As stated before, single crack mode uses the [List.Rules:Single] section of the configuration file. In this mode login:password pairs are cracked using the default password list. Single mode is much faster than wordlist mode.
We will crack Linux passwords with single mode. First we need to create one file by unshadowing /etc/passwd and /etc/shadow, as below:
$ unshadow /etc/passwd /etc/shadow > unshadowed
After this operation we get a file named unshadowed, like the one below:
root:$6$sRjaayov$u8sCzbiIxzunjyvPgRJurl24RMLfWgCKhuzGU/V0ZOWmH/JeeNMnaPOASdFN898/AEhmdTzNE7I6xDqDxeWbf.:0:0:root:/root:/bin/bash
ismail:$6$osz4Q6Ka$txKB/fjtuZhnFThDJEVKrJ8.E1LbojZYcWPuE6GGLxob.AWDoL3UXZtZ0FH98HR86ebZhGO.bZpl/qrJ2nzOP/:1000:1001::/home/ismail:/bin/sh
Now we simply give this file to john:
$ john unshadowed
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (ismail)
Show Already Cracked Passwords
If we run john again, the password of user ismail will not be listed. John reports this as below:
$ john unshadowed
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Remaining 1 password hash
Because john has already cracked the password of ismail, it resumes with the other password hash. If we want to see the cracked password, we can use --show:
$ john --show unshadowed
ismail:123456:1000:1001::/home/ismail:/bin/sh
1 password hash cracked, 1 left
Skipping Disabled Accounts/Shells
A Linux system has many service accounts without a shell, which means they have no login access. We can filter them from the john report with the --shells option.
$ john --show --shells="/bin/false" unshadowed
- --shells provides the disabled shell path; here /bin/false is the disabled shell for accounts
$ john --show --shells="-false" unshadowed
- -false means a file that ends with false, like /bin/false; it is a shortcut
$ john --show --shells="-false,nouser" unshadowed
- -false,nouser is used to give multiple user shells
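The same kind of shell-based filtering can be applied to the unshadowed file itself, to see which accounts are worth auditing before john is run. This is an added example, not part of the original article: the function names audit_scope and sample_unshadowed, the sample accounts and the placeholder hash strings are all constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts in an unshadow-format file that have a login
# shell and are not locked. All sample data below is constructed.

# Constructed sample; hash strings are placeholders, not real hashes.
sample_unshadowed() {
cat <<'EOF'
root:!:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1000:1000::/home/alice:/bin/bash
svc:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:999:999::/var/lib/svc:/bin/false
carol:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1001:1001::/home/carol:
guest::1002:1002::/home/guest:/bin/bash
EOF
}

# audit_scope [FILE...]: print "user<TAB>uid<TAB>scheme<TAB>shell" for each
# account worth auditing; reads standard input when no file is given.
audit_scope() {
    awk -F: '
    NF < 7 { next }                            # not a passwd-style line
    {
        hash = $2; shell = $7
        if (shell == "") shell = "/bin/sh"     # passwd(5): empty shell means /bin/sh
        if (hash ~ /^[!*]/) next               # locked account, nothing to audit
        if (shell ~ /(false|nologin)$/) next   # shell ends in false or nologin
        scheme = "other"                       # crypt(3) prefix names the scheme
        if      (hash == "")           scheme = "empty-password"
        else if (hash ~ /^\$6\$/)      scheme = "sha512crypt"
        else if (hash ~ /^\$5\$/)      scheme = "sha256crypt"
        else if (hash ~ /^\$1\$/)      scheme = "md5crypt"
        else if (hash ~ /^\$y\$/)      scheme = "yescrypt"
        else if (hash ~ /^\$2[aby]\$/) scheme = "bcrypt"
        printf "%s\t%s\t%s\t%s\n", $1, $3, scheme, shell
    }' "$@"
}

# Demo on the constructed sample: alice, carol and guest are reported.
sample_unshadowed | audit_scope
```

To run it on the file created earlier, call audit_scope unshadowed. An account reported as empty-password needs no password at all and should be fixed first.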
Check If an Account Is Cracked
We can check whether an account has already been cracked.
$ john --show --users=0 unshadowed
- --users means we want a specific user's password
- 0 is the user ID, which here is root
$ john --show --users=root unshadowed
- root: here we have provided the user by its account name