Dumping Linux Password Hashes
Linux password hashes are stored in the /etc/shadow file and can only be accessed by the root user or a user with root privileges.
If the password field (the value after the username) contains an asterisk (*) or an exclamation mark (!), the user has no password set and cannot log in with a password.
The $id$ prefix of the password field identifies the hashing algorithm in use; $6 (SHA-512) is the strongest of the algorithms listed below.
Dumping hashes by reading the /etc/shadow file:
cat /etc/shadow
This file can only be read by the root user.
Allowed hash types ($id$ prefix of the password field):
- $1: MD5
- $2: Blowfish
- $5: SHA-256
- $6: SHA-512
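The shadow-file layout described above is easy to audit programmatically. The following Python script is an added example (not part of the original cheat sheet) that parses /etc/shadow lines, reports which hashing algorithm each account uses, and flags accounts that are locked, have an empty password field, or still use a weak algorithm such as MD5 or legacy DES. The sample entries and hash values are constructed; the $2a/$2b/$2y (bcrypt variants) and $y (yescrypt) identifiers are added from general knowledge of crypt(3) and are not on the page.

```python
"""Audit /etc/shadow entries for weak hash algorithms and password-less accounts.

Added example; not part of the original cheat sheet. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Modular-crypt identifiers found in the $id$ prefix of the password field.
# The cheat sheet lists $1, $2, $5 and $6; the bcrypt variants and $y (yescrypt)
# are added here from general knowledge of crypt(3).
HASH_IDS = {
    "1": "MD5",
    "2": "Blowfish (bcrypt)",
    "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt)",
    "2y": "Blowfish (bcrypt)",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}

# Algorithms an auditor should flag as too weak for password storage.
WEAK = {"MD5", "DES"}

_ID_RE = re.compile(r"^\$([^$]+)\$")


@dataclass
class ShadowEntry:
    user: str
    field: str       # raw password field from the shadow line
    algorithm: str   # human-readable algorithm name, or "none"
    status: str      # "ok", "weak", "locked" or "empty"


def classify(user: str, field: str) -> ShadowEntry:
    """Classify one account from its username and raw password field."""
    if field == "":
        # Empty field: the account can log in without any password at all.
        return ShadowEntry(user, field, "none", "empty")
    if field.startswith(("*", "!")):
        # '*' or '!' / '!!': no usable password, password login disabled.
        return ShadowEntry(user, field, "none", "locked")
    m = _ID_RE.match(field)
    if m:
        algo = HASH_IDS.get(m.group(1), f"unknown (${m.group(1)})")
    else:
        # A traditional 13-character crypt(3) hash has no $id$ prefix.
        algo = "DES"
    return ShadowEntry(user, field, algo, "weak" if algo in WEAK else "ok")


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format text (one colon-separated record per line)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries.append(classify(parts[0], parts[1]))
    return entries


def findings(text: str) -> list[ShadowEntry]:
    """Return only the entries an auditor would want to look at."""
    return [e for e in parse_shadow(text) if e.status != "ok"]


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$y$j9T$saltsaltsalt$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:$1$saltsalt$CONSTRUCTEDMD5:19000:0:99999:7:::
legacy:ab1lMx3Vn9KjM:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
www-data:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.user:<10} {e.algorithm:<20} {e.status}")
```

Run it against a real file with `sudo python3 audit_shadow.py < /etc/shadow` after replacing `SAMPLE_SHADOW` with `sys.stdin.read()`; an "empty" status is the most urgent finding, followed by "weak".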
Dumping Hashes With Metasploit
Once initial access is established, use the post/linux/gather/hashdump module:
use post/linux/gather/hashdump
set SESSION SESSION_ID
run
# List files where gathered data is stored
loot
Crack Hashes
# John the Ripper
john --format=sha512crypt HASH_PATH --wordlist=WORDLIST_PATH
# Hashcat
hashcat -a 0 -m 1800 HASH_PATH WORDLIST_PATH   # -a 0: straight wordlist attack; -m 1800: sha512crypt
# Using Metasploit's module auxiliary/analyze/crack_linux
use auxiliary/analyze/crack_linux
set CUSTOM_WORDLIST WORDLIST_PATH
# Set the correct hashing algorithm