Project 20: Cracking Linux Password Hashes with Hashcat (10 Points)
Background
The /etc/passwd file stores a one-line entry for each Unix / Linux user. One of the fields in /etc/passwd denotes where the user's password is stored. Typically, hashed user passwords in Unix and Linux are stored in the /etc/shadow file.
Hashcat is a password recovery tool for numerous hashed and encrypted password types. See for more information
What You Need for This Project
- A Kali Linux machine, real or virtual
- Hashcat (included with Kali Linux)
Update Hashcat (Already completed in NetLabs)
Hashcat expires and will not let you run an old version.
In a Terminal window, execute these commands:
apt-get update
apt-get install hashcat
Change the Date
Hashcat is date sensitive. Since the version in NetLabs may not be the latest version, you may need to change the system date.
In a Terminal window, execute this command to set the date to 11/5/2014:
date 1105144814
Creating a Test User
Use the adduser command to create a new Kali Linux user.
In a Terminal window, execute this command:
adduser jose
At the "Enter new UNIX password" prompt, enter a password of password
At the "Retype new UNIX password" prompt, enter a password of password
Press Enter to accept defaults for the other options.
Viewing the Password Hash
The /etc/shadow file stores each user's password in hashed format, along with additional properties related to the account. All fields are separated by a colon (:). It contains one entry per line for each user listed in the /etc/passwd file. Generally, a shadow file entry looks as follows:
- Username: Login name up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
- SALT / Password: The SALT is listed between the dollar signs and the hashed password follows. A blank entry (e.g. ::) indicates a password is not required to log in (usually a bad idea), and a "*" entry (e.g. :*:) indicates the account has been disabled.
- Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
- Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn: The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive: The number of days after password expires that account is disabled
- Expire: Days since Jan 1, 1970 that account is disabled, i.e. an absolute date specifying when the login may no longer be used.
In a Terminal window, execute this command:
tail /etc/shadow
The last line shows the password hash for jose, as shown below (your hash will be different):
Finding Your Salt Value
Look at the salt following the username "jose". The $6$ value indicates a type 6 password hash (SHA-512, many rounds). The characters after $6$, up to the next $, are the SALT.
In my example, the SALT is jtV4P/WN **** Note - your salt will be different ****
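The field layout listed under "Viewing the Password Hash" and the salt position described here can be read straight off an entry with a short script. This is an added example, not part of the original lab: the sample entry is constructed (the text after the salt is a placeholder, not a real hash) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original lab.
# SAMPLE is a constructed entry; the text after the salt is a placeholder, not a real hash.
SAMPLE='jose:$6$jtV4P/WN$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH:16379:0:99999:7:::'

# shadow_field LINE N: print the Nth colon-separated field (1 = username, 2 = password).
shadow_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# hash_scheme LINE: name the scheme from the $id$ prefix of the password field.
hash_scheme() {
    case "$(shadow_field "$1" 2)" in
        '')        echo 'no password required' ;;
        '*'|'!'*)  echo 'disabled or locked' ;;
        '$1$'*)    echo 'MD5' ;;
        '$5$'*)    echo 'SHA-256' ;;
        '$6$'*)    echo 'SHA-512' ;;
        '$y$'*)    echo 'yescrypt' ;;
        *)         echo 'unknown' ;;
    esac
}

# hash_salt LINE: print the salt of a $1$/$5$/$6$ entry, skipping an optional rounds=N part.
hash_salt() {
    pw=$(shadow_field "$1" 2)
    case "$(printf '%s\n' "$pw" | cut -d'$' -f3)" in
        rounds=*) printf '%s\n' "$pw" | cut -d'$' -f4 ;;
        *)        printf '%s\n' "$pw" | cut -d'$' -f3 ;;
    esac
}

# hash_rounds LINE: print the rounds=N value, or 5000 (the SHA-512 default the lab cites).
hash_rounds() {
    r=$(shadow_field "$1" 2 | cut -d'$' -f3)
    case "$r" in
        rounds=*) echo "${r#rounds=}" ;;
        *)        echo 5000 ;;
    esac
}

# last_changed_epoch LINE: field 3 counts days since Jan 1, 1970; convert to seconds.
last_changed_epoch() { echo $(( $(shadow_field "$1" 3) * 86400 )); }

describe_entry() {
    echo "user:    $(shadow_field "$1" 1)"
    echo "scheme:  $(hash_scheme "$1")"
    echo "salt:    $(hash_salt "$1")"
    echo "rounds:  $(hash_rounds "$1")"
    # date -d @N is GNU date syntax, as shipped with Kali
    echo "changed: $(date -u -d "@$(last_changed_epoch "$1")" +%Y-%m-%d)"
}
describe_entry "$SAMPLE"
```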
Understanding the Hash Algorithm
The hash algorithm is defined in the file /etc/login.defs. To see the portion of that file discussing the password hash algorithm, execute this grep command to see 18 lines after the line containing the string "ENCRYPT_METHOD":
grep -A 18 ENCRYPT_METHOD /etc/login.defs
As you can see, Kali Linux uses SHA-512 hashes, with the default value of 5000 rounds:
Making a Hash File
Use the grep command to extract the line from /etc/shadow file that contains the user jose and send the output to the file crack1.hash.
In a Terminal window, execute these commands:
grep jose /etc/shadow > crack1.hash
Edit the Hash File
Using the nano text editor, clean the hashfile of unneeded text.
In a Terminal window, execute these commands:
nano crack1.hash
In the nano text editor, carefully delete the username jose and the colon after it, and all the text at the end of the file, including all the colons, leaving only the hash. Since the hash is a long string, it may not fully display on the screen.
Screenshots show struck-through text to be deleted.
Press Ctrl+X, Y, Enter to save the file.
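The grep in "Making a Hash File" matches any line that contains the string jose, and the hand edit in nano is easy to get wrong. As an added example (not part of the original lab), the script below selects the entry by exact username, keeps only the hash field, and refuses to write a file unless the value has the $6$ layout. The sample shadow entries are constructed with placeholder hashes, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original lab. The entries below are constructed;
# the text after each salt is a placeholder, not a real hash.
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
josephine:$6$Qw3rTy12$PLACEHOLDER.ONE:16379:0:99999:7:::
svc-jose:*:16379:0:99999:7:::
jose:$6$jtV4P/WN$PLACEHOLDER.TWO:16379:0:99999:7:::
EOF

# extract_hash USER FILE: print only field 2 of the entry whose username equals USER.
# Unlike "grep jose", this cannot pick up josephine or svc-jose.
extract_hash() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$2"
}

# is_sha512crypt HASH: succeed only for the $6$salt$hash layout (hashcat -m 1800).
is_sha512crypt() {
    case "$1" in
        '$6$'*'$'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# make_hash_file USER SHADOW OUT: write the bare hash to OUT, or fail without writing.
make_hash_file() {
    h=$(extract_hash "$1" "$2")
    if is_sha512crypt "$h"; then
        printf '%s\n' "$h" > "$3"
    else
        echo "no SHA-512 hash for user '$1'" >&2
        return 1
    fi
}

make_hash_file jose "$SHADOW_SAMPLE" crack1.sample.hash && cat crack1.sample.hash
```

On the sample data, grep jose returns all three lines, while extract_hash returns only the one belonging to jose.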
Cracking the Hash
In a Terminal window, execute these commands:
hashcat -m 1800 -a 0 -o found1.txt --remove crack1.hash /usr/share/wordlists/nmap.lst
Explanation of hashcat options:
- Unix type 6 password hashes (-m 1800)
- Using a dictionary attack (-a 0) ****Note – this is a zero****
- Putting output (-o) in the file found1.txt
- Removing each hash from the hash file once it is cracked (--remove)
- Getting hashes from crack1.hash
- Using the dictionary /usr/share/wordlists/nmap.lst
Viewing the Hash and Password
Use the cat command to view the hash and the password.
In a Terminal window, execute these commands:
cat found1.txt
You should see the hash, with the cracked password of "password" at the end (after the colon), as shown below:
Capturing the Screen Image
Make sure the Terminal window is visible, showing the cracked password of "password".
Click on the host machine's desktop, outside the virtual machine to make the host machine's desktop active.
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT.
Open Paint and paste in the captured image. Save it as a JPEG, with the filename "Your Name Project 20.jpg".
Turning in your Project
Email the JPEG image to: with a subject line of "2640: Project 20 From Your Name", replacing Your Name with your own first and last name. Send a CC to yourself.
Last modified 12-6-15 - jw
CIT2640