
Exercise 36: Cracking Linux Password Hashes Using John the Ripper

Jul 2, 2025

Objective: Use John the Ripper to crack Linux password hashes from the /etc/shadow file, and learn how to secure password storage to prevent such attacks.


Scenario: The /etc/shadow file in Linux stores hashed passwords for user accounts. Attackers who gain access to this file can attempt to crack the hashes to reveal plaintext passwords. Your task is to simulate this process using John the Ripper and implement measures to strengthen password security.


Lab Setup

  1. Environment:
    • A Linux lab system you control, with root (sudo) access, since only root can read /etc/shadow.
  2. Tools Required:
    • John the Ripper (provides both the john and unshadow commands).
    • A wordlist for dictionary-based attacks (e.g., rockyou.txt).

Lab Steps

Step 1: Extract Password Hashes

  1. Copy the /etc/shadow file (requires root privileges): sudo cat /etc/shadow > shadow.txt
    • The redirection happens in your unprivileged shell, but cat runs as root, so the command works. The copy is exactly as sensitive as the original: keep it inside the lab directory and destroy it (shred -u shadow.txt hashes.txt) when the exercise is over.
  2. Extract the corresponding /etc/passwd file: cat /etc/passwd > passwd.txt
  3. Use the unshadow command (part of John the Ripper) to combine the files into a format readable by John: unshadow passwd.txt shadow.txt > hashes.txt
    • Each output line is the passwd entry with its x replaced by the shadow hash. That is why both files are needed: John gets the login name, GECOS and home directory of every user and tries them as candidates in its "single crack" mode.

Step 2: Perform a Dictionary Attack

  1. Run John the Ripper with a wordlist: john --wordlist=/path/to/wordlist.txt hashes.txt
    • Replace /path/to/wordlist.txt with the location of your wordlist. John recognises sha512crypt from the $6$ prefix. For yescrypt hashes ($y$ prefix, the default on recent Debian and Ubuntu releases) John has no native format and you must pass --format=crypt, which calls the system crypt(3) and is considerably slower.
    • Add --rules to apply John's mangling rules (appended digits, capitalised first letter, leetspeak and so on) to every wordlist entry before resorting to brute force.
  2. Check progress and results: press any key in the running session (or run john --status) for a status line with the guesses-per-second rate; list the passwords cracked so far with: john --show hashes.txt
    • Example output: user1:password123:1000:1000:User One:/home/user1:/bin/bash (the recovered password is followed by the remaining passwd fields; John also records every cracked hash in ~/.john/john.pot, so --show works after the session has ended).

Step 3: Perform a Brute-Force Attack

  1. If the dictionary attack fails, fall back to John's incremental mode, which enumerates candidate passwords exhaustively in an order learned from real password statistics: john --incremental hashes.txt
    • Expect this to be slow. sha512crypt performs 5,000 SHA-512 iterations per guess by default and yescrypt is deliberately memory-hard, so a CPU core manages on the order of thousands of guesses per second; incremental mode is realistic only for short or numeric passwords. If you know the site's password policy, narrow the search with a mask instead, e.g. john --mask='?d?d?d?d?d?d' hashes.txt for six-digit PINs.
  2. Monitor progress and record any successfully cracked passwords (john --show hashes.txt).

Step 4: Test Cracked Passwords

  1. Log in as the user with the cracked password: su - <username>
    • su prompts for the target account's password. A locked account (hash prefixed with ! in /etc/shadow) refuses even the correct password, which is why cracking a locked hash is of limited use to an attacker unless the same password is reused elsewhere.
  2. Verify access and check whether the account can escalate privileges: sudo -l
    • Any entry listed here, in particular (ALL : ALL) ALL or NOPASSWD rules, means the cracked password also yields root.
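Steps 1 to 4 as one script: the following Python program is an added example written for this exercise, not code from the page or from the John the Ripper project. It reproduces what unshadow does (replace the x in each passwd line with the hash from the matching shadow line) and, unlike unshadow(8), drops the entries John cannot crack (* and ! placeholders, users with no shadow entry) and reports locked accounts whose hash is still present. The PASSWD and SHADOW contents embedded in it are constructed sample files and every hash string is a placeholder, not a real hash.

```python
"""unshadow in Python, plus a filter for entries John cannot crack.

Added example for this exercise; it is not code from the page or from the
John the Ripper project. PASSWD and SHADOW below are constructed sample
files and every hash value in them is a placeholder, not a real hash.
"""
import sys

# Constructed /etc/passwd content (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/usr/sbin/nologin
legacy:x:1002:1002::/home/legacy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed /etc/shadow content; field 2 is the password hash.
# root uses yescrypt ($y$), user1 sha512crypt ($6$), legacy md5crypt ($1$).
# svc was locked with `usermod -L`, which prefixes the hash with '!'.
# nobody is deliberately absent to show what happens without a shadow entry.
SHADOW = """\
root:$y$j9T$SALTSALTSALTSALT$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLA:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
user1:$6$abcdefgh$PLACEHOLDERHASH:19900:0:99999:7:::
svc:!$6$zyxwvuts$PLACEHOLDERHASH:19900:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:19900:0:99999:7:::
"""


def parse_colon_file(text):
    """Map username -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def classify_hash(field):
    """Classify a shadow password field.

    'hash'        a crackable hash
    'locked-hash' hash present but login disabled ('!' prefix from usermod -L / passwd -l)
    'none'        nothing to crack: empty, '*', '!', '!!' or an unresolved 'x'
    """
    bare = field.lstrip("!")
    if bare in ("", "*", "x"):
        return "none"
    return "locked-hash" if bare != field else "hash"


def unshadow(passwd_text, shadow_text, include_locked=False):
    """Return (john_lines, skipped).

    john_lines mirrors unshadow(8): each passwd line with its 'x' replaced by
    the shadow hash, so John also sees the login name and GECOS field for its
    single-crack mode. Unlike unshadow(8), entries with nothing to crack are
    dropped and reported in `skipped` (username -> reason).
    """
    shadow = parse_colon_file(shadow_text)
    john_lines, skipped = [], {}
    for name, fields in parse_colon_file(passwd_text).items():
        hash_field = shadow[name][1] if name in shadow else fields[1]
        kind = classify_hash(hash_field)
        if kind == "none":
            skipped[name] = "no password hash"
            continue
        if kind == "locked-hash" and not include_locked:
            skipped[name] = "account locked (hash present, but su would be refused)"
            continue
        out = list(fields)
        out[1] = hash_field.lstrip("!")  # the '!' is a lock marker, not part of the hash
        john_lines.append(":".join(out))
    return john_lines, skipped


if __name__ == "__main__":
    lines, skipped = unshadow(PASSWD, SHADOW)
    for line in lines:
        print(line)  # redirect stdout to hashes.txt and hand it to john
    for user, reason in skipped.items():
        print(f"skipped {user}: {reason}", file=sys.stderr)
```

Redirecting the script's standard output to hashes.txt gives John the same input as Step 1 produces, minus the lines it would have to skip anyway; pass include_locked=True if you also want to test locked accounts for password reuse.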

Solution

Explanation:

  • The /etc/shadow file contains hashed passwords. An attacker who obtains a copy cracks them offline, so account lockout, login rate limiting and failed-login auditing never trigger; the only remaining defences are the strength of each password and the cost of the hash function.
  • Tools like John the Ripper recover plaintexts by hashing candidate passwords (from a wordlist, mangling rules or exhaustive enumeration) with each entry's own salt and comparing the result to the stored hash. The salt defeats precomputed tables and forces the attacker to work per user; it does not make an individual guess any slower, which is what the work factor of the algorithm is for.

Prevention:

  1. Use a Strong, Slow Hashing Algorithm:
    • The algorithm is selected by pam_unix for passwd and by ENCRYPT_METHOD in /etc/login.defs for chpasswd and newusers; keep the two consistent. Argon2 is not available in glibc/libxcrypt, and authconfig (deprecated in favour of authselect on RHEL-family systems) never accepted bcrypt, so the realistic choices are yescrypt (the default on recent Debian, Ubuntu and Fedora releases) or sha512crypt with a raised work factor.
    • Debian/Ubuntu: in /etc/pam.d/common-password make the pam_unix line read: password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt and in /etc/login.defs set: ENCRYPT_METHOD YESCRYPT
    • If you must stay on SHA-512, raise the cost instead: replace the yescrypt option with sha512 rounds=500000 and set SHA_CRYPT_MIN_ROUNDS 500000 in /etc/login.defs. Every extra round costs the attacker the same factor per guess that it costs your logins.
    • Existing hashes are not converted; each one is regenerated only when that user next changes their password. Force this with chage -d 0 <username> and confirm the new prefix ($y$, or $6$rounds=...) with sudo grep '^<username>:' /etc/shadow.
  2. Enforce Password Complexity:
    • Use libpam-pwquality to enforce strong password policies: sudo apt install libpam-pwquality
    • Configure /etc/security/pwquality.conf with rules such as: minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
  3. Restrict Access to /etc/shadow:
    • The file must never be readable by ordinary users, but the correct mode depends on the distribution: Debian/Ubuntu ship it as -rw-r----- root shadow (mode 640; the shadow group lets setgid helpers such as unix_chkpwd verify passwords), while RHEL-family systems ship it as mode 000 root:root. Check with ls -l /etc/shadow and restore your distribution's default if it has drifted; running chmod 600 /etc/shadow on Debian can break tools that rely on the shadow group. Apply the same check to the backup copy /etc/shadow- and to /etc/gshadow.
  4. Audit User Accounts:
    • Regularly review accounts for weak or default passwords by running this same John workflow against an authorised copy of /etc/shadow, and review the file itself for entries with an empty password field, legacy $1$ (md5crypt) or 13-character DES hashes, and service accounts that carry a password at all (they should normally have * or ! and a nologin shell).

Testing and Verification

  1. Attempt to crack the hashes again after switching algorithms or raising the rounds, with the same wordlist, and compare John's reported c/s (guesses per second) with the earlier run. The new algorithm applies only to hashes regenerated after the change (chage -d 0 <username> forces it); a user who has not changed their password still carries the old hash.
  2. Test password policies by creating user accounts with weak passwords and verifying they are rejected.
  3. Confirm that /etc/shadow (and /etc/shadow-) is restricted to root, plus the shadow group on Debian-based systems: ls -l /etc/shadow /etc/shadow- must show no permissions at all for "other".
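To close the loop on Prevention items 1, 3 and 4 and on Testing items 1 and 3, here is an added audit script (Python, written for this exercise; not code from the page or from any distribution) that classifies every hash in a shadow file by algorithm and work factor, lists the users whose password must be regenerated, and checks the file's mode and ownership against the Debian and RHEL conventions. The shadow lines in it are constructed with placeholder hashes, and the 100,000-round threshold and the accepted permission set are policy assumptions of this example, not glibc or distribution defaults.

```python
"""Audit shadow hashes and /etc/shadow permissions after hardening.

Added example for this exercise, not code from the page or from any
distribution. SAMPLE_SHADOW is constructed and its hashes are placeholders.
MIN_SHA_CRYPT_ROUNDS and ACCEPTED_PERMS encode this example's policy
assumptions, not glibc or distribution defaults.
"""
import os
import re
import stat

DEFAULT_SHA_CRYPT_ROUNDS = 5000   # what glibc uses when no rounds= field is present
MIN_SHA_CRYPT_ROUNDS = 100_000    # policy assumption: flag sha256/512crypt below this

# Assumed acceptable (mode, owner, group) layouts: Debian/Ubuntu default is
# 0640 root:shadow, RHEL-family default is 0000 root:root; 0600 root:root is
# also tolerated. Anything else is reported so the admin can decide.
ACCEPTED_PERMS = {(0o640, "root", "shadow"), (0o000, "root", "root"), (0o600, "root", "root")}

# Constructed sample (not from a real host). One entry per case of interest.
SAMPLE_SHADOW = """\
root:$y$j9T$SALTSALTSALTSALT$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLA:19900:0:99999:7:::
alice:$6$rounds=500000$abcdefgh$PLACEHOLDERHASH:19900:0:99999:7:::
bob:$6$abcdefgh$PLACEHOLDERHASH:19900:0:99999:7:::
carol:$1$abcdefgh$PLACEHOLDERHASH:19900:0:99999:7:::
dave:abCDefGHijKLm:19900:0:99999:7:::
eve:$2b$12$abcdefghijklmnopqrstuvPLACEHOLDERHASH:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
"""

STRONG = {"y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt",
          "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def audit_hash(field):
    """Return (algorithm, rounds, verdict) for one shadow password field."""
    h = field.lstrip("!")                       # '!' is only a lock marker
    if h in ("", "*", "x"):
        return ("none", None, "no hash")
    if not h.startswith("$"):
        return ("descrypt", None, "weak: replace")   # 13-char traditional DES crypt
    parts = h.split("$")                        # '', id, [rounds=N,] salt, hash
    alg_id = parts[1]
    if alg_id in STRONG:
        return (STRONG[alg_id], None, "ok")
    if alg_id == "1":
        return ("md5crypt", None, "weak: replace")
    if alg_id in ("5", "6"):
        name = "sha256crypt" if alg_id == "5" else "sha512crypt"
        m = re.match(r"rounds=(\d+)$", parts[2])
        rounds = int(m.group(1)) if m else DEFAULT_SHA_CRYPT_ROUNDS
        if rounds < MIN_SHA_CRYPT_ROUNDS:
            return (name, rounds, f"low work factor ({rounds} rounds)")
        return (name, rounds, "ok")
    return (f"unknown(${alg_id}$)", None, "review")


def audit_shadow(text):
    """Audit every entry of a shadow file; returns [(user, algorithm, rounds, verdict)]."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        alg, rounds, verdict = audit_hash(fields[1])
        report.append((fields[0], alg, rounds, verdict))
    return report


def needs_reset(report):
    """Users whose hash must be regenerated; force it with `chage -d 0 <user>`."""
    return [user for user, _alg, _rounds, verdict in report
            if verdict not in ("ok", "no hash")]


def perms_acceptable(mode, owner, group):
    """True if (mode, owner, group) is an accepted layout and 'other' has no bits at all."""
    if mode & stat.S_IRWXO:
        return False                            # world-accessible is never acceptable
    return (mode, owner, group) in ACCEPTED_PERMS


def check_shadow_file(path="/etc/shadow"):
    """Live check of the real file; stat() needs no read access, so it works unprivileged."""
    import grp
    import pwd
    st = os.stat(path)
    return perms_acceptable(stat.S_IMODE(st.st_mode),
                            pwd.getpwuid(st.st_uid).pw_name,
                            grp.getgrgid(st.st_gid).gr_name)


if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for user, alg, rounds, verdict in report:
        print(f"{user:10} {alg:14} rounds={rounds or '-':<8} {verdict}")
    print("force password change for:", ", ".join(needs_reset(report)) or "nobody")
```

Run as shown it audits the constructed sample; point audit_shadow at the contents of an authorised copy of /etc/shadow and call check_shadow_file() on a real host to cover Testing items 1 and 3 in one pass. Note that bcrypt's $2b$12$ cost and yescrypt's j9T parameter string are reported as "ok" without being parsed; both are far above the md5crypt and DES cases the script is meant to catch.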

Reflection

This exercise demonstrates how attackers can crack Linux password hashes and highlights the importance of strong password policies and secure storage practices. By applying these techniques, you can protect user credentials and enhance system security.
