8

Linux typically stores user names and password hashes in /etc/passwd or /etc/shadow.

Now let's say I have an old CentOS distro and I want to attempt to recover a user's password (it's in a legal, learning context at school) encrypted with DES, I figured I would need a plaintext and a cipher encrypted using the same key as my unknown password, crack said key, then decrypt the cipher stored for said user (right?).

Now, my question is, how/when does Linux generate keys when creating users? Could I assume the key used to be the same if I just created a new user? If so, is the key used by the system just plain recoverable?

anthonyvd

3 Answers

9

The passwords aren't encrypted, they're hashed. It is mathematically impossible to derive the original password from the hash. Verification is done by hashing the password that the user enters and comparing it to the one in the vault. If they match, the user is authenticated and they can log in.

Polynomial
  • DES is a crypt function though, not a hash, so how does that work? – anthonyvd Oct 14 '12 at 19:00
  • 1
    DES also hasn't been used by default on a Red Hat system since the 1990s, if ever. At minimum, a real system probably has MD5 hashed passwords. RHEL 6 switched to SHA-512 hashed passwords by default. – Michael Hampton Oct 14 '12 at 19:08
  • The system in question is like a CentOS 2, it IS really old. Hence the question about DES – anthonyvd Oct 14 '12 at 19:19
  • 3
    @pwny Older *nix systems used `crypt`, which uses a DES-based hash scheme. The password is used to form a key, which is then used to encrypt an all-zero block. ([Source](http://en.wikipedia.org/wiki/Crypt_%28Unix%29#Traditional_DES-based_scheme)) – Polynomial Oct 14 '12 at 21:49
  • "mathematically impossible"? I think typically we say that the hash algorithm makes it expensive to find the password given the hash. By randomly guessing every input an attacker will eventually find a solution. – this.josh Oct 15 '12 at 05:58
  • 1
    @this.josh No, that's not a mathematical derivation. It's possible to hash a large number of passwords and compare the results, but it's impossible to derive the original password directly from the hash. – Polynomial Oct 15 '12 at 06:11
  • @this.josh or think about it in another way - there is an infinite amount of passwords but only a finite amount of hashes ;) – Lachezar Balev Oct 15 '12 at 07:26
7

In the DES-based scheme, the salted password is the key and the plaintext is all zeroes; therefore it is not encryption, as the key and message roles are swapped.

You can start with the Wiki or the crypt() man pages to read more about the crypt() function:

http://en.wikipedia.org/wiki/Crypt_%28Unix%29

http://www.kernel.org/doc/man-pages/online/pages/man3/crypt.3.html

lubas
  • Thanks a lot, that makes a lot of sense. It also explains how bruteforce tools try to break DES-based password hashing schemes. – anthonyvd Oct 15 '12 at 00:11
2

By default, Linux uses SHA512 (hashed passwords starting with $6$) to hash user passwords.

The following hash algorithms are supported by crypt():

          ID  | Method
          ─────────────────────────────────────────────────────────
          1   | MD5
          2a  | Blowfish (not in mainline glibc; added in some
              | Linux distributions)
          5   | SHA-256 (since glibc 2.7)
          6   | SHA-512 (since glibc 2.7)

To change the default Linux hash algorithm, you should edit the ENCRYPT_METHOD variable in the /etc/login.defs file, or you can use the authconfig program.

Bruteforce is the only way to crack a password hash. If you are searching for cracking tools, look at JohnTheRipper or oclhashcat.

insider
  • 1
    "Bruteforce is the only way to crack password hash." No, please see http://security.stackexchange.com/questions/379/what-are-rainbow-tables-and-how-are-they-used – this.josh Oct 15 '12 at 06:00
  • 3
    It is still an advanced form of bruteforce attack. The password is being changed one by one from hashed values. It takes less time but is still an iteration over known values of passwords prepared ahead of time. – insider Oct 15 '12 at 09:11
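
An added example, not part of any answer above: a small audit helper that classifies the password field of /etc/shadow-style entries using the ID table from the last answer plus the traditional 13-character DES format, so that accounts still on legacy schemes can be found and rehashed. The function names, the weak-scheme policy and the sample entries are assumptions constructed for illustration.

```python
import re

# IDs from the crypt() table above. A field with no "$" made of 13 characters
# from [./0-9A-Za-z] is the traditional DES scheme; its first 2 chars are the salt.
METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
WEAK = {"none", "DES", "MD5"}   # assumption: audit policy chosen for this example
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Return (method, salt, locked) for the password field of one entry."""
    if field == "":
        return ("none", None, False)        # empty field: no password required
    locked = field[0] in "!*"
    body = field.lstrip("!*")
    if body == "":
        return ("no-login", None, True)     # "*", "!" or "!!": no usable hash
    if body.startswith("$"):
        parts = body.split("$")             # ['', id, [rounds=N,] salt, hash]
        salt = None
        if parts[1] in ("1", "5", "6") and len(parts) >= 4:
            has_rounds = parts[2].startswith("rounds=") and len(parts) >= 5
            salt = parts[3] if has_rounds else parts[2]
        return (METHODS.get(parts[1], "unknown"), salt, locked)
    if DES_RE.fullmatch(body):
        return ("DES", body[:2], locked)
    return ("unknown", None, locked)

def audit(shadow_text):
    """Return [(user, method, is_weak)] for entries with a hash or an empty field."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        method, _salt, _locked = classify(fields[1])
        if method != "no-login":
            findings.append((fields[0], method, method in WEAK))
    return findings

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$6$rounds=5000$examplesalt$CONSTRUCTEDHASH:15627:0:99999:7:::
legacy:abCDEFGHIJKLM:11000:0:99999:7:::
web:$1$saltsalt$CONSTRUCTEDHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, method, weak in audit(SAMPLE):
        print(f"{user:8} {method:8} {'WEAK' if weak else 'ok'}")
```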