IL Exercise 12: Password Cracking Tools

This exercise focuses on methods for brute-forcing hashed passwords to get their plaintext values. You will be using two different password cracking tools: John the Ripper (hereafter referred to as JtR) and Hydra. You will do the work on the Immersive Labs platform, so make sure you have set up access before you begin.

Cracking Raw Hashes With JtR

  1. Log in to Immersive Labs and start the lab on JtR. While you wait for the Linux VM to spin up, reveal the information panel by clicking on the Info button at the top-right of the screen. Take the time to read this information. Click on the button again to dismiss the panel.

  2. When the Linux desktop UI is visible, double-click on the Hashes folder to see the files containing the four hashes that are the target for this lab. Right-click on a file and choose Open with Mousepad to view a hash.

  3. Now double-click on the Terminator icon to start up a terminal window. In the terminal window, examine the size of the word list that you will be using with JtR:

    wc --lines /usr/share/wordlists/rockyou.txt

    This command shows you the number of lines in the file, and therefore the number of different passwords that JtR will try (since the file contains one password per line). Note that we could use a much smaller word list than this, which would speed up cracking considerably but also reduce the likelihood of cracking a hash successfully.

  4. In the terminal window, cd into the Desktop/Hashes directory and then run JtR on the md5.txt file using a command like the one shown on the info panel. Use the path given above to specify the word list, and specify the format as raw-md5. JtR should display the plaintext password corresponding to the hash, amongst other details. Make a careful note of this password, as you’ll need it later.

    JtR caches its results, so if you run the command a second time it will do nothing! You can display the cached password like so:

    john --show --format=raw-md5 md5.txt

  5. Now run JtR on the other hash files. You’ll need to specify the appropriate format in each case: raw-sha1, raw-sha256 or raw-sha512. You may notice that JtR runs a bit slower as the hash size increases. In each case, make a careful note of the password recovered from the hash.

  6. Click on the Tasks button at the top-right of the screen. Answer the questions on the tasks panel, using the passwords you recovered by running JtR. Click Submit when you are done. This will complete the lab.

Cracking Salted Hashes With JtR

  1. Start the lab entitled Password Hashes II. As before, use the information panel to learn more about the tasks.

  2. On the desktop of the Linux VM, you’ll see a file named shadow.txt. Right-click on it, choose Open in Mousepad and take a moment to examine the file contents. This is a simulation of the shadow password file used on Linux systems to store usernames, salted password hashes and other details such as home directory and default shell. Acquiring the shadow password file is a separate task for a hacker to carry out, which we don’t consider further here.

    The fields of the shadow password file are separated by colons. The second field is the salted hash, consisting of three elements, separated by the ‘$’ symbol: the first is a numeric code indicating the hashing algorithm that has been used; the second is the salt (Base64-encoded); the third is the hash of salt + password (again Base64-encoded).

  3. Open a terminal window and run JtR on shadow.txt. Specify the word list as before, but this time do not use the --format option (as the format will be deduced from the shadow password file). This will take a while to run! Make a note of the three passwords that are found.

  4. Click on the Tasks button and use the passwords recovered by JtR to help you answer the questions displayed on the tasks panel. Click Submit when you are done. This will complete the lab.
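
The field layout described in step 2, as an added example that is not part of the lab materials: a short Python parser that splits the second field into algorithm code, salt and hash, and marks accounts that still use MD5-crypt. The sample lines are constructed with placeholder salts and hashes, and the handling of the optional rounds= element and of locked ("!") or passwordless ("*") entries goes beyond what the exercise text describes.

```python
# Added example: sample lines are constructed; salts and hashes are placeholders.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
WEAK = {"1"}  # MD5-crypt is too fast to be a sound choice for password storage

SAMPLE = """\
alice:$6$Xy7saltAAAA$constructedhash000:19000:0:99999:7:::
bob:$1$oldsalt1$constructedhash111:19000:0:99999:7:::
carol:$5$rounds=10000$saltsalt$constructedhash222:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
dave:!$6$lockedsalt$constructedhash333:19000:0:99999:7:::
"""

def parse_hash_field(field):
    """Split the second colon-separated field into scheme, salt and hash."""
    locked = field.startswith("!")       # '!' prefix marks a locked account
    body = field.lstrip("!")
    if body in ("", "*"):
        return {"status": "no-password", "locked": locked}
    parts = body.split("$")              # leading '$' makes parts[0] empty
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        return {"status": "unrecognised", "locked": locked}
    scheme_id, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):    # optional cost parameter
        value = rest[0][len("rounds="):]
        if not value.isdigit():
            return {"status": "unrecognised", "locked": locked}
        rounds, rest = int(value), rest[1:]
    if len(rest) != 2:
        return {"status": "unrecognised", "locked": locked}
    return {"status": "hashed", "locked": locked, "scheme": SCHEMES[scheme_id],
            "weak": scheme_id in WEAK, "rounds": rounds,
            "salt": rest[0], "hash": rest[1]}

def audit(text):
    """Map each username to the parsed description of its hash field."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            report[fields[0]] = parse_hash_field(fields[1])
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
```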

Brute-Forcing a Server With Hydra

  1. Start the lab entitled Hydra: Brute Force. As before, use the information panel to learn more about the tasks.

  2. Once a Linux desktop is visible, click on the Network button at the top-right of the screen to display a panel of network information. You’ll see that there are two VMs running: Kali Linux (whose desktop you are looking at right now) and an FTP server. Make a note of the FTP server’s IP address.

  3. Now double-click on the Chromium icon to start a web browser and enter the IP address noted previously in the browser address bar. You should see a simple web page displayed, reminding you of the task. This confirms that the VM hosting the FTP server is running properly.

  4. Open a terminal window. Try connecting to the FTP server with:

    ftp IP_ADDRESS

    Replace IP_ADDRESS in the above command with the actual IP address of the server VM.

    You should be prompted to enter a username followed by a password. Enter anything you like here and you should see “Login failed” in return. Type close to close the connection. If you want to try again, enter open followed by the IP address. Enter exit to quit the FTP client.

  5. Click on the Tasks button at the top-right of the screen, to view the questions for this lab. Then, in the terminal window of the Kali Linux VM, enter the following command:

    hydra -h

    This will list all the possible options and some examples of how to run Hydra on the command line. Use the information displayed here to answer Questions 1-4. Then see if you can figure out the exact command needed to brute-force the FTP server. If you manage to figure it out, go ahead and run that command; otherwise, see the next step!

  6. The command you need to use is

    hydra -l USERNAME -P /usr/share/wordlists/metasploit/password.lst ftp://IP_ADDRESS

    You need to replace USERNAME here with the actual username for the account we are attacking (see the information or tasks panels). You need to replace IP_ADDRESS with the FTP server’s actual IP address.

  7. Once Hydra has found the password, try running the FTP client again and check that you can use the username and the found password to access the server and transfer files.

  8. Finally, provide the password as the answer to the final question on the tasks panel, then click Submit. This will complete the lab.
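
How the login attempts made in this lab would look to someone watching the FTP server's authentication log, as an added example that is not part of the lab materials: a sliding-window detector that reports a burst of failed logins from one address and, separately, a successful login that follows such a burst. The log lines, their simplified format, the addresses and the username are all constructed; a real server's log format will differ and the regular expression would need adapting.

```python
# Added example: log lines are constructed, in a simplified hypothetical format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2024-05-01T10:00:01 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:02 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:03 192.0.2.20 user=carol result=FAIL
2024-05-01T10:00:03 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:04 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:05 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:06 192.0.2.10 user=admin result=FAIL
2024-05-01T10:00:07 192.0.2.10 user=admin result=OK
2024-05-01T10:00:09 192.0.2.20 user=carol result=OK
"""

LINE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(FAIL|OK)$")

def detect(log, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, username) tuples, in log order."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()               # IPs already reported for a failure burst
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # skip lines that do not fit the format
        ts = datetime.fromisoformat(m.group(1))
        ip, user, result = m.group(2, 3, 4)
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if result == "FAIL":
            failures.append(ts)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, user))
        elif len(failures) >= threshold:
            # A success straight after a burst suggests the guess worked.
            alerts.append(("success-after-burst", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

A single mistyped password followed by a correct login, as from 192.0.2.20 in the sample, stays below the threshold and produces no alert.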