Lab 6.1 - Zacham17/my-tech-journal GitHub Wiki
Lab 6.1: Cracking Linux Passwords with JtR and Hashcat
Preparation/Grabbing Password Hashes
- I used this lab on three users on the bios host, gandalf, boromir, and galadriel
- I saved the lines of /etc/shadow and /etc/passwd for the users gandalf, boromir, and galadriel into files called etc_shadow.txt and etc_passwd.txt
- These lines included password hashes and salt values among other information
Viewing the shadow file
- Reading the shadow file can reveal certain aspects of a hashed password.
- In the shadow file for the three users I am inspecting, a $6 was found at the beginning of the line right after the username. This means that each user's password was hashed using SHA512 hashing.
- The next field is the hash salt, and after that is the hashed password.
- Note: These fields of the hash entry in the /etc/shadow file are separated by a $
- The users I analyzed also have an additional field that specifies how many rounds were used when hashing.
- More on viewing the shadow file can be found here
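The layout described above, as an added example that is not part of the original lab notes: a parser that splits a shadow line on : and its hash field on $, then reports entries with an obsolete scheme or a low round count. The sample entries are constructed with placeholder digests, and the function names and the min_rounds threshold are assumptions chosen for illustration.

```python
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = 5000  # sha256crypt/sha512crypt default when no rounds= field is present

def parse_shadow_line(line):
    """Split one /etc/shadow line into user, scheme, rounds, salt and digest."""
    # Outer fields of /etc/shadow are colon-separated; the second holds the hash string.
    user, _, tail = line.strip().partition(":")
    pw = tail.split(":")[0]
    entry = {"user": user, "scheme": None, "rounds": None, "salt": None, "digest": None}
    if not pw.startswith("$"):
        return entry  # "*", "!" or empty: no password hash to inspect
    # Inner fields of the hash string are $-separated: $id$[rounds=N$]salt$digest
    scheme_id, *rest = pw.split("$")[1:]
    if scheme_id not in SCHEMES:
        raise ValueError("unsupported scheme id: " + scheme_id)
    if scheme_id in ("5", "6"):
        entry["rounds"] = DEFAULT_ROUNDS
        if rest and rest[0].startswith("rounds="):
            entry["rounds"], rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("unexpected hash layout for " + user)
    entry.update(scheme=SCHEMES[scheme_id], salt=rest[0], digest=rest[1])
    return entry

def audit(lines, min_rounds=DEFAULT_ROUNDS):
    """Return (user, reason) pairs for entries with an obsolete scheme or low rounds."""
    findings = []
    for line in lines:
        try:
            e = parse_shadow_line(line)
        except ValueError as err:
            findings.append((line.split(":")[0], "unparsed: %s" % err))
            continue
        if e["scheme"] == "md5crypt":
            findings.append((e["user"], "md5crypt is obsolete"))
        elif e["rounds"] is not None and e["rounds"] < min_rounds:
            findings.append((e["user"], "rounds=%d is below %d" % (e["rounds"], min_rounds)))
    return findings

# Constructed sample entries; the digests are placeholders, not real hashes.
SAMPLE = [
    "alice:$6$rounds=1000$ExampleSalt12345$" + "A" * 86 + ":19000:0:99999:7:::",
    "bob:$6$ExampleSalt67890$" + "B" * 86 + ":19000:0:99999:7:::",
    "carol:$1$oldsalt1$" + "C" * 22 + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(user + ": " + reason)
```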
Using Unshadow Command
- The unshadow utility can be used to create a file usable by John the Ripper to crack the unshadowed hashes.
- To use the unshadow utility, you need /etc/passwd entries and /etc/shadow entries.
- The command I used to unshadow for the three users I am analyzing was
sudo unshadow etc_passwd.txt etc_shadow.txt > unshadowed.txt
- This command put the command results into the unshadowed.txt file
Cracking with John the Ripper (JtR)
- Using the unshadowed.txt file that I just created and the rockyou.txt wordlist, I ran JtR using the command
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
- The command took a little under 2 hours to finish and produced the passwords for all three users: gandalf.grey, galadriel, and boromir
Reverse Engineer a Hash with Python
- I used Python to reverse engineer the galadriel user's shadow entry.
- To do this, I needed the hashing algorithm, the rounds used for hashing, the hash salt, and password for galadriel (which I got from JtR).
- I used the command:
python3 -c "from passlib.hash import sha512_crypt
print(sha512_crypt.hash('galadrielarwen111',rounds=1000,salt='poPWvLT/CfA/scS/'))"
- That command produced an output that is the same as the galadriel user's shadow entry
Cracking with hashcat
- Hashcat is another password cracking tool
- The unshadowed.txt file from earlier can also be used with hashcat
- Before using hashcat, I made a smaller wordlist by grepping for "gandalf", "galadriel", and "boromir" in the rockyou.txt file. This produced a smaller wordlist containing all the lines containing the three searched words. This was to quicken the cracking process. I put this wordlist in a file called small_pass_list.txt
- The command I used was
hashcat -m 1800 -a 0 -o cracked.txt unshadowed.txt small_pass_list.txt
- This command found the passwords from the hash for each user in unshadowed.txt and output the results to a file called cracked.txt
Creating a CSV file for passwords
- I put all of the passwords that I found for the users from this week06 and week05 in a CSV file for organization.
- I used a format similar to this:
user,password,service
frodo,frodospassword,httpd
gandalf.grey,gandalfspassword,ssh
etc....
- I could then copy the contents of the file into a spreadsheet for easier viewing purposes
Notes
Reflection
In this lab I learned new things about password cracking and passwords in general. I learned more about the /etc/shadow file and the format that it uses, as well as how easy it is to crack passwords that aren’t very secure or are available in wordlists. I didn’t encounter many challenges in this lab, but I did notice that it can take quite a while to crack passwords using brute force methods to unhash them. Using password generators can be a good way to generate passwords that aren’t in wordlists. I realized from this lab that passwords can be easy to crack when they use predictable formats, and password generators aim to generate passwords that are not predictable (or at least very hard to guess), and password managers are helpful in providing a safe place to keep generated passwords.