Thread: Understanding the Shadow Hash

  1. #1
    Just burned his ISO
    Join Date
    Mar 2011
    Colorado Springs, CO

    Post Understanding the Shadow Hash

    So there are a LOT of posts about people trying to figure out these hashes so that they can be better at cracking the password rather than just leaving it to fate having a program do ALL of the work. So I have a SMALL amount of input:

    $1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::

    This is a hash from the /etc/shadow file on one (not telling which one) of the 'Vulnerable By Design' systems.

    The $1$ indicates the type of encryption used:
    1 stands for MD5, 2 = Blowfish, 5 = SHA-256 and 6 = SHA-512.

    The XROmcfDX is the Salt
    "salt" stands for the up to 16 characters following "$id$" in the salt. The
    encrypted part of the password string is the actual computed password. The
    size of this string is fixed:

    MD5 | 22 characters
    SHA-256 | 43 characters
    SHA-512 | 86 characters

    The last part tF93GqnLHOJeGRHpaNyIs0 is the actual password encrypted by the algorithm in the 'id' section.

    So the shadow file format goes like this $id$salt$encrypted
    everything is separated by the $.

    In order to crack the password you need to:
    look at the type of hash it is ($1$ =MD5)
    Extract the salt and the encrypted password (XROmcfDX$tF93GqnLHOJeGRHpaNyIs0) notice the salt and encrypted password are separated by the $

    The extra stuff on the end is just information about the account...sometimes it can be useful if you're creative.

    It starts with the : and is a series of 6 different fields of information.
    the first field :14513: means "last changed": Days since Jan 1, 1970 that password was last changed.

    The :0: is Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password

    The :99999: is Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)

    The :7: is Warn: The number of days before password is to expire that user is warned that his/her password must be changed

    The last two fields are NORMALLY (in my experience) just two :: but just in case you come across one that is filled in, here is what it means:

    :: Inactive : The number of days after password expires that account is disabled

    :: Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used

    Notice that the date specified is Jan 1, 1970.

    And there you go.
    Most of the information here are excerpts from
    If you want to read more, please visit those sites and LOOK FOR MORE.

  2. #2
    Senior Member
    Join Date
    Jan 2011
    over the under

    Default Re: Understanding the Shadow Hash

    this was very informative, thank you!

  3. #3
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010

    Default Re: Understanding the Shadow Hash

    Interesting read, thanks for the post!
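
The entry layout described in the first post, as an added example that is not part of the original thread: a parser that splits an entry into `$id$salt$encrypted` plus the six aging fields, converts the day counts to dates, and flags weak settings for an audit. It goes slightly beyond the post by also accepting a leading login name; the function names and the findings wording are this example's own, and it assumes no `rounds=` parameter in the password field.

```python
from datetime import date, timedelta

# Scheme ids and digest lengths exactly as listed in the post (none given for 2).
SCHEMES = {"1": ("MD5", 22), "2": ("Blowfish", None),
           "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
AGING = ("last_changed", "minimum", "maximum", "warn", "inactive", "expire")

def parse_entry(entry):
    """Parse '[user:]$id$salt$encrypted:lastchg:min:max:warn:inactive:expire:'."""
    fields = entry.strip().split(":")
    # The post's sample has no login name; a full shadow line has one first.
    user = None if fields[0].startswith("$") else fields.pop(0)
    parts = fields[0].split("$")
    if len(parts) != 4 or parts[0]:
        raise ValueError("password field is not in $id$salt$encrypted form")
    scheme, length = SCHEMES.get(parts[1], ("unknown", None))
    rec = {"user": user, "id": parts[1], "scheme": scheme, "salt": parts[2],
           "hash": parts[3], "length_ok": length in (None, len(parts[3]))}
    # Empty aging fields mean "not set" and become None.
    values = [int(v) if v.strip() else None for v in fields[1:7]]
    values += [None] * (len(AGING) - len(values))
    rec.update(zip(AGING, values))
    return rec

def days_to_date(days):
    """Convert a 'days since Jan 1, 1970' field to a calendar date."""
    return None if days is None else date(1970, 1, 1) + timedelta(days=days)

def audit(rec):
    """Return defensive findings for one parsed entry."""
    findings = []
    if rec["scheme"] == "MD5":
        findings.append("weak scheme: MD5 ($1$)")
    if not rec["length_ok"]:
        findings.append("hash length does not match the scheme")
    if rec["maximum"] is None or rec["maximum"] >= 99999:
        findings.append("no effective password expiry")
    return findings

if __name__ == "__main__":
    # Sample entry taken from the first post in this thread.
    sample = "$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::"
    rec = parse_entry(sample)
    print(rec["scheme"], rec["salt"], days_to_date(rec["last_changed"]))
    for finding in audit(rec):
        print("finding:", finding)
```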
