In prep for the OSCP, I'm going over some relatively basic skills so that they're not only fresh in my mind, but also understood well enough to take them to the next level in the OSCP. I was researching privilege escalation and came up with a scenario. Let's say that a system administrator has made a boo-boo on the system and any user can read the /etc/shadow file along with the /etc/passwd file. Of course, this would be a very, very rare occurrence (one would hope!), but it gives us somewhere to start.
So once you've got hold of the passwd and shadow files, we can see that the passwd file isn't showing the passwords at all, not even hashed (great!). However, the shadow file is showing simon's password hash (Fig 1).
Fig 1
Now I run hash-identifier (Fig 2) to find out what hash we're dealing with here. This isn't strictly necessary in this case, but it's a fantastic tool which has helped me plenty of times. Windows users can download the Python script from GitHub. Simply type in (or paste in) the hash and the script will attempt to identify what hashing method is being used.
Fig 2
Now I can see that we're dealing with a DES (Unix) password hash (Fig 3). Makes sense, right? After all, we're looking at a hashed password on a Unix-like system.
Fig 3
So now it's time to get this hash cracked. We need to use the 'unshadow' utility to unshadow the 'passwd' and 'shadow' files. Essentially, by unshadowing, you're combining the two files into one, which will let us brute force the hashes shortly with JTR (John the Ripper).
In Fig 4 below, you'll see how this is done: we call the unshadow script from sbin, pass our passwd file followed by our shadow file and redirect the output to a 'database' file (a file extension isn't necessary, but it helps to convey the information).
Fig 4
You may notice that I've already cracked the file before taking this screenshot, so I've had to use the '--show' switch to let you see the password in plain text. All that's needed to crack the password is to run 'john <nameOfDatabase>', in my case 'john crack'.
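To make concrete what unshadow does and what hash-identifier is actually looking at, here is an added Python example (not from the original post, and not John the Ripper's own code): it merges constructed passwd and shadow lines the way unshadow does, classifies each password field by its crypt format, and reports the result per account, which doubles as a quick audit for legacy DES entries on systems you administer. The sample hashes are made-up placeholders.

```python
import re
from typing import Dict, List

# Constructed sample input standing in for the passwd and shadow files in the
# post. The 13-character DES value and the $6$ value are made-up placeholders,
# not real hashes of any password.
PASSWD = """root:x:0:0:root:/root:/bin/bash
simon:x:1003:1003:simon:/home/simon:/bin/bash
svc:x:1004:1004:service:/var/svc:/usr/sbin/nologin
"""
SHADOW = """root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
simon:aaBBccDD1122.:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# Traditional DES crypt: 13 characters from the crypt alphabet, no $id$ prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "MD5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$2y$": "bcrypt", "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt",
            "$7$": "scrypt", "$y$": "yescrypt"}

def identify_hash(field: str) -> str:
    """Classify a shadow password field by its format, as hash-identifier does."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no password"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "DES (Unix)" if DES_RE.match(field) else "unknown"

def unshadow(passwd: str, shadow: str) -> List[str]:
    """Merge the two files as unshadow does: the 'x' in passwd field 2 is
    replaced by the hash from the shadow entry for the same user."""
    hashes: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    merged = []
    for line in filter(None, passwd.splitlines()):
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def audit(merged: List[str]) -> Dict[str, str]:
    """Defender's view: hash type per account, so legacy DES entries (8-character
    password limit, fast to crack) and empty fields stand out."""
    return {m.split(":")[0]: identify_hash(m.split(":")[1]) for m in merged}
```

Running audit(unshadow(PASSWD, SHADOW)) flags simon's entry as "DES (Unix)", the same verdict hash-identifier gave in Fig 3.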
In Fig 5, you can see the plain text password:
simon:password:1003:1003:simon:home/simon:/bin/bash
Of course, the more complex the password, the harder and more time-consuming it would be to crack.
Fig 5
Thanks for reading!