> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/offline-cracking/trick-0007.md).

# Crack Shadow File Password Hash

***

John the Ripper is an offline password cracking tool, notable for supporting a diversity of password formats. It is a widely used tool that can handle various hash types, including those used in Linux systems. John cracks passwords by attempting to replicate the password-handling functionality of a target storage mechanism so that numerous password values can be attempted without relying on password validation.

Before using John the Ripper, you may need to install it. On Debian-based Linux systems, you can install it using:

```bash
apt update
apt install -y john
```

Once the installation is complete, verify that John the Ripper is installed by checking its version:

```bash
john --version
```

You should see output similar to this, confirming the tool is ready:

```
John the Ripper 1.9.0-jumbo-1
```

Linux systems typically store cryptographically hashed user passwords in crypt format in the `/etc/shadow` file. Linux password hashes in `/etc/shadow` typically use algorithms like SHA-512, indicated by `$6$` in the hash string.

Once content from the `/etc/shadow` file is obtained, you may need to combine it with `/etc/passwd` for John to process it correctly. The `unshadow` command, often distributed with John the Ripper, can be used for this purpose:

```bash
unshadow /etc/passwd /etc/shadow > hashes_for_john.txt
```

Then, extract the specific user's hash line or use the whole `hashes_for_john.txt` file. If you are targeting a specific user and have their hash line, save this line to a file:

```bash
echo "root:\$6\$07nYFaYf\$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::" > root_hash.txt
```

For practice, you can also create a sample file containing dummy Linux password hashes. These hashes simulate the format found in the `/etc/shadow` file:

```bash
echo -e "user1:\$6\$randomsalt\$hashedpasswordstring:18234:0:99999:7:::\nuser2:\$6\$anothersalt\$anotherhashedpasswordstring:18234:0:99999:7:::" > /root/sample_hashes.txt
```

To confirm the file was created correctly, display its contents:

```bash
cat /root/sample_hashes.txt
```

You should see output like this:

```
user1:$6$randomsalt$hashedpasswordstring:18234:0:99999:7:::
user2:$6$anothersalt$anotherhashedpasswordstring:18234:0:99999:7:::
```

Use an offline password cracker like John the Ripper against the file containing the hash(es). If you provide no other options than the hash file, John the Ripper will attempt to determine the hash format and will try its built-in cracking modes sequentially: single crack mode (using information like the username to guess passwords), wordlist mode (using its default `password.lst`), and then incremental mode (which tries all possible character combinations).

```bash
john /root/sample_hashes.txt
```

During execution, you might see output like this:

```
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single mode
Trying common passwords...
```

For more targeted cracking, use a wordlist against the file containing the hash:

```bash
john --wordlist=/path/to/wordlist.txt root_hash.txt
```

Replace `/path/to/wordlist.txt` with your chosen dictionary (e.g., `/usr/share/wordlists/rockyou.txt`). John will attempt to crack the hash using the wordlist.

You can also create a small custom wordlist for testing. Run the following command to create this file:

```bash
echo -e "password123\nadmin123\nsimplepass\ntest1234\nqwerty" > /root/custom_wordlist.txt
```

Then, use this custom wordlist with John the Ripper:

```bash
john --wordlist=/root/custom_wordlist.txt /root/sample_hashes.txt
```

While not necessary in every case, it's helpful to know the format passwords are stored in. You can specify the format to John. For example, for standard crypt hashes common in older Linux shadow files:

```bash
john --format=crypt hashes_for_john.txt
```

For potentially faster cracking on multi-core systems and to apply transformations to wordlist entries, you can use the `--rules` and `--fork` options. The `--rules` option enables John’s built-in permutation rules (e.g. capitalizing the first and last letters of words, adding random numbers to the end of words, etc.). The `--fork` option allows you to specify the number of CPU cores to use.

```bash
john --wordlist=/path/to/wordlist.txt --rules --fork=3 hashes_for_john.txt
```

After the cracking process completes, or even while it's running in another terminal, check if any passwords were cracked by running this command:

```bash
john --show /root/sample_hashes.txt
```

The output will display any cracked passwords, potentially looking like this if successful:

```
user1:password123
user2:simplepass

2 password hashes cracked, 0 left
```

The format is typically `username:password`.
