Methodology Checklist
- Understand auth stack: PAM → /etc/passwd → /etc/shadow
- Check `/etc/passwd` for weak permissions: `ls -la /etc/passwd /etc/shadow`
- Check for writable `/etc/passwd`: add root-level user manually
- Identify hash algorithm from shadow: `$1$` = MD5, `$6$` = SHA-512
- Crack shadow hashes: `john /etc/shadow --wordlist=rockyou.txt`
- Check SSH authorized_keys for all users
- Review PAM configs for auth bypass: `cat /etc/pam.d/*`
Operational Context
Use when: Understanding Linux authentication flow to identify credential interception points → /etc/passwd, /etc/shadow, PAM, and SSH key authentication.
Think Dumber First: If you can read /etc/shadow, you can crack every account offline. If /etc/passwd has `x` in the password field, shadow is in use. If any entry has a direct hash in passwd (old systems), crack it directly.
Skip when: Modern hardened Linux with PAM + SSSD + Kerberos → shadow cracking only works on local accounts.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| cat /etc/passwd | Read user database (world-readable) |
| sudo cat /etc/shadow | Read password hashes (root/shadow group only) |
| sudo cat /etc/security/opasswd | Read old password history (often weaker hashes) |
| ls -l /etc/passwd | Check if passwd is world-writable (instant privesc if rw-rw-rw-) |
| sudo cp /etc/passwd /tmp/passwd.bak && sudo cp /etc/shadow /tmp/shadow.bak | Copy files for offline processing |
| unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes | Merge passwd + shadow for cracking |
| hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt | Crack SHA-512 Linux hashes |
| hashcat -m 18200 -a 0 /tmp/unshadowed.hashes rockyou.txt | Crack Yescrypt hashes (modern Debian/Kali) |
| john --single /tmp/unshadowed.hashes | JtR single mode → uses GECOS metadata as guesses |
Deep Dive & Workflow
PAM and the Authentication Files
Linux authentication is managed by PAM (pam_unix.so). It reads from two files:
/etc/passwd → world-readable user metadata:
`htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash`
- `x` in the password field = hash stored in `/etc/shadow`
- If the password field is empty = no password required
- If the file is world-writable: `root::0:0:root:/root:/bin/bash` = instant root
/etc/shadow → root-only hashes:
`htb-student:$y$j9T$3QS...:18955:0:99999:7:::`
/etc/security/opasswd → password history file. Often contains older MD5 ($1$) hashes from when the account was created → significantly easier to crack than the current SHA-512 or Yescrypt hash.
Hash Algorithm Identification
The `$ID$` prefix in the shadow file identifies the algorithm:
| ID | Algorithm | Hashcat Mode |
|---|---|---|
| $1$ | MD5 | 500 |
| $2a$ | Blowfish | 3200 |
| $5$ | SHA-256 | 7400 |
| $6$ | SHA-512 | 1800 |
| $y$ | Yescrypt | 18200 |
SHA-512 ($6$) is standard on most Linux distributions. Yescrypt ($y$) is the new default on Debian/Ubuntu/Kali.
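The prefix table above, turned into a small audit script (added example, not from the original page): it parses passwd/shadow-style lines, labels each password field by its `$ID$` prefix, and reports the conditions this page flags (empty password fields, a hash kept directly in /etc/passwd, legacy MD5/SHA-256 hashes). The sample entries and the `PLACEHOLDER` hash bodies are constructed, not real hashes; `identify`, `audit` and the bcrypt `$2b$`/`$2y$` variants are additions.

```python
# Added audit example (not the page's own tooling): classify passwd/shadow password fields by $ID$ prefix.
# SAMPLE_PASSWD / SAMPLE_SHADOW below are constructed; hash bodies are placeholders, not real hashes.

# $ID$ prefix -> algorithm, per the table above (plus the $2b$/$2y$ bcrypt variants)
HASH_PREFIXES = {"$1$": "MD5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}
WEAK = {"MD5", "SHA-256"}  # fast to crack offline on GPU hardware

def identify(field):
    """Classify a password field: 'empty', 'shadowed', 'locked', an algorithm name or 'unknown'."""
    if field == "":
        return "empty"      # no password required at all
    if field == "x":
        return "shadowed"   # real hash lives in /etc/shadow
    if field == "*" or field.startswith("!"):
        return "locked"     # "!$6$..." is a locked account whose hash is still present
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def _fields(text):
    return [(l.split(":")[0], l.split(":")[1]) for l in text.splitlines() if ":" in l]

def audit(passwd_text, shadow_text):
    """Return (user, file, issue) tuples for the conditions the checklist above flags."""
    findings = []
    for user, field in _fields(passwd_text):
        algo = identify(field)
        if algo == "empty":
            findings.append((user, "passwd", "empty password field: no password required"))
        elif algo not in ("shadowed", "locked"):
            findings.append((user, "passwd", f"{algo} hash stored directly in world-readable /etc/passwd"))
    for user, field in _fields(shadow_text):
        algo = identify(field)
        if algo == "empty":
            findings.append((user, "shadow", "empty password field: no password required"))
        elif algo in WEAK:
            findings.append((user, "shadow", f"legacy {algo} hash: fast offline cracking"))
        elif algo == "unknown":
            findings.append((user, "shadow", f"unrecognised hash prefix {field[:4]!r}"))
    return findings

SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "legacy:$1$saltsalt$PLACEHOLDER:1001:1001::/home/legacy:/bin/sh\n"
                 "guest::1002:1002::/home/guest:/bin/sh\n")
SAMPLE_SHADOW = ("root:$y$j9T$PLACEHOLDER:18955:0:99999:7:::\n"
                 "svc:$5$saltsalt$PLACEHOLDER:18955:0:99999:7:::\n"
                 "nologin:*:18955:0:99999:7:::\n")
```

`audit(SAMPLE_PASSWD, SAMPLE_SHADOW)` returns three findings (the direct MD5 hash in passwd, the empty guest field, and the SHA-256 shadow hash); point it at the contents of the real files to audit a host.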
Unshadow Workflow
unshadow (bundled with John the Ripper) merges passwd and shadow into a combined format that both John and Hashcat can process:
```bash
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt
```
The unshadowed format is also optimal for John's --single mode, which uses the username and GECOS fields to generate targeted guesses.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Cannot read /etc/shadow | Insufficient privileges | Find SUID cat/less: find / -perm -4000 -name 'cat' 2>/dev/null; or check if in shadow group: id |
| Hash format unrecognized | Unknown hash prefix | Identify: $1$=MD5, $2$/$2b$=bcrypt, $5$=SHA256, $6$=SHA512; use hashcat mode list |
| Shadow hash takes too long to crack | bcrypt rounds high | Check: $2b$12$ means 12 rounds = very slow; prioritize other attack paths |
| PAM misconfiguration not obvious | Config spread across files | Check all PAM files: ls /etc/pam.d/; grep -r 'sufficient\|requisite' /etc/pam.d/ |
| NSS/SSSD users not in /etc/passwd | Centralized auth | List all users: getent passwd, which queries NSS; domain users won't be in local files |
Reporting Trigger
Finding Title: Weak Password Hash Algorithm in /etc/shadow Enables Offline Cracking
Impact: MD5 or SHA-256 password hashes in /etc/shadow are crackable in minutes to hours with modern GPU hardware, providing plaintext passwords for all local accounts on the compromised system.
Root Cause: Legacy system using MD5 ($1$) or SHA-256 ($5$) hashing instead of bcrypt or Argon2. No password complexity enforcement.
Recommendation: Migrate to bcrypt or Argon2 hashing (update PAM configuration). Enforce password complexity and rotation. Implement centralized authentication (SSSD + Kerberos) to eliminate local password-based authentication where possible.