As with Windows, there are a number of ways to crack passwords in Linux. The concepts are the same, but the location and format of the files are different. Originally, passwords in Linux were stored in cleartext along with their user accounts in /etc/passwd. For security, they are now stored as hash values in /etc/shadow.

Here are some common attack methods and sample tools.

Attack Method


Brute force the login passwords of services such as SSH, telnet, FTP, HTTP, Samba, VNC, etc.

  • John the Ripper
  • Medusa
  • Hydra
  • Ncrack
  • Crowbar
  • Metasploit modules such as:
  • auxiliary/scanner/ssh/ssh_login
  • auxiliary/scanner/ftp/anonymous
  • auxiliary/scanner/ftp/ftp_login
  • auxiliary/scanner/vnc/vnc_login
  • auxiliary/scanner/smb/smb_login

Copy the /etc/passwd and /etc/shadow files, unshadow (combine) the copies, and send them to a password cracker.

John the Ripper, etc. (see previously listed tools)

Dump the hashes from a compromised machine and send them to a password cracker.

  • Metasploit module post/linux/gather/hashdump
  • John the Ripper, etc.
  • RainbowCrack
  • Hashcat

Dump cleartext passwords currently stored in memory.


Pass the hash if the passwords take too long to crack. Works particularly well against Samba with LM or NTLM authentication.

Metasploit module auxiliary/scanner/smb/smb_login

Install a physical or software-based keylogger to capture login credentials.

  • Meterpreter keyscan_start and keyscan_dump
  • Hardware-based USB keyloggers

Use social engineering to obtain user passwords.

  • Shoulder surfing
  • Mobile device across-the-room camera recording
  • Kali Social Engineering Toolkit (SET)
  • WiFi-Pumpkin

Boot target into single user mode.

  1. Reboot the computer and interrupt the boot process.
  2. Edit GRUB to go into single user mode, where you are automatically logged in as root with no password.
  3. Change the password.
Requires physical access. Works for Red Hat and other distros. Does not work for Debian-based distros, including Kali.

Note: Metasploit has many modules that will attempt to brute force or bypass the login of specific services, particularly those that are HTTP-based. To find more examples, conduct a Google search. Alternatively, at the msfconsole, enter search auxiliary/scanner, search login platform:linux or search login platform:linux -S http.

Linux /etc/shadow Hashing Algorithms

The hashing algorithm used in /etc/shadow depends on the distribution. It can be MD5, Blowfish, (or more recently) SHA-256 or SHA-512. To find the hashing algorithm in use, at a terminal window, enter the command sudo cat /etc/shadow. Look for hashes that begin with a $ and compare them to this list:

  • $1 = MD5
  • $2a = Blowfish
  • $5 = SHA-256
  • $6 = SHA-512
SHA-512 - Password SHA512 Hash Cipher - Decoder, Encoder
Tool to decrypt/encrypt SHA-512. The SHA-512 hash is the unreduced version of the SHA-256 hash algorithme with a 128-character fingerprint.
CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
Crackstation is the most effective hash cracking service. We crack: MD5, SHA1, SHA2, WPA, and much more...

Note: For more information about Linux /etc/passwd, at a terminal window, enter man 3 crypt.