Friday, January 4, 2013

Cracking Unix Password Hashes with John the Ripper (JTR)

Introduction

This post will serve as an introduction to password cracking, and show how to use the popular tool John-the-Ripper (JTR) to crack standard Unix password hashes. I am also working on a follow-up post that will provide a far more comprehensive look at password cracking techniques as well as the different tools employed (as well as their pros/cons).
The Scenario

Our scenario is the following: We have just compromised and gained root access to a Unix machine on our target's network. Now, to better maintain access, and to facilitate further intrusion, we will attempt to extract and crack the password hashes on the host.

Where are Password Hashes Stored?

Before we can crack the password hashes, we first need to know where they are stored. Traditionally (according to Wikipedia, before 1988) password hashes for account were stored in the /etc/passwd file. However, this caused security issues since the file was readable by all users on the system. Now, instead of a password hash, this file contains an "x" to indicate that the password details are located in a different place: the /etc/shadow file. This file is only readable by the superuser (root), so there is far less of a security risk associated with this file.

Password File Format

The following diagram will hopefully help illustrate the format used in the passwd (and essentially the shadow) files:



Password Cracking Process

An important thing to note is that these two files have some overlapping content. John the Ripper's tool suite provides a nifty tool to merge these two files into one called "unshadow". To use it, we simply need to specify the passwd file, and the shadow file. For the sake of this post, we will use the /etc/passwd and /etc/shadow files on my local Backtrack VM. However, in the case of our scenario above we will have copied these files from our compromised machine to our Backtrack machine, and then specify the location of these files to unshadow. Then, we send the output to a new file of our choice. This looks like the following:

We can immediately notice the password hash for the user root. Let's fire up JTR, and point it to this passwords.txt file. To perform the cracking, we will use the --single option. From the documentation:

"This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password."


Let's see this in action and attempt to crack the password hash for the root user:

Success! After we finished cracking the password hashes found in the passwords.txt file, we can use the command john --show [file] to display the found account details. These details are displayed in the same format as the password file, with the only exception being that the password hash is now replaced by the password 'toor' (the default password for the root user on Backtrack).

I hope this short introduction to password cracking helps. Keep an eye out for a more comprehensive post covering more JTR cracking techniques, as well as other password cracking tools and methods. And, as always, don't hesitate to leave any questions or comments below.

-Jordan

1 comment: