Passwd, Shadow & Opasswd in Linux

Linux authentication systems are often built on PAM (Pluggable Authentication Modules). One of the most commonly used modules is pam_unix.so, which is responsible for managing user authentication, sessions, and password changes using key files like /etc/passwd, /etc/shadow, and /etc/security/opasswd.

---

PAM Modules Overview

• PAM modules manage authentication and password policies.

• Located in: /usr/lib/x86_64-linux-gnu/security/ (Debian-based)

🔹 Modules like pam_unix.so or pam_unix2.so interact with:

• /etc/passwd

• /etc/shadow

• /etc/security/opasswd

---

/etc/passwd File

The /etc/passwd file stores user account details, accessible by all users:

Format

username : password : UID : GID : comment : home_directory : shell

Example:

cry0l1t3:x:1000:1000:cry0l1t3,,,:/home/cry0l1t3:/bin/bash

Security Implications

• x indicates the encrypted password is in /etc/shadow.

• If password is directly present, it’s a security risk.

• If root has a blank password field, no prompt is shown.

Before & After Edit Example

Before:

root:x:0:0:root:/root:/bin/bash

After:

root::0:0:root:/root:/bin/bash

Now su command will grant direct root access:

[cry0l1t3@parrot]─[~]$ su
[root@parrot]─[/home/cry0l1t3]#

---

etc/shadow File

The /etc/shadow file is restricted to root/admin and holds encrypted password data.

🔍 Format

username : encrypted_password : last_change : min_age : max_age : warn : inactive : expire : unused

Example:

kali:$y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9:20057:0:99999:7:::

Password Field Symbols

Symbol	Meaning
x	Password stored in shadow
* or !	Account is locked
(empty)	No password required

Encryption Types

Prefix	Algorithm
$1$	MD5
$2a$	Blowfish
$2y$	Eksblowfish
$5$	SHA-256
$6$	SHA-512 (default in modern distros)

---

/etc/security/opasswd

Used by PAM to store old passwords, preventing password reuse.

Reading the /etc/security/opasswd

sudo cat /etc/security/opasswd

Example:

cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1

• Stores multiple hashes

• Notice older, weaker hashes (like MD5)

---

Cracking Linux Password Hashes

Once you obtain hashes from passwd + shadow, you can attempt to crack them.

1. Unshadowing Files

sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

2. Cracking with Hashcat

Unshadowed Hashes (SHA-512)

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

MD5 Hashes

Prepare MD5 hash list:

cat md5-hashes.list

Example:

qNDkF0zJ3v8ylCOrKB0kt0
E9uMSmiQeRh4pAAgzuvkq1

Run hashcat:

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

---

✅ Summary

File	Purpose
/etc/passwd	Stores user account metadata
/etc/shadow	Stores encrypted passwords securely
/etc/security/opasswd	Stores old passwords for reuse prevention

🧠 Be cautious of:

• Misconfigured permissions (e.g., writable /etc/passwd)

• Weak hashes (e.g., MD5 in opasswd)

• Password reuse patterns

🧰 Tools used:

• unshadow

• hashcat

• rockyou.txt (wordlist)

---

Let me know if you'd like to merge this with the previous credential hunting notes or export it as a file!