Linux Artifacts: Passwd and Shadow Flashcards
What are ‘/etc/passwd’ and ‘/etc/shadow’?
Traditionally, the /etc/passwd file is used to keep track of every registered user that has access to a system. All users will have read access, but only super users will have the ability to write to the file. Why is this useful? Because it gives us information about every user on the system. In a forensic investigation maybe the user has a secret second user account that they have disguised to look like a service account, or maybe during an incident response, an attacker gained access to this Linux system and created an additional account for persistence.
Below is a screenshot of the passwd file on our Kali Linux virtual machine. We can see our account “root” at the top on the second line, with a lot of other entries below. These are all service accounts created by different programs to manage and run daemons. You can see how a second user account could get lost in all of this mess, and identifying it could uncover a lot of digital evidence.
What are ‘/etc/passwd’ and ‘/etc/shadow’? 2
On the second line where we have our current user “root” we can see an X next to the username. This is the account password. Well, it’s really just a variable, because the password is encrypted, and stored somewhere else. The second file we’re going to cover, called /etc/shadow, contains encrypted passwords as well as other information such as account or password expiration values. The /etc/shadow file is readable only by the root account to prevent standard users from grabbing the contents and then using a tool such as hashcat or John The Ripper to brute force, perform a dictionary attack, or use rainbow tables to crack the hashes and reveal the plaintext passwords.
Let’s read the contents of this file using sudo cat /etc/shadow. We can see that next to our root account there’s an encrypted password value.
In the case of a system compromise, if an attacker gained access to a super user account, either by attacking the account or performing privilege escalation on a standard user, they will be able to retrieve both /etc/passwd and /etc/shadow and use these two files to retrieve the passwords for every user on the system. Not good. In the scenario of a digital forensics investigation, investigators working on a forensic copy of the hard drive could use the same techniques to crack the passwords for any other users, and then log in and investigate them.
Cracking Passwords
Although not really in scope of Blue Team Level 1, we decided to give you a chance to crack some passwords using the passwd and shadow files, and a tool called John The Ripper. We have created a new user named “CrackThisUser” and given it the password “bulldog!”. We can confirm the user exists, and has an encrypted password by reading the /etc/shadow file using the command cat /etc/shadow.
Cracking Passwords 2
We’re going to be using the famous “rockyou.txt” wordlist, a file full of the most common passwords. This comes built in with Kali, but it may be in a zip container. Ours was still in it’s zip, so we used gunzip to remove the .gz file type, and then copied it to our Desktop, so we don’t need to keep typing out the long file path.
Cracking Passwords 3
Next we’re going to copy the passwd and shadow files to our desktop for ease of use.
Cracking Passwords 4
To combine the passwd and shadow files, we need to run the linux command unshadow, like this: unshadow passwd shadow > CrackMe. This will create a new file named CrackMe that contains the information from both input files. Now we can crack the output file!
We need to verify we have John (The Ripper) installed by running the command john. We are presented with command guidance, so we know it’s installed. If not, we can use the command sudo apt-get install john. On our Desktop we should now have two files:
Rockyou.txt
crackme
The command we want to use to perform a dictionary attack against the encrypted passwords is: john CrackMe –wordlist=rockyou.txt. John is now working hard to identify the plain text versions of the encrypted passwords. After 2 minutes and 29 seconds, John has successfully cracked the password of our account CrackThisUser!