Cracking the passwords from the shadow and passwd files.

So you’ve managed to get root on a linux virtual machine, congrats! However this isn’t where the fun stops. From here you can access the files containing the usernames and their hashed passwords. These files are known as the passwd and shadow files. They can be combined into one file using the unshadow tool so that you can then use John the Ripper on the combined file to attempt to crack the hashes to reveal the passwords.

Screenshot 2018-05-27 17.53.49

In the shell on the compromised system navigate to /etc/

cd etc

Then list the contents of the directory

ls

In the /etc/ folder will be two files shadow and passwd. Execute the following to display the contents of the files:

cat passwd

Copy and paste the information displayed into a new text file on your kali installation and save it as passwd. I chose to save the file in the Documents folder in another folder called unshadow. To do this in the terminal navigate to the Documents directory:

cd /root/Documents/

Create a new directory called Unshadow:

mkdir Unshadowed

Now do the same with the shadow file

cat shadow

Save the shadow file in the same directory, ‘Unshadowed’ as the passwd file.

To combine the shadow and passwd file you must run the following commands at the terminal prompt.

unshadow /root/Documents/Unshadowed/passwd /root/Documents/Unshadowed/shadow > unshadow.txt

You will then end up with three files in the Unshadowed directory:

Screenshot 2018-05-27 18.32.24

To start cracking the hashes simply enter the the following at the terminal making sure you are still in the unshadowed directory:

john unshadow.txt

And watch it go:

Screenshot 2018-05-27 17.31.15You can then use:

john --show unshadow.txt

to see the cracked passwords.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s