2013-06-21

Olde-school DES Cracking

I like old computers. I like playing with different operating systems, including old ones. A year and a half ago, give or take, I received an SGI Indy from someone who was cleaning out the shed. This was a low-end machine from SGI, but a relatively high-end workstation by most standards of the era, meant for people doing 3D design and CAD work. This one was made in 1996, about a year before the product line was discontinued.


I've never used IRIX (Silicon Graphics' implementation of UNIX) before, but when the machine booted, I was presented with a graphical account chooser, not too different from what you might see on a modern computer (except lacking 20 years of graphical finesse). Of course, the first account I try to get into is root, because I would like to actually get this machine on the network. I cannot. I try a few other accounts until I come across one without a password. Then, I checked out /etc/passwd and found that the hashes weren't even shadowed. You can see several accounts don't have passwords at all.
When you encounter password hashes like this, they're traditional salted DES passwords. I haven't actually cracked DES passwords since 1996 or so. By the time I got my first job in information security (early 2000), password shadowing was common practice, and better hashing algorithms were in place.
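As an added illustration (not code from the original post), here is a small Python audit script for a passwd file that looks like the one above: it flags accounts with no password at all and accounts still carrying traditional 13-character salted DES crypt hashes, the two conditions found here. The sample passwd lines are constructed, not copied from the Indy.

```python
import re

# Alphabet of traditional crypt(3) output: ./0-9A-Za-z
_CRYPT_CHARS = "[./0-9A-Za-z]"
# Traditional DES crypt hashes are exactly 13 chars: 2-char salt + 11-char hash.
_DES_RE = re.compile(rf"^{_CRYPT_CHARS}{{13}}$")

def classify_hash(field: str) -> str:
    """Classify the password field of one passwd entry."""
    if field == "":
        return "empty"        # no password: anyone can log in as this user
    if field == "x":
        return "shadowed"     # real hash lives in /etc/shadow (not world-readable)
    if field.startswith(("*", "!")):
        return "locked"       # can never match any crypt() output
    if _DES_RE.match(field):
        return "des"          # traditional salted DES: 12-bit salt, 8-char max password
    if field.startswith("$"):
        return "modular"      # $1$ MD5, $5$/$6$ SHA-crypt, $2y$ bcrypt, ...
    return "unknown"

def audit_passwd(text: str) -> list:
    """Parse passwd-format text and return one finding per exposed or weak entry.

    Each finding is (user, uid, kind, salt); salt is the 2-char DES salt or None."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue              # malformed entry; not a passwd line
        user, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_hash(pw)
        if kind in ("empty", "des"):
            salt = pw[:2] if kind == "des" else None
            findings.append((user, int(uid), kind, salt))
    return findings

# Constructed sample in the shape of an unshadowed IRIX-era /etc/passwd.
# The hash value is made up and does not correspond to any real password.
SAMPLE_PASSWD = """\
root:Ab3x8Kq2L9mPo:0:0:Super-User:/:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
lp:*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
"""

if __name__ == "__main__":
    for user, uid, kind, salt in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:8} uid={uid:<4} {kind:6} salt={salt}")
```

Anything it reports as "empty" or "des" is an account to lock or rehash before the box goes on a network.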

I had a Kali Linux VM running on my laptop already, so I scribbled the password hash on a piece of paper, then re-constructed a fake password file from this one line and set John The Ripper loose on it.

In the meantime, I tried some tricks from the console to get the machine to boot up in single user mode, but I was faced with quite a bit of adversity. Official single user mode required the root password, and attempts to bypass the root password (like calling a shell for init) didn't work.

Trying to load a shell as a kernel, obviously, wouldn't work, but it didn't stop me from trying, thus causing a panic and crash.

A short while later, I heard a noise on my laptop, and saw this:
That password worked just fine, and I was on my merry way.

Humorously, a few folks also tried cracking the same password on their equipment. One ended up finding it in under 2 minutes with 4 threads on an i5-2400 desktop; Fritz smashed it in a mere 13 seconds on a 32-core VM. I should probably see how fast JTR would get it on the laptop natively, with 4 threads outside a VM, but I'm not going to bother with that.

Now I just need to get Fusion installed on this IRIX box so I can reproduce the cheesy scene from Jurassic Park.
