Exercise 22: Cracking Shadow File Passwords Using Offline Attacks

Objective: Use offline dictionary-based or brute-force techniques to crack password hashes stored in the /etc/shadow file, and understand how to secure password storage against such attacks.

---

Scenario: The /etc/shadow file on Linux systems contains hashed passwords for user accounts. If an attacker gains access to this file, they can attempt to crack the password hashes using offline techniques. Your task is to simulate this process using tools like John the Ripper and Hashcat, and implement strategies to secure password storage.

---

Lab Setup

1. Environment:
   • A Linux system with access to the /etc/shadow and /etc/passwd files.
2. Tools Required:
   • John the Ripper or Hashcat for cracking passwords.
   • A wordlist (e.g., rockyou.txt) for dictionary attacks.

---

Lab Steps

Step 1: Obtain the /etc/shadow File

1. View the contents of /etc/shadow (requires root privileges): sudo cat /etc/shadow
   • Example entry: user:$6$randomsalt$hashedpassword:18446:0:99999:7:::
     • $6$: Indicates the SHA-512 hashing algorithm.
     • randomsalt: The salt used for hashing.
     • hashedpassword: The actual hashed password.
2. Extract the relevant entries and save them to a file: sudo cat /etc/shadow | grep user > hashes.txt
3. Obtain the corresponding /etc/passwd entry for user account information: cat /etc/passwd | grep user

Step 2: Prepare for Cracking

1. Combine the /etc/passwd and /etc/shadow files into a format readable by cracking tools: unshadow /etc/passwd /etc/shadow > combined.txt
   • unshadow combines the two files into a format suitable for tools like John the Ripper.

Step 3: Perform a Dictionary Attack

1. Use John the Ripper to perform a dictionary attack: john --wordlist=/path/to/wordlist.txt combined.txt
   • Replace /path/to/wordlist.txt with the path to your wordlist (e.g., rockyou.txt).
2. Monitor progress and results: john --show combined.txt
   • Example output: user:password123

Step 4: Perform a Brute-Force Attack

1. If the dictionary attack fails, use a brute-force attack: john --incremental combined.txt
2. This method tries all possible combinations of characters and can take significantly longer.
3. Monitor the cracking process and record any discovered passwords.

Step 5: Use Hashcat for Advanced Cracking

1. Identify the hash type:
   • SHA-512 corresponds to Hashcat mode 1800.
2. Use Hashcat to crack the hash with a dictionary: hashcat -m 1800 -a 0 hashes.txt /path/to/wordlist.txt
3. For a brute-force attack: hashcat -m 1800 -a 3 hashes.txt ?a?a?a?a?a
   • Replace ?a?a?a?a?a with the desired length and character set.

---

Solution

Explanation:

• The /etc/shadow file stores password hashes, which can be cracked offline if accessed by attackers.
• Tools like John the Ripper and Hashcat use dictionary and brute-force attacks to recover plaintext passwords.

Prevention:

1. Use Strong Hashing Algorithms:
   • Ensure passwords are hashed using secure algorithms like SHA-512, bcrypt, or Argon2.
2. Enforce Salting:
   • Salt ensures that even if two users have the same password, their hashes will differ.
3. Implement Strong Password Policies:
   • Require long and complex passwords with a mix of characters.
   • Example password policy: sudo apt install libpam-pwquality Configure /etc/security/pwquality.conf with rules such as: minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
4. Restrict Access to /etc/shadow:
   • Ensure only the root user can read the file: chmod 600 /etc/shadow
5. Use Two-Factor Authentication:
   • Add an extra layer of security to user accounts.

---

Testing and Verification

1. Test password policies by creating user accounts with weak passwords and verifying they are rejected.
2. Attempt to crack the hashes after implementing stronger hashing and salting mechanisms to confirm the difficulty of cracking.
3. Verify that only root can access the /etc/shadow file.

---

Reflection

This exercise demonstrates how attackers can crack password hashes using offline techniques and highlights the importance of securing password storage. By completing this lab, you’ve gained insights into strengthening authentication mechanisms on Linux systems.