I recently needed to recover passwords from a Linux system where I had the drive which I could connect to a Windows PC but this presented several issues starting with finding the right file then what tools to use and most importantly how to mate it correctly in OpenCL mode to get the benefit of graphics card processing power!
Firstly the drive was formatted as EXT3 which Windows doesn’t natively support. After a bit of research I found a free program called Ext Volume Manager and gave it a go. It worked perfectly and after giving a list of available drives you can double click and mount the drive as a drive letter in Windows then just browse to it like any other drive. It was simple and worked really well.
Now that problem out the way we needed to find the password file. In Linux passwords were historically stored in a hashed form in root/etc/ in a file named passwd so this is the first place to look. Open it in notepad or similar and it is highly likely you will see a series of lines line this:
The X is where the hash would have been found historically but when the security was updated this method was changed and so the X just shows that there is a password configured but it’s stored elsewhere.
That elsewhere is a file in the same location called ‘shadow’. The structure of this file is very similar to ‘passwd’ but in Linux has different permissions. Luckily in windows this doesn’t make much difference so we can just open it.
The data should look more like this (I have cropped out some of the line to avoid it filling the screen. The $6$ in this case identifies the password hash as being sha512crypt format but yours may differ, the options are:
- $1 = MD5 hashing algorithm.
- $2 =Blowfish Algorithm is in use.
- $2a=eksblowfish Algorithm
- $5 =SHA-256 Algorithm
- $6 =SHA-512 Algorithm
The next bit ‘ THMmaDC5 ‘ is the ‘salt’ value which is random data used to encode the password as the hash making it more difficult to guess.
The remainder up to the colon is the hashed password which is what needs to be guessed so now we have the right file.
Next go ahead and download Cygwin ( https://www.cygwin.com/ ) this is basically a miniature Linux platform on Windows which lets you compile Linux programs to run under Windows if they are compiled for it.
When installing Cygwin generally you can just use defaults and whatever local mirror you fancy however when the list of tools is shown search for OpenCL and add this to the installation.
Add the highlighted component to the install and continue and you should find you will soon have a Linux installation in a folder on your PC (default location is C:\cygwin64\ ).
Next download the zip of latest version of John the Ripper ( https://www.openwall.com/john/ ) – this is a widely recognised tool for this purpose and seems to work best. I also tried a program called HashCat but this didn’t seem to be able to find the hashes in the file. The version I used was 1.9.0-jumbo-1-64 Bit.
Hopefully the zip will look like this. Copy the all the folders and paste them into the Cygwin folder – there will already be a folders with those names so merge them. This operation adds the descriptors to allow Cygwin to recognise your OpenCL device however on my PC (and from what I’ve been reading online several others the path was incorrect so we’ll fix that.
Browse to the following path C:\cygwin64\etc\OpenCL\vendors\ and open the amd.icd file in notepad.
Next go the the system32 folder as shown and search for ‘amdocl64.dll’ . In my case this wasn’t present in the system32 folder directly but I found a match in System32\DriverStore\FileRepository\ . If that is what you find just copy the file and paste it into system32 itself and this should correct the mismatch.
Next copy your ‘shadow’ file into ‘C:\cygwin64\run’ – technically this isn’t required but it makes life easier. In my case I edited it to have a .txt extension to make testing easier. Now to test it!
Open a command prompt Window and browse to ‘C:\cygwin64\run’ then enter the following command:
john shadow.txt –format=sha512crypt-opencl
Interchanging the format for whatever is relevant to your hash type. If you run john without specifying a hash format it will recognise it correctly but will default to CPU only mode rather than the OpenCL version which comes with a performance hit for most people.
All going well you should see something like this :
That tells us its working fine and has successfully found the graphics card as a processing device. Now take a break and leave it to churn through its options for as long as it takes. It won’t be fast!