Cracking Unix Password Hashes with John the Ripper
A few weeks ago we introduced all of you to John the Ripper; now I will show you some cracking. Remember that everything written here is only for educational purposes. Let's begin!
Introduction :»
This post will serve as an introduction to password cracking, and show how to use the popular tool John-the-Ripper to crack standard Unix password hashes.
The Scenario :»
My scenario is the following: We have just compromised and gained root access to a Unix machine on our target's network. Now, to better maintain access, and to facilitate further intrusion, we will attempt to extract and crack the password hashes on the host.
Where are Password Hashes Stored?
Before we can crack the password hashes, we first need to know where they are stored. Traditionally (according to Wikipedia, before 1988) password hashes for accounts were stored in the /etc/passwd file. However, this caused security issues since the file was readable by all users on the system. Now, instead of a password hash, this file contains an "x" to indicate that the password details are located in a different place: the /etc/shadow file. This file is only readable by the superuser (root), so there is far less of a security risk associated with this file.
Password Cracking Process :»
An important thing to note is that these two files have some overlapping content. John the Ripper's tool suite provides a nifty tool called "unshadow" to merge these two files into one. To use it, we simply need to specify the passwd file and the shadow file. For the sake of this post, we will use the /etc/passwd and /etc/shadow files on my local Backtrack VM. In the case of our scenario above, however, we would have copied these files from the compromised machine to our Backtrack machine and then pointed unshadow at those copies. Then, we send the output to a new file of our choice. This looks like the following:
root@bt:~# cd /pentest/passwords/john
root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > ~/passwords.txt
root@bt:/pentest/passwords/john# cat ~/passwords.txt
root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:!:105:113::/var/lib/mysql:/bin/false
avahi:*:106:114::/var/run/avahi-daemon:/bin/false
snort:*:107:115:Snort IDS:/var/log/snort:/bin/false
statd:*:108:65534::/var/lib/nfs:/bin/false
usbmux:*:109:46::/home/usbmux:/bin/false
pulse:*:110:116::/var/run/pulse:/bin/false
rtkit:*:111:117::/proc:/bin/false
festival:*:112:29::/home/festival:/bin/false
postgres:!:1000:1000::/home/postgres:/bin/sh
We can immediately notice the password hash for the user root. Let's fire up JTR, and point it to this passwords.txt file. To perform the cracking, we will use the --single option. From the documentation:
"This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password."
- John the Ripper Documentation
Let's see this in action and attempt to crack the password hash for the root user:
root@bt:/pentest/passwords/john# john --single ~/passwords.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [32/32])
toor (root)
guesses: 1 time: 0:00:00:00 DONE (Fri Jan 4 10:12:42 2013) c/s: 35.00 trying: toor
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# john --show ~/passwords.txt
root:toor:0:0:root:/root:/bin/bash
1 password hash cracked, 0 left
Success! Once John has finished cracking the password hashes found in the passwords.txt file, we can use the command john --show [file] to display the cracked account details. These details are displayed in the same format as the password file, with the only exception being that the password hash is now replaced by the password 'toor' (the default password for the root user on Backtrack).
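The merge that unshadow performs, and the hash-type detection John prints when loading the file, as an added Python example (not code from the post or from John the Ripper). The passwd and shadow inputs are constructed inline; the root hash is the one shown above, and the audit reports which accounts carry a hash a cracker could actually work on, which is the check a defender runs before an attacker does.

```python
# Added example, not code from the post or from John the Ripper: re-implement
# the merge that unshadow performs, then report which accounts in the result
# carry a hash a cracker could actually work on. Both files are constructed.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
"""
# Constructed shadow file; the root hash is the one shown in the post.
SHADOW = """root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:15708:0:99999:7:::
daemon:*:15708:0:99999:7:::
mysql:!:15708:0:99999:7:::
"""
# crypt(3) prefix -> the scheme name John prints when loading the hash
SCHEMES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
           "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' placeholder in passwd with the matching shadow hash."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hashed = line.split(":")[:2]
            shadow[user] = hashed
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "x" and fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged

def classify(hash_field):
    """Name the hash scheme, or 'locked'/'empty' when there is no hash."""
    if hash_field == "":
        return "empty"      # passwordless login, worse than a weak hash
    if hash_field.startswith(("!", "*")):
        return "locked"     # disabled account, nothing to crack
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "descrypt" if len(hash_field) == 13 else "unknown"

def audit(merged_lines):
    """Map each account with a usable hash (or no password) to its scheme."""
    report = {}
    for line in merged_lines:
        user, hashed = line.split(":")[:2]
        kind = classify(hashed)
        if kind != "locked":
            report[user] = kind
    return report
```

Running audit(unshadow(PASSWD, SHADOW)) reports only root as sha512crypt; daemon and mysql are locked and never reach a cracker, which matches the "Loaded 1 password hash" line John printed above.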
I hope this short introduction to password cracking helps you. Keep an eye out for a more comprehensive post covering more JTR cracking techniques, as well as other password cracking tools and methods.