Password cracking with John the Ripper
Purpose
Learn hacking techniques hands-on by doing password cracking inside a sandbox.
The goal, of course, is to raise security awareness.
Reference sites
- https://www.youtube.com/watch?v=y11dheSwloI
- https://tools.kali.org/password-attacks/john
- https://www.youtube.com/watch?v=8VL0K0rFgxw
Progress so far
Trying out Kali Linux. My personal PC is macOS, so I build the image with Docker and experiment inside the container.
Install the various packages from Kali tools passwords, plus vim since I want to use it, and build the image.
Dockerfile
FROM kalilinux/kali-rolling
RUN mkdir /y-security
RUN apt update -y
RUN apt install -y kali-tools-passwords \
    && apt install -y vim
COPY . /y-security
VOLUME /y-security
CMD echo "This is security inspector running on Kali Linux"
I tried the following steps, but it doesn't work.
$ adduser test1
-> Prompted for a password, so I entered "password"
$ ls /etc/passwd
-> test1 has been created
$ ls /etc/shadow
-> test1 has been created
$ unshadow /etc/passwd /etc/shadow
-> The combined output is printed
$ unshadow /etc/passwd /etc/shadow > /y-security/crackme
-> Written to a file
$ john --wordlist=/usr/share/john/password.lst --rules /y-security/crackme
-> Doesn't work... "No password hashes loaded"
"No password hashes loaded" seems to be covered in the FAQ, so I read the official FAQ, but couldn't find a cause that quite fit..
Let's look at the shadow file again.
$ cat /etc/shadow
...
test1:$y$j9T$/qUkMmMEYOCDUEDTpVzJS1$x4.VJ3.LOIe1saCxWE/VMqTEDfI8.vsBXmFk1uDWbT8:18710:0:99999:7:::
I had learned from YouTube that the part between the first $ signs in the shadow file is the hash algorithm, but I can't find an algorithm called $y$ at a glance... I can find $2y$ and $6$, though.
This may be the cause.
Googling, I finally found it: $y$ is apparently an algorithm called yescrypt.
Confirmed in man crypt(5) on Linux as well.
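Added example, not from the original notes: a small Python script that reads shadow-format lines and reports each account's crypt(5) scheme (yescrypt, sha512crypt, md5crypt, ...) together with its rounds cost, using the two test1 hashes from above plus constructed entries.

```python
"""Identify the crypt(5) hash scheme of each account in shadow-format text.

Added example, not from the original notes: flags modern KDFs (yescrypt, bcrypt),
legacy md5crypt/DES, locked accounts and the sha*crypt iteration cost.
"""
import re

# crypt(5) prefixes; longest prefix is tested first so "$gy$" beats "$y$".
SCHEMES = {
    "$gy$": "gost-yescrypt", "$y$": "yescrypt", "$7$": "scrypt",
    "$2b$": "bcrypt", "$2y$": "bcrypt", "$2a$": "bcrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
}
LEGACY = {"md5crypt", "descrypt"}
ROUNDS_RE = re.compile(r"^\$[56]\$rounds=(\d+)\$")  # sha*crypt default: 5000 rounds

def classify(field):
    """Return (scheme, note) for one shadow password field."""
    if field == "" or field[0] in "*!":
        return ("locked", "no usable password")
    for prefix in sorted(SCHEMES, key=len, reverse=True):
        if field.startswith(prefix):
            scheme = SCHEMES[prefix]
            if scheme in ("sha512crypt", "sha256crypt"):
                m = ROUNDS_RE.match(field)
                return (scheme, "rounds=" + (m.group(1) if m else "5000 (default)"))
            return (scheme, "")
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "legacy DES, 8-character password limit")
    return ("unknown", "unrecognised format")

def audit_shadow(text):
    """Parse shadow-format text into {user: (scheme, note, is_legacy)}."""
    report = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":", 2)[:2]
        scheme, note = classify(field)
        report[user] = (scheme, note, scheme in LEGACY)
    return report

# Constructed sample: the two test1 entries from the notes (adduser's yescrypt and
# mkpasswd's sha512crypt), a locked account, and an md5crypt line with a placeholder hash.
SAMPLE = """\
test1:$y$j9T$/qUkMmMEYOCDUEDTpVzJS1$x4.VJ3.LOIe1saCxWE/VMqTEDfI8.vsBXmFk1uDWbT8:18710:0:99999:7:::
test2:$6$coolsalt$lBwFVYyzAmmx6k3N5shu4OFCnLmzNjuFhrZLwbch8ruVxelHjD7Kl8bArJd.Ncc3nbf.4xvaEGEjolJGMp6Xf/:18710:0:99999:7:::
daemon:*:18659:0:99999:7:::
olduser:$1$abcdefgh$PLACEHOLDERnotArealHash:18710:0:99999:7:::
"""
```

Run it on a real /etc/shadow with `audit_shadow(open("/etc/shadow").read())` to see which accounts a stock john build may refuse to load ($y$) and which are still on legacy schemes.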
For now I want to try MD5 or SHA, so I looked into whether adduser lets you specify the password hash algorithm..
Hmm, it's a bit of a hassle, but there may be no such option.
Oh, there's no mkpasswd command. Running apt-get install mkpasswd just says there is no such package.
Looking it up, installing the whois package is supposedly enough, so I ran that.
$ apt-get install whois
$ which mkpasswd
/usr/bin/mkpasswd
-> Binary confirmed
I think apt install would have worked too, but for now I ran it exactly as written.
It's a hassle, but:
$ adduser test1 --disabled-password
$ mkpasswd --method=SHA-512 --salt=coolsalt password
-> $6$coolsalt$lBwFVYyzAmmx6k3N5shu4OFCnLmzNjuFhrZLwbch8ruVxelHjD7Kl8bArJd.Ncc3nbf.4xvaEGEjolJGMp6Xf/
$ vi /etc/shadow
-> Replace the * after test1 with the password hash above
$ unshadow /etc/passwd /etc/shadow > y-security/crackme
$ john --wordlist=/usr/share/john/password.lst --rules y-security/crackme
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (test1)
1g 0:00:00:00 DONE (2021-03-24 16:31) 5.882g/s 3011p/s 3011c/s 3011C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed
It worked.
Added two more users with passwords like "password1234" and "yuta0324" and ran john, and...
It finishes with DONE without cracking the passwords...
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Remaining 2 password hashes with no different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:16 52.33% (ETA: 17:12:56) 0g/s 4903p/s 4903c/s 9806C/s tokiohoteL..dharmA
0g 0:00:00:18 57.57% (ETA: 17:12:57) 0g/s 4868p/s 4868c/s 9736C/s Darkangel2..Cirrus2
0g 0:00:00:32 DONE (2021-03-24 17:12) 0g/s 4767p/s 4767c/s 9534C/s Xxxing..Sssing
Session completed
Presumably the hardware resources weren't enough..
When I put the correct passwords into the wordlist and reran it, it hit them within a few seconds.
OpenCL and CUDA are both GPGPU frameworks.
To run John the Ripper on a GPU, let's use this as a reference.
If I want to use a GPU-equipped EC2 instance on AWS, the price looks roughly 3 to 5 times that of a non-GPU one.
Even the cheapest, g4dn, is 50 yen per hour.
lspci | grep -i nvidia
sudo apt install nvidia-utils-460-server
https://www.nvidia.com/Download/driverResults.aspx/169408/en-us
sudo apt-get update
sudo apt install nvidia-driver-440
sudo apt install nvidia-cuda-toolkit
sudo apt-get install build-essential libssl-dev
wget https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.gz
tar xfz john-1.9.0-jumbo-1.tar.gz
cd john-1.9.0-jumbo-1/src
./configure
make -s -j 4
sudo ./john --list=opencl-devices
sudo ./john --list=formats --format=opencl
To run john:
unshadow /etc/passwd /etc/shadow > crackme.txt
sudo ./john --format=sha512crypt-opencl crackme.txt
sudo ./john --format=md5crypt crackme.txt
sudo ./john --format=sha512crypt crackme.txt
Troubleshooting
[Inspect]
$ lspci | grep -i nvidia
$ dpkg -l | grep nvidia
ii libnvidia-compute-460-server:amd64 460.32.03-0ubuntu0.20.04.1 amd64 NVIDIA libcompute package
ii libnvidia-ml-dev 10.1.243-3 amd64 NVIDIA Management Library (NVML) development files
ii nvidia-cuda-dev 10.1.243-3 amd64 NVIDIA CUDA development files
ii nvidia-cuda-doc 10.1.243-3 all NVIDIA CUDA and OpenCL documentation
ii nvidia-cuda-gdb 10.1.243-3 amd64 NVIDIA CUDA Debugger (GDB)
ii nvidia-cuda-toolkit 10.1.243-3 amd64 NVIDIA CUDA development toolkit
ii nvidia-opencl-dev:amd64 10.1.243-3 amd64 NVIDIA OpenCL development files
ii nvidia-profiler 10.1.243-3 amd64 NVIDIA Profiler for CUDA and OpenCL
ii nvidia-settings 460.39-0ubuntu0.20.04.1 amd64 Tool for configuring the NVIDIA graphics driver
ii nvidia-utils-460-server 460.32.03-0ubuntu0.20.04.1 amd64 NVIDIA Server Driver support binaries
ii nvidia-visual-profiler 10.1.243-3 amd64 NVIDIA Visual Profiler for CUDA and OpenCL
ii screen-resolution-extra 0.18build1 all Extension for the nvidia-settings control panel
[Problem]
No disk space left on /tmp
-> /dev/root is full
[Solution]
$ apt-get clean
Then compile it again.
$ make -j 1
might be safer than -j 4.
[Reference]
https://sleeplessbeastie.eu/2015/11/02/how-to-crack-password-using-nvidia-gpu/
$ nvidia-smi
Sun Mar 28 05:28:56 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 450.102.04   Driver Version: 450.102.04   CUDA Version: 11.0     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  Tesla T4            Off  | 00000000:00:1E.0 Off |                    0 |
| N/A   38C    P0    27W /  70W |      4MiB / 15109MiB |      0%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|    0   N/A  N/A       780      G   /usr/lib/xorg/Xorg                  4MiB |
+-----------------------------------------------------------------------------+
$ sudo ./john --list=opencl-devices
Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.0.228
Device #0 (1) name: Tesla T4
Device vendor: NVIDIA Corporation
Device type: GPU (LE)
Device version: OpenCL 1.2 CUDA
Driver version: 450.102.04 [recommended]
Native vector widths: char 1, short 1, int 1, long 1
Preferred vector width: char 1, short 1, int 1, long 1
Global Memory: 15109 MB (ECC)
Global Memory Cache: 1280 KB
Local Memory: 48 KB (Local)
Constant Buffer size: 64 KB
Max memory alloc. size: 3777 MB
Max clock (MHz): 1590
Profiling timer res.: 1000 ns
Max Work Group Size: 1024
Parallel compute cores: 40
CUDA cores: 2560 (40 x 64)
Speed index: 4070400
Warp size: 32
Max. GPRs/work-group: 65536
Compute capability: 7.5 (sm_75)
Kernel exec. timeout: yes
PCI device topology: 00:03.6
While john is running
$ nvidia-smi
Sun Mar 28 06:08:12 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 450.102.04   Driver Version: 450.102.04   CUDA Version: 11.0     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  Tesla T4            Off  | 00000000:00:1E.0 Off |                    0 |
| N/A   52C    P0    69W /  70W |    118MiB / 15109MiB |     98%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|    0   N/A  N/A       780      G   /usr/lib/xorg/Xorg                  4MiB |
|    0   N/A  N/A      7675      C   ./john                            111MiB |
+-----------------------------------------------------------------------------+
$ sudo ./john --format=md5crypt-opencl crackme.txt
Device 1: Tesla T4
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-opencl, crypt(3) $1$ [MD5 OpenCL])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 825 candidates buffered for the current salt, minimum 327680 needed for performance.
yuta (yuta)
1g 0:00:00:00 DONE 1/3 (2021-03-28 06:44) 50.00g/s 41250p/s 41250c/s 41250C/s yuta..yuta1900
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Done in an instant.