Installing and Using crack

Một phần của tài liệu bsd hacks - 100 industrial-strength tips & tools (2004) (Trang 152 - 155)

Hack 30 Monitor Password Policy Compliance

3.8.1 Installing and Using crack

Let's take a look at the most commonly used dictionary password cracker used on Unix systems, crack. You'll have to be the superuser for this entire hack because, fortunately, only the superuser has permission to crack the passwd database. crack should build on any Unix system; I'll demonstrate on FreeBSD:

# cd /usr/ports/security/crack

# make install clean

On my system, this creates the /usr/local/crack directory which only the superuser can access. I need to cd into that directory in order to crack passwords. I'll start with a simple crack, then show you how to tweak this utility to serve your particular network.

# cd /usr/local/crack

# ./Crack -fmt bsd /etc/master.passwd

Crack is a Bourne shell script contained within this directory, so you'll have to run it with the command ./Crack. Use the -fmt switch to indicate the type of system; in my case, it is bsd. Finally, pass the path of the database containing the actual password hashes. On my system, this is the BSD shadow password database at /etc/master.passwd. The command and output on my test system is:

# ./Crack -fmt bsd /etc/master.passwd Crack 5.0a: The Password Cracker.

(c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996

System: FreeBSD genisis 5.1-RELEASE FreeBSD 5.1-RELEASE #7: \

Tue Jul 29 09:54:11 EDT 2003 dru@genisis:/usr/obj/usr/src/sys/NEW i386 Home: /usr/local/crack

Invoked: ./Crack -fmt bsd /etc/master.passwd Stamp: freebsd-5-i386_

Crack: making utilities in run/bin/freebsd-5-i386_

find . -name "*~" -print | xargs -n50 rm -f

( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done ) rm -f dawglib.o debug.o rules.o stringlib.o *~

/bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* *.old \ *.bak destest rpw des speed

rm -f *.o *~

`../../run/bin/freebsd-5-i386_/libc5.a' is up to date.

all made in util

Crack: The dictionaries seem up to date...

Crack: Sorting out and merging feedback, please be patient...

Crack: Merging password files...

Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary

Crack: launching: cracker -kill run/Kgenisis.27478 Done

Note that the word Done is a bit of a misnomer. The gecos test is finished, but the actual dictionary attack has just begun and is quietly perking along in the background:

# ps -acux | grep cracker

root 14013 97.0 2.8 9448 8916 v5 R 10:32AM 4:17.68 cracker

3.8.1.1 Monitoring the results

Let's take a look at my current results, then analyze what is happening here:

# ./Reporter -quiet

---- passwords cracked as of Mon Nov 17 10:33:18 EST 2003 ----

1069099872:Guessed test [test] User & [/etc/master.passwd /bin/csh]

---- done ----

The Reporter script, which is also found in the /usr/local/crack/ directory, sends the current results of the dictionary crack to standard output. I ran Reporter shortly after Crack had returned my prompt. Notice that it found that the password for the test account was test.

The reason why it found this password so quickly is because of the gecos field in

/etc/master.passwd. If you're familiar with man master.passwd, you know that the gecos field contains the user's full name, possibly followed by her extension, office phone number, and home phone number. This means that if a user uses any of those values for a

password, her password can be cracked within a second or two.

The actual dictionary attack will take a while to run. How long will depend upon the speed of your CPU. However, you should expect crack to run for a good portion of a business day.

Why so long? If you've ever had the opportunity to run a dictionary cracker on a non-Unix system, you may have had your results back in well under an hour. The answer is that BSD password hashes are protected by a salt. In simple terms, the salt adds random characters to a user's password before the encryption algorithm creates the hash. Those are encrypted hashes, not the actual passwords, stored in /etc/master.passwd. In order for the password cracker to bypass the salt, it has to try many variations of the same word before it can determine if that word is indeed the user's password.

You may want to write a script that will tell you when Crack is finished. Here is a simple example:

#!/bin/sh

#script to see if Crack is still running

#and to display current report

while ps -acux | grep -l "cracker" > /dev/null do sleep 600

echo "Still running. Here's the latest report:"

cd /usr/local/crack && ./Reporter -quiet done

echo "Execution is complete."

This script uses a simple while loop that runs every ten minutes (600 seconds). If cracker still shows up as a running process in the ps output, the ./Reporter -quiet script will run.

Otherwise, the script ends, printing Execution is complete.

If you'd like to receive a pop-up message showing the results of the script, see [Hack #100] .

3.8.1.2 Cleanup

Your security policy should also provide guidelines on how to clean up after crack finishes.

The program stores several working files in the run subdirectory. They will all have a numeric extension:

# ls run

D.boot.69783 Egenisis.69783 bin/

Dgenisis.69783 Kgenisis.69783 dict/

When you remove those files, ensure you leave the subdirectories intact:

# cd run

# rm *.69783

# ls

bin/ dict/

Một phần của tài liệu bsd hacks - 100 industrial-strength tips & tools (2004) (Trang 152 - 155)

Tải bản đầy đủ (PDF)

(503 trang)