Hack Like a Pro: How to Crack User Passwords in a Linux System

How to Crack User Passwords in a Linux System

Welcome back, my eager hackers!

In recent blogs, I've demonstrated how to grab password hashes remotely using Metasploit's meterpreter and pwdump. Once we have the Windows passwords from the SAM file, we can then crack these hashes using tools such as Cain and Abel.

In this article, we'll look at how to grab the password hashes from a Linux system and crack the hashes using probably the most widely used password cracking tool out there, John the Ripper.

Let's boot up BackTrack and get hacking!

Where Linux Passwords Are Stored

Linux passwords are stored in the /etc/passwd file in cleartext in older systems and in /etc/shadow file in hash form on newer systems. We should expect that the passwords on anything other than old legacy systems to be stored in /etc/shadow.

Step 1: Create Some User Accounts

Since our BackTrack system probably doesn't have many users on it other than our root account, let's go ahead and create a couple more accounts.

Let's create user1 with password "flower" and user2 with a password of "hacker".

I've purposely chosen dictionary words as the complexity of the password is inversely related to the time necessary to crack it. One of the nice features of John the Ripper is that it will try to use a dictionary attack first. If that fails, it will try a hybrid attack. And only if that fails will it attempt a brute-force attack, which is the most time consuming.

Step 2: Open John the Ripper

Now that we have a couple of regular users in our system with simple passwords, we now need to open John the Ripper. John the Ripper is a simple, but powerful password cracker without a GUI (this helps to make it faster as GUIs consume resources).

We can access it from BackTrack by going to the BackTrack button on the bottom left, then Backtrack, Privilege Escalation, Password Attacks, Offline Attacks, and finally select John the Ripper from the multiple password cracking tools available.

If you selected the correct menu item, it will open a terminal that looks like this.

By the way, feel free to close our previous terminal as we're finished with it.

Step 3: Test John the Ripper

At the prompt, type:

  • bt > john -test

This command will send John the Ripper through a variety of benchmark tests to estimate how long it will take to break the passwords on your system. Your terminal will look something like this.

Now that John has estimated how long each of the encryption schemes will take to crack, let's put him to work on cracking our passwords.

Step 4: Copy the Password Files to Our Current Directory

Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our current directory along with the /etc/passwd file, then "unshadow" them and store them in file we'll call passwords. So, let's type both:

  • bt > cp /etc/shadow ./
  • bt > cp /etc/passwd ./

In Linux, the cp command means copy and the ./ represents our current directory. So this command says, copy the contents of /etc/shadow to my current directory. We do the same for the /etc/passwd file.

Step 5: Unshadow

Next we need to combine the information in the /etc/shadow and the /etc/passwd files, so that John can do its magic.

  • bt > ./unshadow passwd shadow > passwords

Step 6: Crack!

Now that we have unshadowed the critical files, we can simply let John run on our password file.

  • bt > john passwords

John the Ripper will proceed to attempt to crack your passwords. As you can see, it cracked all three of ours in a matter of seconds! Of course, more complex passwords will take significantly more time, but all we need is just one user with a simple password and we have access to the account in seconds.

It's also important to note that any password cracker is only as good as its word list. For more complex or hybrid passwords, you probably want to use a password list containing far more passwords, including hybrid passwords such "p@$$w0rd" that combine special characters into words.

We'll be doing more password cracking among numerous other hacks, so keep coming back! And if you have any questions, feel free to comment below or head to the Null Byte forum for help.

Cut lock photo by Fristle, Lock cutters photo by MortenMyksvoll

27 Comments

Thanks very Good Article :) Could you please elaborate more About the Word list. Does Backtrack have a build-in word list or do we have to download it from somewhere else & if you could provide me a link to a good Word List i will be thankful to you

Criss:

John the Ripper does come with a word list built-in, but if you are trying to crack more obscure passwords or passwords in a different language, you will need a different word list. Simply googling "password list" or similar key words will provide you with many word lists, some with millions of entries.

OTW

Thanks for the Reply. But you are my teacher you could provide me with the best. Again Please Please if you can provide a link to a best word list

I really appreciate this tutorial. It has just enough detail while still being nice and quick to read through.

is it even possible to steal Passwords from someone's PC? and if yes, how to do that?

hiii sir, am somehow confuse, my problem is that i have some hashes in txt file format, i have some wordlist file also in txt format, i have gone through some john tutorial but i still dont understand how to input the hash file and the wordlist into john, am using kali os.

N.B: its this three words that confuse me with john, shadow,passwrd,unshadow but oi know the location of all this but just dont understand the process.

kindly please elaborate

Horls:

First, did you open the john application?

OTW

yes i did sir, i did the test, that was succesfull also

dont know where/how to input my hash file

OK. Now were you able to copy the shadow and passwd file to your current directory in Step 4?

yes, my current directory is root, i was able to copy both shadow and passwd to root but when i run the final command, here is what i get:

/unshadow passwd shadow passwords
bash: ./unshadow: No such file or directory

./unshadow passwd shadow > passwords
bash: ./unshadow: No such file or directory

In KALI you should type:
unshadow passwd shadow > newfilename
no / or ./ in the beginning

Horls:

Are you running BackTrack?

OTW

Horls:

/etc/shadow is where the password hashes reside. /etc/passwd has all the users details but not the hashes. We need both to crack the hashes. unshadow gives us access to the hashes and combines the info from those two files to make the hashes available to john.

Hope this helps.

OTW

okay, thank you sir, now i understand, its good to read the topic well, we are cracking the user accounts password on a linux system... okay! i now understand.

thank you sir

Actually the way you described can't be done.

First, if you log in as a non-root user, you don't have the permission to read /etc/shadow file, which means John the Ripper can't figure out what's in that file. What's next can't be done.

Second, if you're a previleged user, why would you do that? 'su - user1' is the simpliest way to achieve this and most importantly no password is needed at all.

Anyway, thank you for your share.

Frost:

Thanks for you comments.

This article is meant to demonstrate the principles of password cracking in Linux. Rather than going into the many ways that a non-privileged users can get root access, this article focuses on what to do when you get it. When one does get root access and the /etc/shadow file, you still have to crack the hashes with John or other cracking tool.

OTW

sir ... can u tell me how to crack passwd or how to login in linux without knowing passwd ???? itried in linux by switching in single user mode but in my linux kernel single user mode is also passwd protectd ...

What linux are you using?

can i crack rar file password?

I am getting a problem when running john -test
saying " Sorry, SSE2 is required for this build "
I'm running Kali linux 2.0 32-bit

Share Your Thoughts

  • Hot
  • Latest