This post is an introduction to password cracking, and shows how to use the popular tool John the Ripper (JtR) to crack standard Unix password hashes. A follow-up post will take a far more comprehensive look at password cracking techniques and at the different tools available (along with their pros and cons).
The Scenario
Our scenario is the following: we have just compromised a Unix machine on our target's network and gained root access. To better maintain access, and to facilitate further intrusion, we will extract and crack the password hashes on the host. Cracked passwords are worth the effort because people reuse them: a password recovered here frequently works on other hosts and services on the same network.
Where are Password Hashes Stored?
Before we can crack the password hashes, we first need to know where they are stored. Traditionally (according to Wikipedia, before 1988) the password hash for each account was stored in the /etc/passwd file. This caused security issues, since that file has to be readable by all users on the system (every tool that maps a UID to a login name depends on it), so any local user could copy the hashes and crack them offline. Now, instead of a hash, the password field of /etc/passwd contains an "x" to indicate that the password details are located in a different place: the /etc/shadow file. That file is only readable by the superuser (root), so an unprivileged user can no longer get at the hashes. This is exactly why our scenario requires root: without it we could read /etc/passwd, but not the hashes in /etc/shadow.
Password File Format
The diagram that accompanied this section (not reproduced here) illustrated the colon-separated format used in the passwd file, which the shadow file essentially mirrors. In /etc/passwd the seven fields are: login name, password field (now just "x"), UID, GID, GECOS (full name or comment), home directory, and login shell. In /etc/shadow the first two fields are again the login name and the password hash; the remaining fields hold password-aging information (date of last change, minimum and maximum age, warning period, inactivity period, expiry date, and a reserved field). A hash field of "*" or "!" means the account is locked and has no crackable password.
Password Cracking Process
An important thing to note is that these two files share the login name as their key, and only the shadow file carries the hash. John the Ripper's tool suite provides a nifty tool called "unshadow" that merges them into one file by replacing the "x" in each passwd line with the corresponding hash from shadow. To use it, we simply specify the passwd file and the shadow file. For the sake of this post, we will use the /etc/passwd and /etc/shadow files on my local Backtrack VM. In the case of our scenario above, however, we would first copy the two files from the compromised machine to our Backtrack machine and then point unshadow at those copies. The output is redirected to a new file of our choice. This looks like the following:
root@bt:~# cd /pentest/passwords/john
root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > ~/passwords.txt
root@bt:/pentest/passwords/john# cat ~/passwords.txt
root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:!:105:113::/var/lib/mysql:/bin/false
avahi:*:106:114::/var/run/avahi-daemon:/bin/false
snort:*:107:115:Snort IDS:/var/log/snort:/bin/false
statd:*:108:65534::/var/lib/nfs:/bin/false
usbmux:*:109:46::/home/usbmux:/bin/false
pulse:*:110:116::/var/run/pulse:/bin/false
rtkit:*:111:117::/proc:/bin/false
festival:*:112:29::/home/festival:/bin/false
postgres:!:1000:1000::/home/postgres:/bin/sh
Of the cracking modes john offers, the one to start with is "single crack" mode, which the JtR documentation describes as follows:
"This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password."
Let's see this in action and attempt to crack the password hash for the root user. Note that john identifies the hash type from the "$6$" prefix; the warning in the output below only says that the same hashes could also be loaded through the generic (and slower) system crypt(3) interface, so it can be ignored here:
root@bt:/pentest/passwords/john# john --single ~/passwords.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [32/32])
toor (root)
guesses: 1 time: 0:00:00:00 DONE (Fri Jan 4 10:12:42 2013) c/s: 35.00 trying: toor
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# john --show ~/passwords.txt
root:toor:0:0:root:/root:/bin/bash
1 password hash cracked, 0 left
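Why did john find "toor" instantly? Because single crack mode takes the login name "root" and, among many other mangling rules, tries it reversed. The following added example (not code from the post or from JtR) shows a miniature of that mode: it derives candidates from the login name, GECOS field and home directory of an unshadowed line, applies a handful of rules (JtR's real rule set is far larger), and checks each candidate with a pure-Python implementation of the crypt(3) "$6$" sha512crypt scheme, so it runs without john or a crypt module. Only "$6$" hashes with the default 5000 rounds are supported; the sample line is the page's root entry, and the locked mysql line is constructed to show that such entries are skipped.

```python
"""Miniature of john's single crack mode plus a pure-Python sha512crypt.
Added example; handles only $6$ hashes with the default 5000 rounds."""
import hashlib
from typing import Iterator, Optional, Tuple

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) $6$ algorithm (Drepper's SHA-crypt) as implemented in glibc."""
    pw, sl = password.encode(), salt.encode()[:16]
    H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()
    rep = lambda block, n: (block * (n // len(block) + 1))[:n]  # repeat/truncate to n bytes

    b = H(pw, sl, pw)                                  # digest B
    ctx = hashlib.sha512(pw + sl + rep(b, len(pw)))
    n = len(pw)
    while n:                                           # each bit of len(pw) selects B or pw
        ctx.update(b if n & 1 else pw)
        n >>= 1
    a = ctx.digest()                                   # digest A
    p = rep(H(pw * len(pw)), len(pw))                  # P bytes
    s = rep(H(sl * (16 + a[0])), len(sl))              # S bytes
    c = a
    for i in range(rounds):                            # the deliberately slow loop
        ctx = hashlib.sha512()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    # glibc's shuffled base64: byte triples (i, i+21, i+42) rotated by i % 3, then byte 63
    out = []
    for i in range(21):
        t = (i, i + 21, i + 42)
        t = t[i % 3:] + t[:i % 3]
        w = (c[t[0]] << 16) | (c[t[1]] << 8) | c[t[2]]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = c[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "$6$" + sl.decode() + "$" + "".join(out)


# A tiny stand-in for john's single-mode rules (the real list is much longer).
RULES = [
    ("as-is", lambda w: w),
    ("lowercase", str.lower),
    ("capitalize", str.capitalize),
    ("uppercase", str.upper),
    ("reverse", lambda w: w[::-1]),
    ("append 1", lambda w: w + "1"),
    ("append 123", lambda w: w + "123"),
]


def single_candidates(line: str) -> Iterator[Tuple[str, str]]:
    """Yield (rule name, candidate) built from login, GECOS words and home basename."""
    fields = line.split(":")
    login, gecos, home = fields[0], fields[4], fields[5]
    words = [login] + gecos.replace(",", " ").split() + [home.rstrip("/").rsplit("/", 1)[-1]]
    seen = set()
    for word in words:
        for name, rule in RULES:
            cand = rule(word)
            if cand and cand not in seen:
                seen.add(cand)
                yield name, cand


def crack_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (password, rule) for an unshadowed line, or None on a miss/unsupported hash."""
    field = line.split(":")[1]
    parts = field.split("$")
    if len(parts) != 4 or parts[1] != "6":   # 'x', locked ('!', '*'), or not $6$
        return None
    for rule, cand in single_candidates(line):
        if sha512_crypt(cand, parts[2]) == field:
            return cand, rule
    return None


# The root line from the unshadow listing above; the mysql line is constructed.
ROOT_LINE = ("root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb."
             "8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash")
MYSQL_LINE = "mysql:!:105:113::/var/lib/mysql:/bin/false"

if __name__ == "__main__":
    print(crack_line(ROOT_LINE))   # -> ('toor', 'reverse')
    print(crack_line(MYSQL_LINE))  # -> None, locked account
```

Each sha512crypt guess costs 5000 SHA-512 iterations, which is the whole point of the scheme: john's "c/s: 35.00" line above is the same cost showing up as candidates per second. Single mode pays off because it only has to spend those iterations on a few dozen account-derived guesses, whereas a wordlist or brute-force run spends them on millions.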
I hope this short introduction to password cracking helps. Keep an eye out for a more comprehensive post covering more JTR cracking techniques, as well as other password cracking tools and methods. And, as always, don't hesitate to leave any questions or comments below.
-Jordan