Lab 6 1 John the Ripper and Hashcat Password Cracking - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki

How to grab password hashes. Can you extend the example to grab only those shadow accounts that have a hash? Some lines don't even have a hash. The format of the shadow file, with emphasis on username, algorithm, salt and hash.
The password hashes are stored in the /etc/shadow file. cat /etc/shadow will show all of the entries in /etc/shadow. egrep -v '.*:\*|:!' /etc/shadow | awk -F: '{print $1}' lists the users in /etc/shadow that have a hash: the -v pattern drops the lines whose password field is * or begins with !. Using print $2 instead shows the password field, which is the entire method+salt+(password+salt) combination. The format of an entry in /etc/shadow is username:$(hashmethod)$(salt)$(hashed salt + pw):?:?:?:?

The use of unshadow: you combine the contents of the relevant /etc/passwd and /etc/shadow files into a new file using unshadow. You can copy only specific users out of each file to limit the targets of the password cracking attempt. Command: sudo unshadow /etc/passwd /etc/shadow > (unshadowed filename). You will run JtR against this new unshadowed file. What unshadow has done is combine the information in both files so that JtR can work on them.

Cracking with john: john will crack the password using its methods, which involve brute force. This kind of method takes a long time. Command: john (unshadowed file). You can run "john -show (unshadowed file)" to see which passwords from the list it has cracked.

Cracking with hashcat: Command: hashcat -m 1800 -a 0 -o cracked.txt 3usershadow.txt rockyou.txt. The general form is hashcat -m (method; 1800 is sha512, which was used in this example) -a (selects the attack mode, 0 here) -o (output file) (unshadowed file) (wordlist).

Make sure to understand how the algorithm within the shadow file relates to the flags you may need to pass to the program. Find a good reference that relates the code in the shadow file ($6$ or other) to the algorithm. Link to that.

https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat has to be given the correct hashing method for the accounts in the unshadowed file. You will never recover a password hashed with sha512 if you attempt to crack it as sha256. hashcat has a list of hashing methods with corresponding IDs. 0 is MD5.
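
The shadow entry format described earlier and the link between the $6$ code and hashcat's -m value, as an added Python example that is not part of the original wiki: it parses shadow-format lines, keeps only the accounts that have a hash, and reports username, algorithm, salt, hash and the matching hashcat mode. SCHEMES, SAMPLE_SHADOW and the function names are assumptions of this example, and the sample lines are constructed with placeholder salts and hashes; 500, 7400 and 1800 are hashcat's modes for md5crypt, sha256crypt and sha512crypt.

```python
# Added example: SAMPLE_SHADOW is constructed; salts and hashes are placeholders.
# crypt(3) id found between the first two '$' -> (scheme name, hashcat -m mode)
SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$SALTALICE$HASHALICE:19000:0:99999:7:::
bob:$6$rounds=10000$SALTBOB$HASHBOB:19000:0:99999:7:::
carol:!$6$SALTCAROL$HASHCAROL:19000:0:99999:7:::
dave:$5$SALTDAVE$HASHDAVE:19000:0:99999:7:::
erin::19000:0:99999:7:::
"""


def parse_shadow_line(line):
    """Return a dict for an entry that has a hash, or None for the rest."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[1].startswith("$"):
        return None  # '*', '!...' (locked) and empty fields have no usable hash
    parts = fields[1].split("$")  # ['', id, [rounds=N,] salt, hash]
    scheme, mode = SCHEMES.get(parts[1], ("unknown", None))
    entry = {"user": fields[0], "id": parts[1], "scheme": scheme,
             "hashcat_mode": mode, "rounds": None, "salt": None, "hash": None}
    if mode is not None and len(parts) >= 4:
        rest = parts[2:]
        if rest[0].startswith("rounds="):  # optional sha-crypt cost parameter
            entry["rounds"] = int(rest[0].split("=", 1)[1])
            rest = rest[1:]
        if len(rest) == 2:
            entry["salt"], entry["hash"] = rest
    return entry


def accounts_with_hash(text):
    """Parse every line and keep only the entries that carry a hash."""
    parsed = (parse_shadow_line(line) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


if __name__ == "__main__":
    for e in accounts_with_hash(SAMPLE_SHADOW):
        print(e["user"], e["scheme"], e["hashcat_mode"], e["rounds"], e["salt"])
```

An id that is not in SCHEMES is reported with scheme "unknown" and no mode, so it has to be looked up on the example_hashes page before choosing -m.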