LabEx
Log InJoin Free

Use John the Ripper to Crack Linux Shadow Passwords

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will explore the process of extracting, preparing, and cracking Linux password hashes using a powerful tool called John the Ripper. Understanding how password cracking works is crucial for implementing robust security measures. You will learn about the /etc/shadow file, how to combine it with /etc/passwd to create a crackable file, and then use John the Ripper to find weak passwords. Finally, you will gain insights into the structure of the shadow file and best practices for securing user passwords on Linux systems.

Extract /etc/shadow File

In this step, you will learn how to access and extract the contents of the /etc/shadow file. The /etc/shadow file stores encrypted user passwords and other security-related information. Due to its sensitive nature, only the root user has read access to this file. For this lab, we have created dummy passwd_dummy and shadow_dummy files in your ~/project directory to simulate the real files without requiring root privileges for direct access to /etc/shadow.

First, let's view the contents of the dummy passwd_dummy file. This file contains basic user account information, but not the password hashes.

cat ~/project/passwd_dummy

You should see output similar to this:

root:x:0:0:root:/root:/bin/bash
labex:x:1000:1000:LabEx User,,,:/home/labex:/bin/bash
testuser:x:1001:1001:Test User,,,:/home/labex/testuser:/bin/bash

Next, let's view the contents of the dummy shadow_dummy file. This file contains the actual password hashes.

cat ~/project/shadow_dummy

You should see output similar to this, where the second field is the hashed password:

root:$6$rounds=40000$abcdefghijklmnop$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:18000:0:99999:7:::
labex:$6$rounds=40000$fedcba9876543210$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./:18000:0:99999:7:::
testuser:$6$rounds=5000$testsalt$testpasswordhash:18000:0:99999:7:::

In a real-world scenario, you would typically use sudo cat /etc/shadow to extract the shadow file, but for this lab, we will use the dummy files.

Unshadow the Password File

In this step, you will use the unshadow utility, which is part of the John the Ripper suite, to combine the passwd_dummy and shadow_dummy files into a single file that John the Ripper can process. The unshadow tool merges the user information from the password file with the password hashes from the shadow file, creating a unified format suitable for cracking.

Execute the following command to combine passwd_dummy and shadow_dummy into a new file named unshadowed.txt in your ~/project directory:

unshadow ~/project/passwd_dummy ~/project/shadow_dummy > ~/project/unshadowed.txt

Now, let's view the contents of the newly created unshadowed.txt file to understand its format.

cat ~/project/unshadowed.txt

You should see output where each line starts with a username, followed by the password hash, and then other user information. For example:

root:$6$rounds=40000$abcdefghijklmnop$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:0:0:root:/root:/bin/bash
labex:$6$rounds=40000$fedcba9876543210$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./:1000:1000:LabEx User,,,:/home/labex:/bin/bash
testuser:$6$rounds=5000$testsalt$testpasswordhash:1001:1001:Test User,,,:/home/labex/testuser:/bin/bash

This unshadowed.txt file is now ready to be used by John the Ripper for password cracking.

Crack Shadow Hashes with John the Ripper

In this step, you will use John the Ripper to crack the password hashes contained in the unshadowed.txt file. John the Ripper can perform various types of attacks, including dictionary attacks, which involve trying words from a predefined list. We have already created a simple wordlist named wordlist.txt in your ~/project directory during the setup.

Execute the following command to start cracking the passwords using the wordlist.txt file:

john --wordlist=~/project/wordlist.txt ~/project/unshadowed.txt

John the Ripper will attempt to crack the hashes. If it finds a match, it will display the cracked password. In our dummy files, the testuser has a weak password that is present in the wordlist.txt.

You should see output similar to this, indicating a cracked password:

Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts to test (sha512crypt, crypt(3) $6$)
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
testpassword     (testuser)
3g 0:00:00:00 DONE (2024-01-01 12:00) 100.0% (ETA: 00:00:00) 3.000g/s 180.0p/s 180.0c/s 180.0C/s testpassword
Session completed.

After cracking, you can view the cracked passwords that John the Ripper has found by using the --show option:

john --show ~/project/unshadowed.txt

This command will display all successfully cracked passwords from the session.

testuser:testpassword

1 password hash cracked, 2 left

This demonstrates how easily weak passwords can be cracked using readily available tools and wordlists.

Understand Shadow File Format

In this step, you will delve deeper into the structure and meaning of the fields within the /etc/shadow file. Understanding this format is crucial for comprehending how Linux stores and manages user password information securely.

