Passwd, Shadow & Opasswd
Linux-based distributions can use many different authentication mechanisms. One of the most commonly used and standard mechanisms is Pluggable Authentication Modules (PAM). The modules used for this are called pam_unix.so or pam_unix2.so and are located in /usr/lib/x86_x64-linux-gnu/security/ in Debian based distributions. These modules manage user information, authentication, sessions, current passwords, and old passwords. For example, if we want to change the password of our account on the Linux system with passwd, PAM is called, which takes the appropriate precautions and stores and handles the information accordingly.
The pam_unix.so standard module for management uses standardized API calls from the system libraries and files to update the account information. The standard files that are read, managed, and updated are /etc/passwd and /etc/shadow. PAM also has many other service modules, such as LDAP, mount, or Kerberos.
Passwd File
The /etc/passwd file contains information about every existing user on the system and can be read by all users and services. Each entry in the /etc/passwd file identifies a user on the system. Each entry has seven fields containing a form of a database with information about the particular user, where a colon (:) separates the information.
cry0l1t3
:
x
:
1000
:
1000
:
cry0l1t3,,,
:
/home/cry0l1t3
:
/bin/bash
Login name
Password info
UID
GUID
Full name/comments
Home directory
Shell
Sometimes we may find the encrypted password in the password info field for old systems. New systems store the encrypted passwords in /etc/shadow file. Usually, we find the value x in this field, which means that the passwords are stored in an encrypted form in the /etc/shadow file.
However, if the /etc/passwd file is writable by mistake we can empty the root password so that we can log in without a password.
Before
root:x:0:0:root:/root:/bin/bashAfter
root::0:0:root:/root:/bin/bashShadow File
The /etc/shadow file is also only readable by users who have administrator rights. The format of this file is divided into nine fields:
cry0l1t3
:
$6$wBRzy$...SNIP...x9cDWUxW1
:
18937
:
0
:
99999
:
7
:
:
:
Username
Encrypted password
Last PW change
Min. PW age
Max. PW age
Warning period
Inactivity period
Expiration date
Unused
If the password field contains a character, such as ! or *, the user cannot log in with a Unix password. However, other authentication methods for logging in, such as Kerberos or key-based authentication, can still be used. The same case applies if the encrypted password field is empty. This means that no password is required for the login. However, it can lead to specific programs denying access to functions. The encrypted password also has a particular format by which we can also find out some information:
$<type>$<salt>$<hashed>
As we can see here, the encrypted passwords are divided into three parts. The types of encryption allow us to distinguish between the following:
$1$– MD5$2a$– Blowfish$2y$– Eksblowfish$5$– SHA-256$6$– SHA-512
By default, the SHA-512 ($6$) encryption method is used on the latest Linux distributions. We will also find the other encryption methods that we can then try to crack on older systems.
Opasswd
The PAM library (pam_unix.so) can prevent reusing old passwords. The file where old passwords are stored is the /etc/security/opasswd. Administrator/root permissions are also required to read the file if the permissions for this file have not been changed manually.
Cracking Linux Credentials
Once we have collected some hashes, we can try to crack them in different ways to get the passwords in cleartext.
Unshadow
Hashcat Crack Unshadowed Hashes
Hashcat - MD5 Hashes
Last updated