Python Cracking Unix User Passwords 03 crypt

Python programming and video tutorials. In the last couple of videos we've been checking out how we could possibly crack a UNIX user account password. These last few modules in Python we've been checking out have been UNIX-specific services; that's kind of been the theme for these last few videos. We've been looking at spwd, the shadow password database, and before that pwd, which was the regular password database, and those two things were kind of very different. If you recall, the pwd database was reading all these things out of a file in the UNIX directory and file system, /etc/passwd, so that was world-readable: we, as any user, could check it out. If I cat that file, /etc/passwd, you'll notice that we can read all the users' stuff, and fubar, a user that we have already created and have been playing with, is available there. In the documentation it shows us these different attributes and things that were all returned to us, and normally it would show us the encrypted password. The thing is, there was a note here that we were checking out: normally, at least in some cases, the modern UNIX systems have a so-called shadow password system, so the password field is not visible; it's replaced with the letter x in most cases, where instead the encrypted password is stored in /etc/shadow, which is not world-readable. You can see right here in our example, yeah, fubar's is x, so that's not what we wanted; we wanted /etc/shadow. So we moved on to the spwd module, and this would show us the encrypted password. Now remember, this is root; at least you have to be able to use it as root, it's not world-readable. So if I were to run sudo cat /etc/shadow, now we can read it, and we see all the same users and our fubar user right down here; we can see his encrypted password. Ah, you may have noticed, at least I don't know if you would notice, but I'm just gonna tell you right up front that I did some more toying around in between recordings of these videos, so I have a different encrypted password, but it's still the same raw password, apples.

So, all right, back to what we were looking at. The same note that was telling us about this change with the passwd entry, the shadow password system and the regular password system, tells us that the password field usually contains a password encrypted with this DES-derived algorithm, and it links us to this module, crypt, and that's what we're gonna be toying with in this video. So here, check this out: crypt is a function that checks UNIX passwords. The module implements an interface to the crypt routine, which is a one-way hash function based upon a modified DES algorithm; you can check out the man page for more details if you're interested. But the possible uses kind of let us use Python to test and try, and at least follow through with, accepting typed passwords from the user, and attempt to crack UNIX passwords with a dictionary. That's pretty cool; that sounds like what we want to be doing here. So this function, I'm sorry, this module only has one function, so I guess you could kind of consider it a function rather than a module, but yeah, it includes the function crypt, and it takes two arguments, word and salt. Word will usually be the user's password as typed at the prompt or in a graphical interface, so it's kind of like the raw data, the simple plaintext password, and salt is usually a random two-character string which will be used to perturb the DES algorithm in one of 4096 ways. Now, the characters in salt must be in the set from A to Z or 0 to 9, alphabetical letters and numeric digits. It will return the hashed password as a string, which will be composed of eight characters from the same alphabet and set as the salt. So normally you would be able to see... I'll try and show you an example of this: we would have a salt, or a password encrypted like this, and the first two letters, let's say FK, I don't really know why I chose the two letters F and K, but those two letters would be the salt, and that's what you would pass in there.

But I want to bring your attention to a little bit more of the documentation. There's a note here at the bottom that says: since a few of the crypt extensions allow different values with different sizes in the salt, it's recommended to use the full crypted password as the salt when checking for a password. So that's what we're gonna do. Okay, so let's get to it. Let's build a script that will do this, looping through a dictionary and actually trying to break and crack this UNIX password that we set up for our fubar user. So we need a dictionary. Now, I want to show you just how easy this is. I'm gonna go on Google, because, you know, the Internet is our best resource, and we'll look for a dictionary file. You look through some of these results here, and I want to find someone that's doing the same thing I am, and this guy here, that sounds like a Stack Exchange question: "Where can I find good dictionaries for dictionary attacks?" So we'll check that out, and it looks like, yeah, he kind of has the same thing that we're doing, wants to play with a dictionary attack, and hey, this first response gives us some links. So let's check those out, follow those, and boom, we've got some dictionaries that come with common tools and cracking utilities. Well, I see John the Ripper there, which is a pretty common and well-known tool and utility for this sort of thing, so here's a compressed file. I'll open it up with my archive manager, I'll extract the file, and you can see all of these kind of pretty common, you know, passwords. I'll shrink it down so I can show you more. So we'd be able to loop through this list and hopefully find our password, right? Let's try it out. I'm actually gonna save this as a new file; I'll call mine passwords.txt, and I might already have a... yeah, I already have an example of this, so just replace that, close out of this, and now we'll get to our script editor, or text editor, and actually start to write the script.

So I've got Sublime Text open, I'm gonna create a new one, I'll call mine passwords_crack.py, and here we go. I'm gonna use Colorama, actually, to display things out in color in the terminal so it looks a little bit more professional. You can do this if you'd like; it's entirely up to you. So this video might turn into a longer video, since we're gonna be writing this code as well as the demonstration and experimenting and playing with it, so I hope you don't mind me. But, say, here we go: from colorama I want to import everything, import Fore as colors, and actually, since we need to be the root user to be able to read through the /etc/shadow file, right, we're actually going to be importing the os module as well, so we can test what our user identification number is. So I'm actually going to include that straight away: from os import getuid; that's the function that'll get the user ID of this process. And then of course we need the function from our crypt module. So let's define a simple main function, go through with the normal Python boilerplate code, and here we go. Let's test, first of all, if getuid() is equal to zero. Now, most of you may know that the root user has a user ID value of zero; anyone else does not. So if I, in the shell, echo out my $UID variable, you can see that right now it's a thousand. If I try and run sudo echo $UID, so I run this as root... oh, I might need to be in bash, actually, for that. Now if I echo my $UID, I am zero, and you can see I'm logged in as root here. So, okay, just a small demonstration for that, and we'll get back to it. If the user ID is zero... actually, we'll print out if it is not zero: what we can do is print out, in colors.YELLOW, "You must be root to run this utility," something real simple, and then we'll exit out with a one, so we know that's an error code rather than the zero for success. Let's see this in our code, if we can get it to work: chmod passwords_crack.py. If I run password_crack.py... oh, I do need my shebang line, how could I forget. Now I run this. The file name is passwords_crack rather than password_crack; that was an old file that I was using when I reviewed this lesson and reviewed this tutorial, so I just removed that, and now we should be able to run passwords_crack. Okay, cool, and "You must be root to run this utility." So if I'm not, then we can just say print, I'll do colors.BLUE or something, and then we'll actually allow them to... should we take an argument? That would be kind of cool. Yeah, let's take arguments.

So from sys import argv; that's all we really need. If the length of argv is less than or equal to one, we'll ask with raw_input. We'll use yellow as a prompt as well; I mean, that's what I'm gonna do, it's entirely up to you, you're the one writing this script, not me. I'll actually print it out and then do raw_input after, since that's gonna be a long line, with colors.RESET as a thing. Let's try it. We'll say username is equal to what they enter. Let's see how it works: "must be root," okay, I'll run it with sudo. "What user should we try and crack the password for?" Let's say fubar. Okay, cool, RESET does work: "Cracking UNIX password for user fubar." Awesome. I'll change this to yellow. So that's really simple, and that'll work just fine for us, and else, let's say username can equal argv[1], since argv[0] would be the name of the program. So now we can of course run sudo passwords_crack without any arguments, fubar will work for us, and we can run it with the username fubar and then, okay, "Trying to crack the password for UNIX user fubar." Sweet. So now we've got some kind of pre-established stuff going on. Let's say that the dictionary file, dict_file, can equal open("passwords.txt"), and we want to loop through this and also test for what everything is. We also need, of course, the password for our user, so I actually forgot to include that: let's say from spwd import getspnam; I think that's it, yeah. So let's say encrypted_password can equal getspnam for the username, which would in this case be fubar, and I just want to print that out: "Encrypted password looks to be" the encrypted password. So let's check this out. Oh, can't concatenate those. Let's say we want that actually to be index one, because remember, in our IDLE process, when I showed you this example in IDLE, what we had was import spwd, spwd.getspnam; remember, this returns a struct object for us. Okay, now that I'm logged in as a Python terminal and root, we can try this. So if I ran it for fubar we'd get this struct, and the second data, like the second index in there, was the password that we wanted, so when we subtract one from that because of our computer offset, we can start counting from zero, we get one, so that's what we're using there. So "encrypted password looks to be," now we can run this, all that. Okay, cool. So now we'll actually start to loop through it and crack it.

For password in dict_file.readlines(), we'll actually test for a new password, and we'll say that new_password can equal crypt.crypt(password, ...), because remember, this would be the word, the plaintext word that we're looking at, and then the encrypted password as our salt; we want the full thing to work through there. So we'll print out, get some nice output through this at the very end, sorry if you guys don't mind me doing random formatting before, for how I want the script to look. So we'll just have a small little output for what password we're looking at at the moment, and we'll test: if this password, the new password, is the same as the encrypted password, that means that, okay, we found it, we got the crack. So we'll display out "Password found," all that stuff, print, we set the new password, the cracked password, we can say "The cracked password is" password, and I'll add a little color there, colors dot, it's up to you guys, you're the programmer here. And else, we can say we did not find it, so in that case we would say "password failed," and we'll just keep going along. Just like that, we're gonna break out, and then at that point we're done, so we can just exit with... or before we break out we can say "No password crack was found, try another dictionary file," and it'll exit with a 1, so it's an error message, not an error message but, you know, a failure flag. And okay, so it looks like we kind of got our loop going on in our simple detection setup, but I kind of actually want to know how many we go through until we find that password, because it would be kind of cool. So let's set up a count variable to keep track of all this stuff, so if we didn't find the password then count will increase. So I set it up, initializing right above our loop, and then if we don't get it, then we're gonna increment it, and we'll say "It took" count; remember to concatenate that to a string, since it is an integer right now. Okay, so now it just simply displays how many passwords we've tried to go through.

So let's try and play with this now; hopefully we get something cool. If I run it without being root, remember, it tells us you need to be root to run this utility. So we run it with sudo, and we want to crack the password for fubar. So now it's gonna loop through all of these and try to actually find our password. You can see it's going crazy right now trying to look for it, and hopefully it gets it; if it doesn't, I mean, hey, it might go through all this stuff and not get it. But you know what's interesting here, actually: see how the ellipsis right here is on a different line than the password? Oh, you know what I'm thinking, you know what you should be thinking: take a look at our passwords variable here. This is likely including what is included in the text file; of course, if I fire up passwords.txt, there is of course a newline character from one password to the next. So what we will have to include here is the rstrip function for our password: we can say password is gonna equal the same password that it was, with the very end of it, the newline character, stripped away, so password.rstrip(). Now when we run this, hey, we're gonna get some good stuff. Let's say we want it for fubar, and hey, "Password found. It took 354 different attempts to find it. The cracked password is apples." Sweet. Looks like our color coding got a little funky there; that's okay, let's fix it right away. But dude, look at that, we got the password; we were able to find it with a dictionary attack, doing the same method of encrypting what we would think the password to be with the dictionary attack and using the encrypted password as the salt, or as kind of what we're comparing it to and what we're using to encrypt. So that's kind of cool, right? Like, we just cracked a really insecure, of course, kind of an unsanitary, or not that secure, password, but we got apples, we got it. If I try it for my own account, it'll go through all this stuff and there's no way it's gonna find anything, because I would never use a dictionary word as my password. But since our script is kind of nice, it'll tell us, like, we weren't able to get it, you should try another dictionary attack. But even then, it's the hope that the user is using a common password, a common dictionary word, or, I don't know, not all these are dictionary words, so I guess it's kind of a different thing, but common passwords, and mine is nowhere near a common password. But yeah, like I said, our script will tell us very nicely that, well, we couldn't find it, and try another dictionary file if you are really trying.

But one of the cool things that you might be able to do, if you want to work with this a little bit more, is, you see how it's always outputting a new line every single time? That probably takes a lot of screen space; it's outputting a ton of stuff. We could just have it display on the same line and just kind of flush the output and re-put it on the same line over and over and over again, kind of like apt does if you're trying to install something, right? I don't know, there's a lot of opportunities for it. But this is a simple script that will kind of make sure that you're root, so you'll have the ability to look at the user's password, which I know isn't exactly cracking or hacking, because you have that caveat, but for this educational and learning experience, so you know how to do it, that's okay. And of course you need the os module to test your user ID to make sure you are root. We played with our command-line arguments; we didn't really have to, but I think it was kind of nice to add to our script. And Colorama, of course, added some nice output for us, even though it's probably really annoying when I'm just trying to add those colors here and there. And of course spwd, our password database, to actually get what the encrypted password is. So, cool, I think I'm done; I think that's all that I wanted to show for you guys. I hope you guys were able to walk through this tutorial and program with me. I know it's been kind of long, but hopefully it's well worth it and really a cool learning experience, these last few videos. So thanks again for watching, guys, hope you enjoyed it. If you did, maybe like the video, maybe leave me a comment, comments for constructive criticism, and if you're feeling up for it, subscribe, you know, I'd love that. See you soon.
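The word-list audit the video builds, reworked as an added example in Python 3 (this is not the video's own script, which is Python 2 with Colorama): it checks one stored crypt(3)-style shadow hash against a list of common passwords, passing the full stored hash as the salt and rstripping each line's newline, as described above, and reports whether the account's password is in the list rather than echoing it. It assumes a Python where the stdlib crypt module still imports (deprecated since 3.11, removed in 3.13); the toy_hasher is a constructed stand-in with the same shape so the loop can be exercised where crypt is absent, and audit_user is the root-only spwd entry point.

```python
"""Audit a crypt(3)-style password hash against a common-password list."""
import hashlib
import os
import sys

try:
    import crypt  # stdlib crypt: deprecated since Python 3.11, removed in 3.13
except ImportError:
    crypt = None


def crypt_hasher(word, full_hash):
    """crypt(3) via the stdlib. Passing the full stored hash as the salt makes
    crypt reuse that hash's algorithm id and salt, as the docs recommend."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable on this Python build")
    return crypt.crypt(word, full_hash)


def toy_hasher(word, full_hash):
    """Constructed stand-in with the same (word, full_hash) -> hash shape so
    the audit loop runs where crypt is absent. Format: $toy$<salt>$<sha256>."""
    _, _, salt, _ = full_hash.split("$", 3)
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def audit_hash(full_hash, words, hasher=crypt_hasher):
    """Return (matching_word_or_None, attempts). Candidates are rstripped
    because lines read from a word-list file keep their trailing newline."""
    attempts = 0
    for raw in words:
        word = raw.rstrip("\r\n")
        if not word:
            continue
        attempts += 1
        if hasher(word, full_hash) == full_hash:
            return word, attempts
    return None, attempts


def demo_with_real_crypt():
    """Self-check against the real crypt module; None when it is unavailable."""
    if crypt is None or not crypt.methods:
        return None
    stored = crypt.crypt("apples", crypt.mksalt(crypt.methods[0]))
    return audit_hash(stored, ["123456\n", "apples\n"])


def audit_user(username, wordlist_path):
    """Root-only: read the user's shadow entry (spwd) and audit it."""
    if os.getuid() != 0:
        sys.exit("must be root to read the shadow database")
    import spwd  # also deprecated in 3.11 and removed in 3.13
    stored = spwd.getspnam(username).sp_pwdp
    with open(wordlist_path, encoding="utf-8", errors="ignore") as fh:
        return audit_hash(stored, fh)
```

A non-None first element from audit_user means the password is in the list and should be changed; the attempt count is what the video's counter reports.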