Welcome back for another posting at Technolution. Please remember that the final password for today’s game is stripped from this page and replaced with Y’s. If you want the password, go do the level. Now, on to the games! Today we’re starting a new wargame on the SmashTheStack network, Blowfish. You can find information about the Blowfish wargame on its main page, here. Reading up, this game already seems a little different in the way level 1 works. Instead of ssh’ing in right away, we’re supposed to telnet to port 6666 of blowfish.smashthestack.org. Upon connecting, an encrypted password (really a password hash, as we’ll see) for level 2 is sent to us. Since it is not the plaintext, we will have to recover the original password before we can use it to ssh into blowfish as level2.
Today I’m working from Windows, so we’ll use PuTTY to get the password. Open PuTTY, choose Telnet as the connection type (the protocol differs from SSH) and specify port 6666 on blowfish.smashthestack.org. Before connecting, set “Close window on exit” to “Never”: the server closes the connection right after sending the string, and we need the window to stay open long enough to read it. Once you’re set up, go ahead and connect. Upon connecting we should see the following text:
$1$4JKI4bjj$EucGdPgVb6uc4oTUQ.mJV0
----------------------------
Crack this passwd with john the ripper
and use the password to login with
ssh level2@blowfish.smashthestack.org -p 2222
- http://iamyas.blogspot.com/2008/01/format-of-etcshadow-file.html
- http://www.openwall.com/john/
Ok, that’s straightforward. If you haven’t used John the Ripper before, download it from the link above. John is a password cracking utility; in this case we’re cracking an MD5 password hash in the /etc/shadow format. John works on password files, so the hash has to be placed in a file with the correct layout. Simply make a text file (this post calls it password.txt, the command below calls it passwd.txt; the name doesn’t matter) in the john\run directory, alongside john.exe. Lines in that file should have the format:
username:password:last_password_change:min_days:max_days:warning:inactive:expired_date
That’s a long list (and a real /etc/shadow line carries one more reserved field at the end, which is why the example below ends in seven colons), but for what we are doing the only fields that matter are username and password. So let’s put the following in our password.txt file:
level2:$1$4JKI4bjj$EucGdPgVb6uc4oTUQ.mJV0:::::::
Next, open a command prompt and change to the directory containing john.exe. From there we use the wordlist supplied with john, password.lst, to try to guess the password used for level2 (the password that, when hashed with MD5, gives the hash we received above). To do this we use the following command and get the following results:
c:\…\john179\run> john --wordlist=password.lst passwd.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
YYYYYYY (level2)
guesses: 1 time: 0:00:00:00 100% c/s: 9533 trying: YYYYYYY
Tada! Here we are. John found the password that, when hashed with MD5, gives the same password hash we had for username level2. Now we can take that password and (following the instructions we received at the start of the level) ssh to port 2222 on blowfish.smashthestack.org and log in as level2/YYYYYYY.
In today’s example we used a wordlist. That means that if the original password (in this case “YYYYYYY”) hadn’t been in password.lst, we would never have recovered it. This can be worked around with a brute force attack, and hopefully we’ll see something like that in a later level. Brute force attacks try every possible character combination (from a given character set) and so don’t need a list. However, for long enough passwords, brute forcing can take prohibitively long to find the password in the worst, or even the average, case. Note the c/s figure in john’s output above: each guess against this hash type is cheap, so the only thing protecting a password stored this way is its length and unpredictability. (If you’re interested in brute force cracking and how long things take in 2011, I’d recommend watching the Economics of Password Cracking in the GPU Era talk from DEF CON 19 by Robert “Hackajar” Imhoff-Dousharm of SanDisk Corporation.)
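To show what sits behind that $1$ line, here is an added example (written for this post; it is not john’s code or anything from the level) of the md5crypt scheme that /etc/shadow stores under the $1$ prefix: the same computation login and sshd run through PAM when checking a password, and the reason a guess costs so little, since each one is only 1000 MD5 rounds with no tunable work factor. The user, salt and password in SAMPLE_LINE are constructed, not from the level.

```python
import hashlib
import hmac
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, chars):
    """crypt(3)'s own base64 alphabet, lowest 6 bits emitted first."""
    return bytes(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(chars))

def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' in the form /etc/shadow stores it."""
    pw, salt_b = password.encode(), salt.encode()[:8]   # salt is capped at 8 chars
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for left in range(len(pw), 0, -16):                  # fold the alt sum in, 16 bytes at a time
        ctx.update(alt[:min(16, left)])
    i = len(pw)
    while i:                                             # one byte per bit of len(password)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                                # fixed 1000 rounds, no tunable work factor
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (b"$1$" + salt_b + b"$" + out).decode()

def parse_shadow_line(line: str) -> dict:
    """Split a shadow entry into user, hash id, salt and digest; the ageing fields are ignored."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[1].startswith("$"):
        raise ValueError("not a modular-crypt shadow entry")
    _, hash_id, salt, digest = fields[1].split("$", 3)
    return {"user": fields[0], "id": hash_id, "salt": salt, "digest": digest}

def verify(candidate: str, shadow_line: str) -> bool:
    """What login/sshd do through PAM: rehash with the stored salt, compare in constant time."""
    entry = parse_shadow_line(shadow_line)               # only $1$ entries are handled here
    expected = f"$1${entry['salt']}${entry['digest']}"
    return hmac.compare_digest(md5crypt(candidate, entry["salt"]), expected)

# Constructed sample entry (made-up user, salt and password) in the same layout as the level's file.
SAMPLE_LINE = "audit:" + md5crypt("correct horse", "h7Gx2Lp9") + ":::::::"
```

Modern systems store $6$ (SHA-512 crypt) or yescrypt entries with a configurable cost, so a $1$ entry in a shadow file you administer is a signal to force a password change.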
Anyway, we’ll stop there for today. Please check back later for the next level of Blowfish, as well as other wargames and postings!