๐ŸงLinux Password Cracking

/etc/shadow & /etc/passwd

Introduction

In this lesson, we will explore the process of cracking Linux passwords locally. This practical skill is essential for understanding the security of Linux systems. We will use the unshadow command to prepare password files for password cracking and the John the Ripper tool for the actual password cracking. Additionally, we will explain various Linux password hash formats that you may encounter.

Understanding Linux Password Hash Formats

Linux uses various password hash formats to store user passwords securely. These formats are identified by a prefix character in the password hash. Here are some common Linux password hash formats:

  • $1: MD5 algorithm.

  • $2: Blowfish algorithm.

  • $2a: Extended Blowfish algorithm.

  • $5: SHA-256 algorithm.

  • $6: SHA-512 algorithm.

  • $y: yescrypt algorithm.

Each format is associated with a specific cryptographic algorithm and provides varying levels of security. It's crucial to understand these formats when working with password cracking tools.

The unshadow Command

The unshadow command is used to merge password and shadow files, making it easier to analyze and crack user passwords. The /etc/passwd file contains user information, while the /etc/shadow file contains password hashes and related information.

To use unshadow, simply run the following command:

unshadow /etc/passwd /etc/shadow > unshadowed-file

This command creates a file named unshadowed-file that combines the user information from /etc/passwd with the password hashes from /etc/shadow. This merged file is used as input for password cracking tools like John the Ripper. You can also use Hashcat.

Cracking Passwords with John the Ripper

John the Ripper is a powerful password cracking tool that supports a variety of password hash formats. To crack passwords using John the Ripper, follow these steps:

  1. Create the merged file using the unshadow command as described in the previous section.

  2. Run John the Ripper with the merged file:

john unshadowed-file

John the Ripper will attempt to crack the passwords using various techniques, including dictionary attacks, brute-force attacks, and more.

Once the process is complete, John the Ripper will display the cracked passwords if successful.

Example

Let's consider an example to understand Linux password hash formats and the cracking process.

  • /etc/shadow content:

username:$6$YTJ7JKnfsB4esnbS$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1:19446:0:99999:7:::

  • /etc/passwd content:

username:x:1001:1002:Sai Kumar,555,123456789,999123457:/home/sai:/bin/bash

Breaking the /etc/shadow entry down field by field:

  • username is the login name of the account.

  • $6 is the SHA-512 hash format.

  • $YTJ7JKnfsB4esnbS is the salt.

  • $5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1 is the SHA-512 hash of the password (computed with the salt above) for the user username.
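The prefix table above and this worked entry are easiest to internalise by parsing real lines. The following is an added example (it is not part of the original lesson) that splits /etc/shadow lines into user, scheme, rounds, salt and digest using the prefixes listed in the lesson, and then audits a file for accounts that still need attention: empty password fields and legacy MD5 ($1) hashes. Treating $1 as weak is this example's own assumption, and every sample line except the lesson's own $6 entry is constructed.

```python
"""Parse /etc/shadow entries and classify their password hash format.

Added example, not code from the original lesson. The prefix table mirrors the
lesson's list; treating $1 (MD5) as legacy is this example's own assumption;
all sample lines except the lesson's $6 entry are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hash prefixes from the lesson's list, mapped to algorithm names.
SCHEMES = {"1": "MD5", "2": "Blowfish", "2a": "Extended Blowfish",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

# Assumption of this example: MD5-crypt is reported as a legacy hash.
WEAK_SCHEMES = {"1"}


@dataclass
class ShadowEntry:
    user: str
    locked: bool            # field starts with '!' or is '*': no usable hash
    empty: bool             # empty field: the account has no password at all
    scheme: Optional[str]   # prefix id such as "6"; None when nothing to parse
    algorithm: str
    rounds: Optional[int]   # explicit rounds= value or bcrypt cost, if present
    salt: Optional[str]
    digest: Optional[str]


def parse_hash(field: str) -> Tuple[Optional[str], Optional[int], Optional[str], Optional[str]]:
    """Split a crypt(3)-style '$id$...' string into (id, rounds, salt, digest)."""
    parts = field.split("$")
    if len(parts) < 3 or parts[0] != "":
        return None, None, None, None        # not a '$id$...' string (e.g. old DES)
    scheme, rest = parts[1], parts[2:]
    rounds = salt = digest = None
    if scheme in ("5", "6"):
        # SHA-crypt: an optional 'rounds=N' parameter precedes the salt.
        if rest and rest[0].startswith("rounds="):
            rounds = int(rest[0][len("rounds="):])
            rest = rest[1:]
        salt = rest[0] if len(rest) > 0 else None
        digest = rest[1] if len(rest) > 1 else None
    elif scheme in ("2", "2a"):
        # bcrypt: '$2a$cost$' then 22 salt characters immediately followed by 31 hash characters.
        if len(rest) >= 2:
            rounds = int(rest[0])
            salt, digest = rest[1][:22], rest[1][22:]
    elif scheme == "y":
        # yescrypt: '$y$params$salt$hash'; the parameter string is skipped here.
        salt = rest[1] if len(rest) > 1 else None
        digest = rest[2] if len(rest) > 2 else None
    else:
        # MD5-crypt and anything else: '$id$salt$hash'.
        salt = rest[0] if len(rest) > 0 else None
        digest = rest[1] if len(rest) > 1 else None
    return scheme, rounds, salt, digest


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line (nine colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, field = fields[0], fields[1]
    locked = field.startswith("!") or field == "*"
    stripped = field.lstrip("!")          # 'passwd -l' prefixes the hash with '!'
    if stripped in ("", "*"):
        return ShadowEntry(user, locked, field == "", None, "none", None, None, None)
    scheme, rounds, salt, digest = parse_hash(stripped)
    algorithm = SCHEMES.get(scheme, "unknown") if scheme else "unknown"
    return ShadowEntry(user, locked, False, scheme, algorithm, rounds, salt, digest)


def audit_shadow(lines: List[str]) -> List[str]:
    """Return one finding per account whose password storage needs attention."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_shadow_line(line)
        if e.empty:
            findings.append(f"{e.user}: empty password field (no password required)")
        elif e.locked:
            continue                      # locked accounts cannot log in with a password
        elif e.scheme in WEAK_SCHEMES:
            findings.append(f"{e.user}: {e.algorithm} (${e.scheme}) is a legacy hash")
        elif e.algorithm == "unknown":
            findings.append(f"{e.user}: unrecognised hash format")
    return findings


# Constructed sample /etc/shadow: the first line is the lesson's own example,
# the remaining lines and their hash values are made up for this example.
SAMPLE_SHADOW = [
    "username:$6$YTJ7JKnfsB4esnbS$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1:19446:0:99999:7:::",
    "legacy:$1$saltsalt$" + "A" * 22 + ":19446:0:99999:7:::",
    "bcryptuser:$2a$10$" + "s" * 22 + "h" * 31 + ":19446:0:99999:7:::",
    "svc:*:19446:0:99999:7:::",
    "disabled:!$6$rounds=10000$anothersalt$" + "B" * 86 + ":19446:0:99999:7:::",
    "nopass::19446:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in map(parse_shadow_line, SAMPLE_SHADOW):
        print(f"{entry.user:<11} {entry.algorithm:<18} salt={entry.salt}")
    for finding in audit_shadow(SAMPLE_SHADOW):
        print("FINDING:", finding)
```

Running it on the lesson's entry yields scheme 6, algorithm SHA-512 and salt YTJ7JKnfsB4esnbS, matching the breakdown above; the audit on the sample file reports only the MD5 account and the account with an empty password field, which are the two conditions a system owner would want to fix before an attacker, or a pentester with john, gets hold of the file.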

Conclusion

Understanding how Linux passwords are hashed and the tools and techniques used for password cracking is crucial for cybersecurity professionals. It helps assess the security of systems and implement better security practices. By mastering these skills, you can protect your systems against password-based attacks and identify vulnerabilities.

Now that you have a basic understanding of password cracking on Linux, you can explore further by practicing with real-world scenarios and experimenting with different password hash formats and cracking methods.
