Linux Shadow hashes - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Support (https://hashcat.net/forum/forum-3.html) +--- Forum: hashcat (https://hashcat.net/forum/forum-45.html) +--- Thread: Linux Shadow hashes (/thread-6703.html) |
Linux Shadow hashes - elidell - 07-12-2017 I am trying to crack a shadow hash that i pulled off the firmware to a wifipineapple.. no big secret as to what the default password for root actually is on this device, but i am just trying to learn. so the hash from the shadow file is as such: root:$1$hash removed by philsmd:16786:0:99999:7::: my assumptions are that 1. root is the user 2. $1 indicates the hashtype - md5 3. $salt (changed by phil) is the salt 4. $after salt (changed by phil) is the actual password 5. i have no idea what the rest is (maybe a time stamp?) anyway, i have tried putting this through hash identifiers, and hashcat itself with -m as 0, 4010, 20 and clipping it every which possible way i could think of.. but hashcat always gives me errors like 'line length exception' or Hash-encoding exception saying no hashes loaded.. could someone help this young grasshopper learn? RE: Linux Shadow hashes - devilsadvocate - 07-12-2017 The first thing you need to know, grasshopper, is that posting hashes is against the forum rules. Don't be surprised if you get banned. RE: Linux Shadow hashes - elidell - 07-12-2017 (07-12-2017, 03:11 AM)devilsadvocate Wrote: The first thing you need to know, grasshopper, is that posting hashes is against the forum rules. Don't be surprised if you get banned. I didn't realize, I didn't think there would be a problem as it's a documented password RE: Linux Shadow hashes - rvn - 07-12-2017 The Fields are IMHO: 16786: The number of days (since January 1, 1970) since the password was last changed. 0: The number of days before password may be changed (0 indicates it may be changed at any time) 99999: The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years 7 : The number of days to warn user of an expiring password (7 for a full week) RE: Linux Shadow hashes - rvn - 07-12-2017 I also think $1$ might be md5crypt and not plain md5 RE: Linux Shadow hashes - undeath - 07-12-2017 (07-12-2017, 01:12 AM)elidell Wrote: so the hash from the shadow file is as such:This is not the hash but the full user entry. (07-12-2017, 11:35 AM)rvn Wrote: I also think $1$ might be md5crypt and not plain md5Yes. Most unix systems use PBKDF2 with some default settings something different for hashing, not plain hashes. If in doubt compare with the examples on https://hashcat.net/wiki/doku.php?id=example_hashes RE: Linux Shadow hashes - philsmd - 07-12-2017 Please do not forget that hashcat supports loading of different/special file types like pwdump, linux shadow, passwd, DCC, NetNTLM, nsldaps etc. Therefore you actually only need to specify that you want to crack a -m 500 hash (md5crypt) and the HLFMT detection routine will automatically figure out that in this particular case it is a shadow file. And yes, md5crypt is not just md5. I'm not sure why so many people just say "I have a md5" if it is md5crypt instead etc RE: Linux Shadow hashes - epixoip - 07-16-2017 (07-12-2017, 12:08 PM)undeath Wrote: Yes. Most unix systems use PBKDF2 with some default settings for hashing No, crypt(3) does not implement PBKDF2. md5crypt and sha2crypt are distinctly different from PBKDF2. Outside of "salted and iterated" the similarities stop there. |