Skip to main content

Quickly find out the weak password hashes on a unix box

A password hash generated using algorithms like MD5, BSD, SHA1 or other default hashing algorithm is said be a weak hash, since there are known attacks. Its important to using a hashing algorithm like SHA-2 ( SHA-224, SHA-256, SHA-384, SHA-512 ) since till date there are no known attacks. On a UNIX based operating system , passwords are hashed and stored in either /etc/passwd or /etc/shadow file. If the /etc/shadow file is missing on the system, it can be generated by running the command pwconv, which will move the password hashes from /etc/passwd to /etc/shadow and then place character 'x' as a placeholder in passwd file - indicating that the password hash is stored in shadow file.

Linux/Unix systems must employ password hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors. Use of unapproved algorithms may result in weak password hashes, which are more vulnerable to compromise. Check /etc/passwd and /etc/shadow file for password hashes. Typically /etc/passwd file looks like:

The hash will always begin with a 3 letter identifier - indicating the hashing algorithm. Format of password hash will be "$id$salt$hashed", where $id is the algorithm used. Below table should help :

Alogrithm usedHashed value starts with
BSDi_
MD5$1$
Blowfish$2$, $2a$, $2x$ or $2y$
NT Hash$3$
SHA1$4$
SHA2 (256 or 384 bits)$5$
SHA2 (512 bits)$6$

Typically /etc/shadow file looks like :
 So the easiest way to find out weak password hashes is by analyzing the first 3 characters of the password placeholder field as shown above. You can use a simple shell script to detect this. Before doing this you need to know about some special characters which are never present in a password hash string. Below are the important character sequences:

"NP" or "!" or null - No password, the account has no password.
"LK" or "*" or "*LK*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired

Our shell script should skip such password hashes and only report those which are actual hashes using weak hashing algorithms. Read the files /etc/passwd and /etc/shadow line by line and use the below code to analyze the hash.

#!/bin/sh
algoname="SHA-2"
while read line
do
    checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
    if [ -n "$checkline" ]
    then
           algo=`echo $checkline | cut -c 1-3`
           # 'x' means password hash is stored in /etc/shadow file
           if [ $algo = 'x' ]
           then
                  continue
           fi
           if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
           then
                  accname=`echo $line | cut -d':' -f1`
                  echo "User $accname is not using $algoname hashing algorithm."
           fi
    fi
done </etc/passwd


while read line
do
    checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
    if [ -n "$checkline" ]
    then
           algo=`echo $checkline | cut -c 1-3`
           if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
           then
                  accname=`echo $line | cut -d':' -f1`
                  echo "User $accname is not using $algoname hashing algorithm."
           fi
    fi
done </etc/shadow

No output from the above script means, all users on the system are using SHA-2 based password hashing algorithm. You can modify the parameters in RED to detect other algorithms also.