Linux Password Cracking
/etc/shadow & /etc/passwd
In this lesson, we will explore the process of cracking Linux passwords locally. This practical skill is essential for understanding the security of Linux systems. We will use the unshadow command to prepare password files for password cracking and the John the Ripper tool for the actual password cracking. Additionally, we will explain various Linux password hash formats that you may encounter.
Linux uses various password hash formats to store user passwords securely. These formats are identified by a prefix at the start of the password hash. Here are some common Linux password hash formats:
$1: MD5 hashing algorithm.
$2: Blowfish Algorithm.
$2a: Extended Blowfish Algorithm.
$5: SHA-256 Algorithm.
$6: SHA-512 Algorithm.
$y: Yescrypt Algorithm.
Each format is associated with a specific cryptographic algorithm and provides varying levels of security. It's crucial to understand these formats when working with password cracking tools.
unshadow Command
The unshadow command is used to merge password and shadow files, making it easier to analyze and crack user passwords. The /etc/passwd file contains user information, while the /etc/shadow file contains password hashes and related information.
To use unshadow, simply run the following command:
This command creates an unshadowed-file that contains user information from /etc/passwd and password hashes from /etc/shadow. This merged file is used as input for password cracking tools like John the Ripper. You can also use Hashcat.
John the Ripper
John the Ripper is a powerful password cracking tool that supports a variety of password hash formats. To crack passwords using John the Ripper, follow these steps:
1. Create the merged file using the unshadow command as described in the previous section.
2. Run John the Ripper with the merged file:
3. John the Ripper will attempt to crack the passwords using various techniques, including dictionary attacks, brute-force attacks, and more.
4. Once the process is complete, John the Ripper will display the cracked passwords if successful.
Let's consider an example to understand Linux password hash formats and the cracking process.
/etc/shadow content:
/etc/passwd content:
username is the User ID.
$6 is the SHA-512 hash format.
$YTJ7JKnfsB4esnbS is the salt.
$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1 is the hash of the password for the user username.
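The field breakdown above, extended to the other prefixes listed earlier, as an added example that is not part of the original lesson: a small Python auditor that reads shadow-format lines, reports each account's hash scheme and salt, and flags entries a defender should fix. The sample line reuses the salt and hash shown above; the aging fields, the other accounts, the function names and the choice to flag $1 as weak are assumptions made for illustration.

```python
# Added example: classify shadow-format entries by hash scheme and flag findings.
# Prefix names follow the lesson's list; marking $1 as weak is this example's policy.
SCHEMES = {"1": "MD5", "2": "Blowfish", "2a": "Extended Blowfish",
           "5": "SHA-256", "6": "SHA-512", "y": "Yescrypt"}
WEAK = {"1"}

def parse_shadow_line(line):
    """Split one shadow entry into user, scheme, salt and an audit finding."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    entry = {"user": user, "scheme": None, "salt": None, "finding": None}
    if pw == "":
        entry["finding"] = "empty password field"
    elif pw[0] in "!*":
        entry["scheme"] = "locked"           # password login disabled
    elif pw.startswith("$") and pw.count("$") >= 3:
        parts = pw.split("$")                # ['', id, [params...], salt, hash]
        ident = parts[1]
        entry["scheme"] = SCHEMES.get(ident, "unknown")
        if ident.startswith("2"):
            entry["salt"] = parts[-1][:22]   # bcrypt: salt is fused with the hash
        else:
            entry["salt"] = parts[-2]        # skips optional rounds=/param field
        if ident in WEAK:
            entry["finding"] = "weak scheme: " + entry["scheme"]
        elif entry["scheme"] == "unknown":
            entry["finding"] = "unrecognised prefix $" + ident
    else:
        entry["scheme"] = "legacy"           # no $id$ prefix, e.g. DES crypt
        entry["finding"] = "legacy hash without $id$ prefix"
    return entry

def audit(lines):
    """Return {user: finding} for entries that need attention."""
    parsed = (parse_shadow_line(l) for l in lines if l.strip())
    return {e["user"]: e["finding"] for e in parsed if e["finding"]}

# Constructed sample: 'username' reuses the salt and hash shown above; the
# aging fields and the other accounts are made up for illustration.
SAMPLE = [
    "username:$6$YTJ7JKnfsB4esnbS$5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1:19500:0:99999:7:::",
    "legacy:$1$Ab3dEf9h$CONSTRUCTEDxMD5xHASHxx:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(user, "->", finding)
```

Accounts flagged here are the ones to migrate to a stronger scheme or to lock, before an attacker with a copy of the file gets to them.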
Understanding how Linux passwords are hashed and the tools and techniques used for password cracking is crucial for cybersecurity professionals. It helps assess the security of systems and implement better security practices. By mastering these skills, you can protect your systems against password-based attacks and identify vulnerabilities.
Now that you have a basic understanding of password cracking on Linux, you can explore further by practicing with real-world scenarios and experimenting with different password hash formats and cracking methods.