🔐Linux Credential Dumping

Dumping Linux Password Hashes

  • Linux is a multi-user system: several accounts can be logged in and running processes at the same time. From a security perspective this cuts both ways. Every additional local account is another set of credentials that can be stolen or guessed, so the number of accounts on a server, and the quality of their passwords, directly affects its overall risk.

  • Basic information about every local account (username, UID, GID, GECOS comment, home directory and login shell) is stored in the passwd file, /etc/passwd.

  • The passwd file is readable by every user on the system, because ordinary programs need it to map user IDs to names. For exactly that reason modern systems no longer keep password hashes in it: the password field of each entry is just an x, which means the real hash lives in the shadow file.

  • The password hashes for all users are stored in the shadow file, /etc/shadow. These are one-way crypt(3)-style hashes, not encrypted passwords: they cannot be decrypted, only guessed and compared, which is why cracking means trying candidate passwords against them.

  • The shadow file is readable only by root (on Debian-based systems also by members of the shadow group, with mode 0640; on Red Hat-based systems it is mode 0000 and root-only). This is an important security control: it keeps unprivileged accounts from reading the hashes and cracking them offline. A quick check is ls -l /etc/shadow, which should show root as the owner and no permission bits for other.

  • The shadow file (not the passwd file) also tells us which hashing algorithm protects each password. The hash field has the form $id$salt$hash, and the identifier between the first two dollar signs names the algorithm: $1$ is md5crypt (weak and fast to crack), $5$ is sha256crypt, $6$ is sha512crypt, $2b$ (or $2y$) is bcrypt, and $y$ is yescrypt, the default on recent Debian, Ubuntu and Fedora releases. A 13-character field with no dollar signs is legacy DES crypt. An asterisk or exclamation mark at the start of the field means the account is locked or has no usable password, and an empty field means the account can log in without a password. Knowing the identifier tells you how strong the hash is and which cracker mode to use.
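As an added example (not from the original page, and not part of Metasploit or any distribution's tooling), the following POSIX shell script performs the identification described above on constructed shadow lines. It maps the $id$ prefix to the algorithm name, separates locked and passwordless accounts from crackable ones, and emits the crackable entries in the user:hash form that John the Ripper and hashcat accept, together with the matching hashcat mode. The sample entries, salts and hash bodies in SAMPLE_SHADOW are made up for illustration; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the original page: classify /etc/shadow entries by
# the crypt(3) identifier between the first two '$' of the hash field, and
# turn the crackable ones into "user:hash" lines for John/hashcat.
# SAMPLE_SHADOW is constructed for illustration; salts and hashes are fake.

SAMPLE_SHADOW='root:$6$abcdefghijklmnop$hashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhashhash:19500:0:99999:7:::
alice:$y$j9T$saltsaltsaltsaltsaltsa$hashhashhashhashhashhashhashhashhashhashhas:19500:0:99999:7:::
bob:$1$salt1234$hashhashhashhashhashha:19500:0:99999:7:::
carol:$5$saltsaltsaltsalt$hashhashhashhashhashhashhashhashhashhashhas:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
svc:!$6$lockedsalt$lockedhash:19500:0:99999:7:::
legacy:::19500:0:99999:7:::'

# Map one shadow hash field to an algorithm name. "locked" covers both the
# "*" placeholder of system accounts and the "!" prefix added by passwd -l.
# Note that a "!"-prefixed hash is still crackable once the prefix is
# stripped (useful for password-reuse checks); it just cannot log in.
shadow_algo() {
    hash=$1
    case "$hash" in
        '')                      echo "none" ;;         # empty: no password needed
        '*'*|'!'*)               echo "locked" ;;
        '$1$'*)                  echo "md5crypt" ;;     # weak, fast to crack
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)                  echo "sha256crypt" ;;
        '$6$'*)                  echo "sha512crypt" ;;
        '$7$'*)                  echo "scrypt" ;;
        '$gy$'*)                 echo "gost-yescrypt" ;;
        '$y$'*)                  echo "yescrypt" ;;
        '$'*)                    echo "unknown" ;;
        *) if [ "${#hash}" -eq 13 ]; then echo "descrypt"; else echo "unknown"; fi ;;
    esac
}

# hashcat -m mode for an algorithm name, or "-" where hashcat has no mode
# (yescrypt and gost-yescrypt: use John the Ripper instead).
hashcat_mode() {
    case "$1" in
        descrypt)    echo 1500 ;;
        md5crypt)    echo 500 ;;
        bcrypt)      echo 3200 ;;
        sha256crypt) echo 7400 ;;
        sha512crypt) echo 1800 ;;
        *)           echo "-" ;;
    esac
}

# Read shadow-format lines on stdin; print "user<TAB>algorithm<TAB>hashcat-mode".
classify_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        algo=$(shadow_algo "$hash")
        printf '%s\t%s\t%s\n' "$user" "$algo" "$(hashcat_mode "$algo")"
    done
}

# Read shadow-format lines on stdin; print only crackable entries as
# "user:hash", the form John the Ripper and "hashcat --username" accept.
crackable_hashes() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        case "$(shadow_algo "$hash")" in
            none|locked|unknown) continue ;;
        esac
        printf '%s:%s\n' "$user" "$hash"
    done
}

# Demo on the constructed sample. On a real host, as root:
#   classify_shadow < /etc/shadow
#   crackable_hashes < /etc/shadow > hashes.txt
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
printf '%s\n' "$SAMPLE_SHADOW" | crackable_hashes
```

On the sample above, root, alice, bob and carol come out as crackable (sha512crypt, yescrypt, md5crypt and sha256crypt respectively), daemon and svc as locked, and legacy as having no password at all, which is worth flagging on its own before any cracking starts.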

Attack Flow: Extracting and Cracking Hashes on Linux

1. Retrieve Hash Values from /etc/shadow

To extract password hashes you read /etc/shadow directly. It holds the hash for every local account, but only root (and on some distributions the shadow group) can read it, so this step assumes you already have root-level access on the target.

Command:

cat /etc/shadow

Steps:

  • Gain root, or an account in the shadow group, so that /etc/shadow is readable.

  • Copy out the hash field for each user account that has one. If you plan to crack with John the Ripper's unshadow, copy /etc/passwd as well, since it needs both files to build its input.

2. Use Metasploit to Dump Hashes via Meterpreter

If you have a Meterpreter session on the target, the post/linux/gather/hashdump module reads /etc/passwd and /etc/shadow for you. The session must be running as root, because the shadow file is not readable otherwise.

Steps:

  • Obtain a Meterpreter session and note its id (sessions -l). Post modules run from the msfconsole prompt, not from inside the Meterpreter shell, so background the session first if you are in it.

  • Load the hashdump module, point it at the session and run it (replace 1 with your session id):

use post/linux/gather/hashdump
set SESSION 1
run
  • The module prints the hashes, saves the passwd, shadow and combined (unshadowed) files as loot on your local system, and adds each hash to the Metasploit credential database, which is where the cracking module in the next step reads them from.

3. Crack the Hashes Using Metasploit

Once the hashes are in the Metasploit database, the auxiliary/analyze/crack_linux module can hand them to John the Ripper (or hashcat) for you.

Command:

use auxiliary/analyze/crack_linux

Steps:

  • Open the Metasploit console and confirm it is connected to its database (db_status); the module does not take a hash file but pulls the Linux hashes that hashdump stored as credentials.

  • Load the crack_linux module:

use auxiliary/analyze/crack_linux
  • Point it at a wordlist with CUSTOM_WORDLIST and run the module to start cracking.

Example Commands:

set CUSTOM_WORDLIST /path/to/wordlist.txt
run
  • Replace /path/to/wordlist.txt with the path to your wordlist file. Run show options to confirm the option names for your Metasploit version: WORDLIST and INCREMENTAL are boolean switches that select John's wordlist and incremental modes, CRACKER_PATH locates the cracker binary, and ACTION chooses between john and hashcat. Cracked passwords are written back to the database and can be listed with creds.

Hacker's Mantra:The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network. - Kevin Mitnick
