Difference between pages "Operating System Password Encryption" and "File:Reporting.jpg"

From ForensicsWiki
==Unix/Linux Password File==
 
Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/passwd file needs to be world-readable in order for utilities such as `ls` and `finger` to work, modern Unix operating systems store the encrypted passwords in a 'shadow' file named /etc/shadow.
 
  
{| class="wikitable" border="1"
|-
!Username
|The user's username
|-
!Password
|Older Unixes store the password crypt here; more modern ones use an 'x' character to denote that a shadow file is in use.
|-
!UID
|The numeric user ID of the user
|-
!GID
|The primary numeric group ID of the user
|-
!GECOS Field
|This is a text field which may contain information about the user, such as name and contact details
|-
!Home directory
|The user's home directory
|-
!Shell
|The user's Unix shell
|}
 
<pre>
user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
someguy:x:604:604:Someguy:/home/someguy:/bin/bash
</pre>
 
 
The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate, the password supplied is encrypted using the same algorithm and compared to the stored password crypt.
 
 
===Unix Crypt===
 
The most commonly used password encryption in Unix for many years was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.
 
 
<pre>
jim@localhost ~
$ crypt hello
S84xRArsM.gtk
</pre>
 
 
In modern computing, Unix crypt is severely limited. Passwords are restricted to 8 characters, and any trailing characters are ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.
 
 
<pre>
jim@localhost ~
$ crypt xx hellohel
xxiHMKqoMTDuc

jim@localhost ~
$ crypt xx hellohello
xxiHMKqoMTDuc
</pre>
 
 
===Salts===
 
Unix passwords usually use what is known as a salt to help make pre-computation of password hashes more difficult. A salt is a string which is prepended to the password before it is encrypted, and it is stored along with the password in /etc/passwd. You cannot simply pre-compute crypt() values for a list of dictionary words; you would need to pre-compute the hash for each word along with every possible salt to produce a rainbow table of Unix password hashes. The result is a number of different hashes for any given password.
 
 
If we use the Unix crypt command to encrypt a password and do not specify a salt then a random salt value is chosen.
 
 
<pre>
jim@localhost ~
$ crypt hello
YnxINyIeMlKCM

jim@localhost ~
$ crypt hello
v3njh4QHNjoWk
</pre>
 
 
The first two characters of the resulting hash are the salt and must be used when subsequently comparing a supplied password with the stored crypt.
 
 
<pre>
jim@localhost ~
$ crypt v3 hello
v3njh4QHNjoWk
</pre>
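
An added example, not part of the original wiki page: a Python sketch that splits passwd lines into the seven fields listed above, classifies the password field, and pulls the two-character salt out of a traditional crypt value. The `legacy`, `legacy2` and `nopass` accounts are constructed sample data, and the 13-character pattern and the meaning of an empty field are assumptions taken from the traditional crypt and passwd formats.

```python
import re
from collections import defaultdict

FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")
# Traditional crypt value: 2-character salt followed by 11 characters of hash,
# all drawn from the alphabet ./0-9A-Za-z (13 characters in total).
UNIX_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample: two lines from the page plus three hypothetical accounts
# (two still carry a crypt value in the password field, one has it empty).
SAMPLE = """\
user1:x:600:600:User 1:/home/user1:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
legacy:v3njh4QHNjoWk:605:605:Legacy:/home/legacy:/bin/sh
legacy2:v3njh4QHNjoWk:606:606:Legacy 2:/home/legacy2:/bin/sh
nopass::607:607:No password:/home/nopass:/bin/sh
"""

def parse_line(line):
    """Split one passwd line into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry

def classify(password_field):
    """Return (kind, salt); salt is set only for a traditional crypt value."""
    if password_field == "x":
        return "shadowed", None          # hash lives in /etc/shadow
    if password_field == "":
        return "empty", None             # no password set on the account
    if UNIX_CRYPT.fullmatch(password_field):
        return "unix-crypt", password_field[:2]
    return "other", None                 # locked marker or another scheme

def triage(text):
    """Classify every account and group accounts sharing an identical crypt."""
    report, by_crypt = {}, defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        kind, salt = classify(entry["password"])
        report[entry["username"]] = (kind, salt)
        if kind == "unix-crypt":
            by_crypt[entry["password"]].append(entry["username"])
    shared = [users for users in by_crypt.values() if len(users) > 1]
    return report, shared
```

Two accounts with an identical crypt value share both the salt and the password (up to the 8 characters crypt considers), which is worth noting during an examination.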
 
 
Salts can be of any length.
 
 
===MD5/SHA1===
 
 
NIS
 

Revision as of 14:31, 12 October 2009