
Exercise 4: Cracking Password Hashes

Jan 26, 2025

Objective: Understand how attackers crack password hashes using tools like John the Ripper or Hashcat, and learn how to mitigate such attacks.


Scenario: As a penetration tester, you gain access to a Linux system and manage to extract password hashes from the /etc/shadow file. Your task is to crack these hashes to retrieve plaintext passwords, demonstrate how these can be used to access user accounts, and discuss mitigation strategies to prevent password hash cracking.


Lab Setup

  1. Environment: A Linux system with sample password hashes in /etc/shadow.
  2. Tools Required:
    • John the Ripper
    • Hashcat
    • Wordlists (e.g., rockyou.txt)

Lab Steps

Step 1: Extract Password Hashes

Access the /etc/shadow file with root or elevated privileges.

cat /etc/shadow

Copy the hashes for analysis. For example:

root:$6$randomsalt$9G5FPKDZ1hHkR...encryptedhash...:18446:0:99999:7:::
user:$6$anothersalt$yZ1QD1FpK8Dq...encryptedhash...:18446:0:99999:7:::

Note: The $6$ prefix indicates the hash uses SHA-512 (the sha512crypt scheme of crypt(3)); the field between the second and third $ is the per-user salt.

Save the extracted hashes to a file for cracking:

echo 'user:$6$anothersalt$yZ1QD1FpK8Dq...encryptedhash...' > hashes.txt

Step 2: Crack Password Hashes with John the Ripper

Install John the Ripper if not already installed:

sudo apt install john

Use John the Ripper to crack the hashes:

john --wordlist=/path/to/wordlist.txt hashes.txt

Replace /path/to/wordlist.txt with your chosen wordlist, e.g., rockyou.txt.

Monitor the cracking process and note any cracked passwords:

john --show hashes.txt

Example output:

user:password123

Step 3: Crack Password Hashes with Hashcat (Optional)

Install Hashcat:

sudo apt install hashcat

Identify the hash type using Hashcat’s documentation or tools like hashid.

Example: the $6$ (sha512crypt) hashes from /etc/shadow correspond to Hashcat mode 1800.

Crack the hash using Hashcat:

hashcat -m 1800 -a 0 --username hashes.txt /path/to/wordlist.txt

Review the results:

hashcat -m 1800 --username --show hashes.txt

Step 4: Demonstrate Unauthorized Access

Use the cracked password to log in as the targeted user:

su user

Verify access by running:

whoami


Solution

Explanation:

  • Password hashes stored in /etc/shadow are one-way hashed representations of passwords, not reversible encryption. Tools like John the Ripper and Hashcat exploit weak or common passwords by hashing each candidate from a wordlist or brute-force run with the same algorithm and salt, and comparing the result to the target hash.

Prevention:

  1. Use Strong Hashing Algorithms: Ensure passwords are hashed with slow, salted algorithms like bcrypt, scrypt, or Argon2, instead of MD5 or SHA-1.
  2. Salting Hashes: Add a unique salt to each password hash to prevent precomputed attacks (e.g., rainbow tables). Note that the $6$ hashes in this lab are already salted; salting stops precomputation, but it does not stop a dictionary attack against an individual weak password.
  3. Enforce Strong Password Policies:
    • Minimum length of 12-16 characters.
    • Require a mix of uppercase, lowercase, numbers, and special characters.
  4. Account Lockout Mechanisms: Limit login attempts to prevent brute-force attacks.
  5. Regular Audits: Monitor and rotate passwords periodically.
  6. Use Multi-Factor Authentication (MFA): Add an extra layer of security to user accounts.
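To audit which crypt(3) scheme each /etc/shadow entry actually uses (the $6$ prefix from Step 1, the Hashcat mode lookup from Step 3, and prevention items 1 and 2 above), here is an added Python example that is not part of the original lab: it parses shadow-format lines and flags empty passwords, legacy schemes and low round counts. The sample entries are constructed with placeholder hash bodies, and the MIN_ROUNDS threshold is an assumption chosen for the example.

```python
import re

# crypt(3) prefix -> (scheme name, Hashcat mode, legacy scheme?)
SCHEMES = {
    "$1$": ("md5crypt", 500, True),
    "$5$": ("sha256crypt", 7400, False),
    "$6$": ("sha512crypt", 1800, False),
    "$2b$": ("bcrypt", 3200, False),
    "$y$": ("yescrypt", None, False),
}
GLIBC_DEFAULT_ROUNDS = 5000  # sha256crypt/sha512crypt default when rounds= is absent
MIN_ROUNDS = 50000           # audit threshold assumed for this example, not a published standard

def audit_shadow_line(line: str) -> dict:
    """Parse one /etc/shadow entry and report its hashing scheme plus audit findings."""
    fields = line.strip().split(":")
    user, pw = fields[0], fields[1]
    r = {"user": user, "scheme": None, "hashcat_mode": None, "rounds": None, "findings": []}
    if pw == "":
        r["findings"].append("empty password field: account can log in with no password")
    elif pw.startswith(("!", "*")):
        r["scheme"] = "locked"  # '!' = locked, '*' = no password login; nothing to crack
    elif "$" not in pw:  # traditional 13-char DES crypt has no '$' prefix
        r["scheme"], r["hashcat_mode"] = "descrypt", 1500
        r["findings"].append("DES crypt: 8-character limit and no work factor; rehash on next login")
    else:
        prefix = next((p for p in SCHEMES if pw.startswith(p)), None)
        if prefix is None:
            r["findings"].append("unrecognised hash format")
            return r
        name, mode, legacy = SCHEMES[prefix]
        r["scheme"], r["hashcat_mode"] = name, mode
        if legacy:
            r["findings"].append(f"{name} is a legacy scheme; migrate to sha512crypt or yescrypt")
        if prefix in ("$5$", "$6$"):
            m = re.match(r"\$[56]\$rounds=(\d+)\$", pw)
            r["rounds"] = int(m.group(1)) if m else GLIBC_DEFAULT_ROUNDS
            if r["rounds"] < MIN_ROUNDS:
                r["findings"].append(f"{r['rounds']} rounds is low; raise SHA_CRYPT_MIN_ROUNDS in /etc/login.defs")
    return r

# Constructed sample entries (hash bodies are placeholders, not real hashes).
SAMPLE = [
    "root:$6$randomsalt$9G5FPKDZ1hHkR:18446:0:99999:7:::",
    "tuned:$6$rounds=500000$salt$hashbody:18446:0:99999:7:::",
    "legacy:$1$oldsalt$abcdefghijklmnopqrstuv:18446:0:99999:7:::",
    "svc:*:18446:0:99999:7:::",
    "nopass::18446:0:99999:7:::",
]
```

Run it against a copy of a real shadow file (as root) by mapping audit_shadow_line over its lines; entries whose findings list is non-empty are the accounts to fix before an attacker gets the hashes.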

Testing and Verification

  1. Confirm that strong passwords and secure hashing algorithms mitigate cracking attempts.
  2. Test different wordlists and hashing methods to simulate attacker capabilities.
  3. Document findings and the time required to crack hashes for reporting.

Reflection

This exercise demonstrates the risk of weak or poorly hashed passwords and provides practical steps to crack and secure them. By completing this lab, you’ve gained hands-on experience with password hash cracking and learned how to prevent such vulnerabilities in real-world systems.
