Difference between pages "Operating System Password Encryption" and "Volatile Systems"

From ForensicsWiki
(Difference between pages)
(Salts)
 
m
 
Line 1: Line 1:
==Unix/Linux Password File==
+
{{expand}}
Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/password file needs to be world-readable in order for utilities such as `ls` and `finger` to work modern Unix operating systems store the encrypted passwords in 'shadow' file named /etc/shadow.
+
  
{| class="wikitable" border="1"
+
Memory forensics and consulting.
|-
+
!Username
+
|The user's username
+
|-
+
!Password
+
|Older Unixes store the password crypt here, more modern ones use an 'x' character to denote that a shadow file is in use.
+
|-
+
!UID
+
|The numeric user ID of the user
+
|-
+
!GID
+
|The primary numeric group ID of the user
+
|-
+
!GECOS Field
+
|This is a text field which may contain information about the user such as name and contact details
+
|-
+
!Home directory
+
|The user's home directory
+
|-
+
!Shell
+
|The user's Unix shell
+
|}
+
<pre>
+
user1:x:600:600:User 1:/home/user1:/bin/bash
+
user2:x:601:601:User 2:/home/user2:/bin/bash
+
admin:x:602:602:Admin Account:/home/admin:/bin/bash
+
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
+
someguy:x:604:604:Someguy:/home/someguy:/bin/bash
+
</pre>
+
  
The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate the password supplied is encrypted using the same algorithm and compared to the stored password crypt.
+
== External Links ==
 +
* [https://www.volatilesystems.com/ Official web site]
  
===Unix Crypt===
+
[[Category:Vendors]]
The most commonly used password encryption in Unix for many year was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.
+
 
+
<pre>
+
jim@localhost ~
+
$ crypt hello
+
S84xRArsM.gtk
+
</pre>
+
 
+
In modern computing Unix crypt is severly limited. Passwords are restricted to 8 character passwords, and any trailing character as ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.
+
 
+
<pre>
+
jim@localhost ~
+
$ crypt xx hellohel
+
xxiHMKqoMTDuc
+
 
+
jim@localhost ~
+
$ crypt xx hellohello
+
xxiHMKqoMTDuc
+
</pre>
+
 
+
===Salts===
+
Unix passwords usually use what is know as a salt to help make pre-computation of password hashes more difficult. A salt is a string which is prepended to the password before it is encrypted and stored along with the password in /etc/passwd. You cannot simply pre-compute crypt() values for a list of dictionary words, you would need to pre-compute the hash for each word along with every possible salt to produce a rainbow table of Unix password hashes. The result is a number of different hashes for any given password.
+
 
+
If we use the Unix crypt command to encrypt a password and do not specify a salt then a random salt value is chosen.
+
 
+
<pre>
+
jim@localhost ~
+
$ crypt hello
+
YnxINyIeMlKCM
+
 
+
jim@localhost ~
+
$ crypt hello
+
v3njh4QHNjoWk
+
</pre>
+
 
+
The first two characters of the resulting hash are the salt and must be used when subsequently comparing a supplied password with the stored crypt.
+
 
+
<pre>
+
jim@localhost ~
+
$ crypt v3 hello
+
v3njh4QHNjoWk
+
</pre>
+
 
+
Salts can be of any length
+
 
+
===MD5/SHA1===
+
 
+
NIS
+
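Review bot: In the Salts section, the closing line "Salts can be of any length" contradicts the line just above it, "The first two characters of the resulting hash are the salt", and every crypt example shown uses a two-character salt (xx, v3); say which scheme each statement applies to, or drop the unqualified sentence. The same section says the salt is stored along with the password in /etc/passwd, while the introduction says modern systems keep the crypt in /etc/shadow, and the introduction also writes "/etc/password" once where /etc/passwd is meant. The MD5/SHA1 heading has only "NIS" under it, so it needs body text or should be held back until it is written.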

Revision as of 22:16, 25 May 2009

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Memory forensics and consulting.

External Links