HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Cracking Cracking Unix Password Hashes with John the Ripper (JTR)

Status
Not open for further replies.
S

sQuo

~ KillmeMories ~
Shadow
User
Joined
Oct 16, 2011
Messages
5,851
Reputation
0
Reaction score
22,904
Points
688
Credits
0
‎13 Years of Service‎
24%


Cracking Unix Password Hashes with John the Ripper (JTR)

by Jordan








Introduction

This post will serve as an introduction to password cracking, and show how to use the popular tool
This link is hidden for visitors. Please Log in or register now.
to crack standard Unix password hashes. I am also working on a follow-up post that will provide a far more comprehensive look at password cracking techniques as well as the different tools employed (as well as their pros/cons).

The Scenario

Our scenario is the following: We have just compromised and gained
This link is hidden for visitors. Please Log in or register now.
to a Unix machine on our target's network. Now, to better maintain access, and to facilitate further intrusion, we will attempt to extract and crack the password hashes on the host.

Where are Password Hashes Stored?

Before we can crack the password hashes, we first need to know where they are stored. Traditionally (according to Wikipedia,
This link is hidden for visitors. Please Log in or register now.
) password hashes for account were stored in the
This link is hidden for visitors. Please Log in or register now.
file. However, this caused security issues since the file was readable by all users on the system. Now, instead of a password hash, this file contains an "x" to indicate that the password details are located in a different place: the
This link is hidden for visitors. Please Log in or register now.
file. This file is only readable by the superuser (root), so there is far less of a security risk associated with this file.

Password File Format

The following diagram will hopefully help illustrate the
This link is hidden for visitors. Please Log in or register now.
used in the passwd (and essentially the shadow) files:


This link is hidden for visitors. Please Log in or register now.




Password Cracking Process

An important thing to note is that these two files have some overlapping content. John the Ripper's tool suite provides a nifty tool to merge these two files into one called "unshadow". To use it, we simply need to specify the passwd file, and the shadow file. For the sake of this post, we will use the /etc/passwd and /etc/shadow files on my local Backtrack VM. However, in the case of our scenario above we will have copied these files from our compromised machine to our Backtrack machine, and then specify the location of these files to unshadow. Then, we send the output to a new file of our choice. This looks like the following:

Code: 
>root@bt:~# cd /pentest/passwords/john
root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > ~/passwords.txt
root@bt:/pentest/passwords/john# cat ~/passwords.txt
root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:!:105:113::/var/lib/mysql:/bin/false
avahi:*:106:114::/var/run/avahi-daemon:/bin/false
snort:*:107:115:Snort IDS:/var/log/snort:/bin/false
statd:*:108:65534::/var/lib/nfs:/bin/false
usbmux:*:109:46::/home/usbmux:/bin/false
pulse:*:110:116::/var/run/pulse:/bin/false
rtkit:*:111:117::/proc:/bin/false
festival:*:112:29::/home/festival:/bin/false
postgres:!:1000:1000::/home/postgres:/bin/sh
We can immediately notice the password hash for the user root. Let's fire up JTR, and point it to this passwords.txt file. To perform the cracking, we will use the --single option. From the documentation:

"This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password."

This link is hidden for visitors. Please Log in or register now.







Let's see this in action and attempt to crack the password hash for the root user:

Code: 
>root@bt:/pentest/passwords/john# john --single ~/passwords.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [32/32])
toor (root)
guesses: 1 time: 0:00:00:00 DONE (Fri Jan 4 10:12:42 2013) c/s: 35.00 trying: toor
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# john --show ~/passwords.txt
root:toor:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left
Success! After we finished cracking the password hashes found in the passwords.txt file, we can use the command john --show [file] to display the found account details. These details are displayed in the same format as the password file, with the only exception being that the password hash is now replaced by the password 'toor' (the default password for the root user on Backtrack).

I hope this short introduction to password cracking helps. Keep an eye out for a more comprehensive post covering more JTR cracking techniques, as well as other password cracking tools and methods. And, as always, don't hesitate to leave any questions or comments below.

This link is hidden for visitors. Please Log in or register now.


-Jordan

 
Status
Not open for further replies.
Back
Top