Thread: How to clear the password in /etc/shadow

  1. #1
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    3

    How to clear the password in /etc/shadow

    Hi

    I have read several threads on the net about clearing a user's password by removing the hash value between the two semi-colons (:...:) in /etc/shadow. However, having tried it a few times I am continually met by failure: I clear the entry leaving just :: with the other values to the left and right left intact, log out, then try to log in as the respective user, just pressing Enter when asked for the password, and it just tells me incorrect password.

    Every thread I read about the subject though seems to suggest this is the way to do it?

    So I also tried creating two users, using Password1 and Password2 respectively. I then edited /etc/shadow and swapped the hash values round between the colons for each user. But when I try to then login with either user using either password it fails.

    What am I doing wrong?

    Many thanks

    Ted

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    First of all, in Linux the password is "salted" with the user name, so simply switching hashes will not work. That's pretty much password basics.

    In Linux there are 2 files which make up the status of a user's password: /etc/shadow & /etc/password.

    In any case, if you are already logged in with enough privs to change the password then I don't really see any reason to clear a user password. Either change the user's password and then change it back when the audit is done, or add yourself a new user.

  3. #3
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    3


    The reason I am trying to do this is for an academic study of a particular encryption system (eCryptfs) that is based, initially, on the user's login password. Each user configures the encryption system for themselves and chooses their own mount passwords for their encrypted data. You only have to be root to install eCryptfs initially; from then on each user can configure their home directory with it using their own passwords.

    Imagine the scenario where a computer has been seized from a corrupt employee, for example, who has encrypted a directory in the home directory. The computer is then forensically imaged by the IT security team. The /etc/shadow file is then extracted out to their analysis workstation, where the password is cleared or changed to something they know, and then it is written back to the original disk using a hex editor or whatever and the system booted. The IT security team can now log in to the corrupt user's account (in theory, if I can get this step to work!) to view the encrypted data and all of his other data. However, because the encryption system can only be mounted by unwrapping the original user's login password, it won't work now (as it's different) and all the data is scrambled, despite being logged in to the account OK using the new password. However, the encryption system ships with a facility to allow users to re-wrap their mount passphrase based on their new login password, so the IT security team can now run it (just as a standard user) so that the encrypted data is successfully mounted, using the new password. That is the theory that I am trying to demonstrate, but as I can't even work out how to clear or change the password in /etc/shadow I am somewhat stuck!

    So it's not so much a matter of permissions in this case, and as each user of the system configures the encryption system for themselves, adding a new user will not help.

    You mention the involvement of the second file, /etc/password... do you mean /etc/passwd? I knew they were linked, but I thought on systems where the shadow suite is installed everything was concentrated in the shadow file. If this is not the case, is there something I'd need to do to that file too? If so, can you tell me what?

    Thanks

    Ted

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943


    Don't know if the attack you describe on the encrypted filesystem will work, but you should be able to change the password if you replace both the password AND the salt value with fields from an account that you know the password to, from a system that uses the same password encryption method.
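An added example, not code from any poster in this thread, that does the field surgery lupin describes on a copy of /etc/shadow: it transplants the complete password field (method id, salt and hash, everything between the two colons) from an account whose password is known into the target account, and it checks that both fields use the same crypt method before doing so. It also shows the "clear the field" variant from the first post. The sample shadow lines, account names and hash strings below are constructed placeholders in the $6$salt$hash layout, not real hashes of any password, and the working-file path is an assumption. Two caveats worth knowing before trying the empty-field approach on a real system: pam_unix only accepts an empty password field when the `nullok` option is set in the PAM stack, and sshd refuses empty passwords unless `PermitEmptyPasswords yes` is configured, so "incorrect password" after clearing the field is the expected result on most default installs.

```shell
#!/bin/sh
# Edit a working copy pulled off the image (assumed path), never the live file.
WORKFILE="${WORKFILE:-./shadow.work}"

# Constructed sample /etc/shadow content. The hash fields are placeholders
# laid out as $<id>$<salt>$<hash>; they are not real hashes of anything.
SAMPLE_SHADOW='root:$6$rootsalt$ROOTHASHPLACEHOLDER:18262:0:99999:7:::
ted:$6$tedsalt00$TEDHASHPLACEHOLDER:18262:0:99999:7:::
analyst:$6$knownsalt$KNOWNHASHPLACEHOLDER:18262:0:99999:7:::
legacy:$1$oldsalt$MD5HASHPLACEHOLDER:18262:0:99999:7:::
daemon:*:18262:0:99999:7:::'

# Print the password field (field 2) of one account; shadow text on stdin.
shadow_get_pw() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Replace the password field of one account, keeping the other 8 fields
# (last change, min/max age, warn, inactive, expire, reserved) untouched.
shadow_set_pw() {
    awk -F: -v OFS=: -v u="$1" -v f="$2" '$1 == u { $2 = f } { print }'
}

# Crypt method id of a field: the token between the first two '$'
# (1 = md5crypt, 5 = sha256crypt, 6 = sha512crypt, y = yescrypt).
# Locked (*, !) or empty fields have no method and print "none".
shadow_method() {
    case "$1" in
        \$*\$*) printf '%s\n' "$1" | cut -d'$' -f2 ;;
        *)      printf 'none\n' ;;
    esac
}

# Transplant donor's whole field into target. Copying only the part after
# the last '$' cannot work: the salt in front of it is hashed together
# with the password, so salt and hash must travel as one unit.
# Refuses when both fields carry a method id and the ids differ.
shadow_transplant() {
    donor="$1"; target="$2"
    shadow=$(cat)
    donor_field=$(printf '%s\n' "$shadow" | shadow_get_pw "$donor")
    target_field=$(printf '%s\n' "$shadow" | shadow_get_pw "$target")
    dm=$(shadow_method "$donor_field")
    tm=$(shadow_method "$target_field")
    if [ "$dm" != none ] && [ "$tm" != none ] && [ "$dm" != "$tm" ]; then
        printf 'refusing: %s uses $%s$ but %s uses $%s$\n' \
            "$donor" "$dm" "$target" "$tm" >&2
        return 1
    fi
    printf '%s\n' "$shadow" | shadow_set_pw "$target" "$donor_field"
}

# Number of lines in a shadow text on stdin (sanity check after editing).
shadow_count() {
    awk 'END { print NR }'
}

# Stand-alone demonstration against the constructed sample.
if [ "${SHADOW_DEMO:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE_SHADOW" > "$WORKFILE"
    # 1. Give ted the analyst's known password by copying the whole field.
    shadow_transplant analyst ted < "$WORKFILE" > "$WORKFILE.new" && \
        mv "$WORKFILE.new" "$WORKFILE"
    # 2. This one is refused: md5crypt field into a sha512crypt account.
    shadow_transplant legacy root < "$WORKFILE" > /dev/null 2>&1 || \
        echo "legacy -> root refused as expected"
    # 3. The empty-field variant; only useful where PAM allows nullok.
    shadow_set_pw daemon '' < "$WORKFILE" > "$WORKFILE.cleared"
    grep '^ted:' "$WORKFILE"
    rm -f "$WORKFILE" "$WORKFILE.cleared"
fi
```

After writing the edited file back to the image, the login still has to pass the rest of the stack (PAM configuration, account expiry fields, sshd settings), so verify against a boot of the image rather than assuming the field edit alone is sufficient.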
