Unshadow Cheatsheet
Basic Syntax
unshadow <passwd_file> <shadow_file> > <output_file>
Description
unshadow is a utility included with John the Ripper that combines /etc/passwd and /etc/shadow files into a single file suitable for password cracking. This is the format that John’s single crack mode was designed for.
Basic Usage
| Command | Description |
|---|---|
unshadow passwd shadow > hashes.txt | Combine files for cracking |
unshadow /tmp/passwd.bak /tmp/shadow.bak > unshadowed.hashes | Using backup copies |
Workflow
1. Copy System Files
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
2. Combine with unshadow
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
3. Crack with John (Single Mode - Recommended)
john --single /tmp/unshadowed.hashes
4. Crack with John (Wordlist Mode)
john --wordlist=rockyou.txt /tmp/unshadowed.hashes
5. Crack with hashcat
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o cracked.txt
Output Format
The output combines user info from passwd with the hash from shadow:
root:$6$xyz...:0:0:root:/root:/bin/bash
htb-student:$y$j9T$abc...:1000:1000:,,,:/home/htb-student:/bin/bash
Common Hash Modes (hashcat)
| Mode | Algorithm | Identifier |
|---|---|---|
| 500 | MD5crypt | $1$ |
| 1800 | SHA-512crypt | $6$ |
| 7400 | SHA-256crypt | $5$ |
| 3200 | bcrypt | $2a$ |
Tips
- John’s single crack mode is ideal for unshadowed files as it uses GECOS data (full name, username) to generate candidate passwords
- Always work with copies of system files, not the originals
- The passwd file provides context (username, GECOS) that helps single crack mode
- Requires root access to read
/etc/shadow