# Introduction & PAM

- Linux supports many authentication mechanisms
- [Pluggable Authentication Modules (PAM)](https://web.archive.org/web/20220622215926/http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html) is often used for authentication
- The modules responsible for this functionality, such as `pam_unix.so` or `pam_unix2.so`, are typically located in `/usr/lib/x86_64-linux-gnu/security/` on Debian-based systems
- These modules manage user information, authentication, sessions, and password changes
- PAM also ships many other service modules, such as those for LDAP, mount operations, and Kerberos authentication
- The `pam_unix.so` module uses standardized API calls from the system libraries to look up and update account information
- It primarily reads from and writes to `/etc/passwd` and `/etc/shadow`

# Passwd file

- `/etc/passwd` contains information about every user on the system and is readable by all users and services
- Each entry corresponds to a single user and consists of `seven fields`, separated by colons, which store user-related data in a structured format
- Example: `htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash`

|Field|Value|
|---|---|
|Username|`htb-student`|
|Password|`x`|
|User ID|`1000`|
|Group ID|`1000`|
|[GECOS](https://en.wikipedia.org/wiki/Gecos_field)|`,,,`|
|Home directory|`/home/htb-student`|
|Default shell|`/bin/bash`|

- Usually, we will find the value `x` in the password field, indicating that the password hash is stored in `/etc/shadow` rather than here
- However, `/etc/passwd` could be writeable by mistake (check with `ls -l /etc/passwd`). That would allow us to remove the password field for the `root` user entirely (`root::0:0:root:/root:/bin/bash`), so that `su root` succeeds with an empty password wherever `pam_unix` allows empty passwords (`nullok`, the default on Debian-based systems), or to replace the `x` with a hash we generated ourselves

# Shadow file

- Solely responsible for password storage and management, with a format similar to `/etc/passwd`; unlike `/etc/passwd` it is readable only by root and the `shadow` group
- Example: `htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::`

| Field | Value |
| --- | --- |
| Username | `htb-student` |
| Password | `$y$j9T$3QSBB6CbHEu...SNIP...f8Ms` |
| Last change | `18955` |
| Min age | `0` |
| Max age | `99999` |
| Warning period | `7` |
| Inactivity period | `-` |
| Expiration date | `-` |
| Reserved field | `-` |

- Last change and expiration date are counted in days since 1970-01-01; the age fields are in days as well
- The password field follows a particular format, from which we can extract additional information:
  - `$<id>$<salt>$<hashed>`
  - Some algorithms insert a parameter field after the id, e.g. yescrypt's `$y$j9T$<salt>$<hashed>`, where `j9T` encodes the cost settings
- The id value specifies which cryptographic hash algorithm was used, typically one of the following:

|ID|Cryptographic Hash Algorithm|
|---|---|
|`1`|[MD5](https://en.wikipedia.org/wiki/MD5)|
|`2a`|[Blowfish](https://en.wikipedia.org/wiki/Blowfish_\(cipher\)) (bcrypt)|
|`5`|[SHA-256](https://en.wikipedia.org/wiki/SHA-2)|
|`6`|[SHA-512](https://en.wikipedia.org/wiki/SHA-2)|
|`sha1`|[SHA1crypt](https://en.wikipedia.org/wiki/SHA-1)|
|`y`|[Yescrypt](https://github.com/openwall/yescrypt)|
|`gy`|[Gost-yescrypt](https://www.openwall.com/lists/yescrypt/2019/06/30/1)|
|`7`|[Scrypt](https://en.wikipedia.org/wiki/Scrypt)|

- Many Linux distributions, including Debian, now use `yescrypt` as the default hashing algorithm; `1` (md5crypt) and `sha1` are fast to compute and therefore cheap to crack when still found

# Opasswd

- `pam_unix.so` can prevent users from reusing old passwords (its `remember=N` option)
- The previous password hashes are stored in `/etc/security/opasswd`, one line per user in the format `username:uid:count:hash1,hash2,...`
- Administrator (root) privileges are required to read this file, assuming its permissions have not been modified manually
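A parser and audit for the three files described above, added here as an example (it is not code from the page or from Linux-PAM). It applies the crypt(5) id table to classify each password field, flags the conditions the notes call out (empty password fields, hashes left in world-readable `/etc/passwd`, extra UID 0 accounts, weak algorithms in `/etc/shadow` and `/etc/security/opasswd`), and runs on constructed sample lines; the hash bodies in those samples are placeholders, not real digests.

```python
"""Parse and audit /etc/passwd, /etc/shadow and /etc/security/opasswd lines.

Added example, not from the page or from Linux-PAM. Field layouts follow
passwd(5), shadow(5) and pam_unix's opasswd format (user:uid:count:hash,hash).
All sample lines below are constructed; hash bodies are placeholders."""

# crypt(5) identifiers from the table above; "2b" is the current bcrypt id
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "sha1": "sha1crypt", "y": "yescrypt",
            "gy": "gost-yescrypt", "7": "scrypt"}
WEAK = {"md5crypt", "sha1crypt", "descrypt"}   # fast hashes, cheap to crack

PASSWD_FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("user", "password", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")


def classify(field):
    """Return what a password field means: 'shadowed', 'empty', 'locked' or an algorithm."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field == "":
        return "empty"             # no password at all
    if field[0] in "!*":
        return "locked"            # '!' prefix or '*' disables password login
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, "unknown:" + ident)
    return "descrypt"              # legacy 13-char DES crypt has no '$' prefix


def parse_passwd(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("passwd entry needs 7 fields: " + line)
    return dict(zip(PASSWD_FIELDS, parts))


def parse_shadow(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("shadow entry needs 9 fields: " + line)
    return dict(zip(SHADOW_FIELDS, parts))


def parse_opasswd(line):
    user, uid, count, hashes = line.rstrip("\n").split(":", 3)
    return {"user": user, "uid": int(uid), "count": int(count),
            "hashes": [h for h in hashes.split(",") if h]}


def audit(passwd_lines, shadow_lines, opasswd_lines):
    """Collect findings as (file, user, issue) tuples."""
    findings = []
    for e in map(parse_passwd, passwd_lines):
        kind = classify(e["password"])
        if kind == "empty":
            findings.append(("passwd", e["user"], "empty password field"))
        elif kind != "shadowed":
            findings.append(("passwd", e["user"], "hash stored in world-readable passwd"))
        if e["uid"] == "0" and e["user"] != "root":
            findings.append(("passwd", e["user"], "extra uid 0 account"))
    for e in map(parse_shadow, shadow_lines):
        kind = classify(e["password"])
        if kind == "empty":
            findings.append(("shadow", e["user"], "empty password field"))
        elif kind in WEAK:
            findings.append(("shadow", e["user"], "weak hash " + kind))
    for e in map(parse_opasswd, opasswd_lines):
        weak = sum(classify(h) in WEAK for h in e["hashes"])
        if weak:
            findings.append(("opasswd", e["user"], f"{weak} old hash(es) with weak algorithm"))
    return findings


# Constructed samples; hash bodies are placeholders, not real digests
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash",
    "backup::34:34:backup:/var/backups:/usr/sbin/nologin",
    "svc:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:0:0:svc:/:/bin/bash",
]
SHADOW = [
    "root:$6$saltsalt$placeholderhash:19000:0:99999:7:::",
    "htb-student:$y$j9T$saltsalt$placeholderhash:18955:0:99999:7:::",
    "legacy:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0:18000:0:99999:7:::",
    "daemon:*:18955:0:99999:7:::",
    "guest::18955:0:99999:7:::",
]
OPASSWD = ["cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1"]

if __name__ == "__main__":
    for f in audit(PASSWD, SHADOW, OPASSWD):
        print("%-8s %-12s %s" % f)
```

On a real host the three files are read with root rights and fed to `audit()` line by line; `classify()` also tells you, before any cracking, which entries are locked or shadowed and therefore not worth feeding to a cracker.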
```bash
sudo cat /etc/security/opasswd

cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
```

- Both stored hashes carry the id `$1$`, i.e. MD5-based crypt was in use for the old passwords; md5crypt is fast to compute and therefore cheap to crack

# Cracking Linux Creds

- After gaining root access, we can gather user password hashes and attempt to crack them using various methods to recover the plaintext passwords
- One tool for this process is [unshadow](https://github.com/pmittaldev/john-the-ripper/blob/master/src/unshadow.c), which is included with John the Ripper (JtR)
- It combines the `passwd` and `shadow` files into a single file in the format John expects: passwd lines with the `x` replaced by the hash from shadow

```bash
# create unshadowed hashes file
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
# the copy keeps shadow's root-only mode, so unshadow needs root as well
sudo unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

# crack unshadowed hashes (-m 1800 = sha512crypt, i.e. $6$ hashes)
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
```

- Match `-m` to the id in the hash: `$1$` is `500`, `$5$` is `7400`, `$6$` is `1800`; hashcat has no mode for `$y$` yescrypt, so those hashes go to John (`john --format=crypt /tmp/unshadowed.hashes`), which reads unshadow output directly
- hashcat expects the bare hash, or `user:hash` together with `--username`, so strip the trailing passwd fields down to `user:hash` (e.g. with `cut -d: -f1,2`) before running it
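What `unshadow` does, and how the resulting hashes split between hashcat modes and John, as an added example (this is not the page's, unshadow's or hashcat's own code). The hashcat mode numbers are the documented ones for crypt-style hashes (md5crypt 500, sha256crypt 7400, sha512crypt 1800, bcrypt 3200); yescrypt `$y$` has no hashcat mode and is routed to John's `crypt` format. The sample lines are constructed with placeholder hash bodies, and the `hashes_<mode>.txt` file names in the generated commands are an assumed convention.

```python
"""Merge passwd and shadow like JtR's unshadow and route each hash to a cracker.

Added example, not unshadow's or hashcat's own code. Sample lines are
constructed; hash bodies are placeholders. The output file names used in the
generated commands (hashes_<mode>.txt) are an assumed convention."""

# hashcat modes for crypt-style hashes; no entry for yescrypt ($y$) by design
HASHCAT_MODES = {"1": 500, "5": 7400, "6": 1800, "2a": 3200, "2b": 3200}


def unshadow(passwd_lines, shadow_lines):
    """Return passwd lines whose password field is replaced by the shadow hash."""
    shadow = {}
    for line in shadow_lines:
        user, pw_hash = line.rstrip("\n").split(":", 2)[:2]
        shadow[user] = pw_hash
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]   # 'x' becomes the real hash
        merged.append(":".join(fields))
    return merged


def by_cracker(merged_lines):
    """Group crackable 'user:hash' pairs by hashcat mode, with 'john' for the rest."""
    buckets = {}
    for line in merged_lines:
        user, pw_hash = line.split(":", 2)[:2]
        if not pw_hash.startswith("$"):
            # 'x' with no shadow entry, locked ('!' / '*'), empty, or legacy DES: skip
            continue
        ident = pw_hash.split("$")[1]
        mode = HASHCAT_MODES.get(ident, "john")
        buckets.setdefault(mode, []).append(f"{user}:{pw_hash}")
    return buckets


def commands(buckets, wordlist="rockyou.txt"):
    """One command per bucket; each bucket is assumed saved as hashes_<mode>.txt."""
    cmds = []
    for mode in sorted(buckets, key=str):
        if mode == "john":
            cmds.append(f"john --format=crypt --wordlist={wordlist} hashes_john.txt")
        else:
            # --username makes hashcat accept the user:hash form
            cmds.append(f"hashcat -m {mode} -a 0 --username hashes_{mode}.txt {wordlist}")
    return cmds


# Constructed samples; hash bodies are placeholders, not real digests
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash",
    "legacy:x:1001:1001::/home/legacy:/bin/sh",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]
SHADOW = [
    "root:$6$saltsalt$placeholder:19000:0:99999:7:::",
    "htb-student:$y$j9T$saltsalt$placeholder:18955:0:99999:7:::",
    "legacy:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0:18000:0:99999:7:::",
    "daemon:*:18955:0:99999:7:::",
]

if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    buckets = by_cracker(merged)
    for mode, entries in buckets.items():
        print(mode, entries)
    for cmd in commands(buckets):
        print(cmd)
```

The locked `daemon` entry is dropped rather than sent to a cracker, the md5crypt hash lands in the cheap `500` bucket, and the yescrypt hash only appears in the John command, which is the practical consequence of the `-m 1800` caveat above.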