Dumping hashes

Linux

On Linux systems, user password hashes are stored in the /etc/shadow file. They used to be stored in /etc/passwd, but were moved out because that file needs to be world-readable for many tools and commands to work.

The format of an entry in the /etc/shadow file is:

[username]:$[password type]$[salt]$[hash]:[last password change]:[min_days]:[max_days]:[days_to_disabling]

If we wanted to crack the root password, we'd need to grab the part of the entry that holds the password type, salt, and hash. The rest is not relevant. We can then put it in a text file and crack it offline, using tools such as John the Ripper, hashcat, and others (see https://docs.fullskid.fr/security-notes/password-cracking).
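The password type in that field also tells an administrator how resistant each account's hash is to offline cracking. The following is an added example, not part of the original notes: it reads entries in the format above and flags accounts with an empty password or a weak scheme. The scheme prefixes are the ones documented in crypt(5), and the SAMPLE entries are constructed with placeholder hash strings.

```python
# Added example: audit shadow entries for weak or missing password hashes.
# SAMPLE is constructed data; the hash strings are placeholders, not real hashes.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

SAMPLE = """\
root:$6$examplesalt$EXAMPLEHASHPLACEHOLDER:19000:0:99999:7:::
legacy:$1$oldsalt$EXAMPLEHASHPLACEHOLDER:15000:0:99999:7:::
modern:$y$j9T$examplesalt$EXAMPLEHASHPLACEHOLDER:19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!$6$examplesalt$EXAMPLEHASHPLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

def classify(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    if field == "":
        return "empty", False            # no password needed to log in
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!*")
    if not body:
        return "none", True              # no usable hash: password login disabled
    if body.startswith("$"):
        # "$id$...": the id is always the first token. What follows varies by
        # scheme (yescrypt and "rounds=" put a parameter token before the salt).
        ident = body.split("$")[1]
        return SCHEMES.get(ident, "unknown($%s$)" % ident), locked
    return ("descrypt" if len(body) == 13 else "unknown"), locked

def audit(text):
    """Return a list of (user, scheme, locked, finding), one per entry."""
    findings = []
    for line in text.splitlines():
        if ":" not in line:
            continue                     # skip blank or malformed lines
        user, field = line.split(":")[:2]
        scheme, locked = classify(field)
        note = ("empty password" if scheme == "empty"
                else "weak hash scheme" if scheme in WEAK else "ok")
        findings.append((user, scheme, locked, note))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-8s %-12s locked=%-5s %s" % row)
```

On a real system the same audit() call can be given the contents of /etc/shadow, which requires root to read.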
