An opportunity to play with root privilege and try out practical password cracking tools.


Preparation

We are, after a fair amount of work, finally able to netboot Kali Linux in CSF-2112 while disconnected from the campus network. In one sense there’s nothing "special" about Kali: it’s just a Debian variant pre-bundled with a bunch of hacking tools. Having our own self-contained netboot environment, however, allows us to do two things we can’t do in a regular LabNet environment:

  1. run tools like network scanners and attack tools

  2. give students root privilege

The only downside of this setup is that we don’t have access to the LabNet file server. So, in order to persist data after the lab, please bring a USB stick to save your results on.

Procedure

For this lab, our ephemeral Kali images will use the username l33t and the password opposable thumbs.

  1. Using the /etc/passwd and /etc/group files, as well as the id and finger commands, identify all of the "real" users (i.e., not system "users" like nobody or messagebus) on your computer. How can you distinguish "real" users from system "users"?

  2. Gain privilege

    1. Attempt to switch to the root user via the su command. Explain why this attempt fails.

    2. Use sudo to gain root privilege. Explain, with reference to the /etc/sudoers file, why this succeeds.

  3. Exfiltrate password hashes

    1. Examine the /etc/shadow file. What does this contain? Using information from the shadow manual page, what does the ! in many of the lines from /etc/shadow mean?

    2. Copy the /etc/passwd and /etc/shadow files to the l33t user’s home directory and exit your root shell.

  4. Prepare for cracking

    1. Attempt to combine the information in your copies of the passwd and shadow files into one file using the unshadow command (which comes with John the Ripper). Explain, with reference to specific Unix permissions, why you receive a Permission denied error.

    2. Change the permissions of shadow to allow unshadow to succeed and output the results into a new file.

    3. What three characters do all of these password hashes start with? Using man 5 crypt, what does this signify?

    4. Copy all of the additional password hash files contained in /usr/share/password-hashes into your home directory.

    5. Copy the RockYou wordlist from /usr/share/wordlists to your home directory and extract it into a .txt file. How many passwords does it contain?

  5. Hashcat

    1. On this system, the hashcat tool has been compiled to avail of your GPU (an nVidia Quadro P400). Run hashcat in its benchmarking mode (see man hashcat) to evaluate how many hashes it can check per second for each of the following hash types:

      1. Plain MD5

      2. Salted MD5

      3. Plain SHA-1

      4. Salted SHA-1

      5. HMAC-SHA256

      6. Plain SHA-512

      7. sha512crypt (a.k.a., SHA-512(Unix))

    2. Copy the unshadowed password file into a new file called hashes.txt. Edit this file so that it contains only password hashes (i.e., no usernames, UIDs, shells, etc.), and that all the hashes are of the same type (since hashcat can’t crack more than one hash type at a time). When you’re done, there should be no colon (:) characters in the file. Or you could do this with a one-line awk script…

    3. Crack the hashes in hashes.txt using the hashcat tool (compiled on this system to use your GPU, as above). You may find the -O and -r options to be helpful… try looking at some of the rulesets in /usr/share/hashcat/rules. Leave this tool running while you proceed to the next part of the lab; at the end of the lab, report how many hashes hashcat was able to crack (and what they were). You should find your cracking results in ~/.local/share/hashcat/hashcat.potfile.

  6. John the Ripper

    1. Run John the Ripper (john) against the Windows NT password file (ntlm.txt). Use the RockYou wordlist (using the --wordlist argument to john). You may need to use the --format=XXXX argument to help John interpret the hash, as it doesn’t include information about its format (e.g., $6$). See man john, john --help and john --list=formats to find out how john describes the NTLM (Windows NT LAN Manager) hash format.

    2. Use the hashid tool to identify the possible hash algorithms for each password hash in each of the hashN.txt files that you copied from /usr/share/password-hashes. Crack each password. You may benefit from the --session argument to john when running multiple instances at the same time.

  7. Crack password-protected files (ENGI 9807 only, may be completed at home)

    1. Use zip2john together with john to crack the password for secure.zip.

    2. Use rar2john together with john to crack the password for secure.rar.

    3. Use ssh2john together with john to crack the passphrase for the SSH private key id_rsa.
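One way to build hashes.txt for step 5.2 with the awk one-liner the handout hints at, as an added example that is not part of the lab handout; the sample unshadow lines and their hash values are constructed placeholders, and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the lab handout): keep one hash type from unshadow output.

# Constructed sample of `unshadow passwd shadow` output. The hash values are
# placeholders, not real credentials; only their $id$ prefixes matter here.
UNSHADOWED_SAMPLE='root:$6$saltsalt$FAKEHASHroot:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
l33t:$6$othersalt$FAKEHASHl33t:1000:1000:l33t:/home/l33t:/bin/bash
legacy:$1$md5salt$FAKEHASHmd5:1001:1001::/home/legacy:/bin/sh
locked:!:1002:1002::/home/locked:/bin/sh'

# extract_hashes PREFIX   (reads unshadowed lines on stdin)
# Prints field 2 (the hash) only when it begins with PREFIX, e.g. '$6$' for
# sha512crypt. Locked or passwordless accounts ('!' or '*') and hashes of any
# other type are dropped, so the output is one hash per line with no colons,
# which is what hashcat needs when cracking a single hash mode.
extract_hashes() {
    awk -F: -v prefix="$1" 'index($2, prefix) == 1 { print $2 }'
}

# count_hashes PREFIX   (reads stdin) - how many hashes of that type survive.
count_hashes() {
    extract_hashes "$1" | awk 'END { print NR }'
}

# has_colon   (reads stdin) - exit status 0 if any output line still has a ':'.
has_colon() {
    grep -q ':'
}

# On the lab system the same filter would be run as:
#   extract_hashes '$6$' < unshadowed.txt > hashes.txt
printf '%s\n' "$UNSHADOWED_SAMPLE" | extract_hashes '$6$'
```

Change the prefix to select a different crypt(5) family, and check the surviving line count against the number of real users you found in step 1.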