Password Cracking - Linux

Setup

If you have not completed the Brute Forcing Logins exercise, stop here and complete it first, because you need the credentials gathered in that exercise to continue.

In order to complete this lab, you will need hashcat installed on your virtual machine. You can install it using the terminal.

# Updating the apt package repository
sudo apt update

# Installing hashcat
sudo apt install hashcat

You will also need a copy of the custom wordlist from the Brute Forcing Logins exercise. If you are in a new folder, copy it into your current working directory.

Gathering and Cracking Hashes

Upon logging into the dashboard page of our lab, located at "https://lab2.astarml.com/dashboard", there is a terminal interface that sends commands to the underlying container (pretend this is a standard Linux server) and returns the output.

You can confirm this by running the command whoami, which returns root.

Password hashes are stored in the /etc/shadow file. We can read this file using cat:

cat /etc/shadow

Copy the bottom rows of this file and paste them into a text file. Using nano is likely easiest as it handles formatting well.

We now need to locate the right hashcat module to use. To do this, we first need to identify the hash type. You can use hashes.com to do this. Simply take one of the hashes from the shadow file, paste it into the form, and hit submit. This identifies the hash as sha512crypt.

We can then use this information to search for the module.

hashcat -h | grep sha512crypt

This identifies the module as 1800, so we can now build out the hashcat command:

# Command template
hashcat -m <module number> <hash file> <wordlist>

# Actual command
hashcat -m 1800 hashes.txt custom_wordlist.txt

Because the wordlist is small, it should complete pretty quickly. You will see the cracked hash; in this case the result is: isaimartinez.

NOTE: Hashcat will not crack the same hash twice. If you run it once and it succeeds, you can view the result later by appending the --show flag to the command. You can also remove the cached files containing previous results by running: rm -f ~/.local/share/hashcat/hashcat.potfile
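
The hash type identified in the steps above can also be read directly from the $id$ prefix of the shadow password field, without pasting a hash into a third-party site. The script below is an added example, not part of the original lab: it classifies each shadow entry by prefix and prints the matching hashcat module number. The function names and the sample entries are constructed for illustration.

```bash
# Added example: classify shadow entries by crypt(5) prefix, entirely offline.
# Function names and sample entries are constructed for illustration.

# classify_hash FIELD -> "<scheme> <hashcat module>" ("-" = nothing to crack)
classify_hash() {
  case "$1" in
    '')          echo "empty -" ;;            # no password set at all
    '*'|'!'*)    echo "locked -" ;;           # login disabled (hash may follow '!')
    '$6$'*)      echo "sha512crypt 1800" ;;
    '$5$'*)      echo "sha256crypt 7400" ;;
    '$1$'*)      echo "md5crypt 500" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt 3200" ;;
    *)           echo "unknown -" ;;
  esac
}

# audit_shadow: reads shadow-format lines on stdin,
# prints "<user> <scheme> <module>" per account.
audit_shadow() {
  while IFS=: read -r user field _rest; do
    [ -n "$user" ] || continue
    printf '%s %s\n' "$user" "$(classify_hash "$field")"
  done
}

# Constructed sample (placeholder salts and hashes, not real credentials).
SAMPLE_SHADOW='root:*:19700:0:99999:7:::
labuser:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19700:0:99999:7:::
legacy:$1$SALTPLACEHOLDER$HASHPLACEHOLDER:19700:0:99999:7:::
svc:!$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19700:0:99999:7:::
nopass::19700:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

To check the file copied in this lab, feed it on stdin: audit_shadow < hashes.txt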