Lab 6.1 Password Cracking - Linux

Download seclists

SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

  • sudo apt install seclists

Explore the /usr/share/seclists directory and also the Passwords/Common-Credentials subdirectory.

Login with the Admin user

Using the passwords that were cracked in Lab 5.1 Password Cracking, log in to the accounts to see if you can find the admin user.

  • groups [username] - lists the groups the user belongs to

  • id - command used to confirm the identity (uid, gid and groups) of the Linux user

Dump the /etc/shadow file

  • tail -n 3 /etc/passwd

Deliverable 1. Provide screenshots similar to the ones above showing the last 3 entries in /etc/passwd and /etc/shadow.

sudo tail -n 3 /etc/passwd
sudo tail -n 3 /etc/shadow

Deliverable 2. Research what hashing algorithm is being used on this server; one of the fields in /etc/shadow points to the format. Explain this.

Example output (screenshot of the last entries of /etc/shadow). Each line is made up of colon-separated fields:
  1. Username

  2. Password hash. The $id$ prefix at the start of the field names the algorithm:

    1. $1$ is MD5

    2. $2a$ is Blowfish

    3. $2y$ is Blowfish

    4. $5$ is SHA-256

    5. $6$ is SHA-512

    6. $y$ is yescrypt

  3. Last password change (days since 1970-01-01)

  4. Minimum (days before the password may be changed again)

  5. Maximum (days before the password must be changed)

  6. Warn (days of warning before the password expires)

  7. Inactive (days after expiry before the account is disabled)

  8. Expire (account expiration date, days since 1970-01-01)

  • copy the excerpts to week6 and name them etc_password.txt and etc_shadow.txt

    • open a new terminal tab with your local user

    • copy and paste from one terminal into the other

Deliverable 3. Examine user Galadriel's shadow entry.

galadriel:$6$rounds=1000$poPWvLT/CfA/sxS/$lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/:19143:0:99999:7:::
  • $6$: the hash is SHA-512-crypt (see the prefix list under Deliverable 2)

  • Salt: poPWvLT/CfA/sxS/

    • The salt is random data (6 to 96 bits) mixed into the hash computation, so two users with the same password end up with different hashes and an attacker cannot reuse one precomputed table against every account.

  • Hashed password (salt$hash): poPWvLT/CfA/sxS/$lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/

rounds=1000 refers to how many iterations the hash function runs. More rounds make every guess more expensive, so a hash with more rounds takes longer to crack.
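As an added example (not part of the lab page), the Python script below parses shadow lines into the fields listed under Deliverable 2 and pulls out the scheme, rounds and salt that Deliverable 3 examines by hand; it also flags entries that use an obsolete scheme or fewer rounds than the glibc default. The bcrypt and yescrypt field layouts, the 5000-round default, and the constructed MD5 and locked sample lines are assumptions that do not come from the page.

```python
from datetime import date, timedelta
# $id$ prefixes as listed in the lab notes (plus bcrypt's $2b$) -> scheme name.
SCHEMES = {"1": "MD5", "2a": "Blowfish", "2b": "Blowfish", "2y": "Blowfish",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # glibc default when no rounds= field is present

def parse_shadow_line(line):
    """Split one /etc/shadow line into user, scheme, rounds, salt, digest, last_change."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, days = fields[0], fields[1], fields[2]
    changed = date(1970, 1, 1) + timedelta(days=int(days)) if days else None
    entry = {"user": user, "rounds": None, "salt": "", "digest": pw,
             "last_change": changed}
    if not pw.startswith("$"):  # '*', '!', '!!' or empty: no usable hash, account locked
        entry["scheme"] = "locked"
        return entry
    parts = pw.split("$")[1:]   # drop the empty string before the leading '$'
    entry["scheme"] = SCHEMES.get(parts[0], f"unknown({parts[0]})")
    if parts[0] in ("2a", "2b", "2y"):   # $2y$cost$<22-char salt><31-char hash>
        entry["rounds"] = int(parts[1])  # bcrypt cost is log2 of the iteration count
        entry["salt"], entry["digest"] = parts[2][:22], parts[2][22:]
    elif parts[0] == "y":                # $y$params$salt$hash
        entry["salt"], entry["digest"] = parts[2], parts[3]
    else:                                # $id$[rounds=N$]salt$hash
        if parts[1].startswith("rounds="):
            entry["rounds"] = int(parts[1].split("=", 1)[1])
            del parts[1]
        elif parts[0] in ("5", "6"):
            entry["rounds"] = SHA_CRYPT_DEFAULT_ROUNDS
        entry["salt"], entry["digest"] = parts[1], parts[2]
    return entry

def audit(lines):
    """Return one finding per entry hashed weaker than a current distro default."""
    findings = []
    for e in map(parse_shadow_line, lines):
        if e["scheme"] == "MD5":
            findings.append(f"{e['user']}: MD5-crypt is obsolete")
        elif e["scheme"] in ("SHA-256", "SHA-512") and e["rounds"] < SHA_CRYPT_DEFAULT_ROUNDS:
            findings.append(f"{e['user']}: {e['rounds']} rounds, below the {SHA_CRYPT_DEFAULT_ROUNDS} default")
    return findings

# Galadriel's entry from the lab, plus a constructed MD5 entry and a locked system account.
SAMPLE_SHADOW = [
    "galadriel:$6$rounds=1000$poPWvLT/CfA/sxS/$lHbu1oMqRV2aM18fkFPbJw25U2.POqhonSmaUpbzPIPVKl2IxS86Qq8q9v3fYu5Y6qlWwbmqekbL3g1vtPmlQ/:19143:0:99999:7:::",
    "legacy:$1$saltsalt$constructedmd5digest0000:19000:0:99999:7:::",  # constructed
    "daemon:*:19000:0:99999:7:::",
]
```

Running `audit(SAMPLE_SHADOW)` reports Galadriel's 1000 rounds as below the default and the constructed MD5 entry as obsolete, while the locked daemon account produces no finding.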

John the Ripper

Deliverable 4. Figure out how to use the unshadow utility to create a file usable by John the Ripper (JtR) and then crack the unshadowed file's hashes using JtR. Provide a screenshot showing your results.

# makes the file readable for john
unshadow etc_password.txt etc_shadow.txt > unshadowed.txt
  • unshadow is a command that merges the passwd and shadow excerpts into the single file format John the Ripper reads

  • /etc/passwd

    • contains usernames but does not store actual password hashes

  • /etc/shadow

    • contains the actual password hashes

  • john is the John the Ripper tool

  • --format=crypt

    • specifies that the password hashes are in traditional crypt(3) format

    • this is the format used in Unix/Linux systems

    • the command below uses --format=sha512crypt instead, which selects John's native SHA-512-crypt cracker for the $6$ hashes rather than going through the system crypt(3) library

# command to crack the hashes
sudo john --wordlist=CommonPasswords.txt --format=sha512crypt ./unshadowed.txt
Cracked Passwords with John the Ripper

Reverse Engineering with Python

Deliverable 5. Let's see if you can reverse engineer the shadow file using Python. The grayed-out area has the plaintext password for Gandalf. In the clear text part, you can see the rounds and the salt. Provide a screenshot similar to the one below. Use Boromir's or Galadriel's shadow entry.

Example code

The main goal here is to re-create the hash for each user's password with Python. To do so, we give it the rounds, the salt, and the plaintext password that we cracked with John the Ripper. The one-liner below takes the salt and rounds from the original /etc/shadow entry and hashes the plaintext with them. The purpose of doing this is to check that we cracked the original hash correctly: if we did, the hash produced by this one-liner will match the hash stored in etc_shadow.txt, because the same password, salt and round count always produce the same hash.

# this is a python one-liner (passlib is installed with: pip install passlib)
python3 -c "from passlib.hash import sha512_crypt; print(sha512_crypt.hash('galadrielarwen111', rounds=1000, salt='poPWvLT/CfA/sxS/'))"
  • from passlib.hash import sha512_crypt

    • uses the passlib library to compute the SHA-512-crypt hash of the plaintext password with the given rounds and salt

Python One-Liner. Yellow is the hash output
  • Check the hash in the original unshadowed file

    • cat unshadowed.txt | grep galadriel

    • Should match the hash from the Python one-liner!

Original hash in the shadow file

Hashcat

# syntax: hashcat -m <hash_mode> -a <attack_mode> [-o <outfile>] <hash_file> <wordlist_file>

hashcat -m 1800 -a 0 -o cat_cracked.txt unshadowed.txt CommonPasswords.txt
  • -m 1800 selects the sha512crypt ($6$) hash mode, -a 0 is straight (wordlist) attack mode, and -o writes the cracked results to cat_cracked.txt
End of cracking message!

Deliverable 6. Crack at least one of the hashes using hashcat and show the passwords.

CSV/Markdown file of Passwords

Deliverable 7. Start a text or csv or markdown file similar to the one below. Include your successful guesses from Week 5 as well as the cracks from this week. We will need this data in our future adventures. A listing or screenshot of all your acquired passwords. This type of material is normally called "loot" in hacker parlance. Documenting uncracked hashes is also a great idea. You may have better luck cracking them as you learn more about your target or decide to crack on a real workstation instead of a Kali VM.

User                         Password          Service
samwise                      RosieRosie        httpd
bilbo                        Rivendell107      httpd
pippin                       adminPippin       httpd
frodo                        1Brandywine       httpd
samwise.gamgee               Mallorn79         ssh
bilbo.baggins                Frodo23           ssh
peregrin.took (wheel user)   28Peregrin        ssh
frodo.baggins                Strider2020       ssh
gandalf.grey                 gandalfrockyou    ssh
boromir                      BoRomir2000Z      ssh
galadriel                    galadielarwen111  ssh
