Passwd, Shadow, Opasswd
Passwd Format
cryanight | : | x | : | 1000 | : | 1000 | : | cryanight,,, | : | /home/cryanight | : | /bin/bash |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Login name | | Password info | | UID | | GID | | Full name/comments | | Home directory | | Shell |
Usually, we find the value x in this field, which means that the passwords are stored in an encrypted form in the /etc/shadow file. However, the /etc/passwd file may also be writeable by mistake. This would allow us to clear this field for the user root so that the password info field is empty. This will cause the system not to send a password prompt when a user tries to log in as root.
Editing /etc/passwd - Before
root:x:0:0:root:/root:/bin/bash
Editing /etc/passwd - After
root::0:0:root:/root:/bin/bash
Shadow File
cryanight | : | $6$wBRzy$...SNIP...x9cDWUxW1 | : | 18937 | : | 0 | : | 99999 | : | 7 | : | | : | | : | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Username | | Encrypted password | | Last PW change | | Min. PW age | | Max. PW age | | Warning period | | Inactivity period | | Expiration date | | Unused |
Shadow File
[cryanight@parrot]─[~]$ sudo cat /etc/shadow
root:*:18747:0:99999:7:::
sys:!:18747:0:99999:7:::
...SNIP...
cryanight:$6$wBRzy$...SNIP...x9cDWUxW1:18937:0:99999:7:::
If the encrypted password field is empty, no password is required for the login.
Algorithm Types
- $1$ – MD5
- $2a$ – Blowfish
- $2y$ – Eksblowfish
- $5$ – SHA-256
- $6$ – SHA-512
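The checks described above (an empty password field in /etc/passwd, an empty hash field in /etc/shadow, and the algorithm id at the start of the hash) can be audited with a short script. This is an added example, not part of the original notes; the sample entries are constructed, the function names are hypothetical, and treating $1$ (MD5) as the weak algorithm to flag is an assumption of the example.

```python
from datetime import date, timedelta

# Hash-id prefixes as listed above; flagging $1$ (MD5) as weak is this example's assumption.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
              "5": "SHA-256", "6": "SHA-512"}
WEAK_IDS = {"1"}

# Constructed sample data (hash bodies are placeholders, not real hashes).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:18747:0:99999:7:::
alice:$6$constructed$PLACEHOLDER:18937:0:99999:7:::
bob:$1$constructed$PLACEHOLDER:18937:0:99999:7:::
carol::18937:0:99999:7:::
"""

def last_change(days):
    """The 'Last PW change' field counts days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days))

def audit_passwd(text):
    findings = []
    for line in text.splitlines():
        if line.count(":") != 6:          # skip blank or malformed lines
            continue
        name, pw = line.split(":")[:2]
        if pw == "":
            findings.append((name, "empty password field: no password prompt"))
        elif pw.startswith("$"):
            findings.append((name, "hash stored in world-readable passwd"))
    return findings

def audit_shadow(text):
    findings = []
    for line in text.splitlines():
        if line.count(":") != 8:          # skip blank or malformed lines
            continue
        name, pw, changed = line.split(":")[:3]
        if pw == "":
            findings.append((name, "empty hash: login needs no password"))
        elif pw.startswith("$") and pw.split("$")[1] in WEAK_IDS:
            algo = ALGORITHMS[pw.split("$")[1]]
            findings.append((name, f"{algo} hash, last changed {last_change(changed)}"))
    return findings

if __name__ == "__main__":
    for who, issue in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(f"{who}: {issue}")
```

Entries whose hash field is * or ! are not flagged, since those values do not match any password.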
Opasswd
The PAM library (pam_unix.so) can prevent reusing old passwords. The old passwords are stored in the file /etc/security/opasswd. Administrator/root permissions are also required to read this file if its permissions have not been changed manually.
Reading /etc/security/opasswd
neutron@kali[/kali]$ sudo cat /etc/security/opasswd
cryanight:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
Cracking Linux Credentials
Once we have collected some hashes, we can try to crack them in different ways to get the passwords in cleartext.
neutron@kali[/kali]$ sudo cp /etc/passwd /tmp/passwd.bak
neutron@kali[/kali]$ sudo cp /etc/shadow /tmp/shadow.bak
neutron@kali[/kali]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Hashcat - Cracking Unshadowed Hashes
neutron@kali[/kali]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
Hashcat - Cracking MD5 Hashes
neutron@kali[/kali]$ cat md5-hashes.list
qNDkF0zJ3v8ylCOrKB0kt0
E9uMSmiQeRh4pAAgzuvkq1
neutron@kali[/kali]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt