Check this out: https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

Intro:

Pasted image 20250415175431.png

Pasted image 20250415175449.png

MSF Module:

search hashdump

  • It's gonna be this: post/linux/gather/hashdump This module Unshadows the /etc/shadow file "Basically formats the hashes as a crackable file"

  • auxiliary/analyze/crack_linux

More about Hashes Format:

/etc/passwd :

stores user account information: user ID, group ID, home directory, shell, and more. should have general read permission. However, write access to the /etc/passwd must only limit for the superuser/root account. Pasted image 20250415205421.png

Pasted image 20250415205438.png

/etc/shadow :

The shadow file stores the hashed passphrase (or “hash”) format for Linux user account with additional properties related to the user password. This shadow file is directly accessible only to the root user. All fields are separated by a colon (:) symbol.

Pasted image 20250415205607.png

Pasted image 20250415205636.png