Vulnerabilities Born from Complacency
Many system administrators pour all their energy into changing SSH ports, setting up firewalls, or configuring Fail2Ban extensively. Yet in practice, the most dangerous vulnerabilities rarely come from software — they come from users’ password habits. After auditing over 10 production servers, I noticed strings like “P@ssword123” or “Company@2024” appearing surprisingly often. Despite looking complex, they’re among the first targets swept by hacker wordlists.
Even a single compromised account — even one without sudo privileges — can serve as a foothold for privilege escalation. That’s why proactive, periodic password strength auditing is a non-negotiable task. To do this effectively, we need the combined power of two tools: John the Ripper and Hashcat.
How Linux Stores Passwords
Linux never stores passwords in plain text. Instead, the system hashes them and stores the hash strings in /etc/shadow, a file accessible only by root. A standard hash entry looks like this:
username:$6$rounds=40960$saltstring$hashedpassword:19000:0:99999:7:::
Pay attention to the character between the first two dollar signs to identify the hashing algorithm:
- $1$: MD5 (Legacy, easy to crack)
- $2a$: Blowfish (Common on OpenBSD)
- $5$: SHA-256
- $6$: SHA-512 (Current standard on Ubuntu and CentOS)
Our goal is to take these hash strings and use computational power to recover the original passwords. A hash cannot be reversed directly; the tools hash candidate guesses with the same algorithm and salt and compare the result against the stored hash.
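As an added illustration of the shadow-file format described above (not code from the original article), the following script parses shadow-style lines, identifies the algorithm from the prefix between the first two dollar signs, and flags what a password audit should notice first: legacy MD5 hashes, locked accounts, and accounts with an empty password field. The sample entries are constructed, and the hash bodies are placeholders rather than real hashes.

```python
import re

# Constructed sample in /etc/shadow format; the hash bodies are placeholders,
# not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=40960$saltstring$hashedpassword:19000:0:99999:7:::
alice:$6$abc123$hashedpassword:19200:0:99999:7:::
bob:$1$legacysalt$hashedpassword:18000:0:99999:7:::
carol:!$5$somesalt$hashedpassword:19100:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19300:0:99999:7:::
"""

# Prefix between the first two dollar signs -> algorithm, as listed above.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}


def classify_hash(field):
    """Return (algorithm, rounds, note) for one shadow password field."""
    if field == "":
        return ("none", None, "EMPTY: login without a password")
    if field in ("*", "!", "!!"):
        return ("none", None, "locked, no password set")
    note = ""
    if field.startswith("!"):          # locked account that still keeps its hash
        field, note = field[1:], "locked, hash retained"
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return ("unknown", None, "unrecognised hash format")
    algo = ALGORITHMS.get(m.group(1), "other($%s$)" % m.group(1))
    rounds = int(m.group(2)) if m.group(2) else None
    if m.group(1) == "1":
        note = (note + "; " if note else "") + "legacy MD5, easy to crack"
    return (algo, rounds, note)


def audit_shadow(text):
    """Map each user in shadow-format text to (algorithm, rounds, note)."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            result[fields[0]] = classify_hash(fields[1])
    return result


if __name__ == "__main__":
    for user, (algo, rounds, note) in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %-10s rounds=%-6s %s" % (user, algo, rounds, note))
```

Run it as root against the real file with `audit_shadow(open("/etc/shadow").read())` to get a per-account algorithm inventory before any cracking starts.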
Step 1: Preparing the Audit Data
John the Ripper (JtR) requires a specific file format that combines information from /etc/passwd and /etc/shadow. We’ll use the unshadow tool to prepare this data.
# Install John the Ripper
sudo apt update && sudo apt install john -y
# Merge passwd and shadow files into one
sudo unshadow /etc/passwd /etc/shadow > myhashes.txt
sudo chmod 600 myhashes.txt
Important note: The myhashes.txt file contains all system password hashes. Delete it immediately after the audit is complete to avoid security risks.
Using John the Ripper: Simple and Smart
John the Ripper is the top choice for quick audits, thanks to its automatic hash type detection and highly effective “Single Crack” mode.
1. Single Crack Mode
This mode focuses on testing variations based on the username itself. Surprisingly, many users still set passwords that match or closely resemble their login name.
john --single myhashes.txt
2. Wordlist Attack
This method yields the highest success rate. You can use the well-known rockyou.txt wordlist, which contains over 14.3 million real-world leaked passwords.
john --wordlist=/usr/share/wordlists/rockyou.txt myhashes.txt
To view the list of successfully cracked passwords, run:
john --show myhashes.txt
Hashcat: Leveraging GPU Hardware Power
While John the Ripper excels with CPUs, Hashcat is king when it comes to leveraging GPU power. A single RTX 3080 can test billions of hashes per second — hundreds of times faster than a CPU when handling complex algorithms.
For large-scale system audits involving thousands of users, I always reach for Hashcat to save time. First, you need to identify the mode corresponding to your hash type:
- SHA-512 (Unix): -m 1800
- MD5: -m 500
- SHA-256 (Unix): -m 7400
Running Hashcat with a SHA-512 hash file:
# Extract only the hash field, keeping the $6$ (SHA-512) entries that mode 1800 expects;
# locked-account markers such as * or ! and hashes of other types would otherwise be rejected
cut -d: -f2 myhashes.txt | grep '^\$6\$' > justhashes.txt
# Start cracking with a wordlist (attack mode -a 0)
hashcat -m 1800 -a 0 justhashes.txt /path/to/rockyou.txt
Supporting Tools and Creating Strong Passwords
Sometimes I need to quickly check what a string looks like when hashed to SHA-256 for log comparison, without typing a command. In those moments, I usually turn to the Hash Generator on ToolCraft. This tool runs entirely in the browser (client-side), so your data is never sent to any server — completely safe.
After identifying weak accounts, don’t just issue a verbal warning. Guide users to use a Password Generator to create random strings. A password over 12 characters long that includes uppercase letters, numbers, and special characters will make wordlist attacks completely futile.
Preventing Weak Passwords Through System Configuration
Auditing is only the assessment step. To address the root cause, you need to enforce a strict password policy from the start. On Ubuntu/Debian, the libpam-pwquality module is the best tool for this.
# Install the module
sudo apt install libpam-pwquality -y
# Configure in /etc/pam.d/common-password
# Edit the pam_pwquality.so line as follows:
password requisite pam_pwquality.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
This configuration enforces a minimum password length of 12 characters and requires all four character classes: lowercase, uppercase, digits, and special characters. Notably, the enforce_for_root parameter ensures that even the admin account must comply with these rules.
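To make the credit semantics of that pam_pwquality line concrete, here is an added example (not from the article or the pwquality project) that models its minlen and credit rules in Python: a negative credit means at least that many characters of the class are required, while a positive credit would let up to that many characters of the class count extra toward minlen. The candidate strings are the constructed examples from the article, and the script assumes nothing beyond the standard library.

```python
import string

# Policy values copied from the pam_pwquality line above.
POLICY = {"minlen": 12, "lcredit": -1, "ucredit": -1, "dcredit": -1, "ocredit": -1}

# Character classes in the order pam_pwquality names them; "other" is
# everything not in these three sets.
CLASSES = (
    ("lcredit", set(string.ascii_lowercase)),
    ("ucredit", set(string.ascii_uppercase)),
    ("dcredit", set(string.digits)),
)


def check_policy(password, policy=POLICY):
    """Return the list of violated rules; an empty list means accepted.

    Negative credit: at least |credit| characters of that class are required.
    Positive credit: up to that many characters of the class add to the
    effective length compared against minlen (simplified pwquality rule).
    """
    violations = []
    counts = {key: sum(c in chars for c in password) for key, chars in CLASSES}
    counted = set().union(*(chars for _, chars in CLASSES))
    counts["ocredit"] = sum(c not in counted for c in password)  # "other" class
    effective_len = len(password)
    for key in ("lcredit", "ucredit", "dcredit", "ocredit"):
        credit = policy[key]
        if credit < 0:
            if counts[key] < -credit:
                violations.append("%s=%d" % (key, credit))
        else:
            effective_len += min(counts[key], credit)
    if effective_len < policy["minlen"]:
        violations.insert(0, "minlen=%d" % policy["minlen"])
    return violations


if __name__ == "__main__":
    # Constructed candidates, including the two strings named in the article.
    for pw in ("P@ssword123", "Company@2024", "companytwentytwentyfour"):
        print(pw, "->", check_policy(pw) or "accepted by length and class rules")
```

Note that "Company@2024" satisfies every length and class rule, which is why the audit step remains necessary; the real pam_pwquality additionally runs a dictionary check (dictcheck is enabled by default) and similarity checks that this model does not include.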
Closing Thoughts
Security isn’t a fixed state — it’s a continuous process of review. Playing the role of a “hacker” and attacking your own system reveals gaps that automated tools often miss. Start auditing today — don’t wait for a real attack to happen.
If you need more lightweight dev and security support tools, check out ToolCraft. It’s a collection of over 200 free tools that help me streamline my daily sysadmin work.