Disclaimer: This article is intended solely for educational and cyber security purposes, to help cyber security professionals and learners understand how passwords can be exposed and how to prevent such vulnerabilities. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before conducting penetration testing on any network or system.
In penetration testing, understanding potential vulnerabilities within Linux-based systems is essential for both offensive and defensive strategies. Linux systems store user account information in two files: the /etc/passwd file and the /etc/shadow file. Together, these files contain details that can help penetration testers uncover weak password policies and determine how secure a system’s authentication process is.
One of the most efficient tools for breaking down password hashes and recovering plaintext passwords is John the Ripper (JtR), a powerful open-source password-cracking tool. This article guides you on how to use John the Ripper with the shadow and password files to retrieve plaintext passwords for penetration testing purposes.
Understanding the /etc/passwd and /etc/shadow Files
In a Linux environment, account information is primarily stored in two files:
- /etc/passwd: Contains basic information about each user, including the username, UID, GID, home directory, and login shell. On modern Linux systems this file no longer stores password hashes, for security reasons.
- /etc/shadow: Contains the password hashes and related security parameters for user accounts. Only root or authorized users can read this file, as it houses sensitive information.
To effectively perform a penetration test with John the Ripper, both files are needed, as each provides critical information required to match usernames with their password hashes.
Setting Up the Environment
Step 1: Access the files
For penetration testing on a target Linux system, you will need access to both the /etc/passwd and /etc/shadow files:
- Use the commands cat /etc/passwd and cat /etc/shadow to view these files (reading /etc/shadow requires root privileges).
- Export their contents by copying them to working files:
sudo cp /etc/passwd /tmp/passwd_copy
sudo cp /etc/shadow /tmp/shadow_copy
Step 2: Combine the files
John the Ripper requires a single file that pairs each username with its password hash. The unshadow utility that ships with John the Ripper merges the /etc/passwd and /etc/shadow files into that format:
unshadow /tmp/passwd_copy /tmp/shadow_copy > combined.txt
This combined.txt file now contains all the necessary information for John the Ripper to process.
Running John the Ripper to Crack Passwords
With the combined.txt file ready, John the Ripper can now analyze the password hashes. Follow these steps:
- Start John the Ripper: Begin with basic settings for common password attacks:
john combined.txt
With no options, John runs its default sequence of cracking modes, including its bundled wordlist and rule sets, attempting to find a match for each password hash.
- Check progress: To monitor progress, you can use the command:
john --status
- Retrieve results: Once completed, view the cracked passwords with:
john --show combined.txt
This output will display usernames and corresponding plaintext passwords, revealing users with weak passwords.
Additional Tactics and Tips
- Wordlists: To improve password-cracking success rates, provide John the Ripper with a custom wordlist, especially if common or context-specific words are likely to be used in the passwords:
john --wordlist=/path/to/wordlist.txt combined.txt
- Using rules: John the Ripper includes advanced rule sets for transforming base words, trying different character combinations, and simulating common password patterns. Adding rules can greatly increase the chances of cracking more complex passwords:
john --rules=all --wordlist=/path/to/wordlist.txt combined.txt
Key Takeaways for Cyber Security
- Evaluate security policies: Testing with John the Ripper reveals the effectiveness of a system’s password policy. Short or common passwords are easier to crack, which can be a red flag.
- Password complexity: Recommend strong password policies to prevent easy cracking.
- Implement password hashing best practices: Always use salted hashes and, where possible, upgrade to slow, modern password hashing algorithms to increase resistance against brute-force attacks.
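The merge that unshadow performs (Step 2 above) and the hash-algorithm check behind the last takeaway, as an added example that is not part of the original article or of John the Ripper: a small Python audit that rebuilds the combined passwd/shadow view and rates each account's crypt(3) hash by its prefix. The sample passwd and shadow lines are constructed and the hash strings are placeholders, not real hashes.

```python
import re
# Added example, not the article's or John the Ripper's code; sample lines are constructed, hashes are placeholders.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """root:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19700:0:99999:7:::
alice:$1$saltsalt$HASHPLACEHOLDER:19700:0:99999:7:::
legacy:ABCDEFGHIJKLM:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""
# crypt(3) prefix -> (algorithm, auditor rating) for formats found in /etc/shadow.
PREFIXES = {"$y$": ("yescrypt", "strong"), "$7$": ("scrypt", "strong"),
            "$2b$": ("bcrypt", "strong"), "$6$": ("sha512crypt", "ok"),
            "$5$": ("sha256crypt", "ok"), "$1$": ("md5crypt", "weak")}

def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): copy each user's shadow hash into passwd's 2nd field."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hash_field = line.split(":")[:2]
            hashes[name] = hash_field
    merged = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry
            merged.append(":".join(fields))
    return merged

def classify(hash_field):
    """Rate one shadow password field the way a hardening audit would."""
    if hash_field == "":
        return ("empty", "critical")   # account has no password at all
    if hash_field.startswith(("!", "*")):
        return ("locked", "n/a")       # password login disabled
    for prefix, info in PREFIXES.items():
        if hash_field.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return ("descrypt", "weak")    # legacy DES crypt: 8-char limit, 12-bit salt
    return ("unknown", "review")

def audit(passwd_text, shadow_text):
    return {row.split(":")[0]: classify(row.split(":")[1])
            for row in unshadow(passwd_text, shadow_text)}
```

Run `audit(SAMPLE_PASSWD, SAMPLE_SHADOW)` to get a per-user map of algorithm and rating; accounts rated weak, empty or unknown are the ones to fix before an attacker, or a John run, finds them.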
Conclusion
Using tools like John the Ripper with the /etc/passwd and /etc/shadow files in Linux provides cyber security professionals a powerful means to evaluate password strength. However, remember that such tests must only be conducted with proper authorization and within legal boundaries. By staying informed and practicing responsible penetration testing, you can help improve security and resilience in Linux environments.