Can /etc/shadow be cracked?
2022-04-23 10:23:00 【The goose is like a small drop of stone ~】
Tips:
Hashing (the algorithm is also called a hash function) is neither encryption nor encoding. Hashing is irreversible, while encryption is reversible. Encoding and decoding need no key, while encryption and decryption require a key.
Common encoding, hashing and encryption algorithms are as follows:
Encoding: base64, hex encoding, Huffman coding
Hash: md5, SHA-1, SHA-128, SHA-256, SHA-512, SM3
Encryption:
- Symmetric encryption (the encryption and decryption keys are the same): DES, AES, SM4
- Asymmetric encryption (the encryption and decryption keys are different): RSA, DSA, SM2
Scenario
Using the GlassFish arbitrary file read vulnerability, I read out the /etc/shadow file, but the passwords in it are hashed. How can they be cracked?
Introduction to the /etc/shadow file
First, a small difference between the Linux shadow file and the passwd file:
| File | Accessible to |
|---|---|
| /etc/shadow | All users can read |
| /etc/passwd | root readable |
```
cat /etc/shadow   # one line from my own shadow file
root:$6$C.nLBV0u$Ya4XCw1/jEiqx8/nnwE0r6tEtw/l1zt5iUr8GMrsdxTN1Omp2uPVtFNIZb0ZsNFRImJvvj0CSgNvAcsZo7i6d0:18002:0:99999:7:::
```
As in /etc/passwd, the fields of each line in the shadow file are separated by colons (":"), as shown below:
- User name: a valid account name that exists on the system.
- Password: the password is stored as a hash. The hash value should be at least 15-20 characters long and include special characters, digits, lowercase letters and so on. This field holds the hash of the password. Linux currently uses the SHA512 hash algorithm for passwords; it used to be MD5 or DES. The SHA512 hash algorithm is more secure.
  Note that the string generated from the password must not be edited by hand. If you edit it by hand, the system will no longer recognise the password and the password stops working. Many programs rely on this behaviour and temporarily disable a password by putting "!", "*" or "x" in front of the password string.
  The password entries of all pseudo users are "!!" or "*", which means they have no password and cannot log in. Likewise, if a newly created user has no password set, its password entry is also "!!", meaning the user has no password and cannot log in. The password format is $id$salt$hashed, and the $id value corresponds to the hash algorithm used on GNU/Linux as follows:
  - $1$ is MD5
  - $2a$ is Blowfish
  - $2y$ is Blowfish
  - $5$ is SHA-256
  - $6$ is SHA-512
- Last password change (last changed): the date of the last password change, expressed as the number of days since 1 January 1970 (Unix time). The value 0 has a special meaning: the user must change the password at the next login. An empty field means the password aging function is disabled.
- Minimum: the minimum number of days between password changes, that is, the number of days that must pass before the user is allowed to change the password again. An empty field or the value 0 means there is no minimum password age.
- Maximum: the maximum number of days a password is valid, after which the user is forced to change the password again.
- Warning: the number of days before the password expires during which the user is warned that the password must be changed.
- Inactive: the number of days after the password expires that the account is disabled.
- Expire: the expiration date of the account, expressed as the number of days since 1 January 1970.
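A parser for the field layout described above, written as an added example (not code from the original article) that a defender could use to review exported shadow entries. The field names, the reserved ninth field, the `audit` findings and the sample entries are assumptions made for this example; the sample lines are constructed.

```python
from datetime import date, timedelta

# $id values as listed above; field names follow the list above, plus the
# trailing ninth field, which is reserved and normally empty.
SCHEMES = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
           "5": "SHA-256", "6": "SHA-512"}
FIELDS = ("user", "password", "last_changed", "minimum", "maximum",
          "warning", "inactive", "expire", "reserved")

def days_to_date(value):
    """Days since 1970-01-01 -> date; an empty field -> None."""
    return date(1970, 1, 1) + timedelta(days=int(value)) if value else None

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    pw = entry["password"]
    entry["locked"] = pw.startswith(("!", "*"))   # password disabled
    entry["scheme"] = entry["salt"] = None
    pieces = pw.lstrip("!").split("$")            # ['', id, salt, hashed]
    if len(pieces) >= 4 and pieces[0] == "":
        entry["scheme"] = SCHEMES.get(pieces[1], "unknown")
        if len(pieces) == 4 and pieces[1] in ("1", "5", "6"):
            entry["salt"] = pieces[2]             # plain $id$salt$hashed shape
    entry["changed_on"] = days_to_date(entry["last_changed"])
    entry["expires_on"] = days_to_date(entry["expire"])
    return entry

def audit(entry):
    """Findings a defender would review for one account."""
    findings = []
    if entry["locked"]:
        findings.append("password login disabled")
    if entry["scheme"] == "MD5":
        findings.append("legacy MD5 hash, rehash with SHA-512")
    if entry["last_changed"] == "0":
        findings.append("must change password at next login")
    if entry["last_changed"] == "":
        findings.append("password aging disabled")
    return findings

# Constructed sample entries (not real accounts or real hashes)
SAMPLE = [
    "alice:$6$Xy12abCD$" + "h" * 86 + ":18002:0:99999:7:::",
    "bob:$1$abcdefgh$" + "h" * 22 + ":0:0:99999:7:::",
    "daemon:*:18002:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_shadow_line(line)
        print(e["user"], e["scheme"], e["changed_on"], audit(e))
```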
What is salt?
Let the plaintext password be passwd, and let salt be a random string.
Suppose id=1, that is, the md5 hash algorithm is chosen.
Then the salting process is the calculation
$$\text{hashed} = \text{md5}(\text{salt} + \text{passwd})$$
The result of this calculation is the $id$salt$hashed string that we read in the shadow file.
Note that this is only an example; I have not studied how Linux actually adds the salt, and the salt could also be placed after passwd.
Can it be cracked?
Because a salt is used when hashing, traditional rainbow tables do not work.
Without a salt, the databases of hash values for common passwords are now so large that the password leaks far too easily; cmd5 will teach you that lesson.
The cracking methods are dictionary cracking and brute-force cracking. I can't find a good dictionary: https://github.com/DrKadron/List.txt
The cracking script is as follows; run it on Linux (the crypt library is only available on Linux).
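Why the salt defeats a precomputed table, as an added example that is not part of the original article. It uses the article's simplified md5(salt + passwd) model, not the real Linux crypt algorithm; the function names and the four-entry table (a constructed stand-in for a rainbow table or a cmd5-style database) are assumptions.

```python
import hashlib
import hmac
import os

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def salted_entry(passwd, salt=None):
    """Build $1$salt$hashed with the simplified md5(salt + passwd) model."""
    salt = os.urandom(6) if salt is None else salt
    return "$1$%s$%s" % (salt.hex(), md5_hex(salt + passwd.encode()))

def verify(passwd, entry):
    """Login check: recompute with the stored salt and compare."""
    _, _id, salt_hex, hashed = entry.split("$")
    candidate = md5_hex(bytes.fromhex(salt_hex) + passwd.encode())
    return hmac.compare_digest(candidate, hashed)

# Constructed stand-in for a precomputed table of unsalted hashes
COMMON = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {md5_hex(p.encode()): p for p in COMMON}

def lookup(hash_hex):
    """Return the password if the hash is in the precomputed table."""
    return PRECOMPUTED.get(hash_hex)

def demo():
    unsalted = md5_hex(b"password")
    alice = salted_entry("password")   # two accounts, same password,
    bob = salted_entry("password")     # each with its own random salt
    return {
        "unsalted_hit": lookup(unsalted),
        "alice_hit": lookup(alice.split("$")[3]),
        "bob_hit": lookup(bob.split("$")[3]),
        "same_password_same_entry": alice == bob,
        "alice_login_ok": verify("password", alice),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The unsalted hash is found in the table immediately, while the two salted entries for the same password differ from each other and from every precomputed value, yet a normal login check still succeeds.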
```python
import crypt  # Linux password hashing library (Unix only; removed from the standard library in Python 3.13)

def testPass(cryptPass):
    # Extract the salt value, including the $id part
    salt = cryptPass[cryptPass.find("$"):cryptPass.rfind("$")]
    with open('key.txt', 'r') as dictFile:
        for word in dictFile:
            word = word.strip("\n")
            # Hash the dictionary word with the same salt value
            cryptWord = crypt.crypt(word, salt)
            # Check whether the result equals the password field
            if cryptWord == cryptPass:
                print("[+]Found Password:" + word + "\n")  # print it if equal
                return
    print("[-] Password Not Found.\n")
    return

def main():
    with open('shadow.txt') as passFile:
        for line in passFile:  # read every line in the file
            if ":" in line:
                user = line.split(":")[0]                    # get the user name
                cryptPass = line.split(":")[1].strip(' ')    # get the password field
                print("[*] Cracking Password for:" + user)
                testPass(cryptPass)

main()
```
I happened to see that Guoguang mentioned Hashcat, a tool that uses the GPU to crack passwords. I will learn it later, when I come across a target I need it for!
Copyright notice
This article was written by [The goose is like a small drop of stone ~]. Please include the original link when reposting, thank you.
https://yzsam.com/2022/04/202204231020529039.html