An opportunity to play with root privilege and try out practical password cracking tools.

Preparation | Procedure


We are, after a fair amount of work, finally able to netboot Kali Linux in CSF-2112 while disconnected from the campus network. In one sense there’s nothing "special" about Kali: it’s just a Debian variant pre-bundled with a bunch of hacking tools. Having our own self-contained netboot environment, however, allows us to do two things we can’t do in a regular LabNet environment:

  1. run tools like network scanners and attack tools

  2. give students root privilege

The only downside of this setup is that we don’t have access to the LabNet file server. So, in order to persist data after the lab, please bring a USB stick to save your results on.


For this lab, our ephemeral Kali images will use the username l33t and the password opposable thumbs.

  1. Using the /etc/passwd and /etc/group files, as well as the id and finger commands, identify all of the "real" users (i.e., not system "users" like nobody or messagebus) on your computer. How can you distinguish "real" users from system "users"?

  2. Gain privilege

    1. Attempt to switch to the root user via the su command. Explain why this attempt fails.

    2. Use sudo to gain root privilege. Explain, with reference to the /etc/sudoers file, why this succeeds.

  3. Exfiltrate password hashes

    1. Examine the /etc/shadow file. What does this contain? Using information from the shadow manual page, what does the ! in many of the lines from /etc/shadow mean?

    2. Copy the /etc/passwd and /etc/shadow files to the l33t user’s home directory and exit your root shell.

  4. Prepare for cracking

    1. Attempt to combine the information in your copies of the passwd and shadow files into one file using the unshadow command (which comes with John the Ripper). Explain, with reference to specific Unix permissions, why you receive a Permission denied error.

    2. Change the permissions of shadow to allow unshadow to succeed and output the results into a new file.

    3. What three characters do all of these password hashes start with? Using man 5 crypt, what does this signify?

    4. Copy all of the additional password hash files contained in /usr/share/password-hashes into your home directory.

    5. Copy the RockYou wordlist from /usr/share/wordlists to your home directory and extract it into a .txt file. How many passwords does it contain?

  5. Crack 'em!

    1. In separate windows / tmux sessions / etc., start running John the Ripper (john) against your unshadowed password file and against the Windows NT password file (ntlm.txt). Use the RockYou wordlist (using the --wordlist argument to john). You may need to use the --format=crypt argument to help John interpret the unshadowed hashes, and a different format for the NTLM (Windows NT LAN Manager) hash format…​ see man john, john --help and john --list=formats. You may also benefit from the --session argument to john when running multiple instances at the same time. Leave these running while you answer other questions. At the end of the lab, report all passwords that you were able to crack.

    2. Use the hashid tool to identify the possible hash algorithms for each password hash in each of the hashN.txt files that you copied from /usr/share/password-hashes. Crack each password.

  6. Crack password-protected files (ENGI 9807 only, may be completed at home)

    1. Use zip2john together with john to crack the password for

    2. Use rar2john together with john to crack the password for secure.rar.

    3. Use ssh2john together with john to crack the passphrase for the SSH public key id_rsa.