Passwd, Shadow, Opasswd

Passwd Format

Field                 Example
Login name            cryanight
Password info         x
UID                   1000
GID                   1000
Full name/comments    cryanight,,,
Home directory        /home/cryanight
Shell                 /bin/bash

Usually, we find the value x in the password info field, which means that the password is stored in hashed form in the /etc/shadow file. However, the /etc/passwd file may also be writable by mistake. This would allow us to clear this field for the user root so that the password info field is empty. The system then does not show a password prompt when a user tries to log in as root.

Editing /etc/passwd - Before

root:x:0:0:root:/root:/bin/bash

Editing /etc/passwd - After

root::0:0:root:/root:/bin/bash

Shadow File

Field                 Example
Username              cryanight
Encrypted password    $6$wBRzy$...SNIP...x9cDWUxW1
Last PW change        18937
Min. PW age           0
Max. PW age           99999
Warning period        7
Inactivity period     (empty)
Expiration date       (empty)
Unused                (empty)

Shadow File

[cryanight@parrot]─[~]$ sudo cat /etc/shadow

root:*:18747:0:99999:7:::
sys:!:18747:0:99999:7:::
...SNIP...
cryanight:$6$wBRzy$...SNIP...x9cDWUxW1:18937:0:99999:7:::

If the encrypted password field is empty, no password is required for the login.

Algorithm Types

  • $1$ – MD5
  • $2a$ – Blowfish
  • $2y$ – Eksblowfish
  • $5$ – SHA-256
  • $6$ – SHA-512

Opasswd

The PAM library (pam_unix.so) can prevent the reuse of old passwords. The old passwords are stored in the file /etc/security/opasswd. Administrator/root permissions are required to read this file, unless its permissions have been changed manually.

Reading /etc/security/opasswd

neutron@kali[/kali]$ sudo cat /etc/security/opasswd

cryanight:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
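
The formats above can be checked from the defender's side. The following is an added example, not part of the original notes: it parses passwd, shadow and opasswd content and reports empty password fields, hashes left in passwd, and weak hash types, and it checks whether a file is writable beyond its owner. The function names, the choice to treat only $1$ as weak, and all sample lines are assumptions made for the example.

```python
import os
# Added example, not from the original page. Sample lines are constructed.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
              "5": "SHA-256", "6": "SHA-512"}  # prefixes listed above
WEAK = {"MD5"}  # assumption: this audit treats only $1$ hashes as weak
FIELDS = {"passwd": 7, "shadow": 9, "opasswd": 4}  # colon-separated fields

def classify(field):
    """Return (state, algorithm) for one password field."""
    if field == "":
        return "empty", None
    if field == "x":
        return "shadowed", None
    if field[0] in "!*":
        return "locked", None
    parts = field.split("$")
    known = len(parts) >= 4 and parts[0] == ""
    return "hashed", ALGORITHMS.get(parts[1], "unknown") if known else "unknown"

def audit(kind, text):
    """Return (user, issue) tuples for passwd, shadow or opasswd content."""
    findings = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) != FIELDS[kind]:
            continue  # blank or malformed line
        # opasswd keeps a comma-separated hash history in its fourth field
        for value in (f[3].split(",") if kind == "opasswd" else [f[1]]):
            state, algo = classify(value)
            if state == "empty" and kind != "opasswd":
                findings.append((f[0], "empty password field"))
            elif state == "hashed" and kind == "passwd":
                findings.append((f[0], "hash in world-readable passwd"))
            elif state == "hashed" and algo in WEAK:
                findings.append((f[0], f"weak {algo} hash"))
    return findings

def group_or_world_writable(path):
    """True when the file mode grants write access beyond the owner."""
    return bool(os.stat(path).st_mode & 0o022)

SAMPLES = {  # constructed input, no real accounts or hashes
    "passwd": "root::0:0:root:/root:/bin/bash\n"
              "user:x:1000:1000:user,,,:/home/user:/bin/bash",
    "shadow": "root:*:18747:0:99999:7:::\nsvc::18747:0:99999:7:::\n"
              "old:$1$SALT$CONSTRUCTED:18747:0:99999:7:::",
    "opasswd": "old:1001:2:$1$SALT$CONSTRUCTEDA,$1$SALT$CONSTRUCTEDB",
}
```

On a real host, pass the contents of each file to audit() with the matching kind, and run group_or_world_writable() against /etc/passwd and /etc/shadow.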

Cracking Linux Credentials

Once we have collected some hashes, we can try to crack them in different ways to get the passwords in cleartext.

neutron@kali[/kali]$ sudo cp /etc/passwd /tmp/passwd.bak 
neutron@kali[/kali]$ sudo cp /etc/shadow /tmp/shadow.bak 
neutron@kali[/kali]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

Hashcat - Cracking Unshadowed Hashes

neutron@kali[/kali]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Hashcat - Cracking MD5 Hashes

neutron@kali[/kali]$ cat md5-hashes.list

qNDkF0zJ3v8ylCOrKB0kt0
E9uMSmiQeRh4pAAgzuvkq1
neutron@kali[/kali]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt