Cracking Linux Password Hashes

Muhammad Abdullah Niazi
Published in InfoSec Write-ups
4 min read · Feb 28, 2025

Understanding how passwords are stored and hashed is essential both for securing systems and for testing how well they resist attack. Modern Linux systems store password information in the /etc/shadow file, hashed with algorithms such as yescrypt and sha512crypt. This blog outlines how to analyze password hashes with John the Ripper and Hashcat, along with other specialized tools.

Understanding Linux Password Hashes

Linux stores user password information in the /etc/shadow file, which is readable only by privileged users such as root. The file contains one entry per account, one per line, and each entry holds the password hash and related account details. Let’s break down an example:

kali:$y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9:20057:0:99999:7:::

Components of the Hash Entry

  1. Username: kali
  2. Password Hash: $y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9
    • This is the actual password hash.
    • It uses the yescrypt algorithm, as indicated by the $y$ prefix.
    • Structure:
      • $y$: Indicates the yescrypt algorithm.
      • j9T: Parameters for hashing (cost factors, memory usage).
      • ufXTBpN1QpgwlgqRFmb/B0: Salt used during hashing.
      • /.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9: The hashed password.
  3. Metadata Fields:
    • 20057: Last password change date (in days since January 1, 1970).
    • 0: Minimum password age (days before the password can be changed again; 0 means no restriction).
    • 99999: Maximum password age (days after which the password must be changed; 99999 effectively means no expiration).
    • 7: Password warning period (days before expiration when the user is warned).
    • :::: Additional unused fields.

Common Hash Types in Linux

Linux supports various hashing algorithms, depending on the system configuration. Below are some common hash types you may encounter:

  • MD5 ($1$): Older hashing algorithm. Rarely used in modern systems.
  • SHA-256 ($5$): Secure hashing algorithm, but slower than sha512crypt.
  • SHA-512 ($6$): Default hashing algorithm for many Linux distributions.
  • yescrypt ($y$): Modern, computationally expensive algorithm designed to resist brute force.
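The field layout and prefix list above can be turned into a small audit that reads shadow-format lines and reports accounts stored with a weak scheme, without ever touching the hash value. This is an added example, not code from the original post; the function names are hypothetical, and rating only md5crypt as weak is an assumption of the example.

```python
from datetime import date, timedelta

# Prefix id -> (scheme, acceptable?). The prefixes are the ones listed in this article;
# rating only md5crypt as weak is this example's assumption, not a standard.
SCHEMES = {"1": ("md5crypt", False), "5": ("sha256crypt", True),
           "6": ("sha512crypt", True), "y": ("yescrypt", True)}

def parse_shadow_line(line):
    """Split one /etc/shadow line into its fields and note audit findings."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    pw = f[1]
    e = {"user": f[0], "scheme": "unknown", "params": "", "salt": "",
         "last_change": None, "findings": []}
    if pw == "":
        e["scheme"] = "none"
        e["findings"].append("empty password field")
    elif pw[0] in "!*":
        e["scheme"] = "locked"                    # password login disabled
    elif pw.startswith("$"):
        parts = pw.split("$")                     # ['', id, (params,) salt, hash]
        e["scheme"], ok = SCHEMES.get(parts[1], ("unknown", False))
        if len(parts) == 5:                       # $y$params$salt$hash or $6$rounds=N$salt$hash
            e["params"], e["salt"] = parts[2], parts[3]
        elif len(parts) == 4:                     # $6$salt$hash
            e["salt"] = parts[2]
        if not ok:
            e["findings"].append(f"weak or unrecognised scheme: {e['scheme']}")
    else:
        e["scheme"] = "legacy"
        e["findings"].append("hash without $id$ prefix")
    if f[2].isdigit() and int(f[2]) > 0:          # days since January 1, 1970
        e["last_change"] = date(1970, 1, 1) + timedelta(days=int(f[2]))
    e["expires"] = f[4].isdigit() and int(f[4]) < 99999
    return e

def audit(lines):
    """Return {user: findings} for every entry that needs attention."""
    entries = (parse_shadow_line(l) for l in lines if l.strip())
    return {e["user"]: e["findings"] for e in entries if e["findings"]}

# Sample input: the first line is the article's entry; the other two are constructed.
SAMPLE = [
    "kali:$y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9:20057:0:99999:7:::",
    "legacyapp:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE000:18000:0:90:7:::",
    "daemon:*:19000:0:99999:7:::",
]
```

Calling audit(SAMPLE) reports only the constructed legacyapp account, and parse_shadow_line on the article's entry decodes 20057 to the calendar date of the last password change.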

Tools for Cracking Password Hashes

The strength of password hashes can be tested with specialized tools such as John the Ripper and Hashcat, among others. The following section explains how each tool is used and gives the specific options for different hash types.

John the Ripper: John the Ripper is a versatile password-cracking tool that supports a wide range of hash formats. Here’s how to use it:

  1. Extract the hash portion from /etc/shadow and save it in a file (e.g., passwords.txt):
    kali:$y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9
  2. Run John with the appropriate format:
    • For yescrypt:
      john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
    • For sha512crypt ($6$):
      john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
  3. View the cracked password:
    john --show passwords.txt

Tips:

  • John automatically detects the hash type when using --format=crypt.
  • It supports dictionary attacks (--wordlist) and brute-force attacks (--incremental).

Hashcat: Hashcat is a GPU-accelerated password-cracking tool that excels at high-speed cracking. It supports a wide range of hash modes and is highly configurable.

Steps to Crack a Hash:

  1. Identify the hash mode:
    • yescrypt: Mode -m 28800
    • sha512crypt: Mode -m 1800
  2. Run Hashcat with the appropriate mode (--username makes Hashcat skip the leading kali: field in passwords.txt):
    • For yescrypt:
      hashcat -m 28800 -a 0 --username passwords.txt /usr/share/wordlists/rockyou.txt
    • For sha512crypt:
      hashcat -m 1800 -a 0 --username passwords.txt /usr/share/wordlists/rockyou.txt

Tips:

  • Hashcat leverages GPU power for faster cracking.
  • Use the -a flag to specify the attack mode:
    • 0: Dictionary attack.
    • 3: Brute-force attack.
    • 6: Hybrid attack (dictionary + rules).

Hydra: Hydra is primarily used for online brute-forcing (e.g., SSH, FTP) but can also be used to test password strength against services.
Example: hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10

CrackStation: For simple hashes (e.g., MD5, SHA-1), you can use online tools like CrackStation to check if the hash has been precomputed.

Techniques for Hash Cracking

1. Rule-Based Attacks: Both John and Hashcat support rule-based attacks, which transform dictionary words through operations such as number insertion and letter capitalization.
Example: john --rules --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

2. Mask Attacks: Hashcat supports mask attacks, which let you define a specific pattern as a constraint on candidate passwords (such as ?u?l?l?l?d?d for one uppercase letter, three lowercase letters and two digits).
Example: hashcat -m 1800 -a 3 --username passwords.txt '?u?l?l?l?d?d'

3. Rainbow Tables: Rainbow tables are precomputed hashes of common passwords. Salted hashes reduce their effectiveness, but precomputed dictionaries remain effective against unsalted hash types.
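The mask from the Mask Attacks item can also be read as a measure of password strength: the sketch below counts how many candidates a mask covers and checks whether a given password falls inside it, which is what a password-policy review wants to know about predictable patterns. This is an added example, not code from the original post; the function names are hypothetical, and only the ?l, ?u, ?d, ?s and ?a charsets are handled.

```python
import string

# Hashcat's built-in mask charsets handled by this example.
CHARSETS = {
    "l": string.ascii_lowercase,        # ?l: 26 characters
    "u": string.ascii_uppercase,        # ?u: 26 characters
    "d": string.digits,                 # ?d: 10 characters
    "s": " " + string.punctuation,      # ?s: space plus 32 symbols
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]

def parse_mask(mask):
    """Return one string of allowed characters per password position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])   # literal character in the mask
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")       # '??' is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported charset ?{key}")
        i += 2
    return positions

def keyspace(mask):
    """Number of candidate passwords the mask covers."""
    total = 1
    for allowed in parse_mask(mask):
        total *= len(allowed)
    return total

def matches(password, mask):
    """True if the password would be reached by this mask."""
    positions = parse_mask(mask)
    return (len(password) == len(positions)
            and all(c in allowed for c, allowed in zip(password, positions)))

def pattern_share(mask):
    """Fraction of the full printable-ASCII space of the same length."""
    return keyspace(mask) / keyspace("?a" * len(parse_mask(mask)))
```

For ?u?l?l?l?d?d the keyspace is 45,697,600 candidates, a tiny share of the 95^6 six-character printable passwords, which is why a password that merely follows that shape offers little resistance.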

Conclusion

Ethical hackers and system administrators need to understand Linux password hash cracking because it is essential to their work. John the Ripper, Hashcat and other tools let them measure system security by uncovering weak passwords. The yescrypt algorithm provides strong protection, but attackers with sufficient resources can still overcome it.
