One of the first post exploitation activities when we have compromised a target is to obtain the passwords hashes in order to crack them offline.If we managed to crack the hashes then we might be able to escalate our privileges and to gain administrative access especially if we have cracked the administrator’s hash.In this tutorial we will see how to obtain and crack password hashes from a Unix box.

Lets say that we have exploited a vulnerability and we have gained a remote shell to our target.The next step is to see the directories and files that exist on the remote system with the command ls.

Directories of the remote system

 

The next step is to read the /etc/passwd file which contains all the accounts of the remote system.The next image is showing the list of the local accounts of the machine that we have compromised.Lets analyse the information that we can obtain from the first account which is root.The first field indicates the username,the field x means that the password is encrypted and it is stored on the /etc/shadow file.The number 0 means that this the userID which for root accounts is always zero and the next 0 is the groupID.Next we can see the root where we can find any extra information about the user (in this case there is no other extra information) and the last two fields /root and /bin/bash are the user home directory and the command shell.

Reading the /etc/passwd file

 

Now that we have the list with the accounts of the remote system we can save that list in a file for later use which it will be called passwords.txt.The next step is to obtain the passwords hashes.As we know in unix systems the password hashes are stored in the /etc/shadow location so we will run the command cat /etc/shadow in order to see them.

Reading the password hashes of the target

 

So we will save the hashes as well in a file called shadow.txt and we will use the famous password cracker john the ripper in order to crack those hashes.In backtrack john the ripper is located in the following path: /pentest/passwords/john.

john the ripper directory

 

From the above image we can see all the files that the directory john contains.In that list there is a utility called unshadow.We will run this utility in order to be able to read the shadow file before we try to crack it.So we will need to execute the command ./unshadow /root/Desktop/Cracking/passwords.txt /root/Desktop/Cracking/shadow.txt > /root/Desktop/Cracking/cracked.txt

This command will combine the two files that we have created before into a single file called cracked.txt.Now we are ready to crack those hashes with the command ./john /root/Desktop/Cracking/cracked.txt.As we can see john the ripper cracked easily those password hashes so now we have all the usernames and passwords from our target.

Cracked passwords

 

If we want to see the passwords that we cracked we can run the show command from john.For example ./john –show /root/Desktop/Cracking/cracked.txt

Display all passwords of the target

 

Now that we have all the passwords we can use them in order to connect remotely to our target.For example if our target is running an SSH server then we use that service.In this specific example we will connect under the username sys.The password for the sys account is batman as we have discovered it previously.

Connection through SSH

 

Conclusion

In this article we saw how to obtain and crack the password hashes of the remote system.In penetration testing engagements if we manage to crack a password hash from the target then we have a valid account which will allow us to have permanent access to the box.So obtaining and cracking the hashes it should be one of the first post exploitation activities as penetration testers.

Advertisements