Lab 6.1 Password Cracking Linux - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

NOTE: This page is essentially a part 2 to Lab 5.1: Password-Guessing, so it is recommended to know what happened in that lab (and the password-guessing techniques used there!)

In this lab we used various password cracking techniques to get more passwords from the target (see Lab 5.1: Password-Guessing).

Notes

First I installed SecLists (a collection of many different wordlists; on Kali it is placed under /usr/share/seclists) with the command:

  • sudo apt install seclists

Then I used the "peregrin.took" account on the target (10.0.5.21) to become root and dump the last 3 entries of /etc/passwd with the command:

  • tail -n 3 /etc/passwd

And then the last 3 entries from /etc/shadow (which is readable only by root, hence the escalation) with the command:

  • tail -n 3 /etc/shadow

Once these were dumped to the screen, I copied them into the files "etc_passwd.txt" and "etc_shadow.txt" respectively. I just copied and pasted here, but I could have used scp as well.

Examining the "etc_shadow.txt" file, I was tasked with dissecting the shadow entry for the user "galadriel". Below is the essential information when dissecting a shadow entry (nine colon-separated fields):

  • Field 1: the username
  • Field 2: the password field, written $id$salt$hash, or $id$rounds=N$salt$hash when a non-default round count was used. $6$ is SHA-512 crypt (hashcat mode 1800), $5$ is SHA-256 crypt, $1$ is MD5 crypt and $y$ is yescrypt; a "!" or "*" here means the account has no usable password. The salt is the text after the id (and after rounds=N$, if present) up to the next "$", at most 16 characters; for $6$ the hash is the 86-character string after that "$".
  • Fields 3-9: the date of the last password change (days since 1970-01-01), minimum password age, maximum password age, warning period, inactivity period, account expiry date, and a reserved field

Example below of the galadriel shadow entry (highlighted in red is the salt and in blue the hash!):
(screenshot: galadriel's /etc/shadow entry)

After spending time dissecting the /etc/shadow file, I used the unshadow command to create a usable file for John the Ripper (JtR):

  • unshadow etc_passwd.txt etc_shadow.txt > unshadowed.txt

NOTE: unshadow only prints to standard output, so its output has to be redirected into a file (the > unshadowed.txt above)

And then I used the following JtR command to crack the file hashes (rockyou wordlist):

  • john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Example of above command:
(screenshot: john running against unshadowed.txt)

NOTE: The above command is fairly self explanatory: set --wordlist= to the wordlist and give the file whose hashes you want to crack, unshadowed.txt. When john finishes (or after you stop it), john --show unshadowed.txt prints the username:password pairs it has cracked so far. Also, cracking can and will take a while (especially on a VM), so stronger hardware should be used if possible. See this link to Champlain's humpty setup (stronger hardware).

Then I practiced reverse engineering the shadow file using Python. To practice this I rebuilt the shadow entry for the user "boromir" (after cracking that user's password). I used the following Python command (it needs the passlib package, installed with pip install passlib) to take the password and salt and remake the hash; the quoted string spans two lines, so press Enter after sha512_crypt and type the print line at the continuation prompt. The salt and the rounds value must be copied from boromir's own shadow entry, since a different salt or round count gives a different hash; an entry with no rounds= field was hashed with the default of 5000 rounds:

python3 -c "from passlib.hash import sha512_crypt
print(sha512_crypt.hash('BoRomir2000Z',rounds=1000,salt='UvKLGar/VWtqFGCE'))"
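To make the dissection above, the unshadow step and the passlib rebuild concrete, here is an added Python example that is not from the original lab page or from passlib. It parses a shadow line into its nine fields, joins passwd and shadow lines the way unshadow does, reimplements the $6$ sha512-crypt algorithm of glibc's crypt(3) (the same algorithm passlib's sha512_crypt.hash computes) using only hashlib, and runs a straight wordlist attack against the entry, which is what john --wordlist and hashcat -a 0 do one candidate at a time. The sample passwd/shadow lines, the UID and aging values and the three-word wordlist are constructed; the boromir hash is computed here from the password and salt in the command above, since the real hash is not shown on this page.

```python
"""Dissect /etc/shadow entries, rebuild $6$ hashes and run a wordlist attack (stdlib only)."""
import hashlib

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order of the final digest in sha512-crypt output: 21 triples, then one byte.
TRIPLES = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
           (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
           (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
           (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
           (62, 20, 41)]
AGING = ("lastchange", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_shadow_entry(line):
    """Split 'user:$6$[rounds=N$]salt$hash:lastchange:min:max:warn:inactive:expire:'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has 9 colon-separated fields")
    pw = fields[1]
    entry = {"user": fields[0], "raw": pw, "rounds": 5000, "explicit_rounds": False}
    entry.update(zip(AGING, fields[2:]))
    if not pw.startswith("$6$"):
        entry["method"] = "other"  # $1$/$5$/$y$ hashes, or "!"/"*" for a locked account
        return entry
    entry["method"] = "sha512-crypt"
    parts = pw[3:].split("$")
    if parts[0].startswith("rounds="):       # only present for a non-default round count
        entry["explicit_rounds"] = True
        entry["rounds"] = int(parts.pop(0)[len("rounds="):])
    entry["salt"], entry["hash"] = parts[0], parts[1]
    return entry

def unshadow(passwd_lines, shadow_lines):
    """Put each user's shadow hash in place of the 'x' in the passwd line, like unshadow(8)."""
    hashes = dict(l.split(":")[:2] for l in shadow_lines)
    out = []
    for l in passwd_lines:
        f = l.rstrip("\n").split(":")
        f[1] = hashes.get(f[0], f[1])
        out.append(":".join(f))
    return out

def _b64_24bit(b2, b1, b0, n):
    """crypt(3)'s base64 variant: n chars of 6 bits each, least significant first."""
    w, out = (b2 << 16) | (b1 << 8) | b0, ""
    for _ in range(n):
        out, w = out + B64[w & 0x3F], w >> 6
    return out

def sha512_crypt(password, salt, rounds=None):
    """Drepper's sha512-crypt ($6$) as in glibc crypt(3); rounds=None = default 5000, no rounds= field."""
    pw, salt = password.encode(), salt[:16].encode()  # crypt(3) keeps at most 16 salt chars
    n = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha512(pw + salt + pw).digest()                  # digest B
    a = hashlib.sha512(pw + salt)                                 # digest A ...
    a.update(b * (len(pw) // 64) + b[:len(pw) % 64])              # ... B for each byte of pw ...
    i = len(pw)
    while i:                                                      # ... B or pw per bit of len(pw)
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()                   # P = DP tiled to len(pw) bytes
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()             # S = DS tiled to len(salt) bytes
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a
    for r in range(n):                 # the slow part: n chained SHA-512s mixing C, P and S
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in TRIPLES)
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds is None else "$6$rounds=%d$" % n
    return prefix + salt.decode() + "$" + enc

def verify(entry, candidate):
    """True if candidate, hashed with the entry's own salt and rounds, equals the entry."""
    rounds = entry["rounds"] if entry["explicit_rounds"] else None
    return entry["method"] == "sha512-crypt" and sha512_crypt(candidate, entry["salt"], rounds) == entry["raw"]

def crack(entry, wordlist):
    """Straight wordlist attack: what 'john --wordlist' and 'hashcat -a 0' do, one word at a time."""
    return next((w for w in wordlist if verify(entry, w)), None)

# Constructed sample data: the boromir password and salt from the passlib command above,
# hashed here at rounds=1000 (the real hash is not on this page); UID and aging values made up.
PASSWD = ["boromir:x:1004:1004::/home/boromir:/bin/bash"]
SHADOW = ["boromir:" + sha512_crypt("BoRomir2000Z", "UvKLGar/VWtqFGCE", 1000) + ":19000:0:99999:7:::"]
WORDLIST = ["password", "boromir", "BoRomir2000Z"]  # stand-in for rockyou.txt

if __name__ == "__main__":
    print(unshadow(PASSWD, SHADOW)[0])
    entry = parse_shadow_entry(SHADOW[0])
    print({k: entry[k] for k in ("user", "method", "rounds", "salt", "hash", "lastchange")})
    print("cracked:", crack(entry, WORDLIST))
```

Two things the example makes visible that the tools hide: the round count is the knob that makes each guess slow (the rounds loop is where john and hashcat spend their time, and at rounds=1000 boromir's entry is five times cheaper to attack than a default 5000-round entry), and the salt is not secret, it is right there in the entry and only stops a precomputed table from being reused across users. Passing the same password with a different salt or round count in sha512_crypt gives an entirely different string, which is why both have to be copied from the target entry when rebuilding it with passlib.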

To continue practicing my password cracking skills, I used hashcat to crack the user "boromir"'s password (rockyou wordlist) with the command:

  • hashcat -m 1800 -a 0 -o boromir_cracked.txt boromir_unshadowed.txt /usr/share/wordlists/rockyou.txt

NOTE: I ran unshadow on the boromir shadow entry before the hashcat command (producing boromir_unshadowed.txt). hashcat expects one hash per line, or user:hash when run with --username; if it rejects a full unshadowed line with a token length error, cut the line down to just the $6$... field.

Breakdown of above hashcat command (good Hashcat Reference):

  • -m 1800 = the hash type (1800 is sha512crypt, the $6$ format used in /etc/shadow; plain SHA-512 is a different mode, 1700)
  • -a 0 = the attack mode (0 is Straight, i.e. each wordlist entry is tried as-is)
  • -o boromir_cracked.txt = the outfile, written as hash:password
  • boromir_unshadowed.txt = the infile (the hashes to crack)

This gave the following file:
(screenshot: boromir_cracked.txt)

Table of all cracked passwords from 5.1 and 6.1

Username         Password            Service
gandalf.grey     gandalfrockyou      SSH
peregrin.took    28Peregrin          SSH
bilbo.baggins    Frodo2013           SSH
samwise.gamgee   Mallorn79           SSH
boromir          BoRomir2000Z        SSH
galadriel        galadrielarwen111   SSH
samwise          RosieRosie          HTTP
bilbo            Rivendell107        HTTP
pippin           adminPippin         HTTP

Reflection:

  • Password cracking takes a while
    • Cracking hashes takes a while, and should be given ample time to do so. This cracking time SHOULD be used for working on something else productive.
  • Hashcat or JtR?
    • I have used neither tool enough to determine which one is "better" or which I would rather use. I did like that I could check the status with Hashcat, but JtR seemed faster (at least on humpty). Comparing humpty stats, Hashcat took 1 hour for 1 password and JtR finished 3 passwords in 1 hour (though I was using humpty alone for about half an hour, so that might have affected the results!). With that small sample size I can't make definitive conclusions, but I will probably continue to use JtR on humpty.
  • Python one-liners
    • I did not know you could do Python one-liners in the console, and I am very interested to see what more this could do (inside or outside of class).

Sources: