## Encoding, Encryption, and Hashing

Then read this: https://crackstation.net/hashing-security.htm It is significantly more advanced, but it is a pretty cool read. Don't rabbit-hole too hard, just enough to answer the question: "How do hashing and salting affect password cracking?"

As we said, modern Linux versions don't store passwords in /etc/passwd. Instead, they have been moved to /etc/shadow. So now, guess we just have to cat /etc/shadow instead, right?

If you have been paying attention to this course so far, I bet you guessed that wouldn't work. If you check the permissions, you will see that we need root access in order to read /etc/shadow. So now we try it with superuser privileges and we should see the results.

There should be a bunch of entries, but let's break one down.

```
dennis:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:17952:0:99999:7:::
```

Briefly read through the man page for "shadow" and see the breakdown:

```
man shadow
```

The most notable part of this is the password field, field #2. To break it out, we can see that it is represented by:

```
:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:
```

Notably, you can't actually read the password! Let's break this field down even further:

• `$6`
  • This represents the hashing mechanism we are using to generate the hash from this password
• `$iU9KjTeD`
  • This represents the randomly generated salt used
  • By adding the random salt, we minimize the effectiveness of rainbow table attacks, which makes our passwords much harder to crack.
• `$5myyo4W7zppTOEdVUeP8...`
  • This is the resulting hash of taking the user's password and the randomly generated salt

When a user types in a password, the OS takes the input, adds the salt that is saved in /etc/shadow, hashes the string, and then compares the output to the saved hash in /etc/shadow. If the hashes match, access is granted.

Beyond this format, there are a few other characters that can be saved in an /etc/shadow password field. The use of "!" or "*" in this field indicates that the account cannot be logged into using a password, and must instead be logged into using an alternate method, such as an SSH key. This minimizes risk by forcing an attacker to know or have something besides a simple password.

As a note, on modern Linux systems there are a variety of authentication methods which use /etc/shadow in various ways. They are outside of the scope of this course. If you ever find yourself in a job that focuses on Linux auth, blame me for not teaching you more.

## Lock or Delete an Account

If you need to lock an account so that it cannot be logged into, but still exists, use this command.

```
$ sudo usermod -L account_name
```


It will modify the /etc/shadow file to have an "*" in front of the password field so the account cannot be logged into. Check this using cat.
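To review many entries at once instead of reading them by eye, the following added example (not part of the original course material) parses /etc/shadow lines into the fields described above and flags entries a defender would want to look at. The first sample line is the entry from this page; the other accounts, salts and digests are constructed placeholders, and the `ACCEPTED` policy set is an assumption.

```python
from datetime import date, timedelta

# crypt(5) prefix IDs; the page's example entry uses $6$.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
ACCEPTED = {"SHA-256", "SHA-512", "yescrypt"}  # assumption: local policy

def parse_shadow_line(line):
    """Split one /etc/shadow entry and decode its password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw, last = fields[:3]
    entry = {"user": user, "scheme": None, "salt": None, "digest": None}
    # Field 3 is the last password change, in days since 1970-01-01.
    entry["changed"] = date(1970, 1, 1) + timedelta(days=int(last)) if last else None
    if pw == "":
        entry["state"] = "empty"      # shadow(5): no password is required
    elif pw[0] in "!*":
        entry["state"] = "disabled"   # password login is not possible
    else:
        entry["state"] = "hashed"
    parts = pw.lstrip("!*").split("$")
    if len(parts) >= 4 and parts[0] == "":
        # Layout: ['', id, optional parameters, salt, digest]
        entry["scheme"] = SCHEMES.get(parts[1], "unknown")
        entry["salt"], entry["digest"] = parts[-2], parts[-1]
    elif entry["state"] == "hashed":
        entry["scheme"] = "unknown"   # no $id$ prefix, e.g. legacy DES crypt
    return entry

def audit(lines):
    """Return (user, finding) pairs that deserve a closer look."""
    findings = []
    for e in map(parse_shadow_line, lines):
        if e["state"] == "empty":
            findings.append((e["user"], "empty password field"))
        elif e["state"] == "hashed" and e["scheme"] not in ACCEPTED:
            findings.append((e["user"], f"weak or unknown scheme: {e['scheme']}"))
    return findings

SAMPLE = [  # first line is from the page, the rest are constructed
    "dennis:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:17952:0:99999:7:::",
    "svc_backup:*:17952:0:99999:7:::",
    "alice:!$6$saltsalt$CONSTRUCTED.PLACEHOLDER:17952:0:99999:7:::",
    "legacy:$1$saltsalt$CONSTRUCTED.PLACEHOLDER:17000:0:99999:7:::",
    "guest::17952:0:99999:7:::",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real system, feed it the output of `sudo cat /etc/shadow` line by line; the hash of a disabled account is still parsed, so you can confirm that locking did not discard it.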

To delete an account:

```
$ sudo userdel account_name
```

# Assignment:

1. What is in /etc/shadow? Describe how hashing, salting, and cracking work from the perspective of a defender.
2. Break down this entry from /etc/shadow. Describe each field, especially focusing on the password field.
   • `dennis:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:17952:0:99999:7:::`
3. Create an account, set the password, and check the password in /etc/shadow. Then lock the account using usermod and check the password again. Now, unlock the account; you will have to Google or use man pages for this. Check /etc/shadow again. Briefly write up what you saw and any problems you had doing this.

