Unshadow
Unshadow is a utility included with John the Ripper that combines the /etc/passwd and /etc/shadow files into a single file format suitable for password cracking. This combined format is what John the Ripper’s single crack mode was specifically designed for.
Purpose
On modern Linux systems, user information is split between two files:
- /etc/passwd - Contains user account info (username, UID, GID, GECOS, home, shell) - world-readable
- /etc/shadow - Contains password hashes - readable only by root
Unshadow merges these files so that password crackers have access to both the hash and the user context (username, real name from GECOS field) in a single file.
Installation
Unshadow comes bundled with John the Ripper. On Debian-based systems:
sudo apt-get install john
Verify installation:
which unshadow
Basic Syntax
unshadow <passwd_file> <shadow_file> > <output_file>
Usage
Step 1: Copy System Files
Always work with copies to avoid modifying system files:
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
Step 2: Combine Files
sudo unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Step 3: Crack with John the Ripper
Single Crack Mode (Recommended for Linux credentials):
Single crack mode uses the username, home directory, and GECOS field to generate password candidates. This is highly effective because users often base passwords on their name or username.
john --single /tmp/unshadowed.hashes
Wordlist Mode:
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed.hashes
Show Cracked Passwords:
john --show /tmp/unshadowed.hashes
Alternative: Crack with hashcat
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt -o cracked.txt
Output Format
The unshadowed file combines fields from both source files:
Input (passwd):
htb-student:x:1000:1000:HTB Student,,,:/home/htb-student:/bin/bash
Input (shadow):
htb-student:$y$j9T$3QSBB6CbHEu...f8Ms:18955:0:99999:7:::
Output (unshadowed):
htb-student:$y$j9T$3QSBB6CbHEu...f8Ms:1000:1000:HTB Student,,,:/home/htb-student:/bin/bash
Why Use Unshadow?
- Context for Single Crack Mode - John’s single crack mode leverages the username and GECOS data to generate intelligent password guesses (e.g., user “Bob Smith” might use “Smith1” as password)
- Complete User Context - Having the full passwd line helps identify which accounts are worth targeting (system accounts vs. real users)
- Standard Format - Creates the classic Unix password file format that many tools expect
Hash Algorithm Identification
The password hash in the unshadowed file indicates the algorithm:
| Prefix | Algorithm | Hashcat Mode |
|---|---|---|
| $1$ | MD5crypt | 500 |
| $5$ | SHA-256crypt | 7400 |
| $6$ | SHA-512crypt | 1800 |
| $y$ | Yescrypt | - |
| $2a$ | bcrypt | 3200 |
Security Notes
- Requires root access to read /etc/shadow
- Work with file copies, never modify originals
- Delete unshadowed files after use to avoid credential exposure
- MD5crypt ($1$) hashes are significantly faster to crack than modern algorithms
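The prefix table and the MD5crypt note above can be turned into an audit that lists which accounts in an unshadowed file still use a fast hash scheme or have no password set. This is an added example, not part of John the Ripper or the original page; the function names are hypothetical, and the sample lines with placeholder hashes are constructed.

```python
# Added example: flag accounts in an unshadowed file by hash scheme.
# Function names are hypothetical; sample lines and hashes are constructed.
PREFIXES = {  # crypt prefix -> algorithm, from the table on this page
    "$1$": "MD5crypt", "$5$": "SHA-256crypt", "$6$": "SHA-512crypt",
    "$y$": "Yescrypt", "$2a$": "bcrypt",
}
# MD5crypt is flagged because the page notes $1$ is much faster to crack.
VERDICT = {"MD5crypt": "rehash", "empty": "review", "unknown": "review"}

SAMPLE = [  # constructed unshadowed lines, placeholder hashes
    "root:!:0:0:root:/root:/bin/bash",
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:$6$SALT$PLACEHOLDER:1000:1000:Alice Example,,,:/home/alice:/bin/bash",
    "legacy:$1$SALT$PLACEHOLDER:1001:1001:Legacy App,,,:/home/legacy:/bin/sh",
    "guest::1002:1002:Guest,,,:/home/guest:/bin/bash",
]


def classify(hash_field):
    """Return the scheme name for the password field of one line."""
    if hash_field == "":
        return "empty"    # no password set
    if hash_field[0] in "!*":
        return "locked"   # locked or login-disabled account
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"      # e.g. an "x" placeholder or an unlisted prefix


def audit(lines):
    """Return a list of (user, scheme, verdict) tuples, one per line."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) != 7:  # unshadowed lines keep the 7 passwd fields
            findings.append((fields[0], "malformed", "skip"))
            continue
        scheme = classify(fields[1])
        findings.append((fields[0], scheme, VERDICT.get(scheme, "ok")))
    return findings


if __name__ == "__main__":
    for user, scheme, verdict in audit(SAMPLE):
        print(f"{user:8} {scheme:14} {verdict}")
```

Accounts reported as "rehash" are candidates for a forced password change under a stronger scheme; "review" covers empty password fields and anything the prefix table does not recognise.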