htm ), what would be a more prudent password policy? 
 
2. (1.25 points) Set up auditing to monitor and report modifications from “Everyone” to the same Run 
and RunOnce keys (if present) from Week 4 Tutorial Assignment Question 2.  See the following 
article (point #3: Registry auditing) for how to set this up: https://betanews.com/2015/11/18/how-
to-monitor-registry-changes/.  Then add a subkey under one of the “RunOnce” keys, named 
A5_ (e.g., for this course’s TA, it would be “A5_IsratJui”).  Finally, open up the Event 
Viewer and locate the registry logs related to the creation and/or access of this new key, and take a 
screenshot showing at least one of these logs (the screenshot must show your new key name, which 
contains your name).