A password hash generated using algorithms like MD5, BSD, SHA1 or other default hashing algorithm is said be a weak hash, since there are known attacks. Its important to using a hashing algorithm like SHA-2 ( SHA-224, SHA-256, SHA-384, SHA-512 ) since till date there are no known attacks. On a UNIX based operating system , passwords are hashed and stored in either /etc/passwd or /etc/shadow file. If the /etc/shadow file is missing on the system, it can be generated by running the command pwconv, which will move the password hashes from /etc/passwd to /etc/shadow and then place character 'x' as a placeholder in passwd file - indicating that the password hash is stored in shadow file.
Linux/Unix systems must employ password hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors. Use of unapproved algorithms may result in weak password hashes, which are more vulnerable to compromise. Check /etc/passwd and /etc/shadow file for password hashes. Typically /etc/passwd file looks like:
The hash will always begin with a 3 letter identifier - indicating the hashing algorithm. Format of password hash will be "$id$salt$hashed", where $id is the algorithm used. Below table should help :
Typically /etc/shadow file looks like :
So the easiest way to find out weak password hashes is by analyzing the first 3 characters of the password placeholder field as shown above. You can use a simple shell script to detect this. Before doing this you need to know about some special characters which are never present in a password hash string. Below are the important character sequences:
"NP" or "!" or null - No password, the account has no password.
"LK" or "*" or "*LK*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired
Our shell script should skip such password hashes and only report those which are actual hashes using weak hashing algorithms. Read the files /etc/passwd and /etc/shadow line by line and use the below code to analyze the hash.
No output from the above script means, all users on the system are using SHA-2 based password hashing algorithm. You can modify the parameters in RED to detect other algorithms also.
Linux/Unix systems must employ password hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors. Use of unapproved algorithms may result in weak password hashes, which are more vulnerable to compromise. Check /etc/passwd and /etc/shadow file for password hashes. Typically /etc/passwd file looks like:
| Alogrithm used | Hashed value starts with | |
| BSDi | _ | |
| MD5 | $1$ | |
| Blowfish | $2$, $2a$, $2x$ or $2y$ | |
| NT Hash | $3$ | |
| SHA1 | $4$ | |
| SHA2 (256 or 384 bits) | $5$ | |
| SHA2 (512 bits) | $6$ |
Typically /etc/shadow file looks like :
"NP" or "!" or null - No password, the account has no password.
"LK" or "*" or "*LK*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired
Our shell script should skip such password hashes and only report those which are actual hashes using weak hashing algorithms. Read the files /etc/passwd and /etc/shadow line by line and use the below code to analyze the hash.
#!/bin/sh
algoname="SHA-2"
while read line
do
checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
if [ -n "$checkline" ]
then
algo=`echo $checkline | cut -c 1-3`
# 'x' means password hash is stored in /etc/shadow file
if [ $algo = 'x' ]
then
continue
fi
if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
then
accname=`echo $line | cut -d':' -f1`
echo "User $accname is not using $algoname hashing algorithm."
fi
fi
done </etc/passwd
while read line
do
checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
if [ -n "$checkline" ]
then
algo=`echo $checkline | cut -c 1-3`
if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
then
accname=`echo $line | cut -d':' -f1`
echo "User $accname is not using $algoname hashing algorithm."
fi
fi
done </etc/shadow
algoname="SHA-2"
while read line
do
checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
if [ -n "$checkline" ]
then
algo=`echo $checkline | cut -c 1-3`
# 'x' means password hash is stored in /etc/shadow file
if [ $algo = 'x' ]
then
continue
fi
if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
then
accname=`echo $line | cut -d':' -f1`
echo "User $accname is not using $algoname hashing algorithm."
fi
fi
done </etc/passwd
while read line
do
checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
if [ -n "$checkline" ]
then
algo=`echo $checkline | cut -c 1-3`
if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
then
accname=`echo $line | cut -d':' -f1`
echo "User $accname is not using $algoname hashing algorithm."
fi
fi
done </etc/shadow
No output from the above script means, all users on the system are using SHA-2 based password hashing algorithm. You can modify the parameters in RED to detect other algorithms also.
