🔐Linux Credential Dumping
Dumping Linux Password Hashes
Linux has multi-user support, so multiple users can access the system simultaneously. From a security perspective this is both an advantage and a disadvantage: every additional account is another access vector for attackers and therefore increases the overall risk of the server.
Information about all accounts on a Linux system is stored in the passwd file, located at: /etc/passwd
We cannot view the users' passwords in the passwd file because they are stored encrypted, and the passwd file is readable by any user on the system.
All the encrypted passwords for the users are stored in the shadow file, which can be found at: /etc/shadow
The shadow file can only be accessed and read by the root account. This is a very important security feature, as it prevents other accounts on the system from accessing the hashed passwords.
The passwd file gives us information regarding the hashing algorithm that is being used and the password hash. This is very helpful, as we are able to determine the type of hashing algorithm in use and its strength. We can determine this by looking at the number after the username, encapsulated by dollar symbols ($).
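As an added illustration (not code from the original page) of reading the scheme identifier between the dollar signs, the script below parses shadow-format entries and flags accounts whose password is stored with a weak scheme or is empty, so an administrator can audit their own system. The sample entries, the scheme table, and the choice of which schemes to call weak are assumptions of this example.

```python
import re

# crypt(3) "$id$" prefix -> (scheme name, weak?). Treating md5crypt and legacy
# DES as weak is an assumption for this audit; the others are salted, iterated
# schemes that are far slower to brute-force.
HASH_SCHEMES = {
    "1": ("md5crypt", True),
    "2b": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}

def classify_shadow_entry(line: str) -> dict:
    """Parse one /etc/shadow line and report its hashing scheme and risk flags."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pw = fields[0], fields[1]
    result = {"user": user, "scheme": None, "locked": False, "empty": False, "weak": False}
    if pw == "":
        result["empty"] = True          # no password set: login needs no credential
    elif pw.startswith(("!", "*")):
        result["locked"] = True         # locked account or password login disabled
    elif (m := re.match(r"^\$([^$]+)\$", pw)):
        name, weak = HASH_SCHEMES.get(m.group(1), (f"unknown(${m.group(1)}$)", True))
        result["scheme"], result["weak"] = name, weak
    else:
        result["scheme"], result["weak"] = "descrypt", True  # 13-char DES hash, no '$' prefix
    return result

def audit_shadow(text: str) -> list:
    """Return the entries a defender should act on: weak scheme or empty password."""
    entries = [classify_shadow_entry(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e["weak"] or e["empty"]]

# Constructed sample shadow entries; the hash bodies are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashbody:19000:0:99999:7:::
alice:$1$xyz$placeholderhashbody:19000:0:99999:7:::
bob:$y$j9T$saltsalt$placeholderhashbody:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
```

Running audit_shadow(SAMPLE_SHADOW) reports alice (md5crypt) and guest (empty password); root and bob use strong schemes and svc is locked.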
Attack Flow: Extracting and Cracking Hashes on Linux
1. Retrieve Hash Values from /etc/shadow
/etc/shadow
To extract password hashes, you can directly access the /etc/shadow file. This file contains password hashes for user accounts, but it is typically only accessible by the root user.
Command:
Steps:
Gain root or sufficient privileges to read the /etc/shadow file. Extract the hash values for the user accounts listed.
2. Use Metasploit to Dump Hashes via Meterpreter
If you have a Meterpreter shell on the target server, you can use the post/linux/gather/hashdump module to automatically dump the password hashes from the server.
Steps:
Open your Meterpreter session.
Use the following Metasploit command to load the hashdump module and execute it:
This command will collect all password hashes and save them to your local system for further analysis.
3. Crack the Hashes Using Metasploit
Once you have the hashes, you can use the Metasploit framework to attempt to crack them.
Command:
Steps:
Open the Metasploit console.
Load the crack_linux module:
Set the necessary options, such as specifying the path to the hash file, and run the module to start the cracking process.
Example Commands:
Replace /path/to/hashfile.txt with the path to the file containing your hashes and /path/to/wordlist.txt with the path to your wordlist file.
Hacker's Mantra:
The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network. - Kevin Mitnick