
Friday, January 30, 2015

Cracking Linux Password Hashes

Cracking Linux Password Hashes with Hashcat & John The Ripper

      What You Need for This:

  •   Kali Linux (if the above is not available)

    Creating a Test User:
    # useradd Joseph // Joseph is the name of the new user we are creating
    # passwd Joseph // Sets the password for user Joseph
    /*
    ** At the "Enter new UNIX password" prompt, enter a password
    ** At the "Retype new UNIX password" prompt, enter the same password again
    */



    Viewing the Password Hash

    In a Terminal window, execute this command:
    # tail /etc/shadow


    Finding Your Salt Value

    Look at the hash field following the username "Joseph". The $6$ prefix indicates a type 6 password hash (SHA-512-based crypt, many rounds). The characters after $6$, up to the next $, are the SALT.
    In my example, the SALT is tl9eNQ8.

    Understanding the Hash Algorithm

    The hash algorithm is defined in the file /etc/login.defs. To see the portion of that file that discusses the password hash algorithm, execute this grep command, which prints the line containing the string "ENCRYPT_METHOD" and the 18 lines after it:
    # grep -A 18 ENCRYPT_METHOD /etc/login.defs
    As you can see, Kali Linux uses SHA-512 hashes with the default of 5000 rounds:


    Procedure 1: Using Hashcat

    Making a Hash File

    In a Terminal window, execute these commands:

    # tail -n 1 /etc/shadow > crack1.hash
    # nano crack1.hash
    In the nano text editor, carefully delete the username Joseph and the colon after it, and everything after the hash, including all the colons, so that only the hash remains, as shown below:

    Press Ctrl+X, Y, Enter to save the file.

    Downloading a Word list

    We'll use a very small list of 500 common passwords.
    In a Terminal window, execute these commands:
    # wget http://www.scovetta.com/download/500_passwords.txt
    or use your own dictionary. I will be using the default dictionary of John The Ripper in Kali Linux.

    Cracking the Hash

    In a Terminal window, execute these commands:
    # hashcat -m 1800 -a 0 -o found1.txt --remove crack1.hash /usr/share/john/password.lst
    # cat found1.txt
    Explanation: This uses hashcat with these options:
    • Unix type 6 ($6$, SHA-512 crypt) password hashes (-m 1800)
    • Using a dictionary attack (-a 0)
    • Putting output in the file found1.txt
    • Removing each hash as it is found
    • Getting hashes from crack1.hash
    • Using the dictionary password.lst
    You should see the hash, with the cracked password of "Centaurs" at the end, as shown below:


    Procedure 2: Using John The Ripper
    In a Terminal window, execute these commands:
    # unshadow /etc/passwd /etc/shadow > crack_john.db
    // This combines the passwd and shadow files into crack_john.db, so john sees both the usernames and the hashes.
    # john --wordlist=/usr/share/john/password.lst crack_john.db
    Output should be like below:
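    As an added example (my own code, not from this post or from the hashcat/john projects), the Python script below audits /etc/shadow records the way the salt and ENCRYPT_METHOD sections above read them: it pulls out the algorithm id, salt and round count, flags legacy algorithms or low round counts, and, where the system crypt is available, checks an entry against a short deny-list, which is the same dictionary check the hashcat and john runs above perform on the test user. The Joseph/tl9eNQ8/Centaurs values come from the post; the sample records, the deny-list and the function and field names are my own.

```python
from typing import Optional

# passwd builds the $6$ field with crypt(3); Python's wrapper is deprecated in 3.11 and gone in 3.13.
try:
    import crypt
except ImportError:
    crypt = None

# Names for the id between the first two '$' of a crypt(3) hash ($id$[rounds=N$]salt$hash)
ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

def parse_shadow_line(line: str) -> dict:
    """Describe the password field (field 2) of one /etc/shadow record (assumed field layout)."""
    user, pw = line.rstrip("\n").split(":")[:2]
    info = {"user": user, "field": pw, "locked": pw == "" or pw[0] in "!*",
            "algorithm": None, "salt": None, "rounds": None}
    parts = pw.lstrip("!").split("$")        # "$6$tl9eNQ8$..." -> ["", "6", "tl9eNQ8", "..."]
    if len(parts) >= 4 and parts[0] == "":
        rest = parts[2:]
        if rest[0].startswith("rounds="):    # explicit cost, e.g. $6$rounds=100000$salt$hash
            info["rounds"], rest = int(rest[0][7:]), rest[1:]
        if len(rest) >= 2:
            info["algorithm"] = ALGORITHMS.get(parts[1], "id " + parts[1])
            info["salt"] = rest[-2]          # the characters between the last two '$'
            if info["rounds"] is None and parts[1] in ("5", "6"):
                info["rounds"] = 5000        # SHA-crypt default when rounds= is omitted
    elif not info["locked"]:
        info["algorithm"] = "DES (legacy)" if len(pw) == 13 else "unknown"
    return info

def weakness(info: dict) -> Optional[str]:
    """Why an entry deserves attention, or None when its parameters look acceptable."""
    if info["locked"]:
        return None
    if info["algorithm"] in ("MD5", "DES (legacy)", "unknown"):
        return "weak or legacy hash algorithm"
    return "rounds below the 5000 default" if info["rounds"] is not None and info["rounds"] < 5000 else None

def make_hash(password: str, salt: str) -> Optional[str]:
    """Build a $6$ hash the way passwd does; None if the system crypt cannot do SHA-512."""
    h = crypt.crypt(password, "$6$" + salt) if crypt else None
    return h if h and h.startswith("$6$") else None

def denylist_match(info: dict, denylist) -> Optional[str]:
    """Deny-listed password that reproduces the stored hash, or None (no match or no crypt)."""
    if crypt is None or info["locked"] or info["algorithm"] not in ("MD5", "SHA-256", "SHA-512"):
        return None
    return next((c for c in denylist if crypt.crypt(c, info["field"]) == info["field"]), None)

def demo() -> Optional[str]:
    """Constructed record for the post's test user (salt and password taken from the post)."""
    h = make_hash("Centaurs", "tl9eNQ8")
    return None if h is None else denylist_match(parse_shadow_line(f"Joseph:{h}:16465:0:99999:7:::"), ["password", "123456", "Centaurs"])
```

    Run against a copy of your own shadow file, `weakness()` points at entries still hashed with MD5 or DES or with a lowered round count, and `denylist_match()` reports which deny-listed password an entry is using; on systems without the crypt module only the parsing and parameter checks run.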