# Passwd, Shadow & Opasswd in Linux

Linux authentication systems are often built on **PAM (Pluggable Authentication Modules)**. One of the most commonly used modules is `pam_unix.so`, which is responsible for managing user authentication, sessions, and password changes using key files like `/etc/passwd`, `/etc/shadow`, and `/etc/security/opasswd`.

***

## PAM Modules Overview

* PAM modules manage **authentication and password policies**.
* Located in:\
  `/usr/lib/x86_64-linux-gnu/security/` (Debian-based)

🔹 Modules like `pam_unix.so` or `pam_unix2.so` interact with:

* `/etc/passwd`
* `/etc/shadow`
* `/etc/security/opasswd`

***

## `/etc/passwd` File

The **`/etc/passwd`** file stores user account details and is readable by all users:

#### Format

```plaintext
username : password : UID : GID : comment : home_directory : shell
```

Example:

```plaintext
cry0l1t3:x:1000:1000:cry0l1t3,,,:/home/cry0l1t3:/bin/bash
```

#### Security Implications

* `x` indicates that the password hash is stored in `/etc/shadow`.
* If a password hash is present directly in this field, it's **a security risk**, because the file is readable by every user.
* If `root` has a blank password field, no password prompt is shown.

**Before & After Edit Example**

**Before**:

```plaintext
root:x:0:0:root:/root:/bin/bash
```

**After**:

```plaintext
root::0:0:root:/root:/bin/bash
```

Now the `su` command grants direct root access:

```bash
[cry0l1t3@parrot]─[~]$ su
[root@parrot]─[/home/cry0l1t3]#
```

***

## `/etc/shadow` File

The **`/etc/shadow`** file is **restricted to root/admin** and holds the hashed passwords and password-aging fields.

#### 🔍 Format

```plaintext
username : encrypted_password : last_change : min_age : max_age : warn : inactive : expire : unused
```

Example:

```plaintext
kali:$y$j9T$ufXTBpN1QpgwlgqRFmb/B0$/.y0ybAF4iNQXniErsDWf9QSl2HZH7LnBeRHB4ZiQa9:20057:0:99999:7:::
```

### Password Field Symbols

| Symbol     | Meaning                   |
| ---------- | ------------------------- |
| `x`        | Password stored in shadow |
| `*` or `!` | Account is locked         |
| *(empty)*  | No password required      |

### Encryption Types

| Prefix | Algorithm                           |
| ------ | ----------------------------------- |
| `$1$`  | MD5                                 |
| `$2a$` | Blowfish                            |
| `$2y$` | Eksblowfish                         |
| `$5$`  | SHA-256                             |
| `$6$`  | SHA-512 (default in modern distros) |

***

## `/etc/security/opasswd`

Used by **PAM to store old passwords**, preventing password reuse.

### Reading the /etc/security/opasswd

```bash
sudo cat /etc/security/opasswd
```

Example:

```plaintext
cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
```

* Stores **multiple hashes**
* Notice older, **weaker hashes** (like MD5)

***

## Cracking Linux Password Hashes

Once you [obtain hashes](https://3ihi.gitbook.io/z3tssu/cybersecurity-certifications-and-notes/cybersecurity-knowledge-base/download-files-remotely) from `passwd` + `shadow`, you can attempt to crack them.

### 1. Unshadowing Files

```bash
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
```

### 2. Cracking with Hashcat

**Unshadowed Hashes (SHA-512)**

```bash
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
```

**MD5 Hashes**

Prepare MD5 hash list:

```bash
cat md5-hashes.list
```

Example:

```plaintext
qNDkF0zJ3v8ylCOrKB0kt0
E9uMSmiQeRh4pAAgzuvkq1
```

Run hashcat:

```bash
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt
```

***

### ✅ Summary

| File                    | Purpose                                   |
| ----------------------- | ----------------------------------------- |
| `/etc/passwd`           | Stores user account metadata              |
| `/etc/shadow`           | Stores encrypted passwords securely       |
| `/etc/security/opasswd` | Stores old passwords for reuse prevention |

🧠 Be cautious of:

* **Misconfigured permissions** (e.g., writable `/etc/passwd`)
* **Weak hashes** (e.g., MD5 in opasswd)
* **Password reuse patterns**

🧰 Tools used:

* `unshadow`
* `hashcat`
* `rockyou.txt` (wordlist)

