Python programming and video tutorials. In the last couple of videos we've been checking out how we could possibly crack a Unix user account password. These last few modules in Python we've been checking out have been Unix-specific services; that's kind of been the theme for these last few videos. We've been looking at spwd, the shadow password database, and before that pwd, which was the regular password database, and those two things were kind of very different.

If you recall, the pwd database was reading all these things out of a file in the Unix directory and file system, /etc/passwd, for password. That was world-readable: we, as any user, could check it out. If I cat that file, passwd, you'll notice that we can read all the user stuff, and foobar, a user that we have already created and have been playing with, is available there. In the documentation it shows us these different attributes and things that were all returned to us, and normally it would show us the encrypted password. The thing is, there was a note here that we were checking out: normally, or at least in some cases, modern Unix systems have a so-called shadow password system, so the password field is not visible; it's replaced with the letter x in most cases, and instead the encrypted password is stored in /etc/shadow, which is not world-readable. You can see right here in our example, yeah, foobar is x, so that's not what we wanted; we wanted /etc/shadow.

So we moved on to the spwd module, and this would show us the encrypted password. Now remember, this is root, or at least you have to be able to use it as root; it's not world-readable. So if I were to run sudo cat /etc/shadow, now we can read it, and we see all the same users, and for our foobar user right down here we can see his encrypted password.
You may have noticed, or I don't know if you would notice, but I'm just gonna tell you right up front that I did some more toying around in between recordings of these videos, so I have a different encrypted password, but it is still the same raw password, apples.

All right, back to what we were looking at. The same note that was telling us about this change with /etc/passwd and /etc/shadow, the shadow password system and the regular password system, tells us that the password field usually contains a password encrypted with this DES-derived algorithm, and it links us to this module, crypt, and that's what we're gonna be toying with in this video.

So here, check this out: crypt is a function that checks Unix passwords. The module implements an interface to the crypt routine, which is a one-way hash function based upon a modified DES algorithm. You can check out the man page for more details if you're interested, but the possible uses kind of let us use Python to test and try, and at least follow through with accepting typed passwords from the user, and attempt to crack Unix passwords with a dictionary. That's pretty cool; that sounds like what we want to be doing here.

This module only has one function, so I guess you could kind of consider it a function rather than a module, but yeah, it includes the function crypt, and it takes two arguments, word and salt. Word will usually be the user's password as typed at the prompt or in a graphical interface, so it's kind of like the raw data, the simple plain text password, and salt is usually a random two-character string which will be used to perturb the DES algorithm in one of 4096 ways. Now, the characters in salt must be in the set from A to Z or zero to nine, alphabetical letters and numeric digits. It will return the hashed password as a string, which will be composed of characters from the same alphabet and set as the salt.
So normally, and I'll try and show you an example of this, we would have a password encrypted like this, and the first two letters, let's say fk (I don't really know why I chose the two letters f and k), those two letters would be the salt, and that's what you would pass in there. But I want to bring your attention to a little bit more of the documentation. There's a note here at the bottom that says, since a few of the crypt extensions allow different values, with different sizes in the salt, it's recommended to use the full crypted password as the salt when checking for a password. So that's what we're gonna do.

Okay, so let's get to it. Let's build a script that will do this, looping through a dictionary and actually trying to break and crack this Unix password that we set up for our foobar user. So we need a dictionary. Now, I want to show you just how easy this is. I'm gonna go on Google, because, you know, the internet is our best resource, and we'll look for a dictionary file. You look through some of these results here, and I want to find someone that's doing the same thing I am, and this guy here, it sounds like, on Stack Exchange: "Where can I find good dictionaries for dictionary attacks?" So we'll check that out, and it looks like, yeah, he kind of has the same thing that we're doing, wants to play with a dictionary attack, and hey, this first response gives us some links. So let's check those out, follow those, and boom, we've got some dictionaries that come with common tools and cracking utilities. I see John the Ripper there, which is a pretty common and well-known tool and utility for this sort of thing. So hey, there's a compressed file here, so I'll open that up with my archive manager, I'll extract the file, and you can see all of these pretty common, you know, passwords. I'll shrink it down so I can show you more. So we'd be able to loop through this list and hopefully find our password, right?
Let's try it out. I'm actually gonna save this as a new file; I'll call mine passwords.txt, and I might already have a... yeah, I already have an example of this, so just replace that, close out of this, and now we'll get to our script editor or text editor and actually start to write the script. I've got Sublime Text open, I'm gonna create a new one, I'll call mine passwords crack dot py, and here we go.

I'm gonna use colorama, actually, to display things out in color in the terminal so it looks a little bit more professional. You can do this if you'd like; it's entirely up to you. This video might turn into a longer video, since we're gonna be writing this code as well as doing the demonstration and experimenting and playing with it, so I hope you don't mind me, but here we go. From colorama, I want to import everything, import Fore as colors, and actually, since we need to be the root user to be able to read through the /etc/shadow file, right, we're actually gonna be importing the os module as well, so we can test what our user identification number is. I'm actually gonna include that straight away: from os import getuid. That's the function that'll get the user ID of this process. And then of course we need the crypt function from our crypt module.

So let's define a simple main function, go through with the normal Python boilerplate code, and here we go. Let's test first of all if getuid is equal to zero. Now, most of you may know that the root user has a user ID value of zero; anyone else does not. So if I, in the shell, echo out my user ID variable, you can see that right now it's a thousand. If I try and run sudo echo user ID variable, so I run this as root... oh, I might need to be in bash, actually, for that. In a bash shell now, if I echo my user ID, I am zero, and you can see I'm logged in as root here. So okay, just a small demonstration for that, and we'll get back to it. If the user ID is zero... actually, we'll print out if it's not zero. What we can do is we can print out colors
yellow, "you must be root to run this utility", something real simple, and then we'll exit out with a one, so we know that it's an error code rather than zero for success. Let's see this in our code, if we can get it to work. chmod, I run password track dot py... oh, I do need my shebang line, how could I forget. Now I run this... oh, the name is passwords crack rather than password track, so that was an old file that I was using to kind of review this lesson and review this tutorial. So I just removed that, and now we should be able to run passwords crack. Okay, cool, and I must be root to run this utility.

So if I'm not, then we can just say print, I'll do colors dot blue or something, and then we'll actually allow them to... sure, we take an argument, that would be kind of cool. Yeah, let's take arguments. So from sys import argv; that's all we really need. If the length of argv is less than or equal to one, we'll ask with raw_input. We'll use yellow as a prompt here as well; I mean, that's what I'm gonna do, it's entirely up to you, you're the one writing this script, not me. I'll actually print it out, and what I do after, since that's gonna be a long line, is colors dot reset, to reset the thing. Let's try it. We'll say username is equal to what they enter. Let's see how it works: must be root, okay, I'll run it with sudo. "What user should we try and crack the password for?" Let's say foobar. Okay, cool, reset does work: "cracking Unix password for user foobar". Awesome. I'll change this to yellow.

So that's really simple, and that'll work just fine for us. And else, let's say username can equal argv one, since argv zero would be the name of the program. So now we can of course run sudo passwords crack without any arguments, and foobar will work for us, and we can run it with the username foobar and then it'll, okay, "trying to crack the password for Unix user foobar". Sweet. So now we've got some kind of pre-established stuff going on. Let's say that the dictionary file, dict file, can equal open passwords.txt, and we want to look
through this and also test for what everything is. We also need, of course, the password for our user, so I actually forgot to include that. Let's say from spwd import getspnam; I think that's it, yeah. So let's say encrypted password can equal getspnam for the username, which would in this case be foobar, and I just want to print that out: "password looks to be", and the encrypted password. So let's check this out... oh, can't concatenate those. Let's say we want that actually to be index one, because remember, in our IDLE process, when I showed you this example in IDLE, what we had was import spwd, spwd dot getspnam; remember this returns a struct object for us. Okay, now that I'm logged in to a Python terminal as root, we can try this. So if I ran it for foobar, we'd get this struct, and the second index in there was the password that we wanted. So when we subtract one from that, because of our computer offset, we start counting from zero, we get one, so that's what we're using there. So "encrypted password looks to be"... now we can run this, all that. Okay, cool.

So now we'll actually start to loop through it and crack it. For password in dict file dot readlines, we'll actually test for new password, and we'll say that can equal crypt of password, because remember this would be the word, the plain text that we're looking at, and then the encrypted password as our salt; we want the full thing to work through there. Then we'll print out some nice... sorry, I hope you guys don't mind me doing random formatting for how I want the script to look. We'll just have a small little output for what password we're looking at at the moment, and we'll test: if the new password is the same as the encrypted password, that means, okay, we got the crack. So we'll display out there "password found", all that stuff, print reset, the cracked password; we can say "the cracked password is" password, and I'll add a
little color there, colors dot... or something; it's up to you guys, you're the programmer here. And else, we can say we did not find it, so in that case we would say "password failed", and we'll just keep going along. Just like that we would break out, and then at that point we're done, so we can just exit with a... or, before we break out, we can say "no password crack was found, try another dictionary file". It'll exit with a one, so it's an error message, well, not an error message, but, you know, a failure flag.

Okay, so it looks like we kind of got our loop going on in our simple detection setup, but I kind of actually want to know how many we go through until we find the password, because it would be kind of cool. So let's set up a count variable to keep track of all this stuff. If we didn't find the password, then count will increase. So I set it up, initializing right above our loop, and then if we don't get it, then we're gonna increment it, and remember to concatenate that to a string, since it is an integer right now. Okay, so now it just simply displays how many passwords we tried to go through.

So let's try and play with this now; hopefully we get something cool. If I run it without being root, remember, it tells us you need to be root to run this utility, so we run it with sudo, and we want to crack the password for foobar. So now it's gonna loop through all of these and try to actually find our password. You can see it's going crazy right now trying to look for it, and hopefully it gets it. If it doesn't, I mean, hey, it might go through all the stuff and not get it, but you know what's interesting here, actually, is, see how the ellipsis right here is on a different line than the password? Oh, you know what I'm thinking, you know what you should be thinking: take a look at our passwords thing here, the password variable. This is likely including what is included in the text file. Of course, if I fire up passwords.txt, there is of course a newline character from one
password to the next. So what we will have to include here is the rstrip function for our password. We can say password is going to equal the same password that it was, with the very end of it and the newline characters stripped away, so password dot rstrip. Now we run this, and hey, we're gonna get some good stuff. Let's say we want it for foobar, and hey, "password found", it took 354 different attempts to find it, "the cracked password is apples". Sweet. Looks like our color coding got a little funky there; that's okay, we can fix it right away. But dude, look at that, we got the password. We're able to find it with a dictionary attack, doing the same method of encrypting what we would think the password to be from the dictionary, and using the encrypted password as the salt, or as kind of what we're comparing it to and what we're using to encrypt.

So that's kind of cool, right? We just cracked the really insecure, of course, kind of unsanitary, or not that secure password, but we got apples, we got it. If I try it for my own account, it'll go through all this stuff and there's no way it's gonna find anything, because I would never use a dictionary word as my password. But since our script is kind of nice, it'll tell us that we weren't able to get it, and yeah, you should try another dictionary attack. But even then, it's the hope that the user is using a common password, or a common dictionary word, or, I don't know, not all these are dictionary words, so I guess it's kind of a different thing, but common passwords, and mine is nowhere near a common password. But yeah, like I said, our script will tell us very nicely that, well, we couldn't find it, and to try another dictionary file if you are really trying.

One of the cool things it might be able to do, if you want to work with this a little bit more: you see how it's always outputting a new line every single time? That probably takes a lot of screen space; it's outputting a ton of stuff. We could
just have it display on the same line, and just kind of flush the output, and put it on the same line over and over and over again, kind of like apt does when you're trying to install something. I don't know, there's a lot of opportunities for it.

But this is a simple script that will make sure that you're root, so you'll have the ability to look at the user's password, which I know isn't exactly cracking or hacking, because you have that caveat, but for this educational and learning experience, so you know how to do it, that's okay. And of course you need the os module to test your user ID to make sure you are root. We played with our command-line arguments; we didn't really have to, but I think it was kind of nice to add to our script. And colorama of course adds a nice output for us, even though it was probably really annoying when I was just trying to add those colors here and there. And of course spwd, our password database, to actually get what the encrypted password is.

So cool, I think I'm done. I think that's all that I wanted to show you guys in this one. I hope you guys were able to walk through this tutorial and program with me. I know it's been kind of long, but hopefully it was well worth it and really a cool learning experience for these last few videos. So thanks again for watching, guys. Hope you enjoyed it. If you did, maybe like the video, maybe leave me a comment or constructive criticism, and if you're feeling up for it, subscribe; you know I'd love that. See you soon.
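
Added example (not from the video or the Python documentation): the documentation note mentioned above recommends passing the full crypted password as the salt, and this sketch shows why that works by parsing shadow-style password fields, where the scheme and salt sit at the front of the field, and flagging legacy schemes an administrator would want rehashed. It goes beyond the two-character DES case to the modular crypt format ids from crypt(5); the function names, the set of flagged schemes and the sample lines (with dummy hash bodies) are assumptions constructed for illustration.

```python
# Added example: classify the password field of /etc/shadow-style lines.
# All sample entries are constructed; hash bodies are dummy text.
MCF_SCHEMES = {  # modular crypt format ids, see crypt(5)
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
}
WEAK = {"descrypt", "md5crypt", "empty"}  # assumption: what to flag

def parse_field(field):
    """Return (scheme, salt) for one shadow password field."""
    if field == "":
        return ("empty", None)            # no password set
    if field[0] in "!*":
        return ("locked", None)           # password login disabled
    if field.startswith("$"):
        parts = field.split("$")          # ['', id, salt or params, ...]
        if len(parts) < 3:
            return ("unknown", None)
        scheme = MCF_SCHEMES.get(parts[1], "unknown")
        if scheme in ("bcrypt", "yescrypt") or parts[2].startswith("rounds="):
            # a cost/params segment sits before the salt
            salt = parts[3] if len(parts) > 3 else None
            if salt and scheme == "bcrypt":
                salt = salt[:22]          # bcrypt: 22 salt chars, then hash
            return (scheme, salt)
        return (scheme, parts[2])
    if len(field) == 13:
        return ("descrypt", field[:2])    # traditional: 2-char salt prefix
    return ("unknown", None)

def audit(shadow_text):
    """Map user -> (scheme, salt, flagged) for each shadow line."""
    report = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme, salt = parse_field(fields[1])
        report[fields[0]] = (scheme, salt, scheme in WEAK)
    return report

SAMPLE = """\
root:!:19000:0:99999:7:::
legacy:fkXXXXXXXXXXX:19000:0:99999:7:::
foobar:$6$Zq3sample$DUMMYHASH:19000:0:99999:7:::
svc:$6$rounds=10000$saltsalt$DUMMYHASH:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, row in audit(SAMPLE).items():
        print(user, row)
```

Because the salt and scheme travel inside the stored field, a verifier never needs to know them separately, which is the reason the note says to hand the whole stored value back to crypt when checking a password.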