Project 2: Breaking hash authentication and then fixing it

Purpose: To learn how to read and understand a large non-trivial codebase. To study how data propagates through a large program and “hack” it by calculating a specific input that will allow the flow of execution to change. To implement a component of a large non-trivial codebase. To use dynamic programming to compute string edit distance.

Story: You are an elite member of the CS310 Cyber Command in charge of keeping cyberspace free and open. A rebel group of cats has threatened to take over the Internet!

You have intelligence indicating that they have set up an SSH server at merb.cs.umb.edu on port 6801. You have a mole on the inside of the organization that leaked the source code of the SSH server. They also inserted some debug statements that will leak information so you can figure out the password for the server.

They put the code in the project2 directory at this location: https://github.com/ieee8023/cs310-summer2016

First you explore what is running on port 6801 of merb.cs.umb.edu using netcat (nc) and find this:

$nc -v merb.cs.umb.edu 6801 Connection to merb.cs.umb.edu port 6801 [tcp/*] succeeded! SSH-2.0-Warwick J2SSH Fork/1.0 [SERVER]  It appears it is in fact an SSH server based on the “SSH-2.0-Warwick J2SSH Fork/1.0” string returned. You explore the server by trying to log into it and setting the port to 6801: $ssh -p 6801 merb.cs.umb.edu

_,
//        /)/)
||        / ..\\
\\\\.----' ,_Y/
\\        (
l  \\_/   |
| //| //
\\_)_)\\_))
CATDEBUG: Secret Sha : [10,-39,82]
CATDEBUG: User Sha   : [-38,57,-93]

_,
//        /)/)
||        / ..\\
\\\\.----' ,_Y/
\\        (
l  \\_/   |
| //| //
\\_)_)\\_))


You notice that when you type in an incorrect password there is debug text that is echoed back.

#1 Reverse Engineer Code

For this project you will read the code to figure out how you can use this information to break into the system. Figure out the sequence of function calls that happen once you type in a password until the login is denied. Submit this list of functions names and the classes they are in and specify the order that they are called. Then explain how the login process is working to validate the password. You will need to use your knowledge of hashing to understand how the login process works. You can run the code yourself by running “sh run.sh” then connect to your local server with:

\$ssh -p 6801 localhost


Use your knowledge of hashing and its flaws to figure out two passwords that will allow you into the server. You will only be brute forcing the hash so you do not need to study how SHA-1 works in depth. Explain your approach and submit the code you used to calculate two correct passwords.

#3 Implement Sloppy Authentication

Passwords are a pain anyway. Why do they need to be so exact? Implement a file SloppyAuthenticationProvider.java that will authenticate passwords if they are within an edit distance of 2 from the correct password. The inclusion of a space or the switching of a character is a distance cost of 1. For example if the password is “laptop” the server will accept “lapop”, “lapt”, “maptop”, “ptop”, or “lap top” but not accept “lap”, “desktop”, “clocktower”, “l a p t o p”, or “maptoppp”. Write a dynamic programming edit distance algorithm for this.