In our previous tutorial we gained root access to our target Linux machine running metasploitable. So now what can we do? Let’s try to crack some passwords and system credentials.
The first thing to do is grab the password hashes. This is simply done by typing
We get an output like the one above. Select the results, copy them, and paste them into a text file, which we will save as passwd.txt on our Kali machine.
Next we do the same for the shadow file by running the command
and then copy the results into a text file, which is saved as shadow.txt.
We now have two text files saved on our Linux machine. The next thing we will do is combine the two files using John the Ripper's unshadow tool so the hashes can then be cracked.
Run the following command:
┌──(kali㉿kali)-[~]
└─$ unshadow /home/kali/Desktop/passwd /home/kali/Desktop/shadow > /home/kali/Desktop/passwords.db
Replace the paths with wherever you saved the passwd and shadow text files.
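To make clear what unshadow actually does, and what a defender should be looking for in the result, here is an added example (not part of the original tutorial, and not John the Ripper's own code). It merges constructed passwd and shadow lines the way unshadow does, by joining on the username and replacing the x placeholder with the shadow hash field, and then audits each account for the things that make offline cracking easy: an empty password field, a hash algorithm such as md5crypt that is fast to guess against, or an unrecognised legacy format. The hash strings below are labelled placeholders, not real credentials.

```python
"""Audit a combined passwd/shadow file (the format unshadow produces).

Added example, not part of the original tutorial. The sample lines are
constructed; the hash strings are placeholders, not real credentials.
"""

# Constructed sample input in the layout found in /etc/passwd and /etc/shadow.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash",
    "user:x:1001:1001::/home/user:/bin/bash",
    "svc:x:1002:1002::/nonexistent:/usr/sbin/nologin",
]
SHADOW_LINES = [
    "root:$1$saltsalt$PLACEHOLDERHASH.NOTREAL0:14747:0:99999:7:::",
    "daemon:*:14684:0:99999:7:::",
    "msfadmin:$1$saltsalt$PLACEHOLDERHASH.NOTREAL1:14747:0:99999:7:::",
    "user:$6$saltsalt$PLACEHOLDERHASH.NOTREAL2:14747:0:99999:7:::",
    "svc::14747:0:99999:7:::",   # empty hash field: login with no password
]

# crypt(3) hash-id prefixes and how each rates against offline guessing.
HASH_ALGOS = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
}


def unshadow(passwd_lines, shadow_lines):
    """Merge like unshadow(8): put each shadow hash into the passwd 'x' slot."""
    hashes = {}
    for line in shadow_lines:
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def classify(hash_field):
    """Describe the password field of one merged entry."""
    if hash_field == "":
        return "EMPTY: no password required"
    if hash_field.startswith(("*", "!")):
        return "locked (no password login)"
    for prefix, (name, rating) in HASH_ALGOS.items():
        if hash_field.startswith(prefix):
            return f"{name} ({rating})"
    return "unknown/legacy format"


def audit(merged_lines):
    """Return {user: finding} for accounts that need attention."""
    findings = {}
    for line in merged_lines:
        user, hash_field = line.split(":")[:2]
        verdict = classify(hash_field)
        if "weak" in verdict or "EMPTY" in verdict or "unknown" in verdict:
            findings[user] = verdict
    return findings


if __name__ == "__main__":
    for user, finding in audit(unshadow(PASSWD_LINES, SHADOW_LINES)).items():
        print(f"{user:10} {finding}")
```

Run against your own hosts (after reading /etc/shadow as root), the findings list is the set of accounts a dictionary attack like the one below would get to first: md5crypt is computed so fast that a large wordlist goes by in minutes, whereas sha512crypt or yescrypt with a high cost factor slows every guess down.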
Now that the files are combined, we will run a dictionary attack to try to crack the hashes. We will use the popular rockyou.txt dictionary of passwords.
┌──(kali㉿kali)-[~]
└─$ sudo john --wordlist=/home/kali/Desktop/rockyou.txt /home/kali/Desktop/passwords.db
Here we specify the wordlist to use, its location, and the location of our combined passwd and shadow file.
It can take some time to run through the whole dictionary of thousands of words. Above we can see the results for 4 accounts, and we have identified that the administrator account msfadmin uses msfadmin as both username and password. Press Ctrl+C to stop cracking.
We can always see what has been cracked already by using the command
sudo john /home/kali/Desktop/passwords.db --show
This will show us what has already been cracked and what is still pending. You can see we have 4 cracked and 3 pending.
If you run the crack command again, it will continue trying to crack the remaining 3.
Of course, if the password you are trying to crack doesn't exist in your dictionary, it will find no results. There are some huge dictionaries available online for download that contain many potential and common passwords.
So what did we learn from this tutorial? Well, it's important to secure your system. Use some kind of random password for strong security, and combine upper and lower case letters with special characters. If someone is running a dictionary attack to try to crack the password, the likelihood of a random string being in the dictionary is far lower than that of an actual word.
If you followed this tutorial on from the previous one, you will see that we were able to gain root access, grab the hashes, and crack them all because of one security hole: the vulnerable UnrealIRCd service that was exploited.
Now that we have the passwords, there are other services we have seen running on our Metasploitable machine that could be vulnerable. Some of these services will require us to enter a username and password in order to exploit them. Now that we have those to hand, we can explore other vulnerabilities we can exploit.
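To turn the advice above into something checkable, here is an added example (not part of the original tutorial) of a password policy check written from the defender's side. It reports the missing character classes the paragraph recommends, estimates the keyspace in bits from length and character classes, and, importantly, checks whether the password is just a dictionary word with the usual decorations, because a wordlist run with mangling rules will still find Password1! even though it mixes cases and has a symbol. The common-word list is a tiny constructed stand-in for a wordlist such as rockyou.txt, and the example passwords are constructed.

```python
"""Password policy check illustrating the advice above.

Added example, not part of the original tutorial. COMMON_WORDS is a tiny
constructed stand-in for a real wordlist such as rockyou.txt.
"""
import math
import string

# Constructed stand-in for a wordlist: a handful of the kind of entries it holds.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "msfadmin"}

# Reverse the most common substitutions (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i).
_UNLEET = str.maketrans("013457@$!", "oieastasi")


def candidate_forms(password):
    """Forms a rule-based dictionary run would also try: case fold,
    strip trailing digits/symbols, undo leetspeak."""
    p = password.lower()
    return {p, p.rstrip(string.digits + string.punctuation), p.translate(_UNLEET)}


def charset_size(password):
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32
    return size


def keyspace_bits(password):
    """log2 of the brute-force keyspace. This is an upper bound: a dictionary
    word decorated with a digit has far fewer effective bits than this."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, min_bits=60):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "special characters": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    if candidate_forms(password) & COMMON_WORDS:
        problems.append("derived from a dictionary word")
    bits = keyspace_bits(password)
    if bits < min_bits:
        problems.append(f"only {bits:.0f} bits of keyspace (< {min_bits})")
    return problems


if __name__ == "__main__":
    # Constructed examples: the tutorial's cracked credential, a "complex"
    # dictionary word, and a random string of the kind the text recommends.
    for pw in ("msfadmin", "Password1!", "7h!sK3y-rX2qZw"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

The dictionary check is the part that matters most: the character-class rules alone would pass Password1!, which is exactly the sort of guess a wordlist with rules produces first. The bit estimate is only an upper bound for random strings; a password built from a word gets its real strength from the word list size, not from its length.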