shadow_crack
shadow_crack.py is a simple script to crack passwords from
/etc/shadow.
Why?
Some time ago some popular Linux distributions (Ubuntu, notably)
added the option to encrypt home directories (using
ecryptfs, as in Ubuntu, or
encfs).
Since then, if a user forgets his/her login password, the
sysop cannot simply use 'sudo passwd user', since that will change
the password in /etc/shadow but will not unlock
the encrypted home directory.
Purposes
This script was kept as simple as possible (but not more) to show
that it really does what it says (and is not secretly emailing your
passwords to an evil empire, or the NSA).
It is loosely based on the code in
devconsole.
The generative model is somewhat similar to what is described in
iusmentis.
This is a very simple program; if you need something that really
cracks generic passwords, start from
this good review in ArsTechnica.
Code
You may download the code from here.
Case study
Suppose that Mr. Abs Entmi Nded has changed his Ubuntu
login password on his home PC, called delta; then he went away for a short vacation; when he
came back, he could not recall the new password. This is very
troublesome, since Abs's O.S. has encrypted the home directory,
and there lies some important stuff (tax data, PhD thesis, work
project... you name it) and there is no backup for that data.
He then goes to the local sysop/guru.
The sysop, being a wise sysop, does not simply use 'sudo passwd
user', since that will change the password
in /etc/shadow but will not unlock the encrypted home
directory.
(Moreover, the proposed script uses /etc/shadow to try to
recover the password; so if the sysop really used
'sudo passwd user', then the script will not be useful
anymore, unless somebody adds an encfs/ecryptfs module to the script).
Currently Abs remembers that he used the names
of the two family dogs, sigma and bravo, to create the
password; and that he altered the names somehow, adding some '+' or
'-' or space characters in between, and capitalizing some letters.
So the password may be one of the following:
'braoS-igma','+bravo-','bra-sig','bRA vO','am-gis','aMgi+brav','mgisbravO','sIgMa','sig ma'.
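The remembered structure can be written down as a membership test, so the sysop can confirm that a candidate model covers every form Abs recalls before spending hours of compute on it. This is an added example, not code from shadow_crack.py; the model (fragments of each name or of its reverse, with separators and capitalization ignored, at most three fragments) and the names min_fragments and uncovered are assumptions.

```python
# Added example, not part of shadow_crack.py. The model below is an assumption
# derived from the case study: the password is built from pieces of the dog
# names (forwards or reversed), with '+', '-' or space inserted anywhere and
# arbitrary capitalization.
SEPARATORS = "+- "
NAMES = ["sigma", "bravo"]
# The nine forms listed in the case study.
REMEMBERED = ['braoS-igma', '+bravo-', 'bra-sig', 'bRA vO', 'am-gis',
              'aMgi+brav', 'mgisbravO', 'sIgMa', 'sig ma']

def fragments(names):
    """All contiguous substrings of each name and of its reverse."""
    out = set()
    for name in names:
        for word in (name.lower(), name.lower()[::-1]):
            for i in range(len(word)):
                for j in range(i + 1, len(word) + 1):
                    out.add(word[i:j])
    return out

def min_fragments(candidate, names, max_fragments=3):
    """Fewest name fragments that spell the candidate once separators and
    case are ignored; None if it does not fit within max_fragments."""
    skeleton = "".join(c for c in candidate.lower() if c not in SEPARATORS)
    if not skeleton:
        return None
    frags = fragments(names)
    longest = max(map(len, frags), default=0)
    inf = float("inf")
    best = [0] + [inf] * len(skeleton)   # best[i]: fragments covering skeleton[:i]
    for end in range(1, len(skeleton) + 1):
        for start in range(max(0, end - longest), end):
            if best[start] < inf and skeleton[start:end] in frags:
                best[end] = min(best[end], best[start] + 1)
    return best[-1] if best[-1] <= max_fragments else None

def uncovered(examples, names, max_fragments=3):
    """Remembered forms that the model would never generate."""
    return [e for e in examples if min_fragments(e, names, max_fragments) is None]

if __name__ == "__main__":
    for form in REMEMBERED:
        print(repr(form), "->", min_fragments(form, NAMES), "fragment(s)")
    print("not covered:", uncovered(REMEMBERED, NAMES))
```

If uncovered() returns anything, the model is too narrow and a long run would finish without ever trying a form the user considers plausible.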
The sysop then copies /etc/shadow
from delta to a directory in a powerful host, and downloads the
code from here to that same directory. The sysop
configures the downloaded file shadow_crack.conf and runs
python shadow_crack.py shadow_crack.conf.
Hopefully after a few hours the program will find the forgotten password.
Test run
To see a test run of the above situation, download the code
from here to a local directory, and run
python shadow_crack.py shadow_crack.conf-test
TODO
It would be useful to add some modules to shadow_crack.py
so as to support cracking encfs or ecryptfs passwords
directly.
(If you wish to help, look at the test_shadow class).
Final remark
Do not be like Abs Entmi Nded!
- Always backup your data to a safe place.
- If your O.S. encrypts your data, write down the
master password on paper and save it to a safe
place. In the case of Ubuntu, which uses
ecryptfs, the command ecryptfs-unwrap-passphrase
will show the internal master password that is used
to encrypt the home directory: print it on a piece of
paper and store it somewhere safe.
- Always backup your data to a safe place. Yes, really!