In Linux, user password hashes are typically stored in the /etc/shadow file. This file is protected by permissions that prevent a standard user from reading it. As such, to obtain the password hashes of users on a Linux machine, you need to have achieved root privileges.
Within the /etc/shadow file it is possible to see the name of a user, the type of hashing algorithm used, and the hash of their password. Example below:
pam:$y$j9T$9wYalz3n9WWfmBo2jeDp./$xu3DyHj.vDzW.sW5FCwNWtT.MMYLaZzV.smErNQjmz3:19369:0:99999:7:::
ryan:$6$G5ljlxBnflx0WLsl$o56boi3FFdKqCYdwex6P1bW2UgBsZboyNIuJ1WrICZN3aD/ydp3kd8M9eTqiwUYL8QHjPUJAAceGDYvBLncDf0:19369:0:99999:7:::
Identifying the type of hashing algorithm in use is key when cracking passwords. To identify it, we look at the $id$ value (the value between the first two $ symbols of the hash field). In this example, pam's password has been hashed with the yescrypt algorithm, while ryan's has been hashed with SHA-512.
To crack the passwords, we can use the password cracking tool “John the Ripper”. This can be started with the terminal command: john
The format for using john is as follows (the command name is lowercase and case-sensitive):
john <hash file>
It is also possible to add additional flags like the below:
john <hash file> --wordlist=<wordlist> --format=<hashing algorithm>
This will define the wordlist that we are going to use and the type of hashing algorithm to use.
Common hashing algorithms and their id value are:
$1$ - MD5
$2a$ - bcrypt (Blowfish-based)
$5$ - SHA-256
$6$ - SHA-512
$y$ - yescrypt
$7$ - scrypt
$sha1$ - SHA1crypt
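As an added example (not code from the original page), the following Python shows the identification step described above in working form: it parses /etc/shadow-format lines into their nine colon-separated fields, reads the $id$ prefix of the hash field, maps it to the algorithm name using the table above, and flags accounts whose hash uses an older scheme that should be migrated. The input is constructed inline: the two lines from the page plus three made-up entries (an MD5-hashed user, a locked account and a system account with no login). The $2b$ and $2y$ ids are bcrypt variants added here beyond the page's table; the WEAK_IDS set and all function names are my own choices, not part of any tool.

```python
"""Parse /etc/shadow-style lines and identify the hashing algorithm from $id$."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two entries from the page plus three made-up ones.
SAMPLE_SHADOW = """\
pam:$y$j9T$9wYalz3n9WWfmBo2jeDp./$xu3DyHj.vDzW.sW5FCwNWtT.MMYLaZzV.smErNQjmz3:19369:0:99999:7:::
ryan:$6$G5ljlxBnflx0WLsl$o56boi3FFdKqCYdwex6P1bW2UgBsZboyNIuJ1WrICZN3aD/ydp3kd8M9eTqiwUYL8QHjPUJAAceGDYvBLncDf0:19369:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:15000:0:99999:7:::
locked:!:19369:0:99999:7:::
daemon:*:19369:0:99999:7:::
"""

# $id$ -> algorithm, as listed on the page; $2b$/$2y$ bcrypt variants added here.
HASH_IDS = {
    "1": "MD5 (md5crypt)",
    "2a": "bcrypt (Blowfish-based)",
    "2b": "bcrypt (Blowfish-based)",
    "2y": "bcrypt (Blowfish-based)",
    "5": "SHA-256 (sha256crypt)",
    "6": "SHA-512 (sha512crypt)",
    "7": "scrypt",
    "y": "yescrypt",
    "sha1": "SHA1crypt",
}

# Schemes a defender would want migrated away from (my choice of threshold).
WEAK_IDS = {"1", "sha1"}


@dataclass
class ShadowEntry:
    user: str
    password_field: str
    hash_id: Optional[str]        # the $id$ value, or None if no hash present
    algorithm: Optional[str]      # human-readable name derived from hash_id
    status: str                   # "hashed", "locked", "no-login", "empty", "unknown"
    last_change: Optional[int]    # days since 1970-01-01 the password was last changed
    max_days: Optional[int]       # maximum password age in days


def hash_id_of(password_field: str) -> Optional[str]:
    """Return the $id$ of a crypt(3)-style hash, or None if the field holds no hash.

    A leading '!' marks a locked account; the hash behind it is still present and
    still extractable, so it is stripped before inspection.
    """
    field = password_field.lstrip("!")
    if not field.startswith("$"):
        return None
    parts = field.split("$")      # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 3:
        return None
    return parts[1]


def identify_algorithm(password_field: str) -> Optional[str]:
    """Map the $id$ prefix to an algorithm name; unknown ids are reported, not guessed."""
    hash_id = hash_id_of(password_field)
    if hash_id is None:
        return None
    return HASH_IDS.get(hash_id, f"unknown id ${hash_id}$")


def classify(password_field: str) -> str:
    """Describe what the password field means for authentication."""
    if password_field == "":
        return "empty"            # no password at all: a serious misconfiguration
    if password_field.startswith("!"):
        return "locked"           # locked via passwd -l / usermod -L
    if password_field == "*":
        return "no-login"         # password authentication disabled (system accounts)
    if password_field.startswith("$"):
        return "hashed"
    return "unknown"


def _int_or_none(text: str) -> Optional[int]:
    return int(text) if text.strip() else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow lines; each must have exactly nine colon-separated fields."""
    entries: List[ShadowEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line (expected 9 fields): {raw!r}")
        user, pw, lastchg, _min_days, max_days = fields[:5]
        entries.append(ShadowEntry(
            user=user,
            password_field=pw,
            hash_id=hash_id_of(pw),
            algorithm=identify_algorithm(pw),
            status=classify(pw),
            last_change=_int_or_none(lastchg),
            max_days=_int_or_none(max_days),
        ))
    return entries


def weak_users(entries: List[ShadowEntry]) -> List[str]:
    """Users whose stored hash uses a scheme in WEAK_IDS."""
    return [e.user for e in entries if e.hash_id in WEAK_IDS]


if __name__ == "__main__":
    parsed = parse_shadow(SAMPLE_SHADOW)
    for e in parsed:
        print(f"{e.user:8} {e.status:9} {e.algorithm or '-'}")
    print("weak schemes:", weak_users(parsed))
```

Running the script on the sample prints one line per account with its status and algorithm, and lists "legacy" as the only user on a weak scheme. The same parser can be pointed at a real /etc/shadow (as root) to audit which hashing scheme each account uses and which accounts are locked or passwordless.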