Introduction

Goal: find the password for the suspect’s computer.

If you do not have them, download the packed disk images from the previous session. Attach one of the images as a disk to your Linux virtual machine and run it. If you have enough space and time, copy the disk (replace /dev/sdb with the actual device), attach the loop device and mount the first partition:

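sudo su
# Copy the whole disk into an image file (as root, ~ is /root)
cat /dev/sdb > ~/windows_disk.img
# Map the partitions in the image; -v prints the names of the devices created
kpartx -av /root/windows_disk.img
# kpartx creates them under /dev/mapper; use the loop number it printed
mount -o loop /dev/mapper/loop0p1 /mnt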
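
An added example (not part of the original handout) of making the copy so that it can later be shown to be unaltered: the source is hashed while it is copied, the image is re-read and compared, and the hash is stored beside it. The function names acquire and verify are assumptions of this example; sha256sum comes from coreutils.

```shell
#!/bin/sh
# Added example. SRC stands for the attached disk (/dev/sdb in the text),
# IMG for the image file. Reading a real device requires root.

# acquire SRC IMG: copy SRC to IMG, confirm the copy, record its hash.
acquire() {
    src=$1
    img=$2
    # One pass over the source: tee writes the image while sha256sum
    # hashes exactly the bytes that were read.
    src_hash=$(tee "$img" < "$src" | sha256sum | cut -d' ' -f1)
    # Re-read what actually landed on disk; a short or failed write shows up here.
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "copy of $src does not match the source" >&2
        return 1
    fi
    # Sidecar file in the format that sha256sum -c understands.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"   # guard against accidental writes
    echo "$img_hash"
}

# verify IMG: succeed only if IMG still matches the recorded hash.
verify() {
    img=$1
    ( cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256" ) >/dev/null 2>&1
}

# Usage: acquire /dev/sdb /root/windows_disk.img
#        verify /root/windows_disk.img    (before and after the analysis)
```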

If you do not have enough space or time, you can destroy evidence by directly mounting the partition:

mount /dev/sdb1 /mnt

Cracking passwords

Windows 7 and earlier store password hashes in the file C:\windows\system32\config\SAM. You can read more here:

How do you get the passwords? Easy! Use ophcrack, a program that cracks passwords using rainbow tables:

apt install ophcrack ophcrack-cli unzip

You also need to download the tables. The required tables xp_free_small and xp_free_fast are also available from the local server polz.si.

Unzip the files:

unzip tables_xp_free_fast.zip
unzip tables_xp_free_small.zip

Run ophcrack. Click the Tables icon and then Install. Select the directory with the unpacked tables.

Click the Load icon and choose Encrypted SAM. Navigate to /mnt/windows/system32/config and click Crack. Wait a few seconds. You should get the password.

Your task is now done. Clean up after yourself: close all programs and terminals in which the /mnt directory or one of its subdirectories is open, then unmount the disk:

umount /mnt

If you have used kpartx, also detach the disk image:

kpartx -d /root/windows_disk.img

Logging in to Windows

If you are bored, you can destroy the evidence. Boot a virtual machine from the disk truplo1.vdi and use the passwords you have discovered.

If you cannot find the password but still want to log in to a Windows machine, you can use the tool chntpw to reset the password:

apt install chntpw
cd /mnt/WINDOWS/system32/config
chntpw -i SAM System Security

Choose the user and set the new password.

Encore: cracking Unix passwords

If you managed to solve the task too quickly due to overly detailed instructions, you can attempt to find the user passwords in the file /etc/shadow with the following contents:

student:$6$B18NDQmp$0c21HLddW7CxXh0W1S24TN4L.wfVkhqaXtf489ai/mT6n0Ov7osEb5.aKVxKyQ6j.38OMrKXv7AQ9jiUcVimA.:17948:0:99999:7:::
test:$6$VdV5y2gl$YxpYuwcVZHSXiv0N4yzmF8PspBeIK8QLdGJZzYFuKRjkfc82DhaS5fQeuOt0q9APDPLeSMTzt8BtxI2Bwo/hH.:17948:0:99999:7:::
john:$6$7CxX6vB2$BS5J1Ch4zwiIG2w/DJ48vwNm7V8iv/PGHBhfZoX9dYX8FqkX2WcbIuGy7W0AXhDme46jpOrM5QI/hFdby3ji40:17982:0:99999:7:::
sam:$6$kawol/fc$b9zvgpBGB46Ju9YZlvYKbfsOBSzT/4xH.hZUbDRQTnHSn4BBqg1XNDlHmNyfYUPLqlGNF7uceviGc7hOznRCF0:17982:0:99999:7:::
mike:$6$k51atM5t$drdibMMoXmGGQZuqoC/iXQFHdg6L8oNfGXwsXkVj0.r7RHBgTt0GZBvrQyfvlMqZOBrsUC43v8usx1tRiyfoF.:17982:0:99999:7:::
bob:$6$ttp5oC25$mVVqVDAxa5ef0yqOcm1Gzp/1VNADPAgLSKhHsATHZI76j.kV/uXxBvxOjxmU3VRcvdPgAwkHY.aAfAJaweKKD/:17982:0:99999:7:::

You can use the venerable John the Ripper password cracker.
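
The hash field of each line above encodes the scheme and a per-user salt, which is why the precomputed tables used on the SAM file are of no help here. An added example, not part of the original handout, that parses such lines and reports scheme, salt, rounds and the date of the last password change; the function names are hypothetical and date is assumed to accept -d @SECONDS (GNU or BusyBox).

```shell
#!/bin/sh
# Added example: report how each /etc/shadow entry is protected.

# scheme_name ID: name the crypt(3) scheme behind a $ID$ prefix.
scheme_name() {
    case $1 in
        1)        echo md5crypt ;;
        2a|2b|2y) echo bcrypt ;;
        5)        echo sha256crypt ;;
        6)        echo sha512crypt ;;
        y)        echo yescrypt ;;
        *)        echo unknown ;;
    esac
}

# audit_shadow_line LINE: print "user scheme salt rounds last-change".
audit_shadow_line() {
    # Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    IFS=: read -r user hash lastchg _ <<EOF
$1
EOF
    case $hash in
        '')        echo "$user empty-password - - -"; return 0 ;;
        '!'*|'*'*) echo "$user locked - - -"; return 0 ;;
    esac
    # Hash field: $id$salt$digest or $id$rounds=N$salt$digest
    IFS='$' read -r _ id f3 f4 _ <<EOF
$hash
EOF
    scheme=$(scheme_name "$id")
    case $scheme in
        sha256crypt|sha512crypt)
            case $f3 in
                rounds=*) rounds=${f3#rounds=}; salt=$f4 ;;
                *)        rounds=5000; salt=$f3 ;;  # default without rounds=
            esac ;;
        *)  rounds=-; salt=- ;;                     # other layouts not decoded here
    esac
    # lastchg counts days since 1970-01-01
    changed=-
    if [ -n "$lastchg" ]; then changed=$(date -u -d "@$((lastchg * 86400))" +%F); fi
    echo "$user $scheme $salt $rounds $changed"
}

# audit_shadow FILE: one report line per account.
audit_shadow() {
    while IFS= read -r line; do
        [ -z "$line" ] || audit_shadow_line "$line"
    done < "$1"
}
```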

Last modified: Friday, 10 May 2019, 11:08