As with Windows, there are a number of ways to crack passwords in Linux. The concepts are the same, but the location and format of the files are different. Originally, passwords in Linux were stored in cleartext along with their user accounts in /etc/passwd. For security, they are now stored as hash values in /etc/shadow.
Here are some common attack methods and sample tools.
Brute force the login passwords of services such as SSH, telnet, FTP, HTTP, Samba, VNC, etc.
    John the Ripper
    Metasploit modules such as:
Copy the /etc/passwd and /etc/shadow files, unshadow (combine) the copies, and send them to a password cracker.
    John the Ripper, etc. (see previously listed tools)
Dump the hashes from a compromised machine and send them to a password cracker.
    Metasploit module post/linux/gather/hashdump
    John the Ripper, etc.
Dump cleartext passwords currently stored in memory.
Pass the hash if the passwords take too long to crack. Works particularly well against Samba with LM or NTLM authentication.
    Metasploit module auxiliary/scanner/smb/smb_login
Install a physical or software-based keylogger to capture login credentials.
    Hardware-based USB keyloggers
Use social engineering to obtain user passwords.
    Across-the-room camera recording with a mobile device
    Kali Social Engineering Toolkit (SET)
Boot the target into single-user mode.
    Reboot the computer and interrupt the boot process.
    Edit the GRUB entry to boot into single-user mode, where you are automatically logged in as root with no password.
    Change the password.
    Requires physical access. Works for Red Hat and other distros. Does not work for Debian-based distros, including Kali.
Note: Metasploit has many modules that will attempt to brute force or bypass the login of specific services, particularly those that are HTTP-based. To find more examples, conduct a Google search. Alternatively, at the msfconsole prompt, enter search auxiliary/scanner, search login platform:linux, or search login platform:linux -S http.
Linux /etc/shadow Hashing Algorithms
The hashing algorithm used in /etc/shadow depends on the distribution. It can be MD5, Blowfish or, more recently, SHA-256 or SHA-512. To find the hashing algorithm in use, at a terminal window, enter the command sudo cat /etc/shadow. Look for hashes that begin with a $ and compare the prefix to this list:
$1 = MD5
$2a = Blowfish
$5 = SHA-256
$6 = SHA-512
Note: For more information about Linux /etc/passwd, at a terminal window, enter man 3 crypt.
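As an added example (not code from the original page), the following Python script applies the prefix list above to /etc/shadow-format lines: it reports the hash algorithm for each account and flags accounts whose password is still stored with MD5 or whose password field is empty. The sample lines and their hashes are constructed, and treating MD5 as weak is an assumption of this example, not a statement from the page.

```python
import re

# Hash-type IDs from the list above; any other prefix is reported as unknown.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Algorithms this audit flags as weak for stored passwords (an assumption).
WEAK = {"MD5"}

# Constructed sample /etc/shadow lines with fake hashes (not real accounts).
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehashfakehashfakehash:19000:0:99999:7:::
alice:$1$abcdefgh$fakemd5hashfakemd5hash:19000:0:99999:7:::
bob:$5$saltsalt$fakesha256hashfakesha256hash:19000:0:99999:7:::
carol:$2a$10$fakeblowfishhashfakeblowfishhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
legacy::19000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Name the algorithm behind one /etc/shadow password field."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("!", "*")):
        return "LOCKED (no usable hash)"
    m = re.match(r"^\$([^$]+)\$", field)          # "$id$salt$hash"
    if not m:
        return "UNKNOWN (legacy DES or unrecognised format)"
    return HASH_IDS.get(m.group(1), f"UNKNOWN (id ${m.group(1)}$)")


def audit_shadow(text: str) -> dict[str, str]:
    """Map each account name to the classification of its password field."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")                    # user:hash:lastchg:...
        if len(fields) >= 2:
            result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text: str) -> list[str]:
    """Accounts stored with a weak hash or with no password at all."""
    return [user for user, algo in audit_shadow(text).items()
            if algo in WEAK or algo.startswith("EMPTY")]


if __name__ == "__main__":
    for user, algo in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {algo}")
    print("needs attention:", weak_accounts(SAMPLE_SHADOW))
```

To audit a real system, pass the contents of /etc/shadow (read with sudo, as described above) to audit_shadow instead of SAMPLE_SHADOW.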