Selmir Ljevaković
Ena Kurtović
Cyber Security
American University in Bosnia and Herzegovina
71000 Sarajevo, BiH
Abstract: This paper describes the steps taken to break salted MD5 password hashes recovered from a shadow file during a black-box
pentest.
Keywords: password, attack, brute-force, rainbow tables, wordlist, hash
I.
A pentest team from our IT security company found a vulnerability in a government agency's systems and extracted the password hash
files. The rest of the team now depends on us to crack those hashes and recover the passwords. To complete the black-box pentest
agreed in the contract, we need to show not only that the agency has network vulnerabilities, but that the way it hashes and protects
passwords is itself a severe security weakness. This paper presents the steps taken to crack the passwords and the tools and
methodology used in the process.
II. FILE EXAMINATION
We were given two files, /etc/passwd and /etc/shadow. One record of the shadow file (shadow.bin) looks like this:
domena_i.mujic:$1$zm@Fozb}$IHfSf4awX8Tt9Ny7SPXU20:14754:0:99999:7:::
The second field is the password field. It does not hold an encrypted password but the output of the crypt(3) hashing scheme named by
the id: $1$ is MD5-crypt (salted, iterated MD5), so IHfSf4awX8Tt9Ny7SPXU20 is the digest of the password combined with the salt
zm@Fozb}. The layout of the field is therefore $id$salt$digest, with the parts separated by $.
The remaining fields hold password-aging information about the account:
:14754:0:99999:7:::
The first field, 14754, is the date of the last password change, stored as the number of days since 1 January 1970 (here 25 May 2010).
The second field, 0, is the minimum number of days required between password changes, i.e. how long the user must wait before being
allowed to change the password again.
The third field, 99999, is the maximum number of days the password is valid; after that the user is forced to change it.
The fourth field, 7, is the warning period: the number of days before expiry during which the user is warned that the password must be
changed.
The last fields are empty here (the trailing colons), but they mean:
Inactive: the number of days after the password expires before the account is disabled.
Expire: an absolute date, again stored as days since 1 January 1970, after which the login may no longer be used [1].
The final, ninth field is reserved and is always empty.
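The record format described above, parsed field by field. This is an added example and not code from the paper: PAPER_LINE is the record the paper reproduces, while CONSTRUCTED_LINES are made up here to exercise the optional inactive and expire fields, a SHA-512-crypt entry with an explicit rounds parameter, and an account locked with a leading "!". The day counts in fields 3 and 8 are converted to dates, which is the detail most often misread (they are days since the epoch, not days ago).

```python
"""Parse /etc/shadow records field by field.

Added example, not code from the paper. PAPER_LINE is the record the paper
reproduces; CONSTRUCTED_LINES are made up here to exercise the optional
inactive/expire fields and a locked account.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)

# crypt(3) scheme identifiers that use the '$id$[params$]salt$digest' layout.
# (bcrypt, $2b$, packs salt and digest into one field and is not handled here.)
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}


@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]         # None when the field holds no hash ('*', '!', empty)
    salt: Optional[str]
    digest: Optional[str]
    last_changed: Optional[date]  # field 3: days since 1970-01-01, converted
    min_days: Optional[int]       # field 4
    max_days: Optional[int]       # field 5
    warn_days: Optional[int]      # field 6
    inactive_days: Optional[int]  # field 7
    expires: Optional[date]       # field 8: days since 1970-01-01, converted
    locked: bool                  # leading '!' (passwd -l / usermod -L) or '*'


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def _days_to_date(field: str) -> Optional[date]:
    # lastchg and expire count days since the epoch, not days ago
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_crypt_field(field: str) -> Tuple[bool, Optional[str], Optional[str], Optional[str]]:
    """Return (locked, scheme_id, salt, digest) for the password field."""
    locked = field.startswith("!") or field == "*"
    field = field.lstrip("!")          # a '!' prefix locks the account but keeps the hash
    if field in ("", "*"):
        return locked, None, None, None
    if not field.startswith("$"):
        # traditional DES crypt: 2-char salt followed by 11-char digest, no $id$
        return locked, "DES", field[:2], field[2:]
    parts = field.split("$")           # ['', id, (e.g. rounds=N,) salt, digest]
    if len(parts) < 4:
        raise ValueError(f"malformed crypt field: {field!r}")
    return locked, parts[1], parts[-2], parts[-1]


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw, lastchg, min_d, max_d, warn, inactive, expire, _reserved = fields
    locked, scheme_id, salt, digest = parse_crypt_field(pw)
    return ShadowEntry(
        user=user,
        scheme=CRYPT_IDS.get(scheme_id, scheme_id),
        salt=salt,
        digest=digest,
        last_changed=_days_to_date(lastchg),
        min_days=_int_or_none(min_d),
        max_days=_int_or_none(max_d),
        warn_days=_int_or_none(warn),
        inactive_days=_int_or_none(inactive),
        expires=_days_to_date(expire),
        locked=locked,
    )


def crackable_targets(lines: List[str]) -> List[Tuple[str, str]]:
    """Triage step: (user, scheme) for every entry that carries a usable hash."""
    entries = (parse_shadow_line(l) for l in lines if l.strip())
    return [(e.user, e.scheme) for e in entries if e.digest and not e.locked]


# The record shown in the paper.
PAPER_LINE = "domena_i.mujic:$1$zm@Fozb}$IHfSf4awX8Tt9Ny7SPXU20:14754:0:99999:7:::"
# Constructed records (the digests are placeholders, not real hashes).
CONSTRUCTED_LINES = [
    "svc_backup:$6$rounds=5000$Qx7yT1Lm$" + "a" * 86 + ":18000:1:90:14:30:18262:",
    "olduser:!$1$ab12cd34$" + "b" * 22 + ":15000:0:99999:7:::",
]

if __name__ == "__main__":
    for line in [PAPER_LINE, *CONSTRUCTED_LINES]:
        print(parse_shadow_line(line))
    print(crackable_targets([PAPER_LINE, *CONSTRUCTED_LINES]))
```

crackable_targets is the triage a pentester does before cracking: locked accounts and entries with "*" are skipped, and the scheme tells you which John format to load and how expensive each guess will be.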
Having gathered enough information about what we are about to crack, we can proceed to the next steps: unshadowing the passwords,
cracking some of them by brute force, and deriving the password pattern from the cracked ones to build a wordlist for a more
efficient attack.
III. THE ATTACK PHASE
Our weapon of choice is John the Ripper on Kali Linux 2.0. The first step in cracking shadowed passwords is to run the unshadow
command, which combines the passwd and shadow files into a single file that can be loaded into Johnny, the GUI front-end for John
the Ripper.
After a few hours of cracking we had recovered 43 passwords using only that wordlist.
REFERENCES
[1] http://www.backtrack-linux.org/forums/showthread.php?t=39771
[2] http://www.openwall.com/john/doc/EXAMPLES.shtml
[3] http://openwall.info/wiki/john/johnny
[4] http://sourceforge.net/projects/crunch-wordlist/
[5] http://hashcat.net/oclhashcat/