Introduction
In this lab, you will learn the fundamental process of Linux password security auditing. You will explore how Linux stores user password information, extract this information, and then attempt to crack the passwords using a dictionary attack. This process is essential for penetration testers and system administrators to identify and remediate weak passwords within a system.
You will work with two critical files: /etc/passwd, which stores user account information, and /etc/shadow, which securely stores the hashed passwords. You will use standard Linux command-line tools and specialized software like unshadow (from the John the Ripper suite) and Hashcat to perform the cracking process.
By the end of this lab, you will have hands-on experience with:
- Understanding the format of the /etc/shadow file.
- Combining user and password data into a crackable format.
- Identifying password hash types.
- Using Hashcat to perform a dictionary attack.
Understand the /etc/shadow File Format
In this step, you will examine the /etc/shadow file. This file stores the actual password hashes for users on a Linux system and is only readable by the root user for security reasons. Understanding its structure is the first step in extracting the hashes.
First, use sudo to gain the necessary privileges to view the contents of the /etc/shadow file.
sudo cat /etc/shadow
You will see output containing several lines, each corresponding to a user account. Let's look at the entry for the testuser we created. It will look similar to this (the salt and hash will be different):
root:*:19327:0:99999:7:::
daemon:*:19327:0:99999:7:::
...
testuser:$6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn2KkL.D.v5/T6.zT.jC.gB6aB4bY3eZ2aX9cW8dY7eF6gH5iJ4kL3oP2qR1:19422:0:99999:7:::
Each line is a series of colon-separated fields. For this lab, we are interested in the first two:
- Username: testuser
- Hashed Password: $6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn2KkL.D.v5/T6.zT.jC.gB6aB4bY3eZ2aX9cW8dY7eF6gH5iJ4kL3oP2qR1
The dollar signs ($) in the hash field are significant. The identifier between the first two $ characters indicates the hashing algorithm, the next $-delimited field is the salt, and the remainder is the hash itself. In this case, $6$ signifies that the password was hashed using the sha512crypt algorithm.
Use the unshadow Tool to Combine passwd and shadow Files
In this step, you will use the unshadow utility to create a single file that is suitable for password cracking tools like Hashcat. Cracking tools need both the username from /etc/passwd and the hash from /etc/shadow in a specific format. The unshadow tool, which is part of the John the Ripper suite, automates this combination process.
You will now run unshadow, providing /etc/passwd and /etc/shadow as input, and redirect the output to a new file named hashes.txt inside your ~/project directory.
Execute the following command in your terminal:
sudo unshadow /etc/passwd /etc/shadow > ~/project/hashes.txt
This command reads both system files and merges the relevant information, saving it to ~/project/hashes.txt.
Now, let's view the contents of the newly created file to see the result.
cat ~/project/hashes.txt
The output will show a list of users and their corresponding hashes in the format that cracking tools expect. The line for testuser will look like this:
testuser:$6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn2KkL.D.v5/T6.zT.jC.gB6aB4bY3eZ2aX9cW8dY7eF6gH5iJ4kL3oP2qR1:1001:1001::/home/testuser:/bin/bash
This file is now ready to be used with Hashcat.
Identify the Hash Type (e.g. sha512crypt)
In this step, you will confirm the type of hash used for the user passwords. This is a crucial step because you must tell Hashcat exactly which hashing algorithm to use for the cracking attempt. With the wrong algorithm, the hashes Hashcat computes from candidate passwords can never match the target, so the attack will always fail.
As we observed in Step 1, the format of the hash string itself reveals the algorithm. Let's examine the hashes.txt file again.
cat ~/project/hashes.txt
Focus on the hash string for testuser:
testuser:$6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn2KkL.D.v5/T6.zT.jC.gB6aB4bY3eZ2aX9cW8dY7eF6gH5iJ4kL3oP2qR1:...
The hash begins with $6$. This is a standard identifier for a specific type of hash. Here is a quick reference for common Linux hash identifiers:
- $1$ = md5crypt (MD5)
- $2a$ or $2y$ = bcrypt (Blowfish)
- $5$ = sha256crypt (SHA-256)
- $6$ = sha512crypt (SHA-512)
Based on the $6$ prefix, we can confidently identify the hash type as sha512crypt. This is the information we will need for the next step.
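The identification done by eye in Step 1 and in this step can be automated. The following script is an added example (not part of the lab material): it parses /etc/shadow or unshadow output lines, maps the $id$ prefix to the algorithm and Hashcat mode using the quick-reference table above, and flags accounts an auditor would act on before cracking anything (empty password fields and legacy md5crypt hashes). The mode numbers other than 1800 and the choice to treat md5crypt as weak are assumptions beyond the lab text.

```python
from dataclasses import dataclass
from typing import Optional

# Hash identifiers from the quick-reference table above with their algorithm name and
# Hashcat mode; 1800 is used in this lab, the others come from Hashcat's mode list.
HASH_PREFIXES = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
                 "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200)}
WEAK_ALGORITHMS = {"md5crypt"}  # assumption: MD5-based hashes count as audit findings

@dataclass
class ShadowEntry:
    user: str
    status: str  # "hashed", "locked", "empty" or "unknown"
    algorithm: Optional[str] = None
    hashcat_mode: Optional[int] = None
    salt: Optional[str] = None

def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one line of /etc/shadow or of unshadow output (same first two fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow/unshadow line: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, "empty")   # no password needed to log in
    if pw.startswith(("*", "!")):
        return ShadowEntry(user, "locked")  # "*", "!", "!!" or "!$6$..." (login disabled)
    parts = pw.split("$")                   # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[1] not in HASH_PREFIXES:
        return ShadowEntry(user, "unknown")
    algorithm, mode = HASH_PREFIXES[parts[1]]
    if algorithm == "bcrypt":               # "$2y$cost$<22-char salt><31-char hash>"
        salt = parts[3][:22]
    else:
        body = parts[2:]
        if body[0].startswith("rounds="):   # "$6$rounds=5000$salt$hash" is also valid
            body = body[1:]
        salt = body[0]
    return ShadowEntry(user, "hashed", algorithm, mode, salt)

def audit(lines):
    """Return (user, reason) findings a defender can act on before any cracking run."""
    findings = []
    for entry in (parse_shadow_line(l) for l in lines if l.strip()):
        if entry.status == "empty":
            findings.append((entry.user, "empty password field"))
        elif entry.status == "hashed" and entry.algorithm in WEAK_ALGORITHMS:
            findings.append((entry.user, f"weak hash algorithm {entry.algorithm}"))
    return findings
```

Run it over the output of sudo cat /etc/shadow or over ~/project/hashes.txt; the salt and mode it reports for testuser are exactly the values you would read off the $6$ line by hand.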
Select the Corresponding Hashcat Mode
In this step, you will find the correct mode number that Hashcat uses to identify the sha512crypt algorithm. Hashcat supports hundreds of different hash types, and each is assigned a unique mode number.
To find the mode for sha512crypt, you can search through Hashcat's help information using grep. This is an efficient way to find the specific mode you need without reading the entire help menu.
Run the following command to search for sha512crypt:
hashcat --help | grep -i sha512crypt
The -i flag in grep makes the search case-insensitive, which is good practice. The output will show you the matching line from the help menu:
...
1800 | sha512crypt, SHA512(Unix) | Operating System
...
From this output, you can see that the mode number for sha512crypt is 1800. You will use this mode number in the final step to tell Hashcat how to interpret the hashes in your hashes.txt file.
Launch a Dictionary Attack on the Linux Hashes
In this final step, you will launch a dictionary attack against the captured hashes using Hashcat. A dictionary attack works by taking a list of potential passwords (a "dictionary" or "wordlist"), hashing each one using the same algorithm as the target hash, and comparing the results. If a match is found, the password has been cracked.
You will use the rockyou.txt wordlist that was downloaded into your ~/project directory during the lab setup. This is a very common wordlist used for password auditing.
Now, construct the full Hashcat command with all the information you've gathered:
- Mode (-m): 1800 for sha512crypt.
- Hash File: ~/project/hashes.txt.
- Wordlist: ~/project/rockyou.txt.
- Option (--force): This tells Hashcat to ignore warnings (for example about unsupported OpenCL drivers) that would otherwise stop it from starting in a virtualized environment.
Execute the command to start the attack:
hashcat -m 1800 --force ~/project/hashes.txt ~/project/rockyou.txt
Hashcat will initialize and begin the cracking session. Since the password password123 is in the rockyou.txt list, the process should be very fast.
...
Session..........: hashcat
Status...........: Running
Hash.Name........: sha512crypt, SHA512(Unix)
Hash.Target......: testuser:$6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn...
...
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Cracked
...
Once Hashcat shows the status as Cracked or Exhausted, the attack is complete. To view the cracked password, you can use the --show option with the same command.
hashcat -m 1800 --force ~/project/hashes.txt --show
The output will clearly display the cracked hash along with its corresponding plaintext password.
testuser:$6$somerandomsalt$gqE2qSg5aV1A3fH/vjXJ.nLdCn2KkL.D.v5/T6.zT.jC.gB6aB4bY3eZ2aX9cW8dY7eF6gH5iJ4kL3oP2qR1:password123
You have successfully cracked the password for testuser!
Summary
Congratulations on completing this lab! You have successfully performed a classic password auditing workflow on a Linux system.
In this lab, you learned how to:
- Read and understand the structure of the /etc/shadow file, which stores user password hashes.
- Use the unshadow tool to combine user and hash data from /etc/passwd and /etc/shadow into a single file.
- Identify the password hashing algorithm (sha512crypt) by inspecting the hash format.
- Find the corresponding mode (1800) in Hashcat for the identified hash type.
- Launch a dictionary attack using Hashcat, a powerful wordlist, and the extracted hashes.
- View the successfully cracked password.
This exercise demonstrates the importance of using strong, complex, and unique passwords that are not found in common wordlists. System administrators can use these same techniques to proactively find and fix weak passwords in their environments.