Ethical Hacking Series: 5. Cracking Linux Passwords



Linux systems store user passwords as cryptographic hashes. Modern Linux distributions store the hashes in /etc/shadow. It is computationally intractable to reverse a cryptographic hash to obtain the original password. However, it is possible to generate a hash from a sequence of characters, and if the generated hash matches the password hash, the sequence of characters is the original password. This is how password cracking attacks work. In general, an attacker needs to try at least as many sequences of characters as there are possible hash values. For 256-bit hashes, this brute-force attack would need to generate 2^256 hash values to crack the password in the worst case. It simply requires too much time and computational power to be of any practical value.

But attackers can focus on a limited subset of all possible passwords to get a computationally practical cracking algorithm. Because these algorithms are not exhaustive, there is no guarantee they can crack a password. For example, if attackers limit their search to words in a language, they can easily generate hashes for all possible words. This is the basis of a dictionary attack. Attackers can also mangle words with numbers and special characters to expand the search space while still remaining computationally tractable.

This Lab uses a cracking tool named John the Ripper (john) that is installed by default in Kali Linux. You will see first-hand how easy it can be to crack weak passwords.

  1. At the prompt enter the following to view the system’s password shadow file:
less /etc/shadow

Each line in the file corresponds to a user in the system. The file contains several fields and each field is separated by colons (:). The first field is the username and the second is the password hash. If the password hash field is an asterisk (*), the user does not have a password configured. Only root has a password configured. The hash of root's password begins with $6$afDfM.q. Note that this does not resemble root's password (toor). You can view the man page for the file (man shadow) to learn about all the fields.

  1. Press q to quit viewing the file.
  1. Enter the following command to unshadow the password:
unshadow /etc/passwd /etc/shadow > mypasswd

The command combines the /etc/passwd and /etc/shadow files into a single file that has the format of traditional Unix passwd files that included the hash. John the Ripper requires this format. The command also creates a .john directory which is used for storing results of cracking operations.

Note: You need root permissions to view the contents of the shadow file. Regular users on Linux systems do not have access and therefore cannot crack passwords as demonstrated in this Lab.
  1. Use John the Ripper to crack the passwords in the mypasswd file:
john mypasswd

In a matter of seconds, the cracked password for the root user is displayed (toor). The first strategy for cracking the password is called single. This strategy uses passwords based on the user’s login information. In this case, the password is the username in reverse so the single strategy succeeds. If the single strategy does not succeed, the Wordlist strategy is used. A default word list is included but you can configure your own word list that you can find online. Lastly, john will try incremental mode which can exhaustively try passwords up to length 13. Based on these default strategies, you are encouraged to choose passwords for your accounts that are not based on the account information, not similar to words in the dictionary, and longer than 13 characters.
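The shadow file layout described earlier in this Lab Step can be checked from the defender's side. The following is an added example, not part of the original lab: it classifies the second field of each entry and reports accounts with an empty password field or an outdated hash scheme. The function names and the sample entries are assumptions made for illustration, and the salts and hashes are placeholders.

```python
# Added example (not from the lab): classify the password field of shadow entries.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}

# Constructed sample; salts and hashes are placeholders, not real values.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
legacy:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
"""

def classify(field):
    """Return (state, scheme) for the second colon-separated field."""
    if field == "":
        return ("empty", None)               # account accepts a login with no password
    locked = field.startswith("!")           # a leading '!' marks a locked password
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("no-password-login", None)   # no hash a cracker could work on
    if body.startswith("$"):
        scheme = SCHEMES.get(body.split("$")[1], "unknown")
    elif len(body) == 13:
        scheme = "descrypt"                  # traditional 13-character DES crypt
    else:
        scheme = "unknown"
    return ("locked" if locked else "active", scheme)

def audit(shadow_text):
    """Return (user, finding) pairs for entries that need attention."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, (state, scheme) = fields[0], classify(fields[1])
        if state == "empty":
            findings.append((user, "empty password field"))
        elif state == "active" and scheme in WEAK_SCHEMES:
            findings.append((user, "weak hash scheme: " + scheme))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW):
        print(user, "->", finding)
```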


In this Lab Step, you used John the Ripper on Kali Linux to crack Linux system passwords. Because root permission is required to access the password hashes, it may seem unnecessary to crack other account passwords, since root users can access all files on the system anyway. However, users may use the same password on other systems or services. An attacker may also have retrieved the shadow file using another kind of attack, for example by exploiting a vulnerable network file share installation. Avoid using the same password in multiple places to improve your defences in the case of an attack.

You may try to crack the passwords of users you create using John the Ripper. Start with short passwords (fewer than 7 characters) and passwords based on dictionary words, and see how long it takes to crack them. Then try something more complex. It is likely that John the Ripper will not be able to crack more complicated passwords in the remaining time, but it might eventually succeed if there were no time limit.

  1. To create a user named testuser and set its password, you can enter the following commands:
useradd testuser
passwd testuser

and enter the desired password at the prompts.

  1. You can also print status messages by pressing space while john is running.
  1. Once you have added a user and set their password you can enter:
unshadow /etc/passwd /etc/shadow > mypasswd
john mypasswd
  1. Pressing space while the Wordlist strategy is executing reveals some of the mangling patterns included in the default wordlist, such as adding numbers after and before words, mixing upper and lower case letters, and adding symbols.
  1. The default word list is in the /usr/share/john/password.lst file. For passwords not appearing in the list, the incremental mode is used. As an example, when using the password mypass, incremental mode is required. The entire cracking process takes around five minutes in this case.
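The password advice given earlier in this Lab (nothing based on account information, nothing similar to dictionary words, longer than 13 characters) and the mangling patterns listed above can be turned into a check applied when a password is chosen. This is an added example, not part of the original lab or of John the Ripper; the function names, the GECOS parameter and the small word list are assumptions, and the word list is constructed for illustration.

```python
import re

MIN_LENGTH = 14  # "longer than 13 characters", per the lab's advice

# Constructed stand-in for a real word list such as /usr/share/john/password.lst.
SAMPLE_WORDS = frozenset({"password", "summer", "dragon", "letmein"})

def core_word(password):
    """Undo the mangling the lab lists: mixed case, digits or symbols before/after."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def account_tokens(username, gecos=""):
    """Strings derivable from login information, forwards and reversed."""
    parts = [username.lower()] + re.split(r"[^a-z]+", gecos.lower())
    tokens = {p for p in parts if len(p) >= 3}   # skip fragments too short to matter
    return tokens | {t[::-1] for t in tokens}

def check_password(password, username, gecos="", wordlist=SAMPLE_WORDS):
    """Return the reasons to reject a password; an empty list means acceptable."""
    reasons = []
    core = core_word(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if any(tok in core for tok in account_tokens(username, gecos)):
        reasons.append("derived from account information")
    if core in wordlist:
        reasons.append("dictionary word with simple mangling")
    return reasons

if __name__ == "__main__":
    # Constructed test cases; "toor" and "mypass" are the passwords used in the lab.
    for pw, user in [("toor", "root"), ("mypass", "testuser"),
                     ("Summer2024!", "alice"), ("copper-lantern-orbit-7", "alice")]:
        print(pw, "->", check_password(pw, user) or "ok")
```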

Happy Learning !!
