
Password Crack (John the Ripper)

category Security/Information Gathering 2017. 11. 13. 22:01

- Password cracking methods and types

Password guessing (Password Guess): manually guess using information obtained about a target

Default password attack: the device still has its default password, such as a router

Dictionary attack: an automated attack that tries all the possible dictionary words from a dictionary file

Brute-force attack: try all the possible character combinations

Hybrid attack: combine a dictionary with brute force


- Types of password cracking attacks

Offline Password Crack Attack(Local Password Attack) : John The Ripper 

Online Password Crack Attack(Remote Password Attack) : Hydra 


- passwd / shadow


(kali)

# cat /etc/passwd | grep root

 

 root:x:0:0:root:/root:/bin/bash


 

> ID : x (where the password used to be stored) : UID : GID : comment : home directory : shell


# cat /etc/shadow

 

 root:$6$.k9323Tm$knFsOFxb/9wdDddozr.0KNmrfJNmneHdYuy02TTbluvYkxbsnOtW7JSg5oytApNi0R9IWWMNYG89cPrAmciu9/:17450:0:99999:7:::

 

> ID

> Hash algorithm identifier: $6$ (sha512crypt)

> Salt: $.k9323Tm$

> Hashed password: $knFsOFxb/9wdDd .....


# man shadow


# man 3 crypt
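
The field layout described above can be checked mechanically. The following audit parser is an added example, not part of the original post: the function names, the scheme table and the two constructed records are assumptions made for illustration.

```python
from datetime import date, timedelta

# crypt(3) scheme ids as they appear between the first two '$' characters.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}  # fast legacy schemes worth flagging in an audit

# First record is the root entry shown above; the other two are constructed.
SAMPLE = [
    "root:$6$.k9323Tm$knFsOFxb/9wdDddozr.0KNmrfJNmneHdYuy02TTbluvYkxbsnOtW"
    "7JSg5oytApNi0R9IWWMNYG89cPrAmciu9/:17450:0:99999:7:::",
    "daemon:*:17450:0:99999:7:::",
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:17000:0:99999:7:::",
]

def parse_shadow_line(line):
    """Split one shadow record and decode its password field."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    pw = f[1]
    rec = {"user": f[0], "state": "hashed", "scheme": None, "salt": None,
           "last_change": None}
    if f[2]:  # field 3: days since 1970-01-01 of the last password change
        rec["last_change"] = date(1970, 1, 1) + timedelta(days=int(f[2]))
    if pw == "":
        rec["state"] = "empty"        # login without any password
    elif pw[0] in "!*":
        rec["state"] = "locked"       # password login disabled
    elif pw.startswith("$"):
        parts = pw.split("$")         # ['', id, (rounds=N,) salt, hash]
        rec["scheme"] = SCHEMES.get(parts[1], "unknown")
        if parts[1] in ("1", "5", "6") and len(parts) >= 4:
            rec["salt"] = parts[3] if parts[2].startswith("rounds=") else parts[2]
    else:
        rec["scheme"], rec["salt"] = "descrypt", pw[:2]  # legacy DES hash
    return rec

def findings(rec):
    out = []
    if rec["state"] == "empty":
        out.append("empty password")
    if rec["scheme"] in WEAK:
        out.append("weak hash scheme: " + rec["scheme"])
    return out

if __name__ == "__main__":
    for r in map(parse_shadow_line, SAMPLE):
        print(r["user"], r["state"], r["scheme"], r["salt"], r["last_change"], findings(r))
```
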


[Note] The pwconv / pwunconv commands

/etc/passwd ---- pwconv CMD ----> /etc/passwd, /etc/shadow

/etc/passwd, /etc/shadow ---- pwunconv CMD ----> /etc/passwd (dangerous: the password hashes move back into the world-readable /etc/passwd)


- John the Ripper hands-on practice


# john

 

 John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding [linux-x86-64-avx]

Copyright (c) 1996-2015 by Solar Designer and others

Homepage: http://www.openwall.com/john/


Usage: john [OPTIONS] [PASSWORD-FILES]

--single[=SECTION]        "single crack" mode

--wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin

                  --pipe  like --stdin, but bulk reads, and allows rules

--loopback[=FILE]         like --wordlist, but fetch words from a .pot file

--dupe-suppression        suppress all dupes in wordlist (and force preload)

--prince[=FILE]           PRINCE mode, read words from FILE

--encoding=NAME           input encoding (eg. UTF-8, ISO-8859-1). See also

                          doc/ENCODING and --list=hidden-options.

--rules[=SECTION]         enable word mangling rules for wordlist modes

--incremental[=MODE]      "incremental" mode [using section MODE]

--mask=MASK               mask mode using MASK

--markov[=OPTIONS]        "Markov" mode (see doc/MARKOV)

--external=MODE           external mode or word filter

--stdout[=LENGTH]         just output candidate passwords [cut at LENGTH]

--restore[=NAME]          restore an interrupted session [called NAME]

--session=NAME            give a new session the NAME

--status[=NAME]           print status of a session [called NAME]

--make-charset=FILE       make a charset file. It will be overwritten

--show[=LEFT]             show cracked passwords [if =LEFT, then uncracked]

--test[=TIME]             run tests and benchmarks for TIME seconds each

--users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only

--groups=[-]GID[,..]      load users [not] of this (these) group(s) only

--shells=[-]SHELL[,..]    load users with[out] this (these) shell(s) only

--salts=[-]COUNT[:MAX]    load salts with[out] COUNT [to MAX] hashes

--save-memory=LEVEL       enable memory saving, at LEVEL 1..3

--node=MIN[-MAX]/TOTAL    this node's number range out of TOTAL count

--fork=N                  fork N processes

--pot=NAME                pot file to use

--list=WHAT               list capabilities, see --list=help or doc/OPTIONS

--format=NAME             force hash of type NAME. The supported formats can

                          be seen with --list=formats and --list=subformats


 


- Create users (user01 / user01, hacker / h4ckEr1.)

# useradd -m -s /bin/bash user01    /* -m: create the home directory, -s: set the shell (default: Bourne shell) */

# passwd user01


# useradd -m -s /bin/bash hacker

# passwd hacker


# cd /root/bin


# unshadow /etc/passwd /etc/shadow | egrep '(^root|^user01)' > passwd.txt 

# unshadow /etc/passwd /etc/shadow | egrep '(^root|^user01|^hacker)' > passwd2.txt 


# cat passwd.txt 

 

 root:$6$.k9323Tm$knFsOFxb/9wdDddozr.0KNmrfJNmneHdYuy02TTbluvYkxbsnOtW7JSg5oytApNi0R9IWWMNYG89cPrAmciu9/:0:0:root:/root:/bin/bash

user01:$6$mbAsWwje$PM2a0F94VpIUodMg8r1Q0GhduoVQjs8Tau9gD70aLbsVm5bQGdQ102BgT8HfJRXUF95BDbZL7weIx3gZw6YJe/:1000:1000::/home/user01:/bin/bash


 


# cat passwd2.txt 

 

 root:$6$.k9323Tm$knFsOFxb/9wdDddozr.0KNmrfJNmneHdYuy02TTbluvYkxbsnOtW7JSg5oytApNi0R9IWWMNYG89cPrAmciu9/:0:0:root:/root:/bin/bash

user01:$6$mbAsWwje$PM2a0F94VpIUodMg8r1Q0GhduoVQjs8Tau9gD70aLbsVm5bQGdQ102BgT8HfJRXUF95BDbZL7weIx3gZw6YJe/:1000:1000::/home/user01:/bin/bash

hacker:$6$iUmex2mh$gBTCO1iUrqTt189SadkZlU355M.jwrXFHb6hUMaZW.n6Kmoiti6Z/rn0ClWop0h4rkoR6E/hvkwRIJgVNyJ5l0:1001:1001::/home/hacker:/bin/bash


 


# john passwd.txt

 

 Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"

Use the "--format=crypt" option to force loading these as that type instead

Using default input encoding: UTF-8

Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])

Press 'q' or Ctrl-C to abort, almost any other key for status

toor             (root)

user01           (user01)

2g 0:00:00:00 DONE 1/3 (2017-11-13 21:55) 25.00g/s 187.5p/s 200.0c/s 200.0C/s user01..User01User01

Use the "--show" option to display all of the cracked passwords reliably

Session completed

 


# john passwd2.txt

 

 Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"

Use the "--format=crypt" option to force loading these as that type instead

Using default input encoding: UTF-8

Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])

Remaining 1 password hash

Press 'q' or Ctrl-C to abort, almost any other key for status


 

> Leave this session running.


- In a new terminal

# john --show passwd2.txt

 

 root:toor:0:0:root:/root:/bin/bash

user01:user01:1000:1000::/home/user01:/bin/bash


2 password hashes cracked, 1 left


 


# john --show=LEFT passwd2.txt

 

 Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"

Use the "--format=crypt" option to force loading these as that type instead

hacker:$6$iUmex2mh$gBTCO1iUrqTt189SadkZlU355M.jwrXFHb6hUMaZW.n6Kmoiti6Z/rn0ClWop0h4rkoR6E/hvkwRIJgVNyJ5l0


2 password hashes cracked, 1 left


 

> The password of the hacker user was not cracked.
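
The `1/3` in John's status line above is the first of its three default passes, "single crack" mode, which builds candidates from the login name and GECOS field; that is why `toor` and `user01` fell in under a second. The password-policy check below is an added example, not from the original post: it rejects passwords derived from the account's own record at password-change time. The function names and the substitution table are assumptions, and the check is stricter than the run above, since it also flags `h4ckEr1.` as containing the login name.

```python
import re

# Undo common character substitutions before comparing (assumed mapping).
SUBST = str.maketrans("4@3!105$7", "aaeiiosst")

def normalize(s):
    """Lowercase, reverse substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(SUBST))

def account_words(login, gecos=""):
    """Words exposed by the passwd record: login name plus GECOS tokens."""
    words = [login] + re.split(r"[\s,]+", gecos)
    return {normalize(w) for w in words if len(normalize(w)) >= 3}

def derived_from_account(login, password, gecos=""):
    """Return why a password is tied to its own account record, or None."""
    p = normalize(password)
    for w in sorted(account_words(login, gecos)):
        if p == w:
            return "same as account name"
        if p == w[::-1]:
            return "account name reversed"
        if w in p or w[::-1] in p:
            return "contains account name"
    return None

# Login/password/GECOS triples from this page, plus one constructed
# unrelated password for comparison.
CASES = [("root", "toor", "root"), ("user01", "user01", ""),
         ("hacker", "h4ckEr1.", ""), ("user01", "Vq7#mLw2p", "")]

if __name__ == "__main__":
    for login, pw, gecos in CASES:
        print(login, "->", derived_from_account(login, pw, gecos))
```
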
