_________________________________________________________

Hacking Linux Part II: Password Cracking By gimboyd nickdoidge@talktimeuk.com
_________________________________________________________

Understanding the /etc/passwd file:

The /etc/passwd file on a Linux system is the first place a hacker would search if they wanted to compromise a large number of accounts (for obvious reasons). The /etc/passwd file has a general layout I give two examples below you may see on a Linux system:

root:*:0:0:The super user account:/root:/bin/tcsh
root:7dL94Tssk6zEt:0:0:The super user account:/root:/bin/tcsh

In /etc/passwd the ':' (colon) is used separate fields, The passwd file presents information about the users (in the order shown below).
- Username.
- Password.
- User ID.
- Group ID.
- Comment (usually the users full name, or about their responsibilities).
- Users home directory.
- The users shell (Usually is set as a default of /bin/bash or /bin/sh)

You may have noticed that the two possible entries above differ slightly, and that the difference is in the second field (the password section). This is because the password in the first entry is shadowed (I will explain what this means later), whereas the second password has just been encrypted. Generally nowadays you will not see the second entry as it can easily be cracked. Cracking the Linux password can be easy - but it does take time, time most attackers don't have, so they would prefer to leave this step out to achieving root privileges. Alec Muffets 'Crack' was pretty much, the first UNIX/ Linux password cracking program, it was able to crack passwords encrypted with DES crypt() and MD5 crypt(), now due to the shadow password suite, crack is almost dead. Programs such as John The Ripper are designed to break shadowed password. Since nowadays pretty much every Linux box uses the shadow password suite I will explain how to use John The Ripper later on in the manual.


Understanding the /etc/shadow file:

In the /etc/shadow file you will find entries similar to this:

root:x6FH.R4PFYGL2:11901:0:32767:7:4:12:1073741831

In /etc/shadow the ':' (colon) is used separate fields, The shadow file presents information about the users (in the order shown below).
-
Username.
- Encrypted password.
- Number of days since January 1st 1970, that the password was last changed.

- Number of days before the user is allowed to change their password.
- Number of days before the user must change their password.
- How many days in advance the user is warned of a password change.
- Number of days remaining for the user to change their password (else their account is disabled).
- A reserved field.

The /etc/passwd file needs to be read by all to login therefore has the permissions of 644 (or -rw-r--r--), the /etc/shadow file is only readable by root, and therefore has the permissions 400 (or -r--------). This can greatly increase security, because the encrypted passwords cannot be read by any other user apart from root, this makes dictionary attacks very difficult without root privilages.


Using John The Ripper To Crack Passwords:

After downloading the source, extract it and enter the src directory, then enter make linux-x86-any-elf, this will make a directory called run, this will contain all the binaries you will need to crack the Linux password. I will explain the basic use of John, but I would definitely recommend reading the documentation for full use of the program. Before you do anything I would recommend you edit john.ini, and get a different wordlist instead of using the list given with John, try packetstorm for a large password list. Remember, cracking passwords takes time and processor power - if an attacker were to try to crack your passwords on your server, rather than copying the files and cracking them elsewhere, then you will notice that your server may lag considerably.

Firstly we need to use the unshadow tool (located in the John's run directory) use the following command unshadow /etc/passwd /etc/shadow > passwd.1. The easiest way to crack the password now is to enter john passwd.1. John generally has three modes - single, wordlist (with rules) & incremental, and using john passwd.1 will use those modes in that order. You can check which passwords have been cracked by running the command john -show passwd.1, these passwords are stored in john.pot. If you wish to check if any account with a userid of 0 you can use the command john -show -users:0 passwd.1. If you have a couple of different password files you can get John to work on the files at the same time, by using the following command format: john -single passwd.1 passwd.2. Lastly John has a mailing feature that will e-mail every user whose password has been cracked, you can do this by issuing the command mailer passwd.1.

Issuing the command unshadow /etc/passwd /etc/shadow > passwd.1 will echo information that looks similar to this into the file passwd.1 (some accounts have been removed for brevity).

root:$1£ajQhjtGx$F60uti4xHEEqtpHb8lTs7/:0:0::/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/log:
nobody:*:99:99:nobody:/:
nick:xsFH.RApFyG12:1001:10:Nick Doidge:/home/nick:/bin/bash

As it cracks the passwords the encrypted string and the password are stored in john.pot the output will look similar to this:

$1£ajQhjtGx$F60uti4xHEEqtpHb8lTs7/:enter

If you wish to print out a list of passwords that have been cracked the command john -show passwd.1 will give output similar to the below:

root:enter:0:0::/root:

1 password cracked, 1 left

************
Countermeasures:

1) Make sure you use MD5 on your passwords instead of DES!
2) Use a password cracker regularly on your own computer to filter out weak passwords.
3) Use different passwords on different systems.
4) Reglarly force users to change their passwords - the root password should be changed even more frequently!
5) Your passwords should be:
.......At least 8 characters long.
.......Have at least one number.
.......Have at least one non-alphanumeric character.
.......Not consist of a dictionary word.
.......Have both upper and lower case letters.
************

Thats pretty much it for password cracking, I know I haven't gone into great depth here, but now you know the basic layout of the password files, and how to break them using John (I havent described even a quarter of John's options etc so definitely read the documentation for extra interesting utilities).


<< Back To Privilage Escalation
Forward To Maintaining Access >>