Unix/Linux Password Management - SANS GIAC LevelOne ©2000
Crack
Crack is a password cracker that will take encrypted Unix passwords and compute the plain text password.
Thank you, and welcome to SANS LevelOne. We will be covering Crack. Hello, my name is Eric Cole and I will be explaining Crack to you. If you have any questions or comments regarding this program, please contact me at eric7095@aol.com.
Password Cracker Details
• Name: Crack
• Operating System: Unix
• Brief Description: Crack is a password guessing program that is designed to quickly locate insecurities in Unix (or other) password files by scanning the contents of a password file
Crack is a freely available program designed to find standard Unix DES-encrypted passwords by standard guessing techniques. It is written to be flexible, configurable and fast, and to be able to make use of several networked hosts via the Berkeley rsh program (or similar), where possible.
This program checks your users' passwords for "guessable" values. It works by encrypting a list of likely passwords and seeing if the result matches any of your users' encrypted passwords (which must be provided to it). It is surprisingly effective and easy to use.
Checklist
• The following are the objectives for this course. After completion a user should understand the following:
– what password cracking is
– why it is important
– methods of password cracking
– what Crack is
– how to install and run Crack
– how to view the results of Crack
– how to protect against password cracking on Unix
– features of a strong password
– what is a shadow password file
Why are passwords so important?
• First line of defense
• Control access
• Get additional access
• Create back door for future access
Passwords are very important because they are the first line of defense against interactive attacks on your system. Since it is fairly easy for someone to figure out a user ID, the only thing that is protecting access to your system is a user's password. Based on this, if an attacker cannot interact with your system(s), and they have no access to read or write the information contained in the password file, then they have almost no avenues of attack left open to break your system.
This is why, if an attacker can at least read your password file (and if you are on a vanilla modern Unix, you should assume this), it is so important that an attacker is not able to break any of the passwords contained therein. If they can, then it is also fair to assume that they can log on to your system and can then break into "root" via an operating system hole.
How are passwords stored on
In most companies, passwords are the first and only line of defense protecting their information and servers. Since most user IDs consist of the first initial/last name of an employee (or some combination), it is fairly easy to find out valid user IDs for individuals at a company. Based on this, the only other piece of information you need to gain access is a user's password. Therefore passwords need to be protected and very hard to guess.
The key things passwords need to be protected against are unauthorized disclosure, unauthorized modification and unauthorized removal. If users write down their passwords or share them with other people, then the user's password is compromised and can be used as an entry point into the system. Being able to modify a password is just as risky, because as long as an attacker knows what password is associated with a user ID, they can use it to gain access. It does not matter if the real user knows it or not. This is potentially dangerous because if the user tries to get in and cannot, they might be suspicious of foul play.
In order to protect passwords, operating systems use encryption, which basically hides the original content so that if someone gets the encrypted password they will not be able to determine what the original password was.
Encryption 101
• Encryption is the process of converting
plaintext into ciphertext.
• The goal is to make the original text unreadable.
• Three basic methods:
– symmetric - single key
– asymmetric - two keys (public and private)
– hash – one-way algorithm, no key
This section will cover a brief overview of encryption so that you can understand why and how password cracking works. For additional details, there are several good cryptography books on the market.
In its most basic form, cryptography is the process of converting plaintext into ciphertext, with the goal of making the original text unreadable. Basically, plaintext is the original, human-readable message and ciphertext is the unreadable message in its encrypted form.
Therefore, since the goal for passwords is to make them unreadable, they are stored in encrypted form.
There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the message. If two people wanted to communicate, they would both have to have the same key. One person would use it to encrypt the message, and the other person would use the same key to decrypt it. (Editor's note: Symmetric encryption is also known as private key encryption because a single, private key is used for encryption and decryption – JEK)
Asymmetric encryption uses two keys, a public and a private key. The public key is given to everyone and is used only to encrypt. The private key is known only by the owner and is used to decrypt messages. (Editor's
What is password cracking?
• Guessing someone's plain text
password when you only have the
encrypted password.
• General method number one:
– find a valid user ID
– create a list of possible passwords
– try typing in each password
– if system allows you in - success
– if not - try again
Password cracking is the process of trying to guess or determine someone's plaintext password when you only have their encrypted password.
The general method for this is the following:
• find a valid user ID
• create a list of possible passwords
• try typing in each password
• if the system allows you in – success!
• if not, try again
(Editor's note: A distinction is sometimes drawn between password guessing, where the attacker actually tries to log in with various passwords, and password cracking (discussed in the next slide), where the attacker obtains a copy of the encrypted password file or database and attempts to derive passwords from their encrypted form (i.e., "crack" the encryption, generally by taking a group of passwords, generating the hash values, and comparing the generated hashes to those in the password database to see if there is a match) – JEK)
What is password cracking? (2)
• General method number two:
– find a valid user ID
– find the encryption algorithm used
– obtain the encrypted password
– create list of possible passwords
– encrypt each password
– see if there is a match
• Tips
– pre-compute dictionary
– pre-compute encrypted passwords
– automate
Another method is to:
• find a valid user ID
• find the encryption algorithm used
• obtain the encrypted password
• create a list of possible passwords
• encrypt each password
• see if there is a match
Tips for speeding this process up include:
• pre-compute the dictionary
• pre-compute the encrypted passwords
• automate
Methods of Password Cracking
• Dictionary attack
• Hybrid attack
• Brute force attack
The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. When it finds the correct password it displays the result. There are lots of sites that have downloadable dictionaries you can use.
The second method to crack passwords is called a hybrid attack. This builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or "he11o!!" (where the letter L's are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols. The hybrid attack rapidly computes these passwords. These are the types of passwords that will pass through many password filters and policies, yet are still easily crackable.
The final and most powerful cracking method is the brute force method. This method will always recover the password no matter how complex; it is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the time most administrators set their password policy expiration time to. Using a real-world cracking tool is the only good way to know what time one should set for password expirations.
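To show how the six steps of "general method number two" on slide 8 and the dictionary and hybrid attacks on slide 9 fit together in one audit loop, here is an added Python example. It is not Crack's code and does not come from the course. It substitutes a salted SHA-256 from hashlib for the Unix crypt(3) DES hash the slides describe, so it runs on any Python without the deprecated crypt module; the password file, word list, salts and mangling rules are all constructed for the demo. What the notes do not spell out, and the code shows, is that salts force a cracker to hash each candidate once per distinct salt, which is exactly what limits the "pre-compute the encrypted passwords" tip.

```python
"""Password audit in the style of Crack's dictionary and hybrid attacks.

Added example for these notes; not Crack's own code. A salted SHA-256 stands in
for the Unix crypt(3) hash; the password file, word list and rules below are
constructed for the demo.
"""
import hashlib
from typing import Dict, Iterator, List, Tuple


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): a salted one-way hash. Only the one-way and
    salted properties matter for the audit logic."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    """Build one passwd-style line 'user:salt$hash' (constructed format)."""
    return f"{user}:{salt}${hash_password(salt, password)}"


def build_sample_passwd() -> str:
    """Constructed, unshadowed password file: three weak passwords of the kinds
    slide 9 describes and one that the word list cannot reach. Plaintexts are
    listed here only so the demo can build its own hashes."""
    users = [("alice", "aa", "hello"),       # plain dictionary word
             ("bob", "bb", "bogus11"),       # word + digits
             ("carol", "cc", "he11o!!"),     # l->1 swap + punctuation
             ("dave", "dd", "xK9#qLp2vT")]   # not derivable from the word list
    return "\n".join(make_entry(u, s, p) for u, s, p in users)


# Constructed word list standing in for Crack's dict/*.dwg files.
DEMO_WORDS: List[str] = ["password", "hello", "bogus", "sports", "secret"]


def parse_passwd(text: str) -> Dict[str, Tuple[str, str]]:
    """Map user -> (salt, hash) from the constructed 'user:salt$hash' lines."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, stored = line.split(":", 1)
        salt, digest = stored.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def candidates(word: str, hybrid: bool) -> Iterator[str]:
    """Dictionary attack: the word itself. Hybrid attack: Crack-style mangling
    (capitalisation, the l->1 swap, numeric and punctuation suffixes, and the
    swap combined with a suffix, which is how 'he11o!!' arises from 'hello')."""
    if not hybrid:
        yield word
        return
    bases = {word, word.capitalize(), word.replace("l", "1")}
    suffixes = [""] + [str(n) for n in range(100)] + ["!", "!!"]
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix


def audit(passwd_text: str, wordlist: List[str], hybrid: bool = False) -> Dict[str, str]:
    """Slide 8's loop: encrypt each candidate and look for a match. Users are
    grouped by salt so every candidate is hashed once per distinct salt rather
    than once per user; per-user salts bound how much can be precomputed."""
    by_salt: Dict[str, Dict[str, str]] = {}
    for user, (salt, digest) in parse_passwd(passwd_text).items():
        by_salt.setdefault(salt, {})[digest] = user
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for cand in candidates(word, hybrid):
            for salt, digests in by_salt.items():
                user = digests.get(hash_password(salt, cand))
                if user is not None and user not in cracked:
                    cracked[user] = cand
    return cracked


if __name__ == "__main__":
    sample = build_sample_passwd()
    for mode in (False, True):
        hits = audit(sample, DEMO_WORDS, hybrid=mode)
        print("hybrid" if mode else "dictionary", "attack cracked:", hits)
```

Run it as a script and the dictionary pass finds only alice, while the hybrid pass also finds bob and carol; dave's password survives both because no rule derives it from the word list, which is the property the "features of a strong password" objective is about. Against a real system the same loop would call the platform's crypt() with the salt taken from each stored hash, and the word list would be the dict directory Crack ships.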
Why is password cracking useful?
• Auditing strength of passwords
• Recovering forgotten password
• Recovering unknown password
• Migrating users
• Checks and balances
There are many uses for computing user passwords. First and foremost is for a system administrator to audit the strength of the passwords that their users are using. There are password filters for Unix, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker, you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating Windows NT users to another platform such as Unix.
– Modular approach with various scripts
– Combining and extracting password files
Crack is a program written by Alec Muffett to crack passwords on Unix systems. It basically uses dictionary and hybrid attacks to break the passwords. It uses dictionary words and variations of those words, encrypted with CRYPT (which is the algorithm Unix uses to store passwords). It then takes the encrypted values and sees if there is a match. If there is, then Crack has just guessed the correct password.
Crack's main function is to crack passwords on a Unix machine. There are some versions that have been ported to other operating systems, but the original program works only on Unix. Crack also has a modular approach, where Crack itself is used only to crack user passwords. But what makes Crack so useful is that it comes with various other scripts. For example, one script is used to view the results of running Crack. Another script is used to combine password files. This is very useful because it makes Crack very flexible and adaptable for use in various environments.
(Editor's note: Purdue University's COAST site is now CERIAS – the Center for Education and Research in Information Assurance and Security. The CERIAS home page can be found at http://www.cerias.purdue.edu. Additional information on Crack can be found on Alec Muffett's site at http://www.users.dircon.co.uk/~crypto/ – JEK)
Crack New Features
• Uses less memory
• API for easy integration
• More powerful rule sets
• Easy to control
• Tested on various Unix operating
systems
New features in Crack include:
* Complete restructuring - uses less memory
* Ships with Eric Young's "libdes" as standard
* API for ease of integration with arbitrary crypt() functions
* API for ease of integration with arbitrary passwd file format
* Considerably better gecos-field checking
* More powerful rule sets
* Ability to read dictionaries generated by external commands
* Better recovery mechanisms for jobs interrupted by crashes
* Easier to control (e.g. to put it to sleep during working hours)
* Bundled with Crack6 (minimalist password cracker)
Crack Requirements
• Requirements
– Unix-like operating system.
– C Compiler.
– Moderate amount of disk space.
– Lots of CPU time.
– PERMISSION FROM SYSADMIN.
– Root-privileges, quite possibly.
– "gzip" is extremely desirable.
In order to run Crack, you need to be running a Unix operating system. It is highly recommended that you use a more common version such as Solaris or Linux, since Crack and most of the scripts have been tested on these operating systems. If you use an untested version of Unix, it will require more configuration and expertise to get it running. One other requirement for the operating system is that you have some way to get the Crack program onto your system. The easiest way is to FTP or download it from the web.
Crack is not compiled when you download it, so you must have a C compiler running on your system. It is recommended that you use GNU C (gcc), since this has been tested with Crack already and it will make it much easier to compile.
Crack is fairly large and computationally intensive, just by the nature of what the program does. So before you install and run Crack, make sure you have enough resources to compile and run it. If other people are using the Unix machine, please check with them prior to running Crack, because it could cause some issues if they are running critical applications.
If you do not own the machine, always make sure you check with the appropriate people prior to running it.
Where to get Crack
Crack can be obtained from different FTP sites around the Internet. The site I recommend is COAST, which is located at Purdue University:
ftp://coast.cs.purdue.edu/pub/tools/unix/crack
The Crack we used is version 5.0. There is a README file in the directory which contains instructions on how to install and configure Crack.
(Editor's note: Purdue University's COAST site is now CERIAS – the Center for Education and Research in Information Assurance and Security. The CERIAS home page can be found at http://www.cerias.purdue.edu. The above URL for downloading Crack may no longer be valid; it can be downloaded from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack. Additional information on Crack can be found on Alec Muffett's site at http://www.users.dircon.co.uk/~crypto/ – JEK)
Configuring Crack
• Download crack file
• Unzip the file using gzip
Once you download Crack, there are several steps that must be performed prior to running it. This is because you do not download an executable like you do in Windows NT; you download the source files, which need to be compiled and configured in order to run the program.
After you successfully download Crack, first unzip the file crack5.0.tar.Z with the command: gunzip -r crack5.0.tar.Z. This process creates the crack5.0.tar file.
Then, untar the file crack5.0.tar with the command tar -xvf crack5.0.tar. A directory called c50a is generated, with subdirectories holding configuration files, documents, scripts, source code, etc. Text files like Makefile, Reporter and Crack are also generated. A manual.txt file is there too (which is the same as the README file).
Next, READ the manual.txt file. This is just to give you an overview and more detailed information on how to use the program. These slides will give you enough information to get Crack up and running on supported systems.
Then, edit the Crack script file and reconfigure the values of CRACK_PATH, C5FLAGS, CC, CFLAGS and LIBS to suit the operating system.
If you are running a supported operating system like Solaris, you do not need to make any changes to the script files. You would only need to do that if you are running it on a version of Unix that has not been tested or are using a different encryption algorithm. It is recommended that you look at these files, but you could also just try compiling with the standard scripts to see what happens.
Finally, issue the commands Crack -makeonly and then Crack -makedict. After these two steps, a
Running Crack
• Run crack with a passwd file
– Crack [options] [-fmt format] [file]
– Crack /etc/passwd
• Pipe output to a file
– Crack /etc/passwd > output
• Run Reporter script to see results
– ./Reporter [-quiet] [-html]
To run Crack, run the Crack file using any password file that you have. The simplest syntax of Crack is Crack followed by the path and name of the passwd file. If you want to run it against the password file on your current machine and it is not using shadow password files, just type Crack /etc/passwd. If you are not the owner and administrator of this machine, you should check with the appropriate people prior to running it.
While the Crack program is running, it keeps displaying messages on the screen indicating the status of the program. This information can be captured by redirecting the output of Crack to a file, say > output. In order to make sure Crack is running properly, create an account "eric" with a password of "eric" to make sure Crack catches it.
There is a switch in Crack, -mail, which will email a warning message to anyone whose password is cracked. Sending mail to a cracked user actually may not be a good idea, because if the user keeps their mailbox readable by everyone (accidentally), everyone will know he/she has a weak password and his/her account may be hacked into! It is also interesting to note that under the c50a directory, there is a directory called dict. This is a dictionary directory that stores common passwords in files ending with .dwg extensions. These passwords are arranged in categories like sports, cis, etc. You can view and even modify these files with an editor. If you are going to edit these files, be extremely careful, because you could cause Crack to stop working since these are the files it uses to crack passwords.
To check the results of the Crack program, run the Reporter script. This script outputs the results of which passwords were cracked. This can also be piped to a file. If you used an earlier version of Crack, it no longer generates