The /etc/shadow file contains one line per user, with each line consisting of nine colon-separated fields. Let's re-examine a line from our shadow_dummy file:

testuser:$6$rounds=5000$testsalt$testpasswordhash:18000:0:99999:7:::

Here's a breakdown of each field:

  1. Username: testuser - The login name of the user.
  2. Encrypted Password: $6$rounds=5000$testsalt$testpasswordhash - This is the most critical field. It contains the hashed password.
    • $6 indicates the hashing algorithm used (SHA-512 in this case). Other common types include $1 (MD5), $2a (Blowfish), $5 (SHA-256).
    • rounds=5000 specifies the number of hashing rounds, which increases the computational cost of cracking.
    • testsalt is the salt, a random string added to the password before hashing to prevent rainbow table attacks.
    • testpasswordhash is the actual hashed password.
  3. Last Password Change: 18000 - The number of days since January 1, 1970, that the password was last changed.
  4. Minimum Password Age: 0 - The minimum number of days required between password changes. A value of 0 means the user can change their password at any time.
  5. Maximum Password Age: 99999 - The maximum number of days the password is valid. After this period, the user will be forced to change their password. 99999 typically means the password never expires.
  6. Password Warning Period: 7 - The number of days before a password is due to expire that the user will be warned.
  7. Password Inactive Period: (empty) - The number of days after a password expires that the account will be disabled. If empty, the account is never disabled due to password inactivity.
  8. Account Expiration Date: (empty) - The date (in days since January 1, 1970) when the account will be disabled. If empty, the account never expires.
  9. Reserved Field: (empty) - This field is reserved for future use.

Understanding these fields helps in configuring password policies and enhancing system security.

Implement Best Practices for Shadow File Security

In this step, you will learn about and understand best practices for securing the /etc/shadow file and user passwords on Linux systems. Given the sensitive nature of the shadow file, protecting it is paramount to system security.

Here are some key best practices:

  1. Strong Password Policies:

    • Complexity: Enforce strong password complexity requirements (e.g., minimum length, mix of uppercase, lowercase, numbers, and special characters).
    • Uniqueness: Prevent users from reusing old passwords.
    • Regular Changes: Implement policies for regular password changes, though modern security advice sometimes favors long, strong, unique passwords over frequent changes for non-privileged accounts.
    • Passphrases: Encourage the use of long passphrases instead of short, complex passwords, as they are often easier to remember and harder to crack.

  2. File Permissions:

    • The /etc/shadow file should have very strict permissions: 0640 (-rw-r-----). This means only root can read and write to it, and members of the shadow group can read it. No other users should have access.
    • Verify permissions using ls -l /etc/shadow (in a real system, not our dummy file).

  3. Hashing Algorithms:

    • Always use modern, strong hashing algorithms like SHA-512 ($6) or Blowfish ($2a, $2b, $2y). Avoid older, weaker algorithms like MD5 ($1) or DES.
    • Ensure your system's PAM (Pluggable Authentication Modules) configuration is set to use strong hashing algorithms.

  4. Salting:

    • Always use unique salts for each password. This is automatically handled by modern hashing algorithms and prevents rainbow table attacks.

  5. Account Lockout Policies:

    • Implement account lockout policies to prevent brute-force attacks. After a certain number of failed login attempts, the account should be temporarily locked.

  6. Monitor for Suspicious Activity:

    • Regularly monitor system logs for unusual login attempts or modifications to the /etc/shadow file. Tools like AIDE or Tripwire can detect file integrity changes.

  7. Educate Users:

    • Educate users about the importance of strong, unique passwords and the risks of phishing and social engineering.

By implementing these best practices, you can significantly enhance the security of user accounts and protect sensitive password information on your Linux systems.

Summary

In this lab, you have gained practical experience with the process of password cracking on Linux systems using John the Ripper. You learned how to extract and combine the /etc/passwd and /etc/shadow files using unshadow, and then used John the Ripper with a wordlist to crack weak password hashes. Furthermore, you explored the detailed format of the /etc/shadow file, understanding the significance of each field, especially the hashing algorithm and salt. Finally, you reviewed essential best practices for securing user passwords and the shadow file, including strong password policies, proper file permissions, and the use of robust hashing algorithms. This knowledge is crucial for both offensive security (understanding how systems can be compromised) and defensive security (implementing measures to protect against such attacks).

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux