passCrackHelper - Automate Password Strength Checks for Compliance and Host Build reviews

I needed the other day to test the strength of a server's user passwords for a host build review.
A similar result can normally be achieved by checking the password policy on Unix with the command

sudo chage -l SomeUserName

However, that command does not rule out that a user chose a weak password. The method below does not rule it out either, but it at least verifies that users did not pick a dictionary-based passphrase such as Password@!

Necessary inputs:
  • hostsList: list of IP addresses or hostnames of the hosts undergoing the assessment, one per line
  • clientProvidedPw: password to authenticate to the hosts for the build review
  • clientProvidedUn: username to authenticate to the hosts for the build review
  • companyCommPw: any generic password dictionary, or a list of common passwords you know have been compromised in the past and wish were no longer used

#!/bin/bash
#passCrackHelper - a script to facilitate password dump and crack for unix systems

#Version: 0.0.1 - so bad that I wouldnt even call it beta
echo "
passCrackHelper - a script to facilitate password dump and crack for unix systems
Author: https://uk.linkedin.com/pub/simon-cecchini/28/bb3/a83
Version: 0.0.1 - so bad that I wouldnt even call it beta"

#Date and random suffix shared by every file this run produces
random=$RANDOM
day=$(date +"%y-%m-%d")
report="crackedPw_${day}_${random}"

for i in $(cat hostsList); do
  echo "working on $i"
  #$i must be written as ${i} here: bash would otherwise read $i_ as an (empty) variable
  hashfile="hashes_${i}_${day}_${random}"

  #Retrieving passwd File
  #echo "sudo cat /etc/passwd"| sshpass -p "clientProvidedPw" ssh -o StrictHostKeyChecking=no clientProvidedUn@$i | grep ":" > testPasswdGargage
  sshpass -p "clientProvidedPw" ssh -t -o StrictHostKeyChecking=no clientProvidedUn@$i cat /etc/passwd | grep ":" > testPasswdGargage

  #Retrieving shadow File (needs sudo on the remote host)
  #echo "sudo cat /etc/shadow"| sshpass -p "clientProvidedPw" ssh -o StrictHostKeyChecking=no clientProvidedUn@$i | grep ":" > testShadowGargage
  sshpass -p "clientProvidedPw" ssh -t -o StrictHostKeyChecking=no clientProvidedUn@$i sudo cat /etc/shadow | grep ":" > testShadowGargage

  #Unshadowing the passwords
  unshadow testPasswdGargage testShadowGargage > "$hashfile"

  #Saving host IP in final report
  echo "$i" >> "$report"

  #need this loop because John gave me so many false negative problems otherwise
  #(read line by line: a for over $(cat ...) would split an entry at any space in its GECOS field)
  while IFS= read -r j; do
    printf '%s\n' "$j" > currentHashBeingCracked
    #john --wordlist=companyCommPw "$hashfile"
    john --wordlist=companyCommPw currentHashBeingCracked
    #john --show "$hashfile" >> "$report"
    john --show currentHashBeingCracked | grep ":" >> "$report"
  done < "$hashfile"

  echo "file saved in $hashfile"
done
echo "cracked passwords are in $report"

You might want to include clientProvidedPw in the list of passphrases to try, to check that the script actually works as expected. Afterwards the final output has to be sanitized, to remove the assessment account, with a command similar to the following:

grep -v clientProvidedUn crackedPw_$(date +"%y-%m-%d")_$random > finalOutput.txt
Readme file below:

*****************************
passCrackHelper - a script to facilitate password dump and crack for unix systems
Author: https://uk.linkedin.com/pub/simon-cecchini/28/bb3/a83
Version: 0.0.1 - so bad that I wouldnt even call it beta
*****************************

Necessary inputs:

- hostsList: list of IP addresses or hostnames of the hosts undergoing the assessment, one per line

- clientProvidedPw: password to authenticate to the hosts for the build review

- clientProvidedUn: username to authenticate to the hosts for the build review

- companyCommPw: any generic password dictionary, or a list of common passwords you know have been compromised in the past and wish were no longer used


Although no particular damage is foreseen, run this script at your own risk and make sure you understand what it does before launching it against your targets.


Replace the username, the hostsList file name and the companyCommPw file name either manually or with a sed command line, e.g.

sed -i -- 's/clientProvidedUn/pentestroot/g' passCrackHelper.sh

The password should be changed manually in the script and removed afterwards.
You need to install sshpass before running the script.


While the script runs you will see some errors returned by John the Ripper. They are expected, because not all users on the system have a password hash.


"testPasswdGargage" and "testShadowGargage" are two temporary files into which the script copies the remote passwd and shadow files locally before unshadowing them. The unshadowed hashes go to a file whose name starts with hashes_ and ends with the date and random number; this is another temporary file that can be removed after the tool has finished running.


"currentHashBeingCracked" holds the single hash john is processing at a time. I had to use this temporary workaround (still researching...) because john was skipping many hashes when the whole unshadowed file was given as input.


While the script is running, you can see in real time which passwords have been cracked so far by reading the file crackedPw_date_random.
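As an added example (not the author's script), the helper below covers two points from the notes above: it sorts the unshadowed entries into those with a real hash and those john will reject (locked or empty password fields, the source of the expected errors), and it builds the sanitized report from crackedPw_date_random matching the assessment account on the user field only, whereas grep -v drops every line that merely contains the username. The sample files, their contents and the username pentestroot are constructed for the demo.

```shell
#!/bin/bash
# Helper added here; it is not part of passCrackHelper. It separates the entries
# of an unshadowed file that carry a real hash from the locked/passwordless ones
# that make john complain, and builds the final report without the assessment
# account. File names and contents below are constructed for the demo.

# Constructed sample of unshadow output (user:hash:uid:gid:gecos:home:shell)
cat > sample_unshadowed.txt <<'EOF'
root:$6$saltsalt$AAAA:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pentestroot:$6$saltsalt$BBBB:1000:1000:audit account:/home/pentestroot:/bin/bash
svc_backup:!!:1001:1001::/var/backup:/sbin/nologin
alice:$1$saltsalt$CCCC:1002:1002:Alice:/home/alice:/bin/bash
bob::1003:1003:Bob:/home/bob:/bin/bash
EOF

# Constructed sample of a crackedPw_date_random file: a host line, then the
# john --show lines (user:plaintext:uid:gid:gecos:home:shell) for that host
cat > sample_crackedPw.txt <<'EOF'
10.0.0.5
root:Password@!:0:0:root:/root:/bin/bash
pentestroot:Audit123:1000:1000:audit account:/home/pentestroot:/bin/bash
10.0.0.6
alice:Password@!:1002:1002:Alice:/home/alice:/bin/bash
EOF

# Entries whose second field is a crypt(3) hash ($id$salt$digest): these are
# the only lines worth handing to john.
crackable_entries() {
  awk -F: '$2 ~ /^\$[0-9a-z]+\$/' "$1"
}

# Entries john cannot load: locked (*, !, !!) or an empty password field.
# An empty field is itself a finding (an account with no password at all).
uncrackable_accounts() {
  awk -F: '$2 !~ /^\$[0-9a-z]+\$/ { print $1 ":" ($2 == "" ? "EMPTY" : "LOCKED") }' "$1"
}

# Final report as "host user weak-password". The plaintext is dropped and the
# assessment account is matched on the user field only.
final_report() {   # $1 = crackedPw file, $2 = assessment username
  awk -F: -v audit="$2" '
    NF == 1 { host = $1; next }                 # line without ":" = host header
    $1 != audit { print host, $1, "weak-password" }' "$1"
}
```

Feed only the output of crackable_entries to john and keep the uncrackable_accounts list as part of the review; final_report replaces the grep -v step.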


Remember to remove all temporary files after the tool has finished running (they are located in the same folder as the tool).