Wednesday, 13 February 2013

User Authentication In Linux



How does the OS determine whether the user has supplied the correct password each time he logs in? Is the actual password present on the hard disk?
Let's take a look. The password supplied by the user is hashed and stored at some location. Irreversible functions are used to convert the password to a hash (hashing is the process of converting data into something that looks like rubbish), i.e. the password cannot be retrieved directly from the hash even if we manage to get hold of the file storing the hashes. When the user supplies a password, the OS hashes it and compares the result with the stored hash to find out whether it is the correct password.

I said there is no direct method to crack the hashes, but there are indirect ones.
One method is to use a pre-calculated hash table, search it for the hash, and read off the corresponding password.
Those tables are called rainbow tables. They contain passwords and the corresponding hashes. This method is feasible only if users pick dictionary words or modifications of them as their passwords, as it is not possible to store the hash of every possible random string.
Another method is to hash every possible combination of characters one by one and compare each result with the hash to be cracked. This is called brute-forcing. It is feasible only if the user uses a short password; long passwords can take years to crack, and the number and speed of processors are important parameters.

THE LINUX OS

In almost every modern Linux distro the password is hashed and stored in the /etc/shadow file. You need root permissions to open it. It would look something like this.

Let us analyse the entry.
The fields are separated by colons; some of them are empty.


The first field is the user name; here it is "root".

The next one is the password information, "$6$7g......NnB6."

The remaining fields relate to password expiration; they are less important and we won't cover them here.

Now let us look at the password information. The password information is itself divided into 3 parts, delimited by $.

The first is the encryption method used; here it is $6$, where the 6 represents SHA-512. Other possible values are:
              $1$      -- MD5 algorithm
              $2a$     -- Blowfish algorithm
              $5$      -- SHA-256 algorithm

The next field contains the salt generated by the OS at the time of encryption. The salt is a string (here it is 7gPuSkeH). The salt is simply appended to the supplied password and the combination is hashed. The salt is used because the hash obtained is then that of the salt-password combination, which is a long, out-of-dictionary word, and hence the hash will not be vulnerable to brute-forcing and dictionary attacks.

The next field is a long hash of the password-salt combination, obtained with one of the above algorithms; the function crypt() is used to generate it. In a terminal, run the command man crypt for more information about it.

So when you create an account, the system generates a random salt and stores it, along with the above information, in the shadow file (/etc/shadow). When a user supplies a password at the login screen, the system hashes it using the algorithm and salt stored in the shadow file and compares the result with the stored hash (in the shadow file). If the hashes match, the user is allowed to log in; otherwise not.
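The store-and-compare flow above, as an added example that is not code from the original post. It parses the password field of a shadow-style line and checks a login using the post's simplified model (one SHA-512 over password + salt); real crypt() runs many rounds with its own encoding, so model_hash, make_entry and check_login are hypothetical helpers and the entries are constructed, not real /etc/shadow lines.

```python
import hashlib
import hmac
import secrets

# Method identifiers as listed in the post.
METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

def parse_shadow_line(line):
    """Split one shadow-style line into user, method, salt and hash."""
    fields = line.rstrip("\n").split(":")
    user, pw = fields[0], fields[1]
    entry = {"user": user, "method": None, "salt": None, "hash": None}
    # Empty, "*" or "!"-prefixed fields hold no usable hash
    # (no password set, or a locked account).
    if not pw.startswith("$"):
        return entry
    parts = pw.split("$")[1:]          # drop the empty string before the first $
    # SHA-based entries may carry an optional "rounds=N" item before the salt.
    if len(parts) > 1 and parts[1].startswith("rounds="):
        del parts[1]
    if len(parts) != 3:                # malformed field
        return entry
    entry["method"] = METHODS.get(parts[0], "unknown")
    entry["salt"], entry["hash"] = parts[1], parts[2]
    return entry

def model_hash(password, salt):
    """Simplified model from the post: hash(password + salt), hex encoded."""
    return hashlib.sha512((password + salt).encode()).hexdigest()

def make_entry(user, password, salt=None):
    """Account creation: pick a random salt, store id, salt and hash."""
    salt = salt or secrets.token_hex(4)   # 8 random characters
    return f"{user}:$6${salt}${model_hash(password, salt)}:15749:0:99999:7:::"

def check_login(line, supplied):
    """Login: re-hash the supplied password with the stored salt and compare."""
    entry = parse_shadow_line(line)
    if entry["hash"] is None:
        return False
    candidate = model_hash(supplied, entry["salt"])
    return hmac.compare_digest(candidate.encode(), entry["hash"].encode())

if __name__ == "__main__":
    alice = make_entry("alice", "correct horse")   # constructed sample accounts
    bob = make_entry("bob", "correct horse")
    print(check_login(alice, "correct horse"), check_login(alice, "wrong"))
    # Same password, different salts: the stored hashes differ.
    print(parse_shadow_line(alice)["hash"] != parse_shadow_line(bob)["hash"])
```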

Now that we understand these techniques, we will hack into any Linux account, and undetectably too; wait for the next post.
