Cracking Linux Passwords

Cracking Linux passwords is essentially the same as cracking Windows passwords in the sense that you start by getting the hashes and then you try to find the matching passwords.

But since they are completely different operating systems, the tools and procedures also have to be different.

Create test users

Use the following command:

sudo adduser [username]

Create users with these passwords:

test1 abc
test2 abcde
test3 password
test4 Alcanena
test5 Pa$$w0rd

Install John the Ripper Password Cracking Tool


John the Ripper is not installed by default in most Linux distros. If you are using Debian/Ubuntu Linux, enter:

sudo apt-get install john

On CentOS, Fedora or Red Hat Linux, use the appropriate package manager:

sudo dnf install john

or

sudo yum install john


Unshadow the passwords


Generally, all modern Linux operating systems use some form of the shadow password suite: the file /etc/passwd holds an asterisk or another placeholder instead of the password hashes, and the hashes themselves are kept in /etc/shadow, which is readable by the superuser only.

This is a passwd file:

image

The /etc/shadow file stores the actual password hash for each user account together with additional properties related to the user's password (password ageing and expiry), i.e. it stores the sensitive part of the account information. All fields are separated by a colon (:) and the file contains one entry per line for each user listed in /etc/passwd:

image
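As an added example (not part of the original post), the following script parses /etc/shadow-style entries and reports which hashing scheme each account uses, the kind of check an administrator runs before an attacker does. The sample lines and hash values are constructed placeholders, not real hashes.

```python
# Added example: audit shadow entries and report the crypt(3) scheme per account.
# SAMPLE_SHADOW is constructed; on a real host you would read /etc/shadow as root.

# crypt(3) hash prefixes used by glibc/libxcrypt -> scheme name.
SCHEMES = {
    "$1$": "md5crypt (weak, legacy)",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Constructed sample: 9 colon-separated fields, hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEhashFAKEhashFAKEhash:19000:0:99999:7:::
test1:$y$j9T$saltsaltsaltsalt$FAKEyescryptHASH:19000:0:99999:7:::
test2:$1$abcdefgh$FAKEmd5cryptHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
legacy::19000:0:99999:7:::
"""

def classify_hash(field):
    """Describe one shadow password field (second field of an entry)."""
    if field == "":
        return "NO PASSWORD (empty field)"
    if field.startswith(("*", "!")):
        return "locked / no login"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def audit_shadow(text):
    """Parse shadow text into {user: scheme description}; reject malformed lines."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        report[fields[0]] = classify_hash(fields[1])
    return report

def weak_accounts(text):
    """Users with an empty password field or a legacy hashing scheme."""
    return sorted(u for u, d in audit_shadow(text).items()
                  if "weak" in d or "NO PASSWORD" in d)

if __name__ == "__main__":
    for user, desc in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {desc}")
```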

First use the unshadow command to combine the /etc/passwd and /etc/shadow files so that John can use them properly. You can attack the shadow file directly, but then you won't be able to take full advantage of John's capabilities (for example the single-crack mode, which needs the GECOS data from /etc/passwd).

NOTE: The unshadow application is distributed with the John the Ripper software.

On a normal system, you’ll need to run unshadow as root to be able to read the shadow file.

On Ubuntu type:

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/hash.list

image


On CentOS / Fedora Linux type:

/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/hash.list

Now it is a good idea to create a copy of your hashes, in case you want to use them for other experiments later.

cp /tmp/hash.list /tmp/hash.list.original

image


Use John to crack passwords


John the Ripper can work in the following modes:


  • Wordlist: John will simply use a file with a list of words to launch a dictionary attack.
  • Single crack: In this mode, john will try to crack the password using the login/GECOS information as passwords.
  • Incremental: This is the mode where John launches a brute force attack.

To use John, you just need to supply it with the file created by the unshadow command, along with the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental" cracking.


Using John in single mode


Just type:

john /tmp/hash.list

In less than a minute, the first three passwords are cracked. After that it is better to interrupt the process, because the remaining ones might take forever…

image

To see the cracked passwords, enter:

john --show /tmp/hash.list

image 

Using John in wordlist mode


When I showed you how to crack Windows passwords, I demonstrated the effectiveness of using a good wordlist. John comes with a small wordlist and you can try to use it just to see what happens.

Start by restoring the original hash.list file from the copy you made previously:

cp /tmp/hash.list.original /tmp/hash.list


To force John to crack those same hashes again, you have to remove the john.pot file.

rm ~/.john/john.pot


Start John in wordlist mode using the proper parameter:

john /tmp/hash.list --wordlist=/usr/share/john/password.lst

image 

Not bad, but it is highly recommended that you obtain a larger wordlist. First, create a proper place to store it:

sudo mkdir /usr/share/john/wordlists

Use your browser and go to http://bit.do/Word_Lists. Download the two files and extract them to the directory you’ve just created.

To save the files:

image

To extract them:

image

sudo unzip /home/rui/Downloads/'*.zip' -d /usr/share/john/wordlists/

Replace the hash.list file and delete the john.pot file again. Repeat the attack using the rockyou.txt file as a wordlist.

image

I interrupted the procedure, but you can see that even after a long time it won’t crack test4’s password because it’s a Portuguese word and you won’t find it in any English wordlist.

Repeat all the above procedures to launch an attack using the other wordlist:

image

Now John only found test4's password, because that is the only one of the five words present in this wordlist. So why don't we use more than one wordlist?


Using John with multiple wordlists


By default, John the Ripper will use only one wordlist at a time. However, you can use it with multiple wordlists, combined or sequentially. If you want to combine all your wordlists into a single file and feed it into John:

cat /usr/share/john/wordlists/* | john …


Or you can use your wordlists one after another:

ls /usr/share/john/wordlists | xargs -t -I files john /tmp/hash.list --wordlist=/usr/share/john/wordlists/files

This command lists the wordlists directory and pipes the file names to xargs, which builds and runs one john command per file (the -t flag prints each command before running it); the rest is just the standard John arguments.


Using John with Rules


Rule sets are defined in the john.conf file (usually found in /etc/john.conf) and are prefixed with a name so that you can specify them.

They look something like this:

image

Rules tell John how to generate candidate words to try, derived from the words already present in your wordlist. Examples:


  • john password_hashes.txt -w=password.lst --rules=single
  • john password_hashes.txt -w=password.lst --rules=jumbo
  • john password_hashes.txt -w=password.lst --rules=wordlist

Final note: John the Ripper is a great tool, but it can be easily defeated if you follow my advice on creating strong passwords. If you do, any attack will take a very long time to succeed… if ever!


 


Cracking Windows 10 passwords

Creating the passwords

Time to continue our tour of the basic Windows cracking techniques. Let's repeat the initial procedures explained in the previous post, but this time under Windows 10. Start by creating a few accounts and please use the exact same passwords:

net user test1 9#Yo~3 /add
net user test2 [1aZ4~ /add
net user test3 õç2}5$ /add
net user test4 7%hª5b /add
net user test5 9Ayo7Bz /add
net user test6 G85pdDL /add
net user test7 Ã49ÇaõF /add
net user test8 3É6Óêph /add
net user test9 3b567gh0 /add
net user test10 77xpy6vh /add
net user test11 4ã8ç6ê7õ /add
net user test12 56é2à4óç /add

Install CAIN and Win10Pcap (http://www.win10pcap.org/download/).

Try the dictionary attack using all three wordlist files previously used.

 

No luck? Try Ophcrack.

clip_image002

The Live CD is unable to load the Windows 10 hashes!

Solution? Dump the hashes using another program.


Dumping the hashes


CAIN can do it, but it is not the best solution because it only exports the hashes in L0phtCrack format, and Ophcrack will only read PwDump-format hashes.

clip_image004

Windows 10 requires the use of the latest in password dumping technology, Pwdump v7.1. The main difference between pwdump7 and other pwdump tools is that it works by extracting the binary SAM and SYSTEM files from the Windows filesystem and then extracting the hashes from those files.

Visit http://www.tarasco.org/security/pwdump_7/ and download the tool’s latest version.

Note: This tool can only be used against local SAM and SYSTEM files. Active Directory passwords are stored in the ntds.dit file, and that requires a completely different approach.

Running pwdump 7.1 on the latest, fully updated Windows 10 produces a file with some noticeable features:

clip_image006

No user names are displayed! The hashes are usable by Ophcrack but without the matching username they are almost useless.

We need another tool to dump Windows 10 hashes, properly formatted for Ophcrack.

Get the ISO file for Reset Windows Password from the website:

http://www.passcape.com/reset_windows_password

Boot from the ISO and select the appropriate settings.

clip_image007

Select the appropriate path for the SAM and SYSTEM files.

clip_image009

Choose the proper format for your output file.

clip_image010

This is the result:

clip_image011

But this is not exactly the proper PwDump format.

We still need to fix it:

clip_image013

This text file will be loaded properly by Ophcrack.

clip_image014

Time to crack these hashes using a much bigger set of rainbow tables: the 8 Gb Vista Special.

clip_image016

After more than one hour…

clip_image018

Conclusion:

Can you see the pattern?

The passwords I used were created taking into account the advertised success rate of the 8 Gb Vista Special rainbow tables. 99%… right?

However, only half of them were cracked! Why?

Because I used characters outside of the standard ASCII set. Namely, a number of characters widely used in my native language (Portuguese) like õ, ç, Ã or ê. These characters were not used in the generation of the rainbow tables and are also not normally used by the standard cracking tools, either to brute force or to play with the dictionary contents.

Therefore, even short passwords containing these characters are harder to crack than longer but stupid passwords. That means you will be safer even against an attack done with the huge, commercially sold rainbow tables, because these are not generated to cover all possible characters. Go to the Ophcrack website, notice the size of the existing tables, and try to guess how big a table would have to be to cover all possible combinations of 10 characters drawn from the extended ASCII set.

The same goes for the vast majority of the wordlists you will find or even generate! And most cracking tools are programmed to try combinations only within the standard ASCII set. It is possible to go beyond that, but it would make any attack extremely slow!

There are many other tools available, some better, some worse, but the fact remains: knowing the basic attack procedures will help you create safer, better passwords by using the right characters and the right length.


Password Security Tips



  • Create passwords at least 10 characters long;
  • Add complexity by using not only numbers and special characters but also by using extended ASCII characters like ê, ç, ò, ž, ä, etc;
  • Use a password manager to help you generate and store your passwords;
  • Use multifactor authentication.
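As an added example (not part of the original post), the script below applies the tips above to a candidate password and estimates the keyspace an attacker would have to cover, which is the calculation the conclusion asks you to think about. The wordlist is a tiny constructed stand-in for files such as rockyou.txt.

```python
# Added example: evaluate a password against the post's tips and estimate
# the brute-force keyspace implied by the character classes it uses.
import math
import string

# Constructed stand-in for a real wordlist (lower-cased entries).
SAMPLE_WORDLIST = {"abc", "abcde", "password", "pa$$w0rd", "qwerty7890", "alcanena"}

# Character classes an attacker's charset would have to include.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def char_classes(pw):
    """Classes present in pw; anything outside printable ASCII is 'extended'."""
    found = set()
    for ch in pw:
        for name, chars in CLASSES.items():
            if ch in chars:
                found.add(name)
                break
        else:
            found.add("extended")
    return found

def keyspace_bits(pw):
    """log2(charset_size ** length), with charset_size the sum of the class sizes
    used (the 'extended' class is counted as the 128 upper Latin-1 code points)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32, "extended": 128}
    charset = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(charset)

def assess(pw, wordlist=SAMPLE_WORDLIST):
    """Check the tips: at least 10 characters, extended characters, not a known word."""
    classes = char_classes(pw)
    return {
        "length_ok": len(pw) >= 10,
        "has_extended": "extended" in classes,
        "in_wordlist": pw.lower() in wordlist,
        "keyspace_bits": round(keyspace_bits(pw), 1),
    }

def is_strong(pw, wordlist=SAMPLE_WORDLIST):
    """Long enough, not in the wordlist, and drawn from at least three classes."""
    r = assess(pw, wordlist)
    return r["length_ok"] and not r["in_wordlist"] and len(char_classes(pw)) >= 3
```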

Stay safe!





Cracking Windows Passwords

Creating passwords to crack

You’ll need a Windows machine (real or virtual) with administrator access. It can run any version of Windows, XP or later, except Windows 10. If you want to use Windows Server 20xx, you’ll need to disable the "Password must meet complexity requirements" policy.

Click Start, type in CMD and press Shift+Ctrl+Enter.

If a "User Account Control" box appears, click Yes.

In the Administrator Command Prompt window, execute these commands:

net user test1 abc /add
net user test2 abcde /add
net user test3 password /add
net user test4 entrincheirado /add
net user test5 Pa$$w0rd /add

Those commands create five new users.

clip_image002

 

Downloading and installing Cain & Abel


Open a browser and go to http://www.oxid.it/cain.html.

Scroll down and click "Download Cain & Abel v4.9.56 for Windows NT/2000/XP".

Save the installer on your PC.

clip_image004

Double-click the installer. Install the software with the default options.

NOTE: Cain & Abel will be detected as malware by your virus scanner. You will need to allow it to install, which is pretty easy if you use Microsoft Security Essentials or Defender. If you don't want to install it on your real machine, use a VM.

The installer will also ask to install WinPCap. In order to guarantee full functionality and stability, install it too.



Displaying the password hashes


Run CAIN from the Desktop shortcut, as an Administrator.

If a "User Account Control" box appears, click Yes.

In the Cain window, at the top, click the Cracker tab. Move the mouse to the center right, where a blank white pane appears with a gray grid.

Right-click and select "Add to list".

clip_image006

In the "Add NT Hashes from" box, click Next.

clip_image007

The password hashes appear, as shown in the figure below. The LM hashes will all be the same if you are using Windows Vista or later (those versions no longer store LM hashes, so every account shows the same placeholder value), but the NT hash contains the password information.

clip_image009

 

Cracking passwords


Right-click test1, point to "Brute-Force Attack", and click "NTLM Hashes".

Note: we are cracking the NTLM hashes, not the old, weak LM hashes. The NTLM hashes are much more difficult to crack, so this attack will only be feasible for short passwords.

clip_image011

In the "Brute-Force Attack" box, click the Start button. It should find the three-letter password immediately. Close the "Brute-Force Attack" box.

NOTE: You can select different settings for the Brute Force Attack

clip_image013

Repeat the procedure for test2. The attack should find the five-letter password within a few seconds. Close the "Brute-Force Attack" box.

Repeat the procedure for test3 but, before starting the attack, choose a smaller charset containing letters only, and tell CAIN to disregard all passwords shorter than 8 characters.

clip_image014

Notice that even without any complexity, a long password is hard to guess because it will take time to try all the different combinations.

After a few minutes, you should give up and be happy to have the two passwords you found, in the NT Password column of the Cain window.

clip_image015

As you saw, the Brute Force Attack is only effective for very short and simple passwords, unless you have lots of time and very powerful computing resources to try all possible combinations using all possible characters.

It's time to try a different approach: a Dictionary Attack.

Right-click test3, point to "Dictionary Attack", and click "NTLM Hashes".

clip_image017

Before starting the attack, you need to add a dictionary file, i.e. a wordlist containing all the words you want CAIN to test.

Right-click the dictionary area and add a file.

clip_image019

CAIN has a small wordlist. Use it!

clip_image021

Notice all the possible combinations, using the words from the list.

clip_image023

Start the attack! A few seconds later…

clip_image025

Try the same thing for user test4!

clip_image026

Maybe you need a better, bigger wordlist. Go to http://bit.do/Word_Lists and download the file “wordlistPT_Small.zip”. Unpack it to any folder of your choice and add it to CAIN.

clip_image027

Launch the attack again! A few seconds later…

clip_image028

Try the same thing for user test5!

clip_image026[1]

Maybe you need an even bigger wordlist... Or a totally different kind of attack!

 

Downloading Ophcrack


Visit the website http://ophcrack.sourceforge.net/ and download the LiveCD.

clip_image030

The LiveCD is a completely self-contained, bootable version of Ophcrack 3.6.0 with rainbow tables (just a sample).

Choose the Vista/7 LiveCD.

clip_image032

On the next webpage, Ophcrack LiveCD should begin automatically downloading a single ISO file.

This file can be used to create a bootable CD or USB key that you can use to boot your machine, physical or virtual.

Insert the Ophcrack LiveCD disc into your optical drive (or USB port) and restart your computer. After the usual POST screen, wait for the Ophcrack menu to appear.

clip_image034

At this stage you don't need to do anything because the boot process will continue automatically after the timer at the bottom of the screen expires.

clip_image036

Watch for Hard Drive Partition information to display.

clip_image038

The next screen is the Ophcrack LiveCD software itself and it will automatically attempt to recover by brute force the passwords for all Windows user accounts that it can find on your computer.

clip_image040

Surprisingly, the initial attack could not crack one of the easy passwords. Keep in mind the attack was too fast! Therefore, only short passwords were tested, maybe just up to 3 characters.

Now you'll need to load the SAM. This is the storage for local passwords and is usually found in c:\windows\system32\config.

Press the Load button, Choose SAM, and navigate to the appropriate folder.

clip_image042

Add the rainbow tables available on the LiveCD. Press Tables and navigate to the proper folder as shown in the picture. Keep in mind that, depending on your partition configuration, the /media/sr0 path can be different.

clip_image044

This will add the Vista tables, created for the most probable passwords.

clip_image046

clip_image048

Press Crack.

After 20 minutes…

clip_image050

After 43 minutes…

clip_image052

We need something else, right? But before that, why don’t we enhance the difficulty a bit more?

Exit Ophcrack and restart your Windows OS. Let’s create some more users, shall we?

net user test6 P@ssw0rd /add
net user test7 abc123!@# /add
net user test8 pazzword123 /add
net user test9 omgqwerty /add
net user test10 qwerty7890 /add

Visit the website http://ophcrack.sourceforge.net/tables.php and download an additional set of rainbow tables, the free Vista tables, which are dictionary-based. It's a file named tables_vista_free.zip. Unpack it to a directory of your choice inside your Windows environment.

clip_image054

Restart your machine again and boot from the Ophcrack Live CD.

Reload the SAM, install all the rainbow tables and start a new cracking procedure.

clip_image056

More passwords, a longer wait… for a very disappointing result!

clip_image058

What can we conclude from this result?

Are the previously created passwords really safe?

Don’t give up. Not just yet… Restart your machine to Windows.

Let's try CAIN again with an even bigger wordlist. Go to http://bit.do/Word_Lists and download the file "rockyou.zip". Unpack it to any folder and notice the size of the text file.

Let’s attack all accounts at once!

clip_image059

Add the new text file to CAIN's list of dictionary files and don't forget to reset all dictionary files to their initial positions.

clip_image060

You can even select only the basic option to speed things up.

clip_image061

Wait one minute…


clip_image063

clip_image065

Conclusion?

The free and small rainbow tables are useless for any real application.

But with a proper dictionary file, cracking silly passwords is a walk in the park!


 
