In this article we are going to show how to crack an /etc/shadow file using John the Ripper. It is common in CTF-like events to somehow get access to the shadow file, or part of it, and have to crack it so you can obtain a user's password.
The process involves two basic steps: the first is called unshadowing and the second is the cracking itself. Unshadowing combines the /etc/passwd file with the /etc/shadow file so that John can understand what we are feeding to it. unshadow is the tool that handles this task and it is part of the John package. To unshadow the shadow file we also need the equivalent line from passwd for the user of interest. An example is the following:
In order to unshadow the two files we need to execute
This stores the following in the unshadowed.txt file
The next and final step is to actually start the cracking with John. It is up to you which cracking method you choose, though a wordlist (dictionary) attack is usually enough for CTFs. An example attack using a wordlist would be launched like below
The result would be similar to the following picture
where, as we can see, John managed to crack the password of the user root, since it was included in the wordlist used.
If you would like to print all the passwords John managed to crack, you may run john --show unshadowed.txt
and you will get something like:
Conclusion
In this article we showed how John the Ripper can be used to crack the hashed password of a user that can be found in the /etc/shadow file. The process is pretty simple and straightforward yet if you find yourself stuck somewhere please feel free to reach out to me.
John is different from tools like Hydra. Hydra performs a blind brute-force attack by trying user name / password combinations against a service backend such as an FTP or telnet server. John, however, needs the hash first. So the bigger challenge for an attacker is obtaining the hash that needs to be cracked. Today it is easier to crack hashes with the free rainbow tables available online: just go to one of the sites and submit the hash; if the hash corresponds to a common word, the site will display that word almost immediately. A rainbow table basically stores common words and their corresponding hashes in a huge database; the larger the database, the more words it contains.
But if you want to crack passwords locally on your system, John is one of the great tools worth trying. John is one of the top 10 security tools in Kali Linux. On Ubuntu, it can be installed through the Synaptic Package Manager.
In this article, I will show you how to use the unshadow command together with John to crack a user's password on a Linux system. On Linux, the user name and password details are stored in the following two files.
The code is as follows:
/etc/passwd
/etc/shadow
The actual password hash is stored in /etc/shadow; you can read the file as long as you have root access to the machine. So try to access the file on your own Linux system, or first create a new user with a simple password. I'll create a new user on my Linux system called happy with the password chess.
The code is as follows:
root@<hostname>:~# adduser happy
Adding user `happy' ...
Adding new group `happy' (1001) ...
Adding new user `happy' (1000) with group `happy' ...
Creating home directory `/home/happy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for happy
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@<hostname>:~#
For the sake of demonstration, it’s better to use a simple password, so you don’t have to wait too long. Since our new user has been created, we can now crack their password.
The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create a file with the user name and password details. The usage is quite simple.
The code is as follows:
Usage: unshadow PASSWORD-FILE SHADOW-FILE
root@<hostname>:~# unshadow /etc/passwd /etc/shadow > ~/file_to_crack
We redirect the output of the unshadow command to a new file named file_to_crack.
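To make the file formats concrete, here is an added example (not code from the original article or from the John the Ripper project) that parses constructed /etc/passwd and /etc/shadow lines, joins them the way unshadow does (the placeholder 'x' in the second passwd field is replaced by the hash from the shadow entry), and then audits each account's password field from the administrator's side: which hash algorithm is in use, which accounts are locked, and which have an empty password field. All sample data and hashes below are made up and only have the right shape.

```python
import re

# Constructed sample input for this example (made-up hashes in the right shape,
# not real credentials and not the article's own files).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
happy:x:1000:1001:,,,:/home/happy:/bin/bash
legacy:x:1002:1002:Old Account:/home/legacy:/bin/sh
guest:x:1003:1003::/home/guest:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$MADEUPHASHMADEUPHASHMADEUPHASHMADEUPHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
happy:$1$saltsalt$MADEUPHASHMADEUPHASHMA:19000:0:99999:7:::
legacy:AbCdEfGhIjKlM:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Hash-id prefixes of the shadow password field and whether the algorithm is
# considered weak today (md5crypt and traditional DES crypt are).
_PREFIXES = [
    ("$y$", "yescrypt", False),
    ("$7$", "scrypt", False),
    ("$2a$", "bcrypt", False),
    ("$2b$", "bcrypt", False),
    ("$2y$", "bcrypt", False),
    ("$6$", "sha512crypt", False),
    ("$5$", "sha256crypt", False),
    ("$1$", "md5crypt", True),
]
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_colon_file(text, nfields):
    """Split a passwd- or shadow-style file into {user: [fields]}, skipping blank
    and comment lines. A line with the wrong field count is an error, not dropped."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        records[fields[0]] = fields
    return records


def unshadow(passwd_text, shadow_text):
    """Reproduce what `unshadow PASSWD SHADOW` prints: each passwd line with the
    placeholder 'x' in field 2 replaced by the hash from the matching shadow entry.
    Users with no shadow entry keep their passwd password field unchanged."""
    shadow = parse_colon_file(shadow_text, 9)
    lines = []
    for user, fields in parse_colon_file(passwd_text, 7).items():
        if user in shadow:
            fields = [fields[0], shadow[user][1]] + fields[2:]
        lines.append(":".join(fields))
    return lines


def classify(pw_field):
    """Return (label, weak) describing one shadow password field."""
    if pw_field == "":
        return "empty: login without a password may be allowed", True
    if pw_field.startswith("*") or pw_field in ("!", "!!"):
        return "locked: no usable hash", False
    if pw_field.startswith("!"):
        # 'passwd -l' prefixes the existing hash with '!': the account is locked,
        # but the hash is still on disk and still worth auditing.
        label, weak = classify(pw_field[1:])
        return f"locked, hash retained ({label})", weak
    for prefix, name, weak in _PREFIXES:
        if pw_field.startswith(prefix):
            return name, weak
    if _DES_RE.match(pw_field):
        return "traditional DES crypt (8-character password limit)", True
    return "unrecognised", True


def audit(passwd_text, shadow_text):
    """Return [(user, label, weak)] for every account in the unshadowed output."""
    findings = []
    for line in unshadow(passwd_text, shadow_text):
        user, pw_field = line.split(":")[:2]
        label, weak = classify(pw_field)
        findings.append((user, label, weak))
    return findings


if __name__ == "__main__":
    for line in unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(line)
    print()
    for user, label, weak in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{'WEAK' if weak else 'ok  '}  {user:<8} {label}")
```

Running it prints the unshadowed lines (the same shape as file_to_crack above) followed by one audit line per account; on a real system the same check run over the actual files is a quick way to find accounts still using md5crypt or DES hashes, or an empty password field, before anyone else does.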
Steps
Now let's take a look at the specific steps. Note that after a successful crack, john.pot stores only the cracked password, not the account information:
1. Enter the /root/john-1.7.8/run directory and read /etc/shadow with the unshadow tool provided by John
The code is as follows:
E.g. as root you can run: cat /etc/shadow > /root/john-1.7.8/run/passwd.txt
2. Use single crack mode to crack
The code is as follows:
This mode targets people who use their account name as their password: John tries variants of the user name according to the rules defined in the [List.Rules:Single] section of john.conf
The code is as follows:
If the crack is successful, you can view the result in john.pot or use:
The code is as follows:
3. Use wordlist mode to crack
Wordlist mode is relatively simple: you only need to specify where the dictionary file is. john.conf contains a default dictionary setting, Wordlist = $JOHN/password.lst, which points to the password.lst file in the run directory. The word-mangling rules for wordlist mode are defined in the [List.Rules:Wordlist] section of john.conf; below it there is also a [List.Rules:NT] section that defines a variant rule set.
The code is as follows:
Or
The code is as follows:
4. Use incremental mode to crack
Incremental is the most powerful mode: it enumerates all character combinations and tries each as a password, which is very time-consuming. The configuration file has sections such as [Incremental:All], [Incremental:Alpha], [Incremental:Digits], [Incremental:Alnum] and [Incremental:LanMan], and each section name has a corresponding character-set data file under run.
The code is as follows:
5. Use external mode to crack
External mode allows users to write their own cracking modes in (a subset of) the C language; john.conf already ships with several such external mode programs.
Parameter interpretation
--stdout outputs the generated candidate passwords to the screen instead of using them for cracking
--restore continues from the point where the last cracking run was interrupted. If the run is interrupted with Ctrl+C, the current status is saved in a file named restore; --restore reads the interruption point from that file and continues cracking
--session sets the name of the current session (log) file
--make-charset generates a character frequency table that can be used in incremental mode
--show displays the passwords that have been cracked; because john.pot stores no account information, you must pass the relevant passwd file when using --show
--test benchmarks the cracking speed of the machine for the various password hash types
--users restricts cracking to the given accounts, specified by user name or UID number; a leading '-' excludes those users instead
--groups restricts cracking to users in the given groups; a leading '-' excludes those groups instead
--shells restricts cracking to users with the given login shells; a leading '-' excludes those shells instead
--salts=COUNT loads only hashes whose salt is shared by at least COUNT passwords (the salt is the random value UNIX mixes into each password hash)
--format selects one of the predefined hash types: DES, BSDI, MD5, BF, AFS, LM
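The relationship between john.pot and --show described above is easy to see in code. The following added example (not code from the original article or from John the Ripper) loads a constructed john.pot, which holds only hash:plaintext pairs, and re-joins it with a constructed unshadowed file to produce the user:password lines that --show prints; without the passwd data the pot file cannot say which account a plaintext belongs to. The output format and the "cracked / left" counts only approximate what the real john --show prints, and all hashes and plaintexts are made up.

```python
# Constructed unshadowed file, in the same shape as `unshadow /etc/passwd /etc/shadow`
# output (made-up hashes; the "clone" account deliberately shares happy's hash).
UNSHADOWED_SAMPLE = """\
root:$6$saltsalt$MADEUPHASHMADEUPHASHMADEUPHASH:0:0:root:/root:/bin/bash
happy:$1$saltsalt$MADEUPHASHMADEUPHASHMA:1000:1001:,,,:/home/happy:/bin/bash
clone:$1$saltsalt$MADEUPHASHMADEUPHASHMA:1004:1004:Same hash as happy:/home/clone:/bin/bash
legacy:AbCdEfGhIjKlM:1002:1002:Old Account:/home/legacy:/bin/sh
"""

# Constructed john.pot: one `hash:plaintext` line per cracked hash and nothing else,
# which is why the pot file alone cannot tell you which account a password belongs to.
# Because it holds plaintexts, the real file deserves the same protection as /etc/shadow.
POT_SAMPLE = """\
$1$saltsalt$MADEUPHASHMADEUPHASHMA:chess
AbCdEfGhIjKlM:pa:ss
"""


def load_pot(text):
    """Map hash -> plaintext. A crypt hash never contains ':', so splitting at the
    first colon keeps a plaintext that itself contains ':' intact."""
    pot = {}
    for line in text.splitlines():
        if line:
            hash_value, plaintext = line.split(":", 1)
            pot[hash_value] = plaintext
    return pot


def show(unshadowed_text, pot_text):
    """Approximate `john --show FILE`: each passwd line whose hash is in the pot,
    with the hash replaced by the plaintext, plus (cracked, left) account counts.
    Two accounts that share a hash are both reported from one pot entry."""
    pot = load_pot(pot_text)
    cracked_lines, cracked, left = [], 0, 0
    for line in unshadowed_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        plaintext = pot.get(fields[1])
        if plaintext is None:
            left += 1
            continue
        cracked += 1
        cracked_lines.append(":".join([fields[0], plaintext] + fields[2:]))
    return cracked_lines, cracked, left


if __name__ == "__main__":
    lines, cracked, left = show(UNSHADOWED_SAMPLE, POT_SAMPLE)
    print("\n".join(lines))
    print(f"\n{cracked} password hashes cracked, {left} left")
```

The shared hash between happy and clone is the instructive case: two accounts with the same salt and the same password produce the same hash, so a single pot entry exposes both, which is one reason an administrator auditing a system should look for duplicate hashes in /etc/shadow as well as weak ones.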