February 2024

Cracking a “shadow” password using John the Ripper

In this short article, I'll walk you through the steps of cracking a password stored in the /etc/shadow file on a Linux machine. Keep in mind that /etc/passwd is world-readable but /etc/shadow is not: you need root (or, on some distributions, membership in the shadow group) to read it.

Step 1:

Extract the user's entry from /etc/passwd and from /etc/shadow into two text files for John the Ripper (replace USERNAME with the account you are targeting). Anchoring the pattern to the start of the line avoids picking up other accounts whose names merely contain USERNAME; only the shadow read needs sudo:

grep '^USERNAME:' /etc/passwd > passwd.txt
sudo grep '^USERNAME:' /etc/shadow > shadow.txt

Step 2:

Use the unshadow tool, part of the John the Ripper tool set, to merge the two entries for the user into a single line:

unshadow passwd.txt shadow.txt > unshadow.txt

The resulting file is the passwd line with the x placeholder in the password field replaced by the hash from shadow. This is the format John expects, which is why the step is needed.

Step 3:

Choose a wordlist of candidate passwords, such as Kali's rockyou.txt (over 14 million entries; Kali ships it compressed, so run sudo gunzip /usr/share/wordlists/rockyou.txt.gz once before the first use), and run John:

john --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt

If the password is in the wordlist, John prints it next to the username:

password         (USERNAME)

John also records cracked hashes in its pot file, so you can print them again later with john --show unshadow.txt instead of re-running the attack.

Step 4:

If you get the famous "No password hashes loaded", John did not recognize the hash type in the file, or your build has no native support for it.

Take a look at unshadow.txt. The password field starts with an identifier between two dollar signs that names the crypt(3) hashing scheme, followed by the salt and the hash itself. It could be one of the following:

  1. $1$ is md5crypt (MD5-based)
  2. $2a$ is bcrypt (Blowfish-based)
  3. $2y$ is bcrypt as well (newer systems may also emit $2b$)
  4. $5$ is sha256crypt
  5. $6$ is sha512crypt
  6. $y$ is yescrypt (the default on recent Debian and Ubuntu releases)

Schemes John implements natively can be pinned with --format (for example --format=sha512crypt for a $6$ hash). For a scheme John has no native code for, which is the usual case with $y$ yescrypt, you can still crack it through the system's crypt(3) with --format=crypt. Expect it to be much slower, because every guess goes through libc instead of John's optimized code:

john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt
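To show what the four steps do under the hood, here is an added shell example (not part of the original article and not John the Ripper's own code) that merges a constructed passwd and shadow entry the way unshadow does, classifies the hash by its $id$ prefix, and picks the matching John --format value. The sample lines and hash strings are made-up placeholders, not real credentials or valid hashes; john_format assumes the jumbo build's format names (md5crypt, bcrypt, sha256crypt, sha512crypt, crypt) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or from John the Ripper): reproduce what
# unshadow does and map the crypt(3) $id$ prefix to a John --format value.

# Constructed sample entries. The hash strings are placeholders, not real
# hashes, so nothing here is actually crackable.
SAMPLE_PASSWD='alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/sh'
SAMPLE_SHADOW='alice:$6$saltsalt$abcdefghijklmnop:19700:0:99999:7:::
bob:$y$j9T$saltsalt$qrstuvwxyz:19700:0:99999:7:::
carol:!:19700:0:99999:7:::'

# unshadow_user USER PASSWD_TEXT SHADOW_TEXT
# Prints the passwd line for USER with the "x" in field 2 replaced by the hash
# from the shadow line (the single line John expects). Returns 1 if either
# entry is missing. The pattern is anchored so "bob" does not match "bobby".
unshadow_user() {
    user=$1
    pw_line=$(printf '%s\n' "$2" | grep "^$user:" || true)
    sh_line=$(printf '%s\n' "$3" | grep "^$user:" || true)
    [ -n "$pw_line" ] && [ -n "$sh_line" ] || return 1
    hash=$(printf '%s\n' "$sh_line" | cut -d: -f2)
    printf '%s\n' "$pw_line" | awk -F: -v h="$hash" 'BEGIN { OFS = ":" } { $2 = h; print }'
}

# hash_type HASH: name the crypt(3) scheme from the $id$ prefix.
hash_type() {
    case $1 in
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        ''|'!'*|'*'*)             echo locked ;;   # empty or disabled password
        *)                        echo unknown ;;
    esac
}

# john_format HASH: the --format to pass to John (jumbo build names, assumed).
# yescrypt has no native format in many builds, so it goes through the
# system's crypt(3) via --format=crypt, which is much slower. Returns 1 for
# hashes that cannot be cracked at all (locked accounts, unknown schemes).
john_format() {
    t=$(hash_type "$1")
    case $t in
        md5crypt|bcrypt|sha256crypt|sha512crypt) echo "$t" ;;
        yescrypt) echo crypt ;;
        *) return 1 ;;
    esac
}

# Demo: build the John input line for each sample user and show which
# --format fits it. carol has a shadow entry but no passwd entry.
for u in alice bob carol; do
    if line=$(unshadow_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"); then
        h=$(printf '%s\n' "$line" | cut -d: -f2)
        printf '%s: %s -> --format=%s\n' "$u" "$(hash_type "$h")" "$(john_format "$h" || echo none)"
    else
        printf '%s: no passwd/shadow pair\n' "$u"
    fi
done
```

Running it prints one line per user; the alice line is sha512crypt with --format=sha512crypt and the bob line is yescrypt with --format=crypt, which is exactly the decision Step 4 asks you to make by hand.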

 

How to install MITRE ATT&CK Navigator locally

The MITRE ATT&CK framework has become a de facto standard in threat hunting, incident response, and other areas of defensive security. The online Navigator provided by MITRE is useful for understanding the current state of an attack campaign, deciding what to do next, and supporting attribution. However, I don't feel comfortable using an "online" tool hosted by someone else to map an ongoing attack in an organization. You might be a bit old-school like me, and that's what landed you on this page. This is possible because MITRE publishes the Navigator's source, so you can host and use it locally.

Make sure that you have Docker installed before you start. If you don't, install it using the steps mentioned here.

The following steps show how to install and run the MITRE ATT&CK Navigator locally as a container on an Ubuntu machine:

git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app/src/assets
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/mobile-attack/mobile-attack.json
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/ics-attack/ics-attack.json

The first command clones the whole repo, and the three wget commands fetch the ATT&CK v14.1 STIX bundles (enterprise, mobile and ICS) into the Navigator's assets directory, so the app can load them from disk instead of contacting GitHub at runtime.

The next step is to point the Navigator at the local copies instead of the GitHub URLs. Edit ~/attack-navigator/nav-app/src/assets/config.json (the path assumes you cloned into your home directory) and change each "data" field in the "ATT&CK v14" version entry to the local resource:

Change

"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json"]

to:

"data": ["assets/enterprise-attack.json"]

And change:

"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/mobile-attack/mobile-attack.json"]

to:

"data": ["assets/mobile-attack.json"]

And finally change:

"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/ics-attack/ics-attack.json"]

to:

"data": ["assets/ics-attack.json"]
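As an added example (not from the Navigator project or the original article), the following shell script makes the three config.json edits with one sed substitution, checks that no GitHub URL is left behind, and verifies that the three downloaded bundles exist and look like STIX bundles. It runs on a constructed config fragment; passing the real config.json path as the first argument applies it to your clone. The function names and the fragment are my own.

```shell
#!/bin/sh
# Added example (not from MITRE or the article): localize the ATT&CK data
# URLs in nav-app/src/assets/config.json and sanity-check the local bundles.

# Constructed fragment mimicking the relevant part of config.json.
SAMPLE_CONFIG='{
  "versions": [
    {
      "name": "ATT&CK v14",
      "domains": [
        {"name": "Enterprise", "identifier": "enterprise-attack",
         "data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json"]},
        {"name": "Mobile", "identifier": "mobile-attack",
         "data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/mobile-attack/mobile-attack.json"]},
        {"name": "ICS", "identifier": "ics-attack",
         "data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/ics-attack/ics-attack.json"]}
      ]
    }
  ]
}'

# localize_config: read config JSON on stdin and emit it with every
# raw.githubusercontent.com/mitre/cti/<tag>/<domain>/<file>.json URL replaced
# by assets/<file>.json. Nothing else in the file is touched.
localize_config() {
    sed -E 's#https://raw\.githubusercontent\.com/mitre/cti/[^/"]+/[a-z-]+/([a-z-]+\.json)#assets/\1#g'
}

# remote_refs: count lines on stdin that still reference GitHub (0 = fully local).
remote_refs() {
    grep -c 'raw.githubusercontent.com' || true
}

# check_assets DIR: every bundle must be present, non-empty and declare itself
# a STIX bundle, otherwise the Navigator will show an empty matrix.
check_assets() {
    dir=$1
    for f in enterprise-attack.json mobile-attack.json ics-attack.json; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
        grep -q '"type": *"bundle"' "$dir/$f" || { echo "not a STIX bundle: $dir/$f" >&2; return 1; }
    done
}

if [ -n "${1:-}" ]; then
    # Real use: edit the given config.json in place, keeping a backup, then
    # check the bundles sitting next to it.
    cp "$1" "$1.bak"
    localize_config < "$1.bak" > "$1"
    echo "remaining remote references: $(remote_refs < "$1")"
    check_assets "$(dirname "$1")"
else
    # Demo on the constructed fragment.
    printf '%s\n' "$SAMPLE_CONFIG" | localize_config
fi
```

Keeping the check separate from the rewrite matters: a Navigator whose config still carries one GitHub URL will quietly fetch that bundle from the internet, which is precisely what hosting it locally was meant to avoid.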

The next step is to go back to the ~/attack-navigator folder and build the Docker image:

cd ~/attack-navigator
sudo docker build -t attack_navigator .

Finally, we start the container. Binding the port to the loopback interface keeps the Navigator reachable only from this machine; the plain -p 4200:4200 form from the Navigator README listens on every interface, which defeats the point of hosting it privately:

sudo docker run -p 127.0.0.1:4200:4200 attack_navigator

Wait a minute or two for the app to come up, then open http://127.0.0.1:4200 in your browser.