🍘Dumping & Cracking Linux Password Hashes

Linux Password Hashes

  • Linux has multi-user support, so multiple users can access the system simultaneously. From a security perspective this is both an advantage and a disadvantage: multiple accounts offer multiple access vectors for attackers and therefore increase the overall risk of the server.

  • The account information for all users on Linux is stored in the passwd file, located at: /etc/passwd

  • We cannot view the users' passwords in the passwd file: the passwords are only ever stored in encrypted (hashed) form, and because the passwd file is readable by any user on the system, the hashes are not kept there.

  • All of the users' encrypted (hashed) passwords are stored in the shadow file instead. It can be found at the following path: /etc/shadow

  • The shadow file can only be accessed and read by the root account. This is a very important security feature, as it prevents other accounts on the system from reading the hashed passwords.

Linux Password Hashes

  • The shadow file tells us which hashing algorithm is in use as well as the password hash itself. This is very helpful, as it lets us determine the type of hashing algorithm and its strength. We can identify the algorithm by looking at the identifier that follows the username in each entry, enclosed between dollar symbols ($), for example $6$.

Meterpreter Module:

  • /post/linux/gather/hashdump – A Meterpreter post-exploitation module for dumping password hashes from a Linux system.

Cracking Password Hashes with John the Ripper:

To crack password hashes using John the Ripper, you can use the following command:

john --format=sha512crypt <hash_file_path> --wordlist=/usr/share/wordlists/rockyou.txt

This command attempts to crack password hashes stored in the <hash_file_path> using John the Ripper, with the specified hash format (in this case, sha512crypt), and the "rockyou.txt" wordlist.

Cracking Password Hashes with Hashcat:

To crack password hashes using Hashcat, you can use the following command:

hashcat -a 0 -m 1800 <hash_file_path> /usr/share/wordlists/rockyou.txt

This command uses Hashcat with attack mode 0 (straight/wordlist mode, which is the mode that takes a wordlist as input; attack mode 3 is brute-force with a mask and does not accept a wordlist) and hash mode 1800 (sha512crypt) to attempt to crack password hashes stored in the <hash_file_path> file using the "rockyou.txt" wordlist.

Note that the hash format is determined by the value at the beginning of the hash, such as "$6$" in the case of sha512crypt.
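As an added example that is not part of the original notes, the following Python script does the algorithm identification described above programmatically: it parses shadow-style entries, reads the identifier between the first two dollar signs, and reports the matching John format and Hashcat mode, flagging entries an administrator would want to fix (weak legacy algorithms, empty password fields). The sample lines are constructed, and the mode numbers other than 1800/sha512crypt (which is the pairing used on this page) are assumed from the tools' own format lists.

```python
import re
from typing import Dict, List

# Constructed sample of /etc/shadow lines (not captured from any real system).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$Q1AbCdEf$notARealDigestJustForTheExample:19500:0:99999:7:::
alice:$1$saltsalt$notARealMd5cryptDigest:19500:0:99999:7:::
svc:!:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""

# crypt id -> (name, John --format, Hashcat -m, considered weak).
# 1800/sha512crypt is from this page; the other rows are assumed from the tools' docs.
ALGORITHMS = {
    "1": ("md5crypt", "md5crypt", 500, True),
    "5": ("sha256crypt", "sha256crypt", 7400, False),
    "6": ("sha512crypt", "sha512crypt", 1800, False),
    "2b": ("bcrypt", "bcrypt", 3200, False),
}

# $id$[rounds=N$]salt$digest  (id is the part between the first two '$')
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<digest>.+)$")


def classify_entry(line: str) -> Dict:
    """Describe one shadow line: algorithm, tool modes and audit finding."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    user, hash_field = fields[0], fields[1]
    info = {"user": user, "algorithm": None, "john_format": None,
            "hashcat_mode": None, "rounds": None, "weak": False, "finding": None}
    if hash_field == "":                      # no password at all
        info["finding"] = "empty password field: login possible without a password"
        return info
    if hash_field.startswith(("!", "*")):     # locked / no valid password
        info["finding"] = "locked account: no crackable hash"
        return info
    m = HASH_RE.match(hash_field)
    if not m:                                 # no $id$ prefix, e.g. legacy descrypt
        info.update(weak=True, finding="legacy or unknown hash format")
        return info
    spec = ALGORITHMS.get(m.group("id"))
    if spec is None:
        info["algorithm"] = f"unknown id ${m.group('id')}$"
        return info
    name, john_fmt, hc_mode, weak = spec
    info.update(algorithm=name, john_format=john_fmt, hashcat_mode=hc_mode,
                rounds=int(m.group("rounds")) if m.group("rounds") else None, weak=weak)
    if weak:
        info["finding"] = f"{name} is fast to crack; migrate to sha512crypt or stronger"
    return info


def audit_shadow(text: str) -> List[Dict]:
    """Classify every non-empty line of a shadow file."""
    return [classify_entry(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(entry)
```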
