All times are UTC+2

16:35
```
┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ sha256sum image.img
2d44cd82a23614c06795b8e2af802e9f0cf23249fbfd8c7d0023c088a3c32ce0  image.img
```

16:39
```
└─$ fdisk -l image.img
Disk image.img: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C9C91594-26B4-4241-A6AC-99ED6689E164

Device         Start      End  Sectors  Size Type
image.img1      2048     4095     2048    1M BIOS boot
image.img2      4096  1054719  1050624  513M EFI System
image.img3   1054720 41940991 40886272 19.5G Linux filesystem
```

16:41
```
┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ sudo mkdir -p /mnt/image_mount
└─$ sudo mount -o ro,loop,offset=540016640 image.img /mnt/image_mount
```

17:07
```
┌──(ericleh㉿kali-vm)-[/mnt/image_mount]
└─$ ls /mnt/image_mount/home
dif
```
User: dif

```
┌──(ericleh㉿kali-vm)-[/mnt/image_mount]
└─$ cat /mnt/image_mount/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:116::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:118:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:119:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
whoopsie:x:116:123::/nonexistent:/bin/false
sssd:x:117:124:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
speech-dispatcher:x:118:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
nm-openvpn:x:119:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
saned:x:120:127::/var/lib/saned:/usr/sbin/nologin
colord:x:121:128:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:129::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:130:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
hplip:x:125:7:HPLIP system user,,,:/run/hplip:/bin/false
gdm:x:126:132:Gnome Display Manager:/var/lib/gdm3:/bin/false
dif:x:1000:1000:DIF,,,:/home/dif:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
```

17:10
```
┌──(ericleh㉿kali-vm)-[/mnt/image_mount]
└─$ sudo cat /mnt/image_mount/etc/shadow
[sudo] password for ericleh:
root:!:19105:0:99999:7:::
daemon:*:18912:0:99999:7:::
bin:*:18912:0:99999:7:::
sys:*:18912:0:99999:7:::
sync:*:18912:0:99999:7:::
games:*:18912:0:99999:7:::
man:*:18912:0:99999:7:::
lp:*:18912:0:99999:7:::
mail:*:18912:0:99999:7:::
news:*:18912:0:99999:7:::
uucp:*:18912:0:99999:7:::
proxy:*:18912:0:99999:7:::
www-data:*:18912:0:99999:7:::
backup:*:18912:0:99999:7:::
list:*:18912:0:99999:7:::
irc:*:18912:0:99999:7:::
gnats:*:18912:0:99999:7:::
nobody:*:18912:0:99999:7:::
systemd-network:*:18912:0:99999:7:::
systemd-resolve:*:18912:0:99999:7:::
systemd-timesync:*:18912:0:99999:7:::
messagebus:*:18912:0:99999:7:::
syslog:*:18912:0:99999:7:::
_apt:*:18912:0:99999:7:::
tss:*:18912:0:99999:7:::
uuidd:*:18912:0:99999:7:::
tcpdump:*:18912:0:99999:7:::
avahi-autoipd:*:18912:0:99999:7:::
usbmux:*:18912:0:99999:7:::
rtkit:*:18912:0:99999:7:::
dnsmasq:*:18912:0:99999:7:::
kernoops:*:18912:0:99999:7:::
avahi:*:18912:0:99999:7:::
cups-pk-helper:*:18912:0:99999:7:::
whoopsie:*:18912:0:99999:7:::
sssd:*:18912:0:99999:7:::
speech-dispatcher:!:18912:0:99999:7:::
nm-openvpn:*:18912:0:99999:7:::
saned:*:18912:0:99999:7:::
colord:*:18912:0:99999:7:::
geoclue:*:18912:0:99999:7:::
pulse:*:18912:0:99999:7:::
gnome-initial-setup:*:18912:0:99999:7:::
hplip:*:18912:0:99999:7:::
gdm:*:18912:0:99999:7:::
dif:$1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11:19105:0:99999:7:::
systemd-coredump:!*:19105::::::
```

17:24
```
┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ python passwordgenerator.py

┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ wc -l wordlist.txt
135000 wordlist.txt
```

```
┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ hashcat -m 500 -a 0 ~/DIF/U3/hash.txt ~/DIF/U3/wordlist.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-12th Gen Intel(R) Core(TM) i5-12450H, 3800/7665 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache built:
* Filename..: /home/ericleh/DIF/U3/wordlist.txt
* Passwords.: 135000
* Bytes.....: 1080000
* Keyspace..: 135000
* Runtime...: 0 secs

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11
Time.Started.....: Tue Apr 22 17:29:59 2025 (3 secs)
Time.Estimated...: Tue Apr 22 17:30:06 2025 (4 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/ericleh/DIF/U3/wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    18907 H/s (8.32ms) @ Accel:32 Loops:1000 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 57344/135000 (42.48%)
Rejected.........: 0/57344 (0.00%)
Restore.Point....: 57344/135000 (42.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 20ghe34 -> 20gii44
Hardware.Mon.#1..: Util: 58%

$1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11:22dif04

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11
Time.Started.....: Tue Apr 22 17:29:59 2025 (3 secs)
Time.Estimated...: Tue Apr 22 17:30:02 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/ericleh/DIF/U3/wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    19006 H/s (8.37ms) @ Accel:32 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 65792/135000 (48.73%)
Rejected.........: 0/65792 (0.00%)
Restore.Point....: 65536/135000 (48.55%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 22dhi21 -> 22edg31
Hardware.Mon.#1..: Util: 41%

Started: Tue Apr 22 17:29:56 2025
Stopped: Tue Apr 22 17:30:04 2025

┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ hashcat --show -m 500 ~/DIF/U3/hash.txt
$1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11:22dif04
```
Password: 22dif04

17:40
```
┌──(ericleh㉿kali-vm)-[/mnt/image_mount/home/dif/Pictures]
└─$ find /mnt/image_mount/home/dif -type f -user ericleh ! -path "/mnt/image_mount/home/dif/snap/firefox/*"
/mnt/image_mount/home/dif/.bash_history
/mnt/image_mount/home/dif/.profile
/mnt/image_mount/home/dif/.config/pulse/5234dc9dd5494db4a3710dc83b5ff2c2-default-source
/mnt/image_mount/home/dif/.config/pulse/5234dc9dd5494db4a3710dc83b5ff2c2-stream-volumes.tdb
/mnt/image_mount/home/dif/.config/pulse/5234dc9dd5494db4a3710dc83b5ff2c2-default-sink
/mnt/image_mount/home/dif/.config/pulse/cookie
/mnt/image_mount/home/dif/.config/pulse/5234dc9dd5494db4a3710dc83b5ff2c2-device-volumes.tdb
/mnt/image_mount/home/dif/.config/pulse/5234dc9dd5494db4a3710dc83b5ff2c2-card-database.tdb
/mnt/image_mount/home/dif/.config/dconf/user
/mnt/image_mount/home/dif/.config/gnome-initial-setup-done
/mnt/image_mount/home/dif/.config/evolution/sources/system-proxy.source
/mnt/image_mount/home/dif/.config/gtk-3.0/bookmarks
/mnt/image_mount/home/dif/.config/user-dirs.locale
/mnt/image_mount/home/dif/.config/ibus/bus/5234dc9dd5494db4a3710dc83b5ff2c2-unix-wayland-0
/mnt/image_mount/home/dif/.config/ibus/bus/5234dc9dd5494db4a3710dc83b5ff2c2-unix-1
/mnt/image_mount/home/dif/.config/ibus/bus/5234dc9dd5494db4a3710dc83b5ff2c2-unix-0
/mnt/image_mount/home/dif/.config/user-dirs.dirs
/mnt/image_mount/home/dif/Pictures/schuhschnabel.png
/mnt/image_mount/home/dif/Pictures/schuhschnabel.webp
/mnt/image_mount/home/dif/.cache/update-manager-core/meta-release
/mnt/image_mount/home/dif/.cache/thumbnails/large/f80e0d12ab84915a28fb5aaa29832109.png
/mnt/image_mount/home/dif/.cache/thumbnails/fail/gnome-thumbnail-factory/7ad2315dee392038413a28992f0f1450.png
/mnt/image_mount/home/dif/.cache/thumbnails/normal/9df09d24c588502c96b8b24092d3e31d.png
/mnt/image_mount/home/dif/.cache/event-sound-cache.tdb.5234dc9dd5494db4a3710dc83b5ff2c2.x86_64-pc-linux-gnu
/mnt/image_mount/home/dif/.cache/ubuntu-report/ubuntu.21.10
/mnt/image_mount/home/dif/.cache/gstreamer-1.0/registry.x86_64.bin
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Documents.db
/mnt/image_mount/home/dif/.cache/tracker3/files/last-crawl.txt
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Audio.db
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Software.db
/mnt/image_mount/home/dif/.cache/tracker3/files/ontologies.gvdb
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Video.db
/mnt/image_mount/home/dif/.cache/tracker3/files/meta.db
/mnt/image_mount/home/dif/.cache/tracker3/files/no-need-mtime-check.txt
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23Pictures.db
/mnt/image_mount/home/dif/.cache/tracker3/files/locale-for-miner-apps.txt
/mnt/image_mount/home/dif/.cache/tracker3/files/first-index.txt
/mnt/image_mount/home/dif/.cache/tracker3/files/http%3A%2F%2Ftracker.api.gnome.org%2Fontology%2Fv3%2Ftracker%23FileSystem.db
/mnt/image_mount/home/dif/.cache/fontconfig/3917636d-c019-46a8-a24c-da108bcaf7e4-le64.cache-7
/mnt/image_mount/home/dif/.cache/fontconfig/CACHEDIR.TAG
/mnt/image_mount/home/dif/.cache/ibus/bus/registry
/mnt/image_mount/home/dif/.bashrc
/mnt/image_mount/home/dif/.bash_logout
/mnt/image_mount/home/dif/.sudo_as_admin_successful
/mnt/image_mount/home/dif/.gnupg/pubring.kbx
/mnt/image_mount/home/dif/.gnupg/trustdb.gpg
/mnt/image_mount/home/dif/.local/share/gnome-shell/gnome-overrides-migrated
/mnt/image_mount/home/dif/.local/share/gnome-shell/application_state
/mnt/image_mount/home/dif/.local/share/session_migration-ubuntu
/mnt/image_mount/home/dif/.local/share/gnome-settings-daemon/input-sources-converted
/mnt/image_mount/home/dif/.local/share/gvfs-metadata/root
/mnt/image_mount/home/dif/.local/share/gvfs-metadata/home-398431f8.log
/mnt/image_mount/home/dif/.local/share/gvfs-metadata/home
/mnt/image_mount/home/dif/.local/share/gvfs-metadata/root-6bbccab3.log
/mnt/image_mount/home/dif/.local/share/evolution/tasks/system/tasks.ics
/mnt/image_mount/home/dif/.local/share/evolution/addressbook/system/contacts.db
/mnt/image_mount/home/dif/.local/share/evolution/calendar/system/calendar.ics
/mnt/image_mount/home/dif/.local/share/keyrings/login.keyring
/mnt/image_mount/home/dif/.local/share/keyrings/user.keystore
/mnt/image_mount/home/dif/.local/share/Trash/files/schuhschnabel (copy).png
/mnt/image_mount/home/dif/.local/share/Trash/info/schuhschnabel (copy).png.trashinfo
/mnt/image_mount/home/dif/.local/share/nautilus/tags/ontologies.gvdb
/mnt/image_mount/home/dif/.local/share/nautilus/tags/meta.db
/mnt/image_mount/home/dif/.local/share/nautilus/tracker2-migration-complete
/mnt/image_mount/home/dif/.local/share/recently-used.xbel
/mnt/image_mount/home/dif/Downloads/firefox.tmp/tmpaddon

┌──(ericleh㉿kali-vm)-[/mnt/image_mount]
└─$ cd home/dif/Pictures

┌──(ericleh㉿kali-vm)-[/mnt/image_mount/home/dif/Pictures]
└─$ ls
schuhschnabel.png  schuhschnabel.webp

┌──(ericleh㉿kali-vm)-[/mnt/image_mount/home/dif/Pictures]
└─$ open schuhschnabel.png
```

17:48
```
┌──(ericleh㉿kali-vm)-[/mnt/image_mount/home/dif/Pictures]
└─$ sudo umount -l /mnt/image_mount
```

17:50
```
┌──(ericleh㉿kali-vm)-[~/DIF/U3]
└─$ sha256sum image.img
2d44cd82a23614c06795b8e2af802e9f0cf23249fbfd8c7d0023c088a3c32ce0  image.img
```

---END---
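The shadow dump above is the security-relevant finding of this log: the only password-enabled account uses md5crypt (`$1$`), which is why a 135k-word list recovered it in seconds. As an added example (not part of the original lab log), this script audits shadow entries from a mounted image, names the hash algorithm from the `$id$` prefix, flags weak or empty fields and converts the "last changed" day count to a date. The sample lines are copied from the log's output; the weak/strong classification table is my own assumption.

```python
# Added example (not from the original lab log): audit shadow entries from a
# mounted image, flagging weak hash algorithms such as the md5crypt ($1$) hash
# that hashcat mode 500 recovered above. Sample lines are copied from the log.
from datetime import date, timedelta

SAMPLE_SHADOW = """\
root:!:19105:0:99999:7:::
daemon:*:18912:0:99999:7:::
dif:$1$Al1JOy/e$nSQ5CgVYrz2WTfoeXQwH11:19105:0:99999:7:::
systemd-coredump:!*:19105::::::
"""

# crypt(3) $id$ prefixes -> (name, considered weak). Unlisted ids are flagged.
HASH_IDS = {"1": ("md5crypt", True), "2y": ("bcrypt", False),
            "5": ("sha256crypt", False), "6": ("sha512crypt", False),
            "y": ("yescrypt", False)}

def days_to_date(days):
    """Shadow 'last changed' field: days since 1970-01-01 (may be empty)."""
    return date(1970, 1, 1) + timedelta(days=int(days)) if days else None

def classify(field):
    """Return (state, algorithm, weak) for one shadow password field."""
    if field == "":
        return "empty", None, True          # passwordless: always a finding
    if field[0] in "!*":
        return "locked", None, False        # ! / * / !* : no password login
    if field.startswith("$"):
        name, weak = HASH_IDS.get(field.split("$")[1], ("unknown", True))
        return "hashed", name, weak
    return "hashed", "descrypt", True       # legacy 13-char DES crypt

def audit_shadow(text):
    """Map user -> dict(state, algorithm, weak, last_changed) for shadow text."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        user, pw, changed = line.split(":")[:3]
        state, algo, weak = classify(pw)
        report[user] = {"state": state, "algorithm": algo, "weak": weak,
                        "last_changed": days_to_date(changed)}
    return report

def weak_accounts(text):
    """Sorted names of accounts whose password field needs follow-up."""
    return sorted(u for u, r in audit_shadow(text).items() if r["weak"])

if __name__ == "__main__":
    for user, r in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:18} {r['state']:7} {r['algorithm'] or '-':12} "
              f"weak={r['weak']} changed={r['last_changed']}")
```

Run it against the full `/etc/shadow` read from the read-only mount to get the same table for every account; the `last_changed` dates (2021-10-12 for the system accounts, 2022-04-23 for `dif` and `root`) line up with the install and later setup of the image.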