Module #6 Journal Entries - wAlber47/Tech-Journal GitHub Wiki

🚧 Under Construction 🚧

Cracking Administrator Account

Working towards getting the administrator password for the jim.hoag account was much easier than I thought. Starting out, we copied the web content to a local server, to avoid any issues using cewl on LinkedIn.

Past that, I narrowed my cewl list down to only places, then started running brute-force attacks with four passwords at a time. I did this just so that the scans might be a little faster. I also started out by focusing on places, as that is what many of the previous passwords were.

By using the same rsmangler and hydra commands as last week I was able to crack the password. These can be found on the loot Wiki page.

Shadow File

Basics

Located at /etc/shadow, this file holds each user's details on a single line made up of nine fields separated by colons. An example from our lab can be seen here:

[image: example /etc/shadow entry from the lab]

The syntax can be broken up by looking at each colon within the string. The breakdown is as follows:

  1. Username: This is your login name.
  2. Password: The user's hashed password. The password should be a minimum of 8-12 characters long, including special characters, digits, lower case letters and more. The field is usually in the format $id$salt$hashed, where $id identifies the algorithm GNU/Linux used to hash the password:
    1. $1$ is MD5
    2. $2a$ is Blowfish
    3. $2b$ is Blowfish
    4. $5$ is SHA-256
    5. $6$ is SHA-512
  3. Last Password Change: Days since Jan 1, 1970 that password was last changed.
  4. Minimum: The minimum number of days required between password changes.
  5. Maximum: The maximum number of days the password is valid.
  6. Warn: The number of days before the password expires during which the user is warned that it must be changed.
  7. Inactive: The number of days after the password expires before the account is disabled.
  8. Expire: Days since Jan 1, 1970 that account is disabled, i.e. an absolute date specifying when the login may no longer be used.
  9. Reserved: Section reserved for future use or other functions.
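To see the nine-field format and the $id$salt$hashed layout in code, here is an added example (not from the lab or this wiki): a small parser that splits constructed sample entries, identifies the hash algorithm from the $id$ prefix, and flags what a defender auditing the file would want to catch (weak MD5 hashes, empty passwords, expired passwords and accounts). The sample hashes are fake placeholders; the -m numbers other than 1800 are hashcat's published modes for those algorithms.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)
FIELDS = ("user", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
# crypt(3) $id$ prefix -> (algorithm name from the list above, hashcat -m mode)
HASH_IDS = {"1": ("MD5", 500), "2a": ("Blowfish", 3200), "2b": ("Blowfish", 3200),
            "5": ("SHA-256", 7400), "6": ("SHA-512", 1800)}

def parse_shadow_line(line):
    """Split one shadow line into its nine fields; the six day-count fields become int or None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for f in FIELDS[2:8]:
        rec[f] = int(rec[f]) if rec[f] else None  # empty field means "not set"
    return rec

def hash_info(pw):
    """Return (algorithm, hashcat mode); mode is None when there is no hash to recover."""
    if pw == "":
        return ("EMPTY", None)       # login possible without any password
    if pw[0] in "!*":
        return ("LOCKED", None)      # locked account, hash (if any) is unusable
    if pw.startswith("$") and pw.split("$")[1] in HASH_IDS:
        return HASH_IDS[pw.split("$")[1]]
    return ("UNKNOWN", None)         # e.g. $y$ yescrypt or legacy 13-char DES crypt

def audit(line, today_iso):
    """Findings a defender would act on for one entry, judged as of the ISO date given."""
    today = date.fromisoformat(today_iso)
    rec = parse_shadow_line(line)
    algo, _mode = hash_info(rec["password"])
    findings = []
    if algo == "EMPTY":
        findings.append("no password set")
    elif algo == "MD5":
        findings.append("weak hash algorithm (MD5)")
    if algo not in ("EMPTY", "LOCKED") and rec["lastchg"] is not None and rec["max"] is not None:
        expires_on = EPOCH + timedelta(days=rec["lastchg"] + rec["max"])  # fields 3 + 5
        if expires_on < today:
            findings.append(f"password expired on {expires_on}")
    if rec["expire"] is not None and EPOCH + timedelta(days=rec["expire"]) < today:  # field 8
        findings.append("account expiry date has passed")
    return findings
# Constructed sample entries (not the lab's file; the hash strings are fake placeholders).
SAMPLE = ["root:$6$saltsalt$FAKEHASHFAKEHASH:18900:0:99999:7:::",
          "alice:$1$abcdefgh$FAKEMD5HASH:18000:0:90:7:::",
          "guest::18900:0:99999:7:::",
          "svc_backup:!:18900:0:99999:7::19000:"]
```

Running `audit(entry, "2022-06-01")` over SAMPLE reports nothing for root, a weak MD5 hash plus an expired password for alice, an empty password for guest, and a passed expiry date for the locked svc_backup account.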

Working with Shadow

In order to use this file with a program like John the Ripper, we have to first "unshadow" it. This can be done with the unshadow command as follows.

We need both the /etc/shadow file and the /etc/passwd file in this step. The /etc/passwd file keeps track of user account information, similar to the shadow file; despite its name, password hashes are not stored in it. The unshadow command combines the data of these two files into one file that pairs each username with its password hash.

[image: unshadow command run against /etc/passwd and /etc/shadow]

Now the file can be used with John the Ripper.

John the Ripper

John the Ripper is a free password-cracking tool. It works by using the dictionary method favored by attackers as the easiest way to guess a password: it takes candidate strings from a word list of common dictionary words and tests them against the stored hashes. It can also deal with many encrypted password formats, for both online and offline attacks.

For the purpose of our lab, we will be combining the rockyou.txt word list with the un-shadowed file that was created. This can be done like this:

[image: john command using rockyou.txt against the unshadowed file]

This program might take a while to run, but it will recover the passwords. We could shorten this time by using a smaller word list, or by trimming the list down using command flags. A really good cheat sheet that I located can be found here; it contains all the possible flags and their uses.

Hashcat

This is primarily a password recovery tool, but it advertises itself as the "world's fastest password cracker". Even though in this lab we already recovered the passwords with John the Ripper, it's good to get experience using Hashcat.

Just like with JTR, we used rockyou.txt to help crack the password. The syntax for the command we ran can be seen here:

[image: hashcat command syntax used in the lab]

Although not as nicely formatted, here is a cheat sheet for Hashcat that can be used in the future to perform brute-force attacks with the tool.

One more important thing to know about the tool: Hashcat uses the -m flag to specify the hash type. In our case we used "1800", which corresponds to sha512crypt ($6$), the SHA-512 variant used in /etc/shadow. The entire list of these mode numbers can be found here. Remember, the hash type can be read from the $id$ prefix of the password field in /etc/shadow.