Information Security / Attack Tools & Information Gathering 2016.06.08 18:17

Attack Tools & Information Gathering - 27. Password Cracking (John The Ripper)

 

 

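The content here is organized for hands-on practice required in a training course. If it is used for personal ends or with malicious intent, legal responsibility rests with the user.

[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux

 - John The Ripper: a password cracking tool

Ex1) Changing the root account password and adding new accounts

 - Change the root account password and add new accounts.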

 

 

(Terminal 1)

root@kali:~# passwd root
새 UNIX 암호 입력: root
새 UNIX 암호 재입력: root
passwd: 암호를 성공적으로 업데이트했습니다

 

root@kali:~# useradd user01
root@kali:~# passwd user01
새 UNIX 암호 입력: user01
새 UNIX 암호 재입력: user01
passwd: 암호를 성공적으로 업데이트했습니다

 

root@kali:~# useradd cisco
root@kali:~# passwd cisco
새 UNIX 암호 입력: C!$c01234.
새 UNIX 암호 재입력: C!$c01234.
passwd: 암호를 성공적으로 업데이트했습니다

 


root@kali:~# cat /etc/passwd | egrep '(root|user01|cisco)'
root:x:0:0:root:/root:/bin/bash
user01:x:1000:1001::/home/user01:/bin/sh
cisco:x:1001:1002::/home/cisco:/bin/sh

 

 

root@kali:~# cat /etc/shadow | egrep '(root|user01|cisco)'
root:$6$.Gihrkop$AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS70frHCaaIRAxbOq9JvvXHyWSIz06t.8PcJMa7nh09xNpA/.:16960:0:99999:7:::
user01:$6$tZ.1Mmei$KqcvTL7O6qi6QoaT0q4BtjtCIYM7JrLKryAyVKR2uHLL6C8z8HW31Ej2RTnkp4XPDk4.zBKAHQ0KBarEHyU.91:16960:0:99999:7:::
cisco:$6$4OralSAX$mbvZaCtZ4UaJliWcP19PZYeOPp6miHqF5aVPLFDW/Q4/aMQammQiob37eRSGzL.TUDwZynXvUyhJ8bn4CNp310:16960:0:99999:7:::

 

 

root@kali:~# cd /root/bin

root@kali:~/bin# unshadow /etc/passwd /etc/shadow | egrep '(^root|^user01)' > passwd1.txt
root@kali:~/bin# unshadow /etc/passwd /etc/shadow | egrep '(^root|^user01|^cisco)' > passwd2.txt

 

 

root@kali:~/bin# cat passwd1.txt
root:$6$.Gihrkop$AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS70frHCaaIRAxbOq9JvvXHyWSIz06t.8PcJMa7nh09xNpA/.:0:0:root:/root:/bin/bash
user01:$6$tZ.1Mmei$KqcvTL7O6qi6QoaT0q4BtjtCIYM7JrLKryAyVKR2uHLL6C8z8HW31Ej2RTnkp4XPDk4.zBKAHQ0KBarEHyU.91:1000:1001::/home/user01:/bin/sh

 


root@kali:~/bin# cat passwd2.txt
root:$6$.Gihrkop$AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS70frHCaaIRAxbOq9JvvXHyWSIz06t.8PcJMa7nh09xNpA/.:0:0:root:/root:/bin/bash
user01:$6$tZ.1Mmei$KqcvTL7O6qi6QoaT0q4BtjtCIYM7JrLKryAyVKR2uHLL6C8z8HW31Ej2RTnkp4XPDk4.zBKAHQ0KBarEHyU.91:1000:1001::/home/user01:/bin/sh
cisco:$6$4OralSAX$mbvZaCtZ4UaJliWcP19PZYeOPp6miHqF5aVPLFDW/Q4/aMQammQiob37eRSGzL.TUDwZynXvUyhJ8bn4CNp310:1001:1002::/home/cisco:/bin/sh

 

 

 - Crack the passwords in 'passwd1.txt' with John the Ripper.

 

root@kali:~/bin# john passwd1.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
root             (root)
user01           (user01)
2g 0:00:00:00 DONE 1/3 (2016-06-08 18:22) 50.00g/s 375.0p/s 400.0c/s 400.0C/s user01..User01User01
Use the "--show" option to display all of the cracked passwords reliably
Session completed

 

 

 

 - Crack the passwords in 'passwd2.txt' with John the Ripper.


root@kali:~/bin# john passwd2.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Remaining 1 password hash
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

 

 

 - The 'cisco' account password either is not cracked by John the Ripper or takes a long time to crack.

(Terminal 2)

root@kali:~# cd /root/bin/
root@kali:~/bin# john --show passwd2.txt
root:root:0:0:root:/root:/bin/bash
user01:user01:1000:1001::/home/user01:/bin/sh

2 password hashes cracked, 1 left

 


root@kali:~/bin# john --show=LEFT passwd2.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
cisco:$6$4OralSAX$mbvZaCtZ4UaJliWcP19PZYeOPp6miHqF5aVPLFDW/Q4/aMQammQiob37eRSGzL.TUDwZynXvUyhJ8bn4CNp310

2 password hashes cracked, 1 left

 

 

 

 - Stop the 'passwd2.txt' password crack.

(Terminal 1)

Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:05 72.57% 2/3 (ETA: 18:23:46) 0g/s 1727p/s 1727c/s 1727C/s Sexymama8..Barbie.
0g 0:00:02:26  3/3 0g/s 1690p/s 1690c/s 1690C/s 154147..mayats
0g 0:00:02:31  3/3 0g/s 1688p/s 1688c/s 1688C/s br0507..amink11
0g 0:00:52:16  3/3 0g/s 1644p/s 1644c/s 1644C/s cobulk..crchug
0g 0:00:52:19  3/3 0g/s 1644p/s 1644c/s 1644C/s ceth07..clreto
0g 0:00:52:21  3/3 0g/s 1644p/s 1644c/s 1644C/s cioryl..cc48mj

 

(ctrl+c)

 

Session aborted
root@kali:~/bin#

root@kali:~# cd 

 

 

 

Ex2) The 'Johnny' tool

 - 'Johnny' is a GUI tool for John the Ripper.

 

root@kali:~/bin# johnny &

[1] 6800

 

Open the 'passwd1.txt' file -> Start Attack -> check the Output

Open the 'passwd2.txt' file -> Start Attack -> check the Output

 - Restore the root account password to its previous value.

 

root@kali:~# passwd root
새 UNIX 암호 입력: toor
새 UNIX 암호 재입력: toor
passwd: 암호를 성공적으로 업데이트했습니다

 

 

 

 

[Reference] 'Shadow' passwords

 

root@kali:~# cat /etc/shadow | grep root
root:$6$.Gihrkop$AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS70frHCaaIRAxbOq9JvvXHyWSIz06t.8PcJMa7nh09xNpA/.:16960:0:99999:7:::

 

 

 

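Type                         | Content
──────────────────────────────────────────────────────────────────────
Hash algorithm (ID)          | $6$
Salt key                     | $.Gihrkop$
Encrypted (hashed) password  | $AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS7..... (rest omitted)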

 

 

 

root@kali:~# man shadow

~ (omitted) ~

 

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

 

~ (omitted) ~

 

 

root@kali:~# man 3 crypt

~ (omitted) ~

 

              ID  | Method
              ──────────────────────────────
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                   | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

~ (omitted) ~
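
As an added example (not part of the original post), the following Python code splits the password field of a shadow entry into the ID, salt and hash described in the reference above, using the ID table from the crypt(3) excerpt, and lists accounts a defender would review. The function names, the `rounds=` handling, the "outdated" judgement and the `svc`/`old` sample lines are constructed for illustration; the root line is the one shown on this page.

```python
# Added example, illustrative names. ID -> method as in the crypt(3) excerpt.
CRYPT_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# The root line is from this page; the other two are constructed samples.
SAMPLE = [
    "root:$6$.Gihrkop$AYhWeCcKDEbgy/v/21ADW8.gbcFtQxkrDCshAAS70frHCaaIRAxbOq9"
    "JvvXHyWSIz06t.8PcJMa7nh09xNpA/.:16960:0:99999:7:::",
    "svc:!:16960:0:99999:7:::",
    "old:$1$CONSTRSALT$CONSTRUCTEDHASHVALUE:16960:0:99999:7:::",
]

def parse_shadow_line(line):
    """Describe the password field (second field) of one shadow entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    info = {"user": user, "state": "hashed", "id": None, "method": None,
            "rounds": None, "salt": None, "hash": None}
    if pw == "":
        info["state"] = "empty"      # account has no password
    elif pw[0] in "!*":
        info["state"] = "locked"     # password login disabled
    elif not pw.startswith("$"):
        info["state"] = "legacy"     # no $id$ prefix, e.g. traditional DES
    else:
        parts = pw.split("$")        # ['', id, [rounds=N], salt, hash]
        info["id"] = parts[1]
        info["method"] = CRYPT_METHODS.get(parts[1], "unknown")
        rest = parts[2:]
        if rest and rest[0].startswith("rounds="):
            info["rounds"] = int(rest[0][len("rounds="):])
            rest = rest[1:]
        # Only the MD5/SHA-crypt layouts are salt$hash; Blowfish differs.
        if parts[1] in ("1", "5", "6") and len(rest) == 2:
            info["salt"], info["hash"] = rest
    return info

def audit(lines):
    """Return (user, finding) pairs; 'outdated' is this example's judgement."""
    findings = []
    for entry in map(parse_shadow_line, lines):
        if entry["state"] == "empty":
            findings.append((entry["user"], "empty password"))
        elif entry["state"] == "legacy" or entry["method"] == "MD5":
            findings.append((entry["user"], "outdated hash scheme"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
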

 


[YouTube] Video lecture link

Attack Tools & Information Gathering - Chapter 27. Password Cracking (John The Ripper)   https://youtu.be/fJIz_dtDweI

Posted by Instructor 김정우 (KakaoTalk: kim10322)

