SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
sudo apt install seclists
Explore the /usr/share/seclistsdirectory and also the Passwords/Common-Credentialssubdirectory.
Login with the Admin user
Using the passwords that were cracked from Lab 5.1 Password Cracking, login to the accounts to see if you can find the admin user.
groups [username]
id -command used to confirm the identity of the Linux use
Dump the /etc/shadow file
tail -n 3 /etc/passwd
Deliverable 1. Provide screenshots similar to the ones above showing the last 3 entries in /etc/passwd and /etc/shadow.
sudo tail -n 3 /etc/passwd
sudo tail -n 3 /etc/shadow
Deliverable 2. Research what hashing algorithm is being used on this server, one of the fields in /etc/shadow points to the format. Explain this.
Example output
Username
Password
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512
$y$ is yescrypt
Last password change
Minimum
Maximum
Warn
Inactive
Expire
copy the excerpts to week6 and name them etc_password.txt and etc_shadow.txt
open a new terminal tab with your local user
copy and paste from one terminal into the other
Deliverable 3. Examine user Galadriel's shadow entry.
Salt: poPWvLT/CfA/sxS/
The salt is used to encrypt the password, and it is chosen at random (6 to 96 bits).
rounds=1000 refers to how many iterations the hash uses. If the hash has more rounds, it will take longer to crack.
John the Ripper
Deliverable 4. Figure out how to use the unshadow utility to create a file usable by John the Ripper(JtR) and then crack the unshadowed files hashes using JtR. Provide a screenshot showing your results.
unshawdow is a command that makes files readable for John the Ripper
/etc/passwd
contains usernames but does not store acutal password hashes
/etc/shadow
contains the actual password hashes
johnIs the John the ripper tool
--format=crypt
specifies that the password hashes are in traditional crypt(3) format
this is the format used in Unix/Linux systems
I was finding that it was taking way to long to crack the hashes with --format=crypt It narrowed it down to format=sha512crypt so that John knew he was specifically cracking sha512 hashes.
Warning: Only 1 candidate buffered for the current salt, minimum 16 needed for performance
When I did not have a wordlist defined, I kept getting the error message above. To mitigate this I unzipped the rockyou common passwords list into the file CommonPasswords.txt and told John to use that wordlist when cracking the hashes. Defining the wordlist also helped speed up the time it took to crack.
Cracked Passwords with John the Ripper
I am not able to do the john --show unshadowed.txt command to show the cracked hashes, but they have all been cracked.
Reverse Engineering with Python
Deliverable 5. Let's see if you can reverse engineer the shadow file using Python. The grayed-out area has the plaintext password for Gandalf. In the clear text part, you can see the rounds and the salt. Provide a screenshot similar to the one below. Use Boromir or Galadriel's shadow entry.
Example code
The main goal here is to re-create the hash for each of the users passwords with Python. To do so, we need to give it the rounds, the salt, and the plaintext password that we cracked with John the Ripper. The one-liner below takes the salt and rounds from the original /etc/shadow file entry and then will encrypt it into a hash. The purpose of doing this is so we can check if we decrypted the original hash correctly. If we did, the hash we make with this one-liner should match the hash that we have stored from etc_shadow
passlib.hash import sha512_crypt
Uses the passlib library to generate sha512 hash for the plaintext password
Make sure to change your salt to match the named user
Python One-Liner. Yellow is the hash output
Check the hash in the original unshadowed file
cat unshadowed.txt | grep galadriel
Should match the hash from the Python one-liner!
Original hash in the shadow file
Hashcat
End of cracking message!
Deliverable 6. Crack at least one of the hashes using hashcat and show the passwords
CSV/Markdown file of Passwords
Deliverable 7. Start a text or csv or markdown file similar to the one below. Include your successful guesses from Week 5 as well as the cracks from this week. We will need this data in our future adventures. A listing or screenshot of all your acquired passwords. This type of material is normally called "loot" in hacker parlance. Documenting uncracked hashes is also a great idea. You may have better luck cracking them as you learn more about your target or decide to crack on a real workstation instead of a Kali VM.
