How to Crack User Passwords in a Linux System

How to Crack User Passwords in a Linux System

In this article, we'll look at how to grab the password hashes from a Linux system and 
crack the hashes using probably the most widely used password cracking tool out there,  
John the Ripper.

Let's boot up BackTrack and get hacking!

Where Linux Passwords Are Stored

Linux passwords are stored in the /etc/passwd file in cleartext in older systems and in 

/etc/shadow file in hash form on newer systems. We should expect that the passwords on

 anything other than old legacy systems to be stored in /etc/shadow.

Step 1: Create Some User Accounts

Since our BackTrack system probably doesn't have many users on it other than our root

 account, let's go ahead and create a couple more accounts.
Let's create user1 with password "flower" and user2 with a password of "hacker".

 

I've purposely chosen dictionary words as the complexity of the password is inversely related

 to the time necessary to crack it. One of the nice features of John the Ripper is that it will try to

 use a dictionary attack first. If that fails, it will try a hybrid attack. And only if that fails will it 

attempt a brute-force attack, which is the most time consuming.

Step 2: Open John the Ripper

Now that we have a couple of regular users in our system with simple passwords, we now need

 to open John the Ripper. John the Ripper is a simple, but powerful password cracker without a 

GUI (this helps to make it faster as GUIs consume resources).

We can access it from BackTrack by going to the BackTrack button on the bottom left, then 

Backtrack, Privilege Escalation, Password Attacks, Offline Attacks, and finally select   

John the Ripper from the multiple password cracking tools available.

 

If you selected the correct menu item, it will open a terminal that looks like this.

 

By the way, feel free to close our previous terminal as we're finished with it.

Step 3: Test John the Ripper

At the prompt, type:

• bt > john -test

This command will send John the Ripper through a variety of benchmark tests to estimate how 

long it will take to break the passwords on your system. Your terminal will look something like this.

 

Now that John has estimated how long each of the encryption schemes will take to crack, let's

 put him to work on cracking our passwords.

Step 4: Copy the Password Files to Our Current Directory

Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our 

current directory along with the /etc/passwd file, then "unshadow" them and store them in

 file we'll call passwords. So, let's type both:

• bt > cp /etc/shadow ./

• bt > cp /etc/passwd ./

 

In Linux, the cp command means copy and the ./ represents our current directory. So this 

command says, copy the contents of /etc/shadow to my current directory. We do the same for

 the /etc/ passwd file.

Step 5: Unshadow

Next we need to combine the information in the /etc/shadow and the /etc/passwd files, so that 

John can do its magic.

• bt > ./unshadow passwd shadow > passwords

Step 6: Crack!

Now that we have unshadowed the critical files, we can simply let John run on our password file.

• bt > john passwords

John the Ripper will proceed to attempt to crack your passwords. As you can see, it cracked

 all three of ours in a matter of seconds! Of course, more complex passwords will take significantly
 more time, but all we need is just one user with a simple password and we have access to the
 account in seconds.

It's also important to note that any password cracker is only as good as its word list. For more c

omplex or hybrid passwords, you probably want to use a password list containing far more
 passwords, including hybrid passwords such "p@$$w0rd" that combine special characters into
 words.



We'll be doing more password cracking among numerous other hacks, so keep coming back!
And if you have any questions, feel free to comment below

Socialize This Post

SOCIALIZE IT →

Tweet

FOLLOW →

SHARE IT →