In this article we will see how to obtain the password hashes from a Linux system and crack them with John the Ripper, probably the most widely used password cracking tool.
- Kali Linux – Attacker
- Linux machine – where the user accounts live.
In this tutorial we use hacking techniques for the sole purpose of learning. We do not endorse their use for profit or improper purposes. We are not responsible for any damage or impairment that may be caused to the systems used. Responsibility lies entirely with the user of this tutorial.
- Linux – Low
- Programming – Low
- Kali Linux – Medium
- Networks – Does not apply
Where Linux passwords are stored
Linux passwords are stored in the /etc/passwd file in plain text on older systems and in hashed form in the /etc/shadow file on newer systems. On anything other than a very old system we should expect the passwords to be in /etc/shadow.
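As an added, defensive example (not part of the original article), the script below parses shadow-format lines and reports, for each account, which crypt(3) hash scheme is in use and whether the password field is empty or uses a legacy scheme (DES crypt or md5crypt) that a cracker gets through far faster than the modern ones. The sample lines, salts and hashes are constructed and not from any real system.

```python
import re

# Constructed sample shadow-format lines (hashes and salts are made up,
# not from any real system).
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567:19000:0:99999:7:::
user1:$1$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
user2:$y$j9T$saltsaltsaltsaltsaltsa$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:ab1234567890A:19000:0:99999:7:::
"""
# $id$ prefixes used in the hash field of /etc/shadow (crypt(3) formats).
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
           "y": "yescrypt", "gy": "gost-yescrypt"}
# Legacy schemes that a cracker gets through far faster than modern ones.
WEAK = {"descrypt", "md5crypt"}

def classify(hash_field):
    """Return (scheme, status) for one shadow password field."""
    if hash_field == "":
        return "none", "EMPTY PASSWORD"
    if hash_field.startswith(("!", "*")):
        return "locked", "locked"          # no password login possible
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if m:
        scheme = SCHEMES.get(m.group(1), "unknown:" + m.group(1))
    else:
        scheme = "descrypt"                # 13-char DES crypt, no $id$ prefix
    return scheme, ("WEAK hash scheme" if scheme in WEAK else "ok")

def audit_shadow(text):
    """Parse shadow-format text into {user: (scheme, status)}."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            report[fields[0]] = classify(fields[1])
    return report

def accounts_to_fix(text):
    """Sorted users with an empty password or a weak hash scheme."""
    return sorted(u for u, (_, s) in audit_shadow(text).items()
                  if s not in ("ok", "locked"))

if __name__ == "__main__":
    for user, (scheme, status) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme:14} {status}")
```

On a real host, run it as root over the contents of /etc/shadow; accounts it lists should get a new password so the hash is regenerated with the system's current (modern) scheme.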
Create some user accounts
Since our BackTrack system probably doesn’t have many users on it other than our root account, we’re going to go ahead and create a couple more accounts.
We are going to create user1 with the password "flower" and user2 with the password "hacker".
I have purposely chosen dictionary words, since the complexity of the password is directly related to the time needed to crack it. One of the good features of John the Ripper is that it tries a dictionary attack first. If that fails, it attempts a hybrid attack. And only if that fails does it attempt a brute-force attack, which is the most time consuming.
Open John the Ripper
Now that we have a couple of regular users on our system with simple passwords, we need to open John the Ripper. John the Ripper is a simple but powerful password cracker without a GUI (this helps make it faster, since GUIs consume resources).
We can open it in BackTrack by going to the BackTrack button at the bottom left, then BackTrack, Privilege Escalation, Password Attacks, Offline Attacks, and finally selecting John the Ripper from the many password cracking tools available.
If you have selected the correct menu option, a terminal will open that looks like this.
By the way, feel free to close our previous terminal as we are done with it.
Test John the Ripper
At the prompt, type:
bt > john -test
This command runs John the Ripper through a series of benchmark tests to estimate how long it will take to crack your system's passwords. Your terminal will look like this.
Now that John has measured how long each of the hash schemes takes, let's put it to work cracking our passwords.
Copy password files to our current directory
Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our current directory along with the /etc/passwd file, then "unshadow" them and store the result in a file we will call passwords. So, let's type both:
bt > cp /etc/shadow ./
bt > cp /etc/passwd ./
In Linux, the cp command means copy and ./ represents our current directory. So this command says: copy the contents of /etc/shadow to my current directory. We do the same with the /etc/passwd file.
Next we need to combine the information from the /etc/shadow and /etc/passwd files, so John can do its magic.
bt > ./unshadow passwd shadow > passwords
Now that we have unshadowed the critical files, we can simply run John on our password file.
bt > john passwords
John the Ripper will proceed to crack the passwords. As you can see, it cracked all three of them in seconds! Of course, more complex passwords take much longer, but all we need is a single user with a simple password and we have access to that account in seconds.
It is also important to note that any password cracker is only as good as its word list. For more complex or hybrid passwords, you will probably want to use a password list that contains many more entries, including hybrid passwords like "p@$$w0rd" that mix special characters into words.
I hope you liked this technique and that it helps you.