Lab 6.1 Password Cracking ‐ Linux - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki
SecLists:
sudo apt install seclists (on main machine)
https://www.kali.org/tools/seclists/
Deliverable 1:
Using peregrin.took, the user from last lab with sudo privileges, I SSH'd into 10.0.5.21 to become root and dumped the last 3 entries in:
- /etc/passwd:
- /etc/shadow:
Deliverable 2: "Research what hashing algorithm is being used on this server, one of the fields in /etc/shadow points to the format. Explain this."
$6$ is the hashing-algorithm prefix (hash ID) used; in this case it's a SHA-512 hash, whose output is 512 bits. Source used to answer the above: see Resources below.
Deliverable 3: Examine user Galadriel's shadow entry.
The salt is highlighted in orange and the hash in blue:
Useful info when it comes to dissecting a shadow file/entry:
- Username first, then the password comes after the :
- May see "rounds" between $id$ and $salt
- $hash ends at the :
- $salt & $hash may contain /
Hash IDs:
- $1$ = MD5
- $2a$ = Blowfish
- $2y$ = Blowfish
- $5$ = SHA-256
- $6$ = SHA-512
Useful resources I used for Deliverables 2 and 3: see the Resources list below.
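To make the dissection above concrete from the defender's side, here is an added example (my own code, not part of the lab or this wiki) that parses shadow lines exactly the way Deliverable 3 describes ($id$, optional rounds=, $salt, $hash) and reports settings an administrator would want to fix: empty password fields, deprecated MD5 crypt, and sha512crypt rounds set below the glibc default of 5000. The sample shadow text is constructed: the boromir hash is the one quoted in Deliverable 6 wrapped in shadow-file fields, and the other three lines are made up. The $y$ (yescrypt) mapping and the bcrypt cost threshold of 10 are assumptions beyond the page's own list.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hash ID prefixes as listed on the page; "$y$" (yescrypt, the current
# Debian/Fedora default) is added here as an assumption.
HASH_IDS = {
    "1": "MD5",
    "2a": "Blowfish",
    "2y": "Blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}
WEAK_ALGOS = {"MD5"}
# glibc defaults sha256crypt/sha512crypt to 5000 rounds and allows as few
# as 1000; the lab's boromir hash uses rounds=1000, i.e. the floor.
MIN_RECOMMENDED_ROUNDS = 5000
MIN_RECOMMENDED_BCRYPT_COST = 10  # assumption: common baseline for bcrypt


@dataclass
class ShadowEntry:
    user: str
    raw_hash: str
    status: str = "active"            # active | locked | empty
    algorithm: Optional[str] = None
    rounds: Optional[int] = None      # rounds= for $5$/$6$, cost for $2?$
    salt: Optional[str] = None
    digest: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def _int_or_none(text: str) -> Optional[int]:
    try:
        return int(text)
    except ValueError:
        return None


def parse_crypt_string(pw: str) -> dict:
    """Split a crypt(3) string into id, rounds/cost, salt and digest.

    Layout is $id$[rounds=N$]salt$digest; salt and digest never contain
    '$' but may contain '/' and '.', so splitting on '$' is safe.
    """
    info = {"id": None, "algorithm": None, "rounds": None, "salt": None, "digest": None}
    if not pw.startswith("$"):
        return info                      # legacy DES or a non-crypt value
    parts = pw.split("$")[1:]            # drop the empty string before the first '$'
    info["id"] = parts[0]
    info["algorithm"] = HASH_IDS.get(parts[0])
    if parts[0] in ("2a", "2y"):
        # bcrypt packs a 22-char salt and 31-char digest into one field.
        if len(parts) >= 3:
            info["rounds"] = _int_or_none(parts[1])
            info["salt"], info["digest"] = parts[2][:22], parts[2][22:]
        return info
    rest = parts[1:]
    if rest and rest[0].startswith("rounds="):
        info["rounds"] = _int_or_none(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) >= 2:
        info["salt"], info["digest"] = rest[0], rest[1]
    return info


def audit_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow line (user:hash:lastchg:min:max:warn:inactive:expire:)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    entry = ShadowEntry(user=fields[0], raw_hash=fields[1])
    pw = fields[1]
    if pw == "":
        entry.status = "empty"
        entry.findings.append("empty password field: login may succeed with no password")
        return entry
    if pw[0] in "!*":
        entry.status = "locked"          # '!' = passwd -l, '*' = no password login
        pw = pw.lstrip("!*")             # passwd -l keeps the old hash after '!'
        if not pw:
            return entry
    info = parse_crypt_string(pw)
    entry.algorithm, entry.rounds = info["algorithm"], info["rounds"]
    entry.salt, entry.digest = info["salt"], info["digest"]
    if entry.status == "locked":
        return entry                     # locked accounts get no findings
    if info["id"] is None:
        entry.findings.append("unrecognised hash format (legacy DES or non-crypt value)")
    elif entry.algorithm is None:
        entry.findings.append(f"unknown hash id ${info['id']}$")
    elif entry.algorithm in WEAK_ALGOS:
        entry.findings.append(f"{entry.algorithm} crypt is deprecated; rehash on next login")
    if info["id"] in ("5", "6") and entry.rounds is not None and entry.rounds < MIN_RECOMMENDED_ROUNDS:
        entry.findings.append(f"rounds={entry.rounds} is below the glibc default of {MIN_RECOMMENDED_ROUNDS}")
    if info["id"] in ("2a", "2y") and entry.rounds is not None and entry.rounds < MIN_RECOMMENDED_BCRYPT_COST:
        entry.findings.append(f"bcrypt cost {entry.rounds} is below {MIN_RECOMMENDED_BCRYPT_COST}")
    return entry


def audit_shadow(text: str) -> List[ShadowEntry]:
    return [audit_shadow_line(line) for line in text.splitlines() if line.strip()]


# Constructed sample: the boromir hash is the one quoted in Deliverable 6,
# wrapped in shadow-file fields; the other three lines are made up.
SAMPLE_SHADOW = """\
root:*:19400:0:99999:7:::
boromir:$6$rounds=1000$UvKLGar/VWtqFGCE$DcfWOzRolV4T6GABOUOFFXfg4lpmD4mKriKX1n5sN3ugJSY3nnicjuGfbT9hgEeo.b6dpWSitnK3z3jjBQ2w//:19400:0:99999:7:::
legacy:$1$abcdefgh$ThisIsAConstructedMD5X:19400:0:99999:7:::
guest::19400:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        algo = e.algorithm or "-"
        rounds = f" rounds={e.rounds}" if e.rounds is not None else ""
        print(f"{e.user:10} {e.status:7} {algo:8}{rounds}")
        for f in e.findings:
            print(f"           ! {f}")
```

Run it as root against the real file with `audit_shadow(open("/etc/shadow").read())`; the point of splitting on `$` rather than on fixed offsets is that salt and digest lengths vary between algorithms while `$` never appears inside either, which is exactly the property the dissection notes above rely on.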
Deliverable 4: Figure out how to use the unshadow utility to create a file usable by John the Ripper (JtR), then crack the unshadowed file's hashes using JtR.
The screenshot above shows the unshadow tool in use.
Unshadow CMD: sudo unshadow etc_passwd.txt etc_shadow.txt > hashlist.txt
CMD to crack hashes that are now located in hashlist.txt: john hashlist.txt --wordlist=[path/to/word/list.txt]
Sources for the commands above: see Resources below.
Deliverable 5:
Since we have the plaintext password (from Deliverable 4), this deliverable was straightforward: just follow the screenshot in the lab and replace the greyed-out area with the user's plaintext password; in my case I used BoRomir2000Z.
Deliverable 6:
Starting off, I created a new file named boromir_unshadowed.txt. Then I added boromir:$6$rounds=1000$UvKLGar/VWtqFGCE$DcfWOzRolV4T6GABOUOFFXfg4lpmD4mKriKX1n5sN3ugJSY3nnicjuGfbT9hgEeo.b6dpWSitnK3z3jjBQ2w//:1006:1006::/home/boromir:/bin/bash, retrieved from the unshadowed hashlist.txt. I wanted to run unshadow on boromir specifically since he was my target.
unshadow boromir_unshadowed.txt > boro_shadow.txt
Then I tried the following command: sudo hashcat -m 1800 -a 0 -o boromir_cracked.txt boromir_unshadowed.txt /usr/share/wordlists/rockyou.txt
- -m 1800 = sets the hash type; 1800 is SHA-512 (sha512crypt)
- -a 0 = sets the attack mode; 0 is straight (wordlist)
- -o boromir_cracked.txt = output file
- boromir_unshadowed.txt = input file
Output file:
Deliverable 7: "Loot" // All cracked passwords from 5.1 & 6.1:
| User | Password | Service |
|---|---|---|
| gandalf.grey | gandalfrockyou | SSH |
| peregrin.took | 28Peregrin | SSH |
| bilbo.baggins | Frodo2013 | SSH |
| samwise.gamgee | Mallorn79 | SSH |
| boromir | BoRomir2000Z | SSH |
| galadriel | galadrielarwen111 | SSH |
| samwise | RosieRosie | HTTP |
| bilbo | Rivendell107 | HTTP |
| pippin | adminPippin | HTTP |
| frodo | 1Brandywine | HTTP |
| frodo.baggins | Strider2020 | SSH |
Reflection:
This lab introduced an entirely new set of tools and topics for me. The concept of cracking passwords with hashes is very infatuating, a new tool in my toolbelt, but it seems to be extremely resource-intensive and time-consuming. While the hashcat command ran, I touched up this entry. One deliverable I did struggle with was Deliverable 4, the unshadow command. The command itself was not the issue; rather, I failed to copy and paste the entirety of the /etc/passwd and /etc/shadow file contents into the .txt files. Once I redid the tail -3 command on 10.0.5.21 and ensured I copied and pasted everything as needed, it ended up working. Lastly, the Python command we used in the lab was really interesting; I am curious how else this can be used.
Resources:
- https://www.kali.org/tools/seclists/
- https://www.cyberciti.biz/faq/understanding-etcshadow-file/
- https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
- https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf
- https://www.freecodecamp.org/news/crack-passwords-using-john-the-ripper-pentesting-tutorial/