WisdomEye

How to use John The Ripper on Kali Linux #cybersecurity #ethicalhacking

Summary

This video demonstrates the technical process of cracking a password hash once a system vulnerability has been exploited. Specifically, it explores how an attacker might use Local File Inclusion (LFI) to read sensitive files such as /etc/shadow from a Linux system. The tutorial then uses John the Ripper to run a wordlist (dictionary) attack against an MD5 hash. By telling the tool the correct hash format, the attacker recovers the plaintext password, illustrating how a single leaked hash can be turned into working administrative credentials on a compromised system.

Key Insights

Exploiting Local File Inclusion (LFI) allows attackers to retrieve sensitive system credential files.

The narrator explains that attackers often start by finding a web application vulnerability such as Local File Inclusion. This vulnerability lets an attacker trick the web server into reading and returning files from its own filesystem. On Linux the attacker might target /etc/shadow, which stores the password hashes (not encrypted passwords) for every local account. Note that /etc/shadow is readable only by root, so an LFI exposes it only when the web server process runs with those privileges or the file permissions have been loosened; in a hardened deployment the same LFI would return nothing for that path. Obtaining these hashes is the first step in credential theft.

John the Ripper recovers passwords through wordlist attacks and explicit hash format specification.

The video shows that password-cracking tools like John the Ripper do not simply guess at random: in the demonstrated mode they take a wordlist of common passwords, hash each entry with the target algorithm and compare the result against the captured hash. (John also has a "single" mode that derives candidates from the account name and an "incremental" mode that exhaustively brute-forces character combinations, but the wordlist attack is what the video relies on.) The attack only works if the tool is told the correct hash format, such as raw MD5. When a wordlist entry hashes to the same value as the target, John prints that entry as the plaintext password, which the attacker can then use to authenticate normally.

Sections

Credential Acquisition via Vulnerability

Hackers find vulnerabilities such as Local File Inclusion to access and dump hashed credentials from Linux systems.

The process begins with the identification of a security flaw in the target, here a web application. The demonstration uses Local File Inclusion (LFI) to read the /etc/shadow file on a Linux server. The file is a prime target because each line pairs a username with the hash of that user's password, so passwords are never stored in plain text, but anyone holding the file can attack the hashes offline at leisure.

Captured hashes are saved into local text files to facilitate offline cracking attempts with specialized software tools.

Once the attacker has found a hash in the leaked file, they copy it into a local text file such as hash.txt. Cracking from a local copy is an offline attack: it generates no further requests or login attempts against the target, so it leaves nothing in the victim's authentication logs, and it lets the attacker throw high-performance local hardware (including GPUs, with a tool such as hashcat) at the problem.


The Cracking Process with John the Ripper

John the Ripper hashes each candidate from a wordlist and compares the result against the target hash.

John the Ripper is a popular password-cracking tool that supports wordlist (dictionary), rule-based and incremental brute-force attacks. In wordlist mode it takes a list of candidate passwords, runs each one through the target hashing algorithm and compares the resulting digest with the hash recovered from the compromised system. A match means the candidate is the original password (or, for unsalted fast hashes, at least a string that hashes to the same value).

Identifying the correct hash format is essential for the cracking tool to successfully interpret and process the data.

In the demonstration, the hash is identified as a plain (unsalted) MD5 digest: a 32-character hexadecimal string. To crack it with John the Ripper the user passes a command-line argument that names the format, '--format=raw-md5', which tells John exactly which algorithm to apply to every candidate; the full list of supported names can be printed with 'john --list=formats'. One caveat a practitioner should keep in mind: a genuine /etc/shadow entry is not raw MD5. It is a salted crypt(3) hash whose '$id$' prefix ('$1$' md5crypt, '$6$' sha512crypt, '$y$' yescrypt) identifies the scheme, and John detects those on its own, so forcing '--format=raw-md5' on such a line fails with "No password hashes loaded". Raw MD5 is what you typically find in a leaked web application database, not in the shadow file.

Successful cracking reveals the plaintext password, giving the attacker valid credentials for the account that owned the hash.

After running 'john hash.txt --format=raw-md5', the tool reports the plaintext string that produced the hash; already-cracked results can be printed again at any time with 'john --show --format=raw-md5 hash.txt', since John stores them in its pot file. The video shows the final result with the recovered password on screen. If the hash belonged to an administrative account, the attacker can now log into the target system with that password, completing the breach.
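To make the two steps above concrete (save the hash to a file, then crack it with the right format), here is an added example that is not from the video or from the John the Ripper project. It re-implements the wordlist attack John performs for '--format=raw-md5' in POSIX sh using only coreutils, so it runs without John installed, and it includes a format-guessing helper based on the shape of the hash string. The sample hash is constructed for this example (it is the MD5 of the word "password") and the five-word list stands in for a real wordlist such as rockyou.txt; the real John commands are shown in the comments at the end.

```shell
#!/bin/sh
# Added example (not from the video): what "john --format=raw-md5 hash.txt"
# does under the hood, written with POSIX sh and coreutils (md5sum, grep).

# Constructed sample: MD5 of the word "password" (32 hex chars, unsalted).
SAMPLE_HASH='5f4dcc3b5aa765d61d8327deb882cf99'

# Guess the John --format name from the shape of the hash string.
# /etc/shadow entries carry a $id$ prefix (John autodetects these);
# a bare 32-hex string is what raw-md5 expects, 40 hex chars suggests raw-sha1.
identify_format() {
  case "$1" in
    '$1$'*) echo md5crypt;    return 0 ;;
    '$5$'*) echo sha256crypt; return 0 ;;
    '$6$'*) echo sha512crypt; return 0 ;;
  esac
  if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
    echo raw-md5
  elif printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'; then
    echo raw-sha1
  else
    echo unknown
  fi
}

# Wordlist attack on one unsalted MD5 hash: hash every candidate, compare.
# Prints the plaintext and returns 0 on a hit; returns 1 when the list runs out.
# Hash comparison is case-insensitive because hex digests may be upper-case.
crack_raw_md5() {
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  wordlist=$2
  while IFS= read -r candidate || [ -n "$candidate" ]; do
    # printf '%s' avoids hashing a trailing newline, which would never match.
    digest=$(printf '%s' "$candidate" | md5sum | cut -d ' ' -f 1)
    if [ "$digest" = "$target" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Write a tiny constructed wordlist to a temp file and print its path.
make_sample_wordlist() {
  f=$(mktemp)
  printf '%s\n' 123456 qwerty letmein password admin > "$f"
  echo "$f"
}

# Walk through the procedure from the video: save hash, pick format, crack.
demo() {
  printf '%s\n' "$SAMPLE_HASH" > hash.txt          # the "hash.txt" step
  wl=$(make_sample_wordlist)
  fmt=$(identify_format "$(cat hash.txt)")
  echo "hash.txt contains: $(cat hash.txt)"
  echo "guessed --format=$fmt"
  if pw=$(crack_raw_md5 "$(cat hash.txt)" "$wl"); then
    echo "cracked: $pw"
  else
    echo "not in wordlist"
  fi
  rm -f "$wl" hash.txt
}

demo

# The same attack with the real tool on Kali (not run by this script):
#   printf '%s\n' "$SAMPLE_HASH" > hash.txt
#   gunzip -k /usr/share/wordlists/rockyou.txt.gz      # Kali ships it gzipped
#   john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
#   john --show --format=raw-md5 hash.txt               # re-print cracked results
# For a line copied from /etc/shadow, omit --format: its $1$/$6$ prefix tells
# John which salted crypt(3) scheme to use, and raw-md5 would load nothing.
```

The salted formats are the reason the format flag matters: with md5crypt or sha512crypt each candidate has to be re-hashed per salt (and per user), so the fast "hash every word once and compare" loop shown here only applies to unsalted digests like raw MD5.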

