Hack 30 Monitor Password Policy Compliance



When to use a password cracker utility.

Now that you've tightened up your password policy to thwart password crackers, it's time to learn how to use a password cracker to monitor the effectiveness of that password policy.

You're probably thinking, "Hey, wait a minute! Isn't that some sort of oxymoron? An administrator cracking passwords?" Well, it depends upon the type of password cracker you plan on using.

A brute-force password cracker such as John the Ripper or Slurpie will systematically try every possible character combination until it has recovered every password in the password database. Does an administrator need to know every password on his network? Definitely not.

However, an administrator does need to know if her users are choosing easy-to-guess passwords, especially if she's responsible for enforcing compliance with the network's password policy. A properly tweaked dictionary password cracker such as crack is an effective way to monitor that compliance.

It is important that a network's security policy states in writing who runs the dictionary cracker, when it is run, and how the results are handled. For example, if the password policy forces users to change their passwords every 30 days, the following day is an excellent time for the delegated administrator to run the cracker. Ideally, the cracker will return no results, meaning that all users chose a strong password. Should the cracker find some weak passwords, the security policy should clearly outline the procedure used to ensure that noncompliant users change their passwords to ones that are harder to guess.

3.8.1 Installing and Using crack

Let's take a look at the most commonly used dictionary password cracker on Unix systems, crack. You'll have to be the superuser for this entire hack because, fortunately, only the superuser can read /etc/master.passwd, the file that holds the password hashes. crack should build on any Unix system; I'll demonstrate on FreeBSD:

# cd /usr/ports/security/crack
# make install clean

On my system, this creates the /usr/local/crack directory which only the superuser can access. I need to cd into that directory in order to crack passwords. I'll start with a simple crack, then show you how to tweak this utility to serve your particular network.

# cd /usr/local/crack
# ./Crack -fmt bsd /etc/master.passwd

Crack is a Bourne shell script contained within this directory, so you'll have to run it with the command ./Crack. Use the -fmt switch to indicate the type of system; in my case, it is bsd. Finally, pass the path of the database containing the actual password hashes. On my system, this is the BSD shadow password database at /etc/master.passwd. The command and output on my test system are:

# ./Crack -fmt bsd /etc/master.passwd
Crack 5.0a: The Password Cracker.
(c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996
System: FreeBSD genisis 5.1-RELEASE FreeBSD 5.1-RELEASE #7: \
    Tue Jul 29 09:54:11 EDT 2003 dru@genisis:/usr/obj/usr/src/sys/NEW i386
Home: /usr/local/crack
Invoked: ./Crack -fmt bsd /etc/master.passwd
Stamp: freebsd-5-i386_
Crack: making utilities in run/bin/freebsd-5-i386_
find . -name "*~" -print | xargs -n50 rm -f
( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done )
rm -f dawglib.o debug.o rules.o stringlib.o *~
/bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* *.old \
    *.bak destest rpw des speed
rm -f *.o *~
`../../run/bin/freebsd-5-i386_/libc5.a' is up to date.
all made in util
Crack: The dictionaries seem up to date...
Crack: Sorting out and merging feedback, please be patient...
Crack: Merging password files...
Crack: Creating gecos-derived dictionaries
mkgecosd: making non-permuted words dictionary
mkgecosd: making permuted words dictionary
Crack: launching: cracker -kill run/Kgenisis.27478
Done

Note that the word Done is a bit of a misnomer. The gecos test is finished, but the actual dictionary attack has just begun and is quietly perking along in the background:

# ps -acux | grep cracker
root      14013 97.0  2.8  9448 8916  v5  R    10:32AM   4:17.68 cracker

3.8.1.1 Monitoring the results

Let's take a look at my current results, then analyze what is happening here:

# ./Reporter -quiet
---- passwords cracked as of Mon Nov 17 10:33:18 EST 2003 ----

1069099872:Guessed test [test]  User & [/etc/master.passwd /bin/csh]

---- done ----

The Reporter script, which is also found in the /usr/local/crack/ directory, sends the current results of the dictionary crack to standard output. I ran Reporter shortly after Crack had returned my prompt. Notice that it found that the password for the test account was test.

The reason why it found this password so quickly is because of the gecos field in /etc/master.passwd. If you're familiar with man master.passwd, you know that the gecos field contains the user's full name, possibly followed by her extension, office phone number, and home phone number. This means that if a user uses any of those values for a password, her password can be cracked within a second or two.

The actual dictionary attack will take a while to run. How long will depend upon the speed of your CPU. However, you should expect crack to run for a good portion of a business day.

Why so long? If you've ever run a dictionary cracker against a non-Unix system, you may have had your results back in well under an hour. The answer is that BSD password hashes are salted and deliberately expensive to compute. What /etc/master.passwd stores are one-way hashes, not the passwords themselves and not encrypted passwords that could be decrypