Open
15

john the ripperを使ったpassword-cracking

目的

パスワードクラッキングをサンドボックス内で行うことで,ハッキングの方法を実際に学ぶ
もちろん,セキュリティに対する意識を高めることが目的

参考にしているサイト

ここまでの経過

Kali Linux を使ってみる, 私物PCはMacOSなので,Docker上でイメージをビルドして,コンテナの中で実験

Kali tools passwordsのもろもろのパッケージをインストールして,vim使いたいのでこれもインストールしてイメージをビルド

Dockerfile

FROM kalilinux/kali-rolling
RUN mkdir /y-security
RUN apt update -y
RUN apt install -y kali-tools-passwords\
 && apt install -y vim
COPY . /y-security
VOLUME /y-security
CMD echo "This is security inspector running on Kali Linux"

以下の手順を踏んでやってみたんだが,動かない

$ adduser test1
-> パスワード入力が要求されるので password と入力

$ ls /etc/passwd
-> test1が出来上がってる

$ ls /etc/shadow
-> test1が出来上がってる

$ unshadow /etc/passwd /etc/shadow
-> 結合されたアウトプットでてくる

$ unshadow /etc/passwd /etc/shadow > /y-security/crackme
-> ファイルに吐き出し

$ john --wordlist=/usr/share/john/password.lst --rules /y-security/crackme
-> 動かない...「No password hashes loaded」

No password hashes loadedはFAQにあるようなので公式FAQを読んでみるものの,いまいちしっくりくる原因が分からず..

https://www.openwall.com/john/doc/FAQ.shtml

もう一度 shadowファイルを見てみる

$ cat /etc/shadow
...
test1:$y$j9T$/qUkMmMEYOCDUEDTpVzJS1$x4.VJ3.LOIe1saCxWE/VMqTEDfI8.vsBXmFk1uDWbT8:18710:0:99999:7:::

shadowファイルの最初の$マークの間がハッシュアルゴリズムなのだとYoutubeで把握していたが,
$y$ というアルゴリズムがパッと見当たらない... $2y$とか$6$は見つかるんだが

これが原因なのかもしれない

ぐぐるとようやく発見.$y$ はどうやらyescryptというアルゴリズムらしい.

https://unix.stackexchange.com/questions/430141/how-to-find-the-hashing-algorithm-used-to-hash-passwords

Linuxのman crypt(5)でも確認

とりあえずMD5とかSHAとかで試したいので, adduserコマンドでのパスワードのハッシュアルゴリズムを指定できないのか調べてみる..

https://serverfault.com/questions/688357/how-to-set-specify-encryption-hash-when-creating-linux-user

うーん,なんか面倒だけどそういうオプションはないのかもしれない

あれ,mkpasswdコマンドがない. apt-get install mkpasswd してもパッケージがないと出てしまう
調べてみると whoisパッケージをインストールすればよいらしいので実行

https://command-not-found.com/mkpasswd
$ apt-get install whois

$ which mkpasswd
/usr/bin/mkpasswd
-> バイナリ確認

apt installでもインストールできたと思うけどいったんここは書いてある通りに実行した

面倒だけれども

$ adduser test1 --disabled-password
$ mkpasswd --method=SHA-512 --salt=coolsalt password
-> $6$coolsalt$lBwFVYyzAmmx6k3N5shu4OFCnLmzNjuFhrZLwbch8ruVxelHjD7Kl8bArJd.Ncc3nbf.4xvaEGEjolJGMp6Xf/

$ vi /etc/shadow
-> test1のあとの *を上記のパスワードハッシュに置き換え

$ unshadow /etc/passwd /etc/shadow > y-security/crackme
$ john --wordlist=/usr/share/john/password.lst --rules y-security/crackme

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (test1)
1g 0:00:00:00 DONE (2021-03-24 16:31) 5.882g/s 3011p/s 3011c/s 3011C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed

ユーザー2つ追加してみてそれぞれ「password1234」「yuta0324」とかにして,johnを動かすと,,,

パスワード解析されずにDONEになる...

Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Remaining 2 password hashes with no different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:16 52.33% (ETA: 17:12:56) 0g/s 4903p/s 4903c/s 9806C/s tokiohoteL..dharmA
0g 0:00:00:18 57.57% (ETA: 17:12:57) 0g/s 4868p/s 4868c/s 9736C/s Darkangel2..Cirrus2
0g 0:00:00:32 DONE (2021-03-24 17:12) 0g/s 4767p/s 4767c/s 9534C/s Xxxing..Sssing
Session completed

hardwereリソースが足りなかったんだと思われる..

