Monday, July 9, 2012

My old blog content is here:

http://noobscripts.blogspot.com/

Cracking your shadow!


If you really need to know the password for one of your Linux accounts, you can use some creative means to capture the necessary files and then run John the Ripper against them.

As long as your system is not using full disk encryption (which is exactly why full disk encryption matters on any machine someone else can boot), you can boot it from Backtrack 5 R2.  Once Backtrack is up, you'll need to mount the hard drive and copy the passwd and shadow files off it.

     mkdir /mnt/crack
     mount /dev/sda1 /mnt/crack    # use your own root partition if it is not sda1

     # copy the files from the mounted drive, not the live system's own /etc
     cp /mnt/crack/etc/passwd /root/
     cp /mnt/crack/etc/shadow /root/

Once you have the files copied to your working directory you can use John the Ripper to crack the passwords.  Backtrack 5 R2 comes with a decent password dictionary for starters.  You will need to join the passwd and shadow files with unshadow before you can run JTR.  You'll need to be in the working directory of JTR (/pentest/passwords/john on Backtrack) or use the full path.

     ./unshadow /root/passwd /root/shadow > /root/linux_hashes.txt
     ./john /root/linux_hashes.txt
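
What unshadow actually does is simple enough to reproduce, and doing so is a useful audit step on its own: the join puts each shadow hash back into the passwd line, and the hash prefix tells you which accounts a cracker could even work on and which still use a legacy algorithm. The script below is an added example, not code from the original post or from John the Ripper; the passwd and shadow lines in it are constructed sample data with dummy hash strings, and the user names are simply borrowed from the john output shown later on this page.

```python
"""Audit a copied passwd/shadow pair before (or instead of) running john.

Added example, not part of the original post and not JtR's own code.
It reproduces the join that unshadow performs (the hash from shadow
replaces the 'x' placeholder in passwd) and classifies every account by
hash type so an administrator can see which entries an offline cracker
could attempt and which use an empty or legacy hash.
"""

# Prefix -> (algorithm name, legacy/fast-to-attack?) for modular crypt formats.
ALGORITHMS = {
    "$1$": ("MD5-crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("SHA-256-crypt", False),
    "$6$": ("SHA-512-crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}

# Constructed sample files. The hash strings are shortened dummies, not
# real hashes; 15530 is just a plausible "last changed" day count.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
joe:x:1000:1000:Joe:/home/joe:/bin/bash
jim:x:1001:1001:Jim:/home/jim:/bin/bash
hacker:x:1002:1002::/home/hacker:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructd$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:15530:0:99999:7:::
daemon:*:15530:0:99999:7:::
joe:$1$construc$BBBBBBBBBBBBBBBBBBBBBB:15530:0:99999:7:::
jim:CCCCCCCCCCCCC:15530:0:99999:7:::
hacker:$6$constructd$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:15530:0:99999:7:::
guest::15530:0:99999:7:::
"""


def parse_colon_file(text):
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Join passwd and shadow into the single-file form john reads.

    For every passwd user that has a shadow entry, field 2 ('x') is
    replaced by the shadow hash field; other users are kept unchanged.
    """
    shadow = parse_colon_file(shadow_text)
    joined = []
    for name, fields in parse_colon_file(passwd_text).items():
        fields = list(fields)
        if name in shadow:
            fields[1] = shadow[name][1]
        joined.append(":".join(fields))
    return "\n".join(joined) + "\n"


def classify(hash_field):
    """Return (description, crackable, flagged) for one shadow hash field.

    crackable: a cracker could attempt this hash offline.
    flagged:   empty password or legacy algorithm; needs attention.
    """
    if hash_field == "":
        return ("EMPTY - no password needed to log in", False, True)
    if hash_field.startswith(("!", "*")):
        return ("locked or no password login", False, False)
    for prefix, (name, legacy) in ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return (name, True, legacy)
    if len(hash_field) == 13 and "$" not in hash_field:
        return ("traditional DES crypt (8-char limit)", True, True)
    return ("unrecognised format", False, False)


def audit(passwd_text, shadow_text):
    """Classify every passwd account using its shadow hash."""
    shadow = parse_colon_file(shadow_text)
    report = {}
    for name in parse_colon_file(passwd_text):
        if name not in shadow:
            report[name] = ("no shadow entry", False, False)
        else:
            report[name] = classify(shadow[name][1])
    return report


def crackable(report):
    """Users whose hash a tool like john could work on."""
    return sorted(u for u, (_, can, _) in report.items() if can)


def flagged(report):
    """Users with an empty password or a legacy, fast-to-attack hash."""
    return sorted(u for u, (_, _, bad) in report.items() if bad)


if __name__ == "__main__":
    rep = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, (desc, can, bad) in rep.items():
        mark = "!!" if bad else ("  " if can else "--")
        print(f"{mark} {user:<8} {desc}")
    print("crackable:", crackable(rep))
    print("flagged:  ", flagged(rep))
```

Run it as-is to see the sample report; on a real copy, read the two files and pass their contents to `audit()` and `unshadow()`. The point of the classification is that the accounts john can spend five minutes on are exactly the ones with a usable hash, and the ones worth fixing first are the empty and legacy-algorithm entries.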


The cracking process will take time depending on a number of factors.  The complexity of your passwords, the quality of your wordlist, and the speed of your hardware will determine how long the run takes.  Notice that even with these simple passwords, it took over 5 minutes to crack all three.  Your results may look similar to this:

     root@root:~# /pentest/passwords/john/john ./linux_hash.txt
     Loaded 3 password hashes with 3 different salts (generic crypt(3) [?/32])
     evil             (hacker)
     guesses: 1  time: 0:00:01:14 31.33% (1) (ETA: Mon Jul  9 17:01:11 2012)  c/s: 48.82  trying: tkirk - 7jkirk
     password         (joe)
     red              (jim)
     guesses: 3  time: 0:00:05:50 DONE (Mon Jul  9 17:03:05 2012)  c/s: 50.07  trying: ncc1701d - 1022
     Use the "--show" option to display all of the cracked passwords reliably
     root@root:~#