In this article we showed how John the Ripper can be used to crack the hashed password of a user that can be found in the /etc/shadow file. If you would like to print all the passwords John managed to crack you may run john -show unshadowed.txt and you will get something like:
Where as we see John managed to crack the password of the user root as it was included in the wordlist used. The result would be similar to the following picture
John -wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt An example attack using a wordlist would be launched like below It is up to you which cracking method you will chose, though a bruteforcing using a wordlist is usually enough for CTFs. Next and final step is to actually start the cracking with John. Root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:0:0:root:/root:/bin/bash Which will store in the unshadowed.txt file the following In order to unshadow to the two files we need to execute unshadow passwd.txt shadow.txt > unshadowed.txt In order to unshadow the shadow file we need to also have the equivalent line from the passwd for the user of our interest. Unshadow is a tool that handles this task and it is part of the John package. Unshadowing is a process where we combine the /etc/passwd file along with the /etc/shadow in order for John to be able to understand what we are feeding to it. The process involves two basic steps, the first is called unshadowing while the second is the cracking itself. It is common in CTF like events to somehow get access to the shadow file or part of it and having to crack it so you can get the password of a user.
External mode: Optional mode in which John may use program code to generate words.In this article we are going to show how we can crack /etc/shadow file using John the Ripper. John the Ripper can automatically detect password hash types and can be used to crack multiple encrypted password formats that include several crypt hash types most frequently found on different Unix versions (based on Blowfish, MD5, or DES), Windows NT/2000/XP/2003 LM, and Kerberos AFS hash. Incremental mode (aka Brute-Force attack): Tries all possible character combination 4. Wordlist mode: Tries all words in the wordlist 3. Single crack mode: Tries mangling usernames obtained from the GECOS field, and tries them as possible passwords 2. John supports 4 modes of password cracking: 1. If that would have been unsuccessful too John would have proceeded to Incremental mode, also known as Brute-Force attack in which all possible character combinations are tried. Preceding that, we see in the line starting with ‘ Proceeding with single’ that John initially started in Single cracking mode and then proceeded to Wordlist mode after unsuccessfully crack.
In the screenshot above, we see in the line starting with ‘ Proceeding with wordlist’ that John successfully cracked the password in Wordlist mode using John’s default wordlist file password.lst. John found that the hash value stored in the file belonged to the password ‘secret’.