Cracking hashed passwords with John the Ripper
So you’ve acquired a shadow file
So… you have finally rooted the server and acquired the coveted /etc/shadow file. You want to make sure you can get back in later. What do you do now? If installing a rootkit is out of the question, or you would like to grab some passwords to pivot to other machines in the network, or whatever your use case: crack the passwords. This is much faster than brute-forcing from outside the network, because you have the hashes locally and can run the algorithm against them directly.
We use hashes because they are one-way functions: mathematically, you can compute the hash from the password but not the password from the hash. So a server can keep a list of hashes without storing the passwords in plain text. This makes it more difficult to pivot to other accounts within a system, or across a database. Say your password is hello123; its SHA256 hash is 27cc6994fc1c01ce6659c6bddca9b69c4c6a9418065e612c69d110b3f7b11f8a, but there isn’t a way to reverse that hash back to hello123 without having the password in a list, or simply running through all the combinations of characters until you encounter the matching hash.
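To make the one-way point concrete, here is a small added example (not from the original post) using Python's standard `hashlib`: the digest of a guess is cheap to compute, but the only way to get from a digest back to a word is to hash candidates and compare. The wordlist and the `lookup`/`audit_leaked_digests` helpers are constructed for the example; a real list has millions of entries. From a defender's side the same routine is how you check whether a leaked unsalted digest belongs to a password that any common wordlist already contains.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed sample wordlist for the example; a real one has millions of entries.
WORDLIST = ["password", "letmein", "hello123", "qwerty", "Summer2019"]


def sha256_hex(text: str) -> str:
    """Forward direction only: easy to compute, no known way to invert."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def lookup(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the word whose SHA-256 equals target_hex, or None if no word matches.

    This is the whole mechanism behind wordlist cracking: each guess is hashed
    in the forward direction and compared; the digest itself is never reversed.
    """
    target_hex = target_hex.lower()
    for word in wordlist:
        if sha256_hex(word) == target_hex:
            return word
    return None


def audit_leaked_digests(digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each digest a wordlist can recover to its password.

    A defender runs this over digests from a leak to find the accounts whose
    passwords are already public knowledge and must be reset.
    """
    words = list(wordlist)
    recovered = {}
    for digest in digests:
        word = lookup(digest, words)
        if word is not None:
            recovered[digest] = word
    return recovered


if __name__ == "__main__":
    # The post's example password. Compare the printed digest with the one in the text.
    digest = sha256_hex("hello123")
    print(digest)
    print(lookup(digest, WORDLIST))  # found, because hello123 is in the list
    print(lookup(sha256_hex("correct horse battery staple"), WORDLIST))  # None: not in the list
```

Note that the cost of `lookup` is one SHA-256 per guess, which is why a plain fast hash offers almost no protection once the digest is known; the crypt formats discussed below ($6$, $y$) are deliberately slow per guess for exactly this reason.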
Here is where John the Ripper comes in.
Note: If your password hash or file format is not supported, you can try the Jumbo branch of John the Ripper (available on GitHub).
Let’s show the help page:
Note that all the “=” signs are important and must be used for correct syntax.
Please note that you need both the /etc/shadow and the /etc/passwd files for this to work, and the passwd must be specified first for unshadow.
You’ll need a good wordlist to crack passwords in any reasonable amount of time. I host some here.
Now that you have unshadowed the hash you can run:
I used zcat to gunzip the password list on the fly (it is large, so it is stored gzip-compressed). I also specified the format as crypt because $y$ isn’t always detected reliably as a hash, specified stdin as the input because the wordlist is piped in from zcat, and restricted the run to the single username “marshall”, my test hash.
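Since the hash type is announced by the `$id$` prefix of the second shadow field (the `$y$` mentioned above is yescrypt), the same prefix lets an administrator audit a shadow file for accounts that would fall quickly to exactly this kind of offline run. The following Python auditor is an added example, not part of the original post or of John the Ripper: the shadow lines are constructed, the hash bodies are fake placeholders, and the `HASH_IDS` table covers the common crypt(3) identifiers only.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# crypt(3) "$id$" prefixes seen in the second field of /etc/shadow.
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
# Fast legacy schemes: cheap to guess offline, should be rehashed at next login.
WEAK_ALGORITHMS = {"des", "md5crypt"}

# Constructed sample shadow file; every hash body is a fake placeholder.
SAMPLE_SHADOW = """
root:$6$rounds=5000$saltsalt$FAKESHA512CRYPTHASH:19000:0:99999:7:::
marshall:$y$j9T$FAKESALTFAKE$FAKEYESCRYPTHASH:19000:0:99999:7:::
legacy:$1$abcdefgh$FAKEMD5CRYPTHASH:18000:0:99999:7:::
olddes:AbCdEfGhIjKlM:15000:0:99999:7:::
nopass::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:!:19000:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    algorithm: str
    severity: str  # "critical", "high", "medium", "ok", "info"
    note: str


def classify_hash(field: str) -> Tuple[str, str, str]:
    """Return (algorithm, severity, note) for one shadow password field."""
    if field == "":
        return "none", "critical", "empty password field: login needs no password"
    if field.startswith(("!", "*")):
        return "locked", "info", "account locked or password login disabled"
    match = re.match(r"^\$([^$]+)\$", field)
    if match:
        algorithm = HASH_IDS.get(match.group(1), "unknown-" + match.group(1))
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        algorithm = "des"  # traditional 13-character DES crypt, no "$id$" prefix
    else:
        algorithm = "unknown"
    if algorithm in WEAK_ALGORITHMS:
        return algorithm, "high", f"legacy {algorithm} hash: fast to guess offline"
    if algorithm.startswith("unknown"):
        return algorithm, "medium", "unrecognised hash format, verify by hand"
    return algorithm, "ok", "modern slow hash"


def audit_shadow(lines: List[str]) -> List[Finding]:
    """Classify every account in a list of shadow lines."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        algorithm, severity, note = classify_hash(fields[1])
        findings.append(Finding(fields[0], algorithm, severity, note))
    return findings


def accounts_needing_action(lines: List[str]) -> List[str]:
    """Users whose password field should be fixed before an attacker gets the file."""
    return [f.user for f in audit_shadow(lines) if f.severity in ("critical", "high")]


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"{finding.user:10} {finding.algorithm:14} {finding.severity:8} {finding.note}")
    print("needs action:", accounts_needing_action(SAMPLE_SHADOW.splitlines()))
```

On a live system you would read `/etc/shadow` as root and pass `f.read().splitlines()` in place of the sample; a user showing up as `des` or `md5crypt` (or with an empty field) is the one this post's wordlist run would recover first.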
You should now see some output similar to:
If you somehow miss the password the first time the crack finishes, you can always call it back from the database by running:
There are a plethora of “rule” sets you can also use to improve your crack reliability (if the password isn’t in the list already), but note that this will increase crack time considerably.
Hope you’ve enjoyed my John the Ripper cracking tutorial, and happy hashing!