
SA 584 Computer and System Intrusion

Case Study 1: Password Cracking

Selmir Ljevaković
Cyber Security
American University in Bosnia and Herzegovina
71000 Sarajevo, BiH

Ena Kurtović
Cyber Security
American University in Bosnia and Herzegovina
71000 Sarajevo, BiH

Abstract: This paper describes the steps taken to break shadowed, salted MD5 password hashes obtained during a black-box
pentest.
Keywords: password, attack, brute-force, rainbow tables, wordlist, hash

I. CASE STUDY INTRODUCTION

A pentest team from our IT security company found a vulnerability in a government agency and extracted hash files.
Now our team members depend on us to crack the hash files and obtain passwords. To complete the black-box pentest
after signing the contract, we need to prove not only that the agency has network vulnerabilities, but also that the encryption and
protection it uses for passwords present a severe safety concern. In this paper we present the steps taken to crack
the passwords and the tools and methodology used in the process.
II. FILE EXAMINATION
We have been provided two files, /etc/shadow and /etc/passwd. The shadow.bin content is presented as follows:

Fig. 1 Shadow.bin file content


After a closer examination of the content, we discovered the following entry in the /etc/shadow file:

domena_i.mujic:$1$zm@Fozb}$IHfSf4awX8Tt9Ny7SPXU20:14754:0:99999:7:::

domena_i.mujic is the username.

The $1$ indicates the type of encryption used:
1 stands for MD5, 2 = Blowfish, 5 = SHA-256 and 6 = SHA-512.

zm@Fozb} is the salt. The "salt" is the string of up to 16 characters following "$id$". The encrypted part of the
password string is the actual computed password hash. The size of this string is fixed:

MD5     | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters

The last part, IHfSf4awX8Tt9Ny7SPXU20, is the actual password encrypted by the algorithm named in the 'id' section.

So the shadow file entry format is domain_username:$id$salt$encrypted, where each part is separated by a $.

The additional data at the end is just information about the account:
:14754:0:99999:7:::

It starts with a : and is a series of 6 different fields of information:

:14754: Last changed: days since the password was last changed.

:0: Minimum: the minimum number of days required between password changes, i.e. the number of days left
before the user is allowed to change his/her password.

:99999: Maximum: the maximum number of days the password is valid (after that the user is forced to change
his/her password).

:7: Warn: the number of days before the password expires that the user is warned that his/her password must be
changed.

The last two fields are normally just empty (::), but they mean:
:: Inactive: the number of days after the password expires that the account is disabled.
:: Expire: days since the account was disabled, i.e. an absolute date specifying when the login may no longer be
used. [1]
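To make the field layout above concrete, here is an added example (not code from the paper) that parses shadow entries into their named parts and flags the points the paper relies on: an entry still using the $1$ (MD5) identifier, a digest whose length does not match the fixed size for its algorithm, and a maximum age of 99999 days, which means the password never expires. The function names, the WEAK_IDS choice and the second sample line are assumptions made for this example; the first sample line is the entry quoted above.

```python
"""Parse /etc/shadow entries and flag weak hash types and aging settings.

Added example; it is not code from the paper. The first sample line is the
entry quoted in the paper, the second is constructed here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) hash identifiers and encoded-digest lengths as listed in the paper
HASH_IDS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
HASH_LENGTHS = {"1": 22, "5": 43, "6": 86}
# Identifiers treated as too weak for current use (an assumption of this audit)
WEAK_IDS = {"1"}

# Constructed sample: the paper's entry plus one SHA-512 entry with a dummy digest
SAMPLE_SHADOW = (
    "domena_i.mujic:$1$zm@Fozb}$IHfSf4awX8Tt9Ny7SPXU20:14754:0:99999:7:::\n"
    "svc_backup:$6$saltsalt$" + "x" * 86 + ":16000:0:99999:7:::\n"
)


@dataclass
class ShadowEntry:
    user: str
    hash_id: Optional[str]       # None for locked ('!', '*') or empty password fields
    salt: Optional[str]
    digest: Optional[str]
    last_changed: Optional[int]  # the six aging fields, empty field -> None
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]


def _to_int(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into user, $id$salt$digest and the six aging fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    hash_id = salt = digest = None
    if pw.startswith("$"):
        parts = pw.split("$")[1:]           # id, [rounds=N,] salt, digest
        if len(parts) >= 3:
            hash_id, salt, digest = parts[0], parts[-2], parts[-1]
    return ShadowEntry(user, hash_id, salt, digest, *map(_to_int, fields[2:8]))


def audit_entry(entry: ShadowEntry) -> List[str]:
    """Return findings for one entry: weak algorithm, malformed digest, no expiry."""
    findings: List[str] = []
    if entry.hash_id is None:
        return findings                     # locked or passwordless accounts skipped
    algo = HASH_IDS.get(entry.hash_id, "unknown")
    if entry.hash_id in WEAK_IDS:
        findings.append(f"{entry.user}: weak hash type ${entry.hash_id}$ ({algo})")
    expected = HASH_LENGTHS.get(entry.hash_id)
    if expected is not None and len(entry.digest) != expected:
        findings.append(f"{entry.user}: digest length {len(entry.digest)}, expected {expected}")
    if entry.max_days is None or entry.max_days >= 99999:
        findings.append(f"{entry.user}: password never expires (max_days={entry.max_days})")
    return findings


def audit_shadow(text: str) -> List[str]:
    """Audit every non-empty line of a shadow file's content."""
    findings: List[str] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_entry(parse_shadow_line(line)))
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Run against the paper's entry, the parser returns user domena_i.mujic, id 1, salt zm@Fozb} and a 22-character digest, exactly the sizes the table above gives for MD5; the audit then reports the MD5 identifier and the 99999-day maximum, which is the kind of evidence the conclusion of this paper builds on.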

Since we have gathered enough information on what we are about to crack, we can now move on to the next steps: unshadowing the
passwords, cracking some of them using brute force, and deriving the password pattern for a wordlist, which gives a more
efficient attack method.
III. THE ATTACK PHASE
Our weapon of choice is John the Ripper, used on Kali Linux 2.0. The first step in cracking shadowed passwords is to use the
unshadow command to combine the passwd and shadow files so the result can be used with Johnny. Johnny is the GUI version of
John the Ripper.

Fig. 2 Unshadowing with John the Ripper


The command is unshadow /etc/passwd.bin /etc/shadow.bin > passwords.txt, since we put our source files in the etc
directory. [2]
After executing the command we have a new file, which we named passwords1, that we will use to crack passwords
from.

Fig. 3 Unshadowed file created


Afterwards, we run Johnny [3], load our passwords1.txt (the unshadowed file) and choose the attack type we want in the
options. The first mode we used was Single crack mode. The cracking may take a lot of time considering the type of attack we are
using; however, it did not take long until we cracked a few passwords.

Fig. 4 Johnny GUI Single crack mode


Afterwards, we tried the incremental mode, where we also cracked 2 or 3 hashes.
Considering that we had passwords like aadmir, aasim and aalma, we decided to make a wordlist using the pattern
that appears in the cracked passwords.
The next tool used was Crunch. Crunch is a tool used to generate wordlists of any type and with any parameters. [4]

Fig. 5 Wordlist creation using Crunch

crunch 6 6 abcdefghijklmnoprstuvz0123456789 -t aa@@@@ -o /root/lista-aa.lst

We used this command to create a wordlist of exactly 6 characters drawn from abcdefghijklmnoprstuvz0123456789, with the
pattern that the password begins with aa (the -t option gives the pattern; each @ is filled from the character set). It is important
to mention that, since the passwords we cracked were Bosnian names, we excluded w, q, x and y. After we created the wordlist
beginning with aa, we proceeded to create the same wordlist for every other letter we use (aa, bb, cc, dd, etc.).

Fig. 6 Full wordlist generation


After we created wordlists for every letter we had 22 wordlist files to use. However, as the process of
cracking is time consuming and it is not feasible to change the wordlist after one completes, we needed to merge all of the
wordlists into one document.

Fig. 7 All wordlist files


The chosen tool for this job was Hashcat. Hashcat is the self-proclaimed "World's fastest password cracker" and "first and only
GPGPU based rule engine". [5]

Fig. 7 Merging wordlists


The command format used is as follows:
cat (file locations of all the wordlists) > (output file location)
After we did so, we had a single wordlist consisting of all 22. The file size was around 150 MB. Now we went back to
Johnny, just with a different approach: we used wordlist attack mode.
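The crunch pattern above and the merged file size can both be checked without running the tools. The following added example (not from the paper or from the Crunch project) reproduces the pattern semantics the paper relies on, where each @ takes one symbol from the given character set and every other character is literal, and sizes the concatenated list the cat command produces. It shows why the merged file is about 150 MB and, more importantly for the assessment, how small the search space behind a "two fixed letters plus four characters" password is. The function names and the PREFIX_LETTERS constant are assumptions made for this example; the character set is the one from the crunch command.

```python
"""Expand a crunch-style "-t" pattern and size the merged wordlist.

Added example, not code from the paper or from Crunch. It mirrors the
pattern semantics used above ('@' = one symbol from the charset, other
characters literal) so the keyspace can be quantified offline.
"""
from itertools import product
from typing import Iterable, Iterator

# Charset from the paper's crunch command: 22 letters (no w, q, x, y) and 10 digits
CHARSET = "abcdefghijklmnoprstuvz0123456789"
# Assumption: the 22 prefixes aa, bb, ... are the doubled letters of that charset
PREFIX_LETTERS = "abcdefghijklmnoprstuvz"


def expand_pattern(pattern: str, charset: str = CHARSET) -> Iterator[str]:
    """Yield every word matching pattern; each '@' position takes every charset symbol."""
    slots = [i for i, ch in enumerate(pattern) if ch == "@"]
    template = list(pattern)
    for combo in product(charset, repeat=len(slots)):
        for i, ch in zip(slots, combo):
            template[i] = ch
        yield "".join(template)


def pattern_size(pattern: str, charset: str = CHARSET) -> int:
    """Number of candidates a pattern expands to, without enumerating them."""
    return len(charset) ** pattern.count("@")


def merged_list_bytes(prefixes: Iterable[str], width: int = 6, charset: str = CHARSET) -> int:
    """Bytes of the concatenated lists (one word plus newline per line), as cat would produce."""
    total_words = 0
    for prefix in prefixes:
        pattern = prefix + "@" * (width - len(prefix))
        total_words += pattern_size(pattern, charset)
    return total_words * (width + 1)


def keyspace_bits(prefixes: Iterable[str], width: int = 6, charset: str = CHARSET) -> float:
    """Log2 of the number of candidates across all prefixes: the effective password strength."""
    total = sum(pattern_size(p + "@" * (width - len(p)), charset) for p in prefixes)
    return total.bit_length() - 1 + (total / (1 << (total.bit_length() - 1)) - 1)


if __name__ == "__main__":
    prefixes = [c * 2 for c in PREFIX_LETTERS]
    print("words per prefix:", pattern_size("aa@@@@"))
    print("merged list bytes:", merged_list_bytes(prefixes))
    print("keyspace bits:", round(keyspace_bits(prefixes), 1))
```

With the paper's character set each prefix expands to 32^4 = 1,048,576 six-character words, and the 22 merged lists come to 22 × 1,048,576 × 7 bytes, about 161 MB, which agrees with the size observed above. The whole keyspace is under 2^25 candidates, which is why a few hours with a plain wordlist mode were enough; the width argument lets the same estimate be made for other password lengths.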

Fig. 8 Wordlist attack using Johnny

After a few hours of cracking we managed to crack 43 passwords using only that wordlist.

Fig. 9 Cracked passwords using Johnny in wordlist attack mode


IV. CONCLUSION
Although we have not cracked all 120 passwords provided, due to time restrictions and processing power, the 48 we cracked are more
than enough for a malicious attacker to do severe damage to the target system and escalate privileges. We also had in mind
using other tools and creating more wordlists. We have shown that the encryption and protection mechanisms used to
secure the passwords of the pentested government organization are not secure, and now our team can present the evidence of the
successful pentest, point out vulnerabilities and suggest methods for security improvement.
REFERENCES
[1] http://www.backtrack-linux.org/forums/showthread.php?t=39771
[2] http://www.openwall.com/john/doc/EXAMPLES.shtml
[3] http://openwall.info/wiki/john/johnny
[4] http://sourceforge.net/projects/crunch-wordlist/
[5] http://hashcat.net/oclhashcat/
