Just a quick one today, here is a look at cracking Linux user passwords using John the Ripper.
John was designed in an age of central credential files, now found only on older Unix systems. Because /etc/passwd is required to be world-readable, for system UID to username translation, all encrypted passwords are now stored in the shadow file (/etc/shadow) on modern systems.
You will need to unshadow your user credentials with the aptly-named tool included with John before we can begin cracking:
Unshadow /etc/password /etc/shadow > passwords.txt
Now assuming the password you desire to crack belongs to a human user, it is likely they are no security ninja utilizing an incredibly complex password system. If there is any hope of cracking this password, there is a good chance it can be found somewhere in the RockYou wordlist. Grab yourself a copy from here and unzip it:
If you are running Kali, you will already have a bunch of great wordlists in /usr/share/wordlists/ including RockYou.
Now you have your password hash and your wordlist, it's time to feed John. Point him to your wordlist and your unshadowed passwords, and let him run:
john --wordlist=Downloads/rockyou.txt passwords.txt
If John does not find a password within the first few minutes, give your sysadmins a pat on the back. In my experience, he usually does.
This has been a quick look at John the Ripper for cracking system passwords. Thanks for reading.