
Understanding the Shadow Hash

September 23, 2013 baoz

There are a LOT of posts from people trying to figure out these hashes so that they can get better at cracking the password, rather than just leaving it to fate and having a program do ALL of the work. So I have a SMALL amount of input:

$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::

This is a hash from the /etc/shadow file on one (not telling which one) of the ‘Vulnerable By Design’ systems.

The $1$ indicates the type of encryption (hashing algorithm) used:
1 = MD5, 2 = Blowfish, 5 = SHA-256 and 6 = SHA-512.

The XROmcfDX is the salt.
“salt” stands for the up to 16 characters following “$id$” in the salt. The encrypted part of the password string is the actual computed password. The size of this string is fixed:

MD5 | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters

The last part, tF93GqnLHOJeGRHpaNyIs0, is the actual password encrypted by the algorithm in the ‘id’ section.

So the shadow file format goes like this: $id$salt$encrypted, with everything separated by the $.

In order to crack the password you need to:
Look at the type of hash it is ($1$ = MD5).
Extract the salt and the encrypted password (XROmcfDX$tF93GqnLHOJeGRHpaNyIs0). Notice that the salt and the encrypted password are separated by the $.

The extra stuff on the end is just information about the account…sometimes it can be useful if you’re creative.

:14513:0:99999:7:::
It starts with the : and is a series of 6 different fields of information.
The first field, :14513:, means “last changed”: days since Jan 1, 1970 that the password was last changed.

The :0: is Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.

The :99999: is Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password).

The :7: is Warn: the number of days before the password is to expire that the user is warned that his/her password must be changed.

The last two fields are NORMALLY (in my experience) just two ::, but just in case you come across one that is filled in, here is what it means:

:: Inactive: the number of days after the password expires that the account is disabled.

:: Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.

Notice that the date specified is Jan 1, 1970.
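
The layout described above, written out as a small parser that splits an entry, checks the digest length against the table and converts the day counts to calendar dates. This is an added example, not code from the original post; the user name alice, the function name parse_shadow_line and the dictionary keys are made up for the illustration, and any password field that is not exactly $id$salt$encrypted is reported with no scheme.

```python
from datetime import date, timedelta

# Scheme ids and digest lengths as listed in the article
SCHEMES = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
AGING = ("last_changed", "minimum", "maximum", "warn", "inactive", "expire")
EPOCH = date(1970, 1, 1)


def parse_shadow_line(line):
    """Split one /etc/shadow entry into account, hash parts and aging fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    entry = {"user": fields[0], "scheme": None, "salt": None,
             "digest": None, "length_ok": None}
    parts = fields[1].split("$")
    # A crypt string $id$salt$encrypted splits into ['', id, salt, encrypted]
    if len(parts) == 4 and parts[0] == "":
        _, ident, salt, digest = parts
        name, size = SCHEMES.get(ident, ("unknown id " + ident, None))
        entry.update(scheme=name, salt=salt, digest=digest,
                     length_ok=None if size is None else len(digest) == size)
    # Empty aging fields mean "not set"; the others are day counts
    for key, raw in zip(AGING, fields[2:8]):
        entry[key] = int(raw) if raw else None
    # The two absolute fields count days since Jan 1, 1970
    for key in ("last_changed", "expire"):
        days = entry[key]
        entry[key + "_date"] = None if days is None else EPOCH + timedelta(days=days)
    return entry


# Constructed sample: the article's hash with a made-up user name
SAMPLE = "alice:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::"

if __name__ == "__main__":
    for key, value in parse_shadow_line(SAMPLE).items():
        print("%-18s %s" % (key, value))
```
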

And there you go.
Most of the information here is excerpted from
http://www.kernel.org/doc/man-pages/…3/crypt.3.html
and
http://www.cyberciti.biz/faq/underst…tcshadow-file/
If you want to read more, please visit those sites and LOOK FOR MORE.
