04-27-2023, 11:29 AM
(04-26-2023, 04:25 PM)andiaa734 Wrote:(04-26-2023, 12:44 PM)Snoopy Wrote: first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed)
example entry from a typical shadow file without any data
Code:nobody:*:18375:0:99999:7:::
as you can see the 99999:7::: part is quite obvious
so in my opinion this is something taken from a shadow file and has nothing to to with DES as DES has to be of length 13
You are right. it is taken from a shadow file. After unsahdow it looks like this:
root:$6CJlS7VEVeK2:0:0:root:/:/bin/sh
But it doesn't makes it easier. I start to believe that the shadow file was somehow modified.
this entry on the other hand looks like taken from a passwd file (this is where the login shells are stored) see -> /bin/sh
but i also never saw an entry like that before, looks like some weird kind of malformed merge between a shadow and a passwd file, do you know what kind of linux distribution this was taken from?
anyways this hash entry is way to short and you will not be able to recover a pass from that