For the sake of this post, we will use the /etc/passwd and /etc/shadow files on my local Backtrack VM. To use it, we simply need to specify the passwd file, and the shadow file. John the Ripper's tool suite provides a nifty tool to merge these two files into one called "unshadow". The following diagram will hopefully help illustrate the format used in the passwd (and essentially the shadow) files:Īn important thing to note is that these two files have some overlapping content. This file is only readable by the superuser (root), so there is far less of a security risk associated with this file. Now, instead of a password hash, this file contains an "x" to indicate that the password details are located in a different place: the /etc/shadow file. However, this caused security issues since the file was readable by all users on the system. Traditionally (according to Wikipedia, before 1988) password hashes for account were stored in the /etc/passwd file. Now, to better maintain access, and to facilitate further intrusion, we will attempt to extract and crack the password hashes on the host.īefore we can crack the password hashes, we first need to know where they are stored. Our scenario is the following: We have just compromised and gained root access to a Unix machine on our target's network.
![john the ripper unshadow john the ripper unshadow](https://www.blackmoreops.com/wp-content/uploads/2015/11/Cracking-password-using-John-the-Ripper-in-Kali-Linux-blackMORE-Ops-2.jpg)
I am also working on a follow-up post that will provide a far more comprehensive look at password cracking techniques as well as the different tools employed (as well as their pros/cons).
#JOHN THE RIPPER UNSHADOW HOW TO#
This post will serve as an introduction to password cracking, and show how to use the popular tool John-the-Ripper (JTR) to crack standard Unix password hashes.