Leveraging unshadow in Password Auditing

Using unshadow to combine passwd and shadow files for password cracking

Combining /etc/passwd and /etc/shadow for password cracking

When performing password auditing or post-exploitation, you may have access to both /etc/passwd and /etc/shadow.
These two files can be combined with unshadow to prepare them for cracking tools like John the Ripper.


Understanding the Files

  • /etc/passwd
    • Contains user account information
    • Does not store password hashes (modern systems)
  • /etc/shadow
    • Stores the password hashes
    • Restricted to privileged users

Using unshadow

unshadow /etc/passwd /etc/shadow > passwd
  • Merges both files into a single format
  • Aligns usernames with their password hashes
  • Outputs a file (passwd) that can be used for cracking; it contains the hashes, so protect it like /etc/shadow

Example Output Format (passwd layout with the hash in the password field; values are illustrative):

root:$6$randomhashvalue:0:0:root:/root:/bin/bash
user:$6$anotherhash:1000:1000:user:/home/user:/bin/bash

Cracking

  • After combining the files:

    john passwd --wordlist=/usr/share/wordlists/rockyou.txt


Mitigation

  • Restrict access to /etc/shadow
  • Use strong, complex passwords
  • Implement account lockout policies
  • Monitor unauthorized file access
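
An added example, not from the original post or from John the Ripper: this Python script reads a file in the passwd layout that unshadow writes (hash in the second field) and reports, without cracking anything, which accounts have an empty password, a weak or legacy hash scheme, or a locked entry. The sample lines, the SCHEMES table and the function names are constructed for illustration.

```python
"""Audit an unshadow-style file for weak password storage (added example)."""

# crypt(3) scheme prefixes and whether they are still acceptable for storage.
SCHEMES = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$y$": ("yescrypt", True),
}

def classify(field):
    """Return (label, finding) for the password field of one account."""
    if field == "":
        return "empty", "no password set"
    if field == "x":
        return "shadowed", "placeholder only, no hash was merged"
    if field[0] in "!*":
        return "locked", None  # password login disabled
    for prefix, (name, ok) in SCHEMES.items():
        if field.startswith(prefix):
            return name, None if ok else "weak hash scheme"
    return "descrypt/unknown", "legacy or unrecognised hash format"

def audit(text):
    """Parse passwd-layout lines and return {user: (label, finding)}."""
    report = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue  # skip blanks, comments and malformed rows
        report[parts[0]] = classify(parts[1])
    return report

# Constructed sample in unshadow output layout; hashes are placeholders.
SAMPLE = """\
root:$6$randomhashvalue:0:0:root:/root:/bin/bash
user:$6$anotherhash:1000:1000:user:/home/user:/bin/bash
legacy:$1$placeholder:1001:1001::/home/legacy:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1002:1002::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, (label, finding) in audit(SAMPLE).items():
        print(f"{user:8} {label:12} {finding or 'ok'}")
```

Accounts with a finding are the ones to fix first: set a password or lock the account, and have the user change the password after moving the system default to a current scheme so the hash is regenerated.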
This post is licensed under CC BY 4.0 by the author.