One of the first post exploitation activities when we have compromised a target is to obtain the passwords hashes in order to crack them offline.If we managed to crack the hashes then we might be able to escalate our privileges and to gain administrative access especially if we have cracked the administrator’s hash.In this tutorial we will see how to obtain and crack password hashes from a Unix box.

Lets say that we have exploited a vulnerability and we have gained a remote shell to our target.The next step is to see the directories and files that exist on the remote system with the command ls.

Directories of the remote system

 

The next step is to read the /etc/passwd file which contains all the accounts of the remote system.The next image is showing the list of the local accounts of the machine that we have compromised.Lets analyse the information that we can obtain from the first account which is root.The first field indicates the username,the field x means that the password is encrypted and it is stored on the /etc/shadow file.The number 0 means that this the userID which for root accounts is always zero and the next 0 is the groupID.Next we can see the root where we can find any extra information about the user (in this case there is no other extra information) and the last two fields /root and /bin/bash are the user home directory and the command shell.

Reading the /etc/passwd file

 

Now that we have the list with the accounts of the remote system we can save that list in a file for later use which it will be called passwords.txt.The next step is to obtain the passwords hashes.As we know in unix systems the password hashes are stored in the /etc/shadow location so we will run the command cat /etc/shadow in order to see them.

Reading the password hashes of the target

 

So we will save the hashes as well in a file called shadow.txt and we will use the famous password cracker john the ripper in order to crack those hashes.In backtrack john the ripper is located in the following path: /pentest/passwords/john.

john the ripper directory

 

From the above image we can see all the files that the directory john contains.In that list there is a utility called unshadow.We will run this utility in order to be able to read the shadow file before we try to crack it.So we will need to execute the command ./unshadow /root/Desktop/Cracking/passwords.txt /root/Desktop/Cracking/shadow.txt > /root/Desktop/Cracking/cracked.txt

This command will combine the two files that we have created before into a single file called cracked.txt.Now we are ready to crack those hashes with the command ./john /root/Desktop/Cracking/cracked.txt.As we can see john the ripper cracked easily those password hashes so now we have all the usernames and passwords from our target.

Cracked passwords

 

If we want to see the passwords that we cracked we can run the show command from john.For example ./john –show /root/Desktop/Cracking/cracked.txt

Display all passwords of the target

 

Now that we have all the passwords we can use them in order to connect remotely to our target.For example if our target is running an SSH server then we use that service.In this specific example we will connect under the username sys.The password for the sys account is batman as we have discovered it previously.

Connection through SSH

 

Conclusion

In this article we saw how to obtain and crack the password hashes of the remote system.In penetration testing engagements if we manage to crack a password hash from the target then we have a valid account which will allow us to have permanent access to the box.So obtaining and cracking the hashes it should be one of the first post exploitation activities as penetration testers.

7 Comments

  1. You forgot to mention that you must be “root” equivalent to dump the /etc/shadow file. If you have that privilege already you don’t really need to dump and crack the passwords.

    1. You still need to crack the passwords, as in many cases, weak password credentials are reused within the network and can assist the penetration tester in pivoting to other machines. If you’re attacking several machines in an internal network and you manage to crack several passwords, you can easily fire up a tool like hydra to quickly attempt a login for a cracked user account across the network.

  2. You are right Bryan!You need to be root in order to read the /etc/shadow.However I will not agree with you that there is no need to dump and crack passwords because you will need that in order to discover alternative routes for access on the remote machine.

  3. If you already have root access on the target how do you dump it’s shadow file and passwd file to your attack server so you’re able to run John against the two files? Don’t you need to copy them to your machine to run John against them?

    1. I would assume you need to establish more than an SSH connection to the target to copy files from it back to your attack server. Is that correct?

  4. You can dump the cat info from the passwd and shadow files to a simple text file for each on your end. I then name them passwd and shadow and run unshadow on them to another file and run john against the combined file. Unshadow puts the password hash with the username in the format that John expects.

Leave a Reply to shellnobi Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s