辞書リストに正解のパスワードを入れて再実行したら数秒以内に的中させることができた

lspci | grep -i nvidia
sudo apt install nvidia-utils-460-server
https://www.nvidia.com/Download/driverResults.aspx/169408/en-us

sudo apt-get update
sudo apt install nvidia-driver-440
sudo apt install nvidia-cuda-toolkit
sudo apt-get install build-essential libssl-dev
wget https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.gz
tar xfz john-1.9.0-jumbo-1.tar.gz
cd john-1.9.0-jumbo-1/src
./configure
make -s -j 4
sudo ./john --list=opencl-devices
sudo ./john --list=formats --format=opencl

to run john,

unshadow /etc/passwd /etc/shadow > crackme.txt

sudo ./john --format=sha512crypt-opencl crackme.txt
sudo ./john --format=md5crypt crackme.txt
sudo ./john --format=sha512crypt crackme.txt

Troubleshooting

[Inspect]
$ lspci | grep -i nvidia
$ dpkg -l | grep nvidia
ii  libnvidia-compute-460-server:amd64   460.32.03-0ubuntu0.20.04.1        amd64        NVIDIA libcompute package
ii  libnvidia-ml-dev                     10.1.243-3                        amd64        NVIDIA Management Library (NVML) development files
ii  nvidia-cuda-dev                      10.1.243-3                        amd64        NVIDIA CUDA development files
ii  nvidia-cuda-doc                      10.1.243-3                        all          NVIDIA CUDA and OpenCL documentation
ii  nvidia-cuda-gdb                      10.1.243-3                        amd64        NVIDIA CUDA Debugger (GDB)
ii  nvidia-cuda-toolkit                  10.1.243-3                        amd64        NVIDIA CUDA development toolkit
ii  nvidia-opencl-dev:amd64              10.1.243-3                        amd64        NVIDIA OpenCL development files
ii  nvidia-profiler                      10.1.243-3                        amd64        NVIDIA Profiler for CUDA and OpenCL
ii  nvidia-settings                      460.39-0ubuntu0.20.04.1           amd64        Tool for configuring the NVIDIA graphics driver
ii  nvidia-utils-460-server              460.32.03-0ubuntu0.20.04.1        amd64        NVIDIA Server Driver support binaries
ii  nvidia-visual-profiler               10.1.243-3                        amd64        NVIDIA Visual Profiler for CUDA and OpenCL
ii  screen-resolution-extra              0.18build1                        all          Extension for the nvidia-settings control panel

[Problem]
No disk space left on /tmp
-> /dev/root is full

[Solution]
$ apt-get clean

Then compile it again
$ make -j 1
might be safer

[Reference]
https://sleeplessbeastie.eu/2015/11/02/how-to-crack-password-using-nvidia-gpu/

$ nvidia-smi
Sun Mar 28 05:28:56 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 450.102.04   Driver Version: 450.102.04   CUDA Version: 11.0     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  Tesla T4            Off  | 00000000:00:1E.0 Off |                    0 |
| N/A   38C    P0    27W /  70W |      4MiB / 15109MiB |      0%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|    0   N/A  N/A       780      G   /usr/lib/xorg/Xorg                  4MiB |
+-----------------------------------------------------------------------------+

$ sudo ./john --list=opencl-devices
Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.0.228
    Device #0 (1) name:     Tesla T4
    Device vendor:          NVIDIA Corporation
    Device type:            GPU (LE)
    Device version:         OpenCL 1.2 CUDA
    Driver version:         450.102.04 [recommended]
    Native vector widths:   char 1, short 1, int 1, long 1
    Preferred vector width: char 1, short 1, int 1, long 1
    Global Memory:          15109 MB (ECC)
    Global Memory Cache:    1280 KB
    Local Memory:           48 KB (Local)
    Constant Buffer size:   64 KB
    Max memory alloc. size: 3777 MB
    Max clock (MHz):        1590
    Profiling timer res.:   1000 ns
    Max Work Group Size:    1024
    Parallel compute cores: 40
    CUDA cores:             2560  (40 x 64)
    Speed index:            4070400
    Warp size:              32
    Max. GPRs/work-group:   65536
    Compute capability:     7.5 (sm_75)
    Kernel exec. timeout:   yes
    PCI device topology:    00:03.6

利用時

$ nvidia-smi
Sun Mar 28 06:08:12 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 450.102.04   Driver Version: 450.102.04   CUDA Version: 11.0     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  Tesla T4            Off  | 00000000:00:1E.0 Off |                    0 |
| N/A   52C    P0    69W /  70W |    118MiB / 15109MiB |     98%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|    0   N/A  N/A       780      G   /usr/lib/xorg/Xorg                  4MiB |
|    0   N/A  N/A      7675      C   ./john                            111MiB |
+-----------------------------------------------------------------------------+

$ sudo ./john --format=md5crypt-opencl crackme.txt
Device 1: Tesla T4
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-opencl, crypt(3) $1$ [MD5 OpenCL])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 825 candidates buffered for the current salt, minimum 327680 needed for performance.
yuta             (yuta)
1g 0:00:00:00 DONE 1/3 (2021-03-28 06:44) 50.00g/s 41250p/s 41250c/s 41250C/s yuta..yuta1900
Use the "--show" option to display all of the cracked passwords reliably
Session completed

一瞬

ログインするとコメントできます