JTR-Cracking Linux passwords-Long Version_11_29_2023

The lab Breakdown READ : If your hashing algorithm use “$6$ use --format= sha512crypt and if it uses “$y$” use --format=crypt Lab summary: We are going to create a few users whose passwords we are going to crack using john the ripper ( JTR ). This is a two part lab, in the first part of the lab we are going to use a wordlist named “ rockyou.txt ” that is included with Kali Linux, it contains about 14 Million possible passwords. In the second part of the lab, we will create and use a custom wordlist to crack the passwords. Phases of the lab Phase#1 : Create some test users on the Kali VM with passwords.. Phase#2 : Use the “ pwunconv ” command to combine the /etc/passwd and /etc/shadow files into another file. Phase#4 : Use the “ rockyou.txt ” wordlist to attempt to crack the passwords Phase#3 : Create a custom “wordlist” (password file) containing the user’s password. Phase#4 : Use john the ripper to attempt to crack the passwords using the custom password. Remember john needs 3 things  A wordlist ( Wordlists are text files that contains potential passwords that password crackers like john the ripper uses to crack passwords. )  A file containing the username+password hash pair  The name of the hashing algorithm used by the Operating system ( --format=NT or --Format=sha512crypt) Basic Syntax John --format=?? --wordlist=path/to/wordlist.txt path/to/filetocrack.txt

Hands-on DO: Start the “ kali Linux VM ”, logon as “ root ” and create some test users with passwords that are easy to crack. User Creation Let’s create a few users and set their passwords Syntax: username –m <username> ; create a new user account Syntax: passwd <username> ; set/reset a user’s password DO : Type “ useradd -m cbrown ” ; create a new user named cbrown DO: Type “passwd cbrown ” ; set his password to six ones (111111) DO : Use the “cbrown” example as reference and create the other users in the table below with the indicated passwords. The “ RED ” characters are UPPERCASE letters. Note : snoopy and linus have the same password Username password cbrown 111111 woodstock W !nter2020 snoopy P @$$w 0 rd ; 0 is the number zero lucy B @rtic@ linus P @$$w 0 rd ; 0 is the number zero pigpen p@ssw o rd ; o is the letter ‘oh” DO : Reset root’s password to “w!nter2009” Q: What command did you type? _____________________________________________

DO: Type “ pwunconv ” ; this will combine the /etc/passwd and /etc/shadow files into one file the /etc/passwd file. The shadow file will no longer exist The following picture illustrates the effect of “ pwunconv ” command using sholmes to illustrate. READ: Now that we have all accounts and hashes in one file, we are going to use the “grep” command copy the accounts of interest to a file named “filetocrack.txt” …which we will tell john to crack DO : Type “ grep root /etc/passwd ” ; display all entries with the string “root’ in them

DO : Type “ grep -w root /etc/passwd ” ; Tell grep to display only lines that have the word (w) root.. Look at the following screenshot. DO: Type the “grep ” commands in the following picture to extract only the entries of interest from the /etc/passwd file and send them to a file named “ filetocrack.txt ”. The “filetocrack.txt” is the file we will tell john to crack. Note: Alternately, you can use the following command to do the same thing as the screenshot grep -E ‘^(root|cbrown|woodstock|snoopy|lucy|linus|pigpen)’ /etc/passwd > filetocrack.txt

Let’s get the “rockyou.txt” wordlist Note: To use the “rockyou.txt” wordlist you must first uncompress it DO : Type “ ls –lh /usr/share/wordlists/rockyou.txt.gz ” ; displays the file What’s the compressed size of the file? ______________________________ DO : Type “ gunzip /usr/share/wordlists/rockyou.txt.gz ” ; uncompress the file DO : Type “ ls –lh /usr/share/wordlists/rockyou.txt ”. What’s the uncompressed size of the file? _______________________________ DO : Type “ wc –l /usr/share/wordlists/rockyou.txt ” ; use the word count (wc) command to counts the number of lines (entries) in the file. How many lines (potential passwords) are in the file (The leftmost number) ?_____________ DO : Type “ grep head /usr/share/wordlists/rockyou.txt ”; list possible password that have the string “head” as part of them. DO : Type “ grep head /usr/share/wordlists/rockyou.txt | wc –l ” ; uses the word count (wc) command to count how many potential passwords have the string “head” in them…Don’t do anything just wait until it finish on it’s own. DO: Type “ cp /usr/share/wordlists/rockyyou.txt /root ” ; copy the file to /root to avoid having to type in a long path. DO : Type ls ; list the content of the current directory, you should see the rockyou.txt file READ : Before we attempt to crack the passwords, lets determine how many of the passwords we intend to crack are in the ‘rockyou.txt” file, this will tell us how many of the passwords will eventually be cracked by john.

NOTES :  If the password is in the file it means that eventually john will be able to crack it, if the password is not in the file it means that john will not be able to crack the password. READ : In the following commands, be sure to surround the passwords with single quotes , the one that shares the same key as the double quotes . DO : Type grep -w ‘111111’ rockyou.txt ; is the password in the file? Y/N DO : Type grep -w ‘ P @$$w0rd’ rockyou.txt ; is the password in the file?Y/N DO : Type grep -w ‘ W !nter2020’ rockyou.txt ; is the password in the file?Y/N DO : Type grep -w ‘p@ssword’ rockyou.txt ; is the password in the file?Y/N DO : Type grep -w ‘ B @rtic@’ rockyou.txt ; is the password in the file?Y/N DO : Type grep -w ‘w!nter2009’ rockyou.txt ; is the password in the file? Y/N DO: List the users whose passwords will eventually be cracked: _____________________ ________________________________________________________________________

DO: Press “ CTRL+C” or the letter “ q ” to temporarily pause the cracking process go to the command prompt. DO : Type “john - -show filetocrack.txt ”; display cracked passwords You should see the following DO: Type “john - -restore ” ; resume the cracking

DO: Press “ any ” key to display the current potential password that JTR is trying. DO: WAIT 30 minutes and see if JTR can crack any other, then press “ CTRL+ C ” to exit Q: Were any other passwords cracked after 30 minutes? Y/N DO: List the names of the users whose passwords were cracked ________________________________________________________________________ DO: List the names of the users whose passwords were not cracked ________________________________________________________________________ DO: Type “john - - show filetocrack.txt ” ; displays the names and corresponding cracked passwords. DO: Take a screenshot and paste it below

DO : Type “ cat mywordlist.txt ” to display the content of the file. You should see the following. READ: If you do not see all six passwords, exactly as shown in the previous screen, then type “ rm –rf mywordlist.txt ” to delete the file, and then re-type the “ echo ” commands. OK let’s get cracking DO : Type” john - -format=sha512crypt - -wordlist=my wordlist.txt filetocrack.txt ” READ: All passwords that are in the”mywordlist.txt” file should cracked within a few seconds, and you will exit from john because it has run out of potential passwords to try. . Note: Pigpen(p@ssword) and root’s(w!nter2009) passwords are not in the custom wordlist so they were not cracked.

DO:Type “ cat .john/john.pot ” ;; shows all cracked passwords and corresponding hashes (but not names). Refer to the following screenshot.

Let’s delete the “john.pot” file DO: Type “ rm -rf .john/john.pot “ ; This will delete the “john.pot” file let’s crack again DO : Type” john - -format=sha512crypt - -wordlist=my wordlist.txt filetocrack.txt”

DO: Type “ cat .john/john.pot ” ; display cracked passwords (no names are shown) DO: Type “ john - -show filetocrack.txt ” ; you should see the following, which shows both the cracked passwords and the corresponding names.