Linux Authentication
Summary
Linux uses Pluggable Authentication Modules (PAM) for authentication. The key modules (pam_unix.so, pam_unix2.so) are located in /usr/lib/x86_64-linux-gnu/security/ on Debian-based systems. PAM handles user information, authentication, sessions, and password changes.
Key Files
| File | Purpose | Permissions |
|---|---|---|
| /etc/passwd | User account info | World-readable |
| /etc/shadow | Password hashes | Root only |
| /etc/security/opasswd | Previous passwords | Root only |
/etc/passwd
Contains user information in seven colon-separated fields:
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash
| Field | Description |
|---|---|
| Username | Login name |
| Password | x = hash in shadow file; empty = no password |
| UID | User ID |
| GID | Primary group ID |
| GECOS | User info (name, phone, etc.) |
| Home | Home directory path |
| Shell | Default login shell |
Security Note: If the password field contains an actual hash (rare, seen on old systems) or the file is writable by unprivileged users, this is a critical vulnerability.
/etc/shadow
Stores password hashes with nine colon-separated fields:
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::
| Field | Description |
|---|---|
| Username | Login name |
| Password | Hashed password |
| Last change | Days since epoch of last change |
| Min age | Minimum days between changes |
| Max age | Maximum days before change required |
| Warning | Days before expiry to warn |
| Inactivity | Days after expiry until disabled |
| Expiration | Absolute expiry date |
| Reserved | Unused |
Special Password Values:
- ! or * = Unix password login disabled (other authentication methods may still work)
- Empty = No password required
Hash Format
$<id>$<salt>$<hashed>
| ID | Algorithm |
|---|---|
| 1 | MD5 |
| 2a | Blowfish |
| 5 | SHA-256 |
| 6 | SHA-512 |
| sha1 | SHA1crypt |
| y | Yescrypt (modern default) |
| gy | Gost-yescrypt |
| 7 | Scrypt |
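As an added example (not from the original page), a small Python audit that parses the passwd and shadow field layouts above, maps the hash ID prefix to the algorithm table, and flags the risky cases described: a hash or empty field in /etc/passwd, and empty or legacy hashes in /etc/shadow. The sample entries, salts and hashes are constructed placeholders.

```python
import re

# Hash-prefix IDs from the Hash Format table above; $1$ and sha1 are legacy.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512",
            "sha1": "SHA1crypt", "y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt"}
LEGACY_IDS = {"1", "sha1"}
PASSWD_FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("user", "password", "last_change", "min_age", "max_age",
                 "warning", "inactivity", "expiration", "reserved")

def parse_entry(line, fields):
    """Split one passwd/shadow line into a dict; reject malformed field counts."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fields, parts))

def classify_hash(pw):
    """Return (algorithm, note) for a password field value."""
    if pw == "":
        return "none", "empty field: no password required"
    if pw in ("!", "*") or pw.startswith("!"):  # "!" also prefixes a locked hash
        return "locked", "Unix password login disabled"
    m = re.match(r"^\$([^$]+)\$", pw)
    if not m:
        return "unknown", "unrecognised format"
    hash_id = m.group(1)
    note = "legacy hash, easy to crack" if hash_id in LEGACY_IDS else "ok"
    return HASH_IDS.get(hash_id, hash_id), note

def audit(passwd_lines, shadow_lines):
    """Flag hash/empty field in passwd, and empty or legacy hashes in shadow."""
    findings = []
    for e in (parse_entry(l, PASSWD_FIELDS) for l in passwd_lines):
        if e["password"] != "x":  # anything but "x" here is world-readable
            alg, note = classify_hash(e["password"])
            findings.append((e["user"], "passwd", f"{alg}: {note}"))
    for e in (parse_entry(l, SHADOW_FIELDS) for l in shadow_lines):
        alg, note = classify_hash(e["password"])
        if alg != "locked" and note != "ok":
            findings.append((e["user"], "shadow", f"{alg}: {note}"))
    return findings

# Constructed sample entries (salts and hashes are placeholders, not real hashes).
PASSWD = ["htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash",
          "legacy:$1$SALTSALT$PLACEHOLDERHASH:1001:1001::/home/legacy:/bin/sh"]
SHADOW = ["htb-student:$y$j9T$SALTSALT$PLACEHOLDERHASH:18955:0:99999:7:::",
          "guest::18955:0:99999:7:::",
          "svc:*:18955:0:99999:7:::",
          "old:$1$SALTSALT$PLACEHOLDERHASH:18000:0:99999:7:::"]
```

Running audit(PASSWD, SHADOW) reports the legacy hash sitting in passwd, the empty guest entry and the MD5 hash in shadow, and stays silent on the locked svc account and the yescrypt entry.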
/etc/security/opasswd
PAM stores previous passwords here to prevent reuse. Contains comma-separated historical hashes per user:
cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
Note: Older hashes (e.g., MD5 $1$) are easier to crack and may reveal password patterns.
Cracking Linux Credentials
Using unshadow
Combine passwd and shadow files for cracking:
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Cracking with hashcat
Mode 1800 is for SHA-512crypt ($6$) hashes; pick the mode matching the hash ID in the unshadowed file (see the mode table below):
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
Cracking with John the Ripper
John’s single crack mode is ideal for this scenario as it uses GECOS/username data:
john --single /tmp/unshadowed.hashes
Or with a wordlist:
john --wordlist=rockyou.txt /tmp/unshadowed.hashes
Common Hashcat Modes for Linux
| Mode | Algorithm |
|---|---|
| 500 | MD5crypt ($1$) |
| 1800 | SHA-512crypt ($6$) |
| 7400 | SHA-256crypt ($5$) |
| 3200 | bcrypt ($2a$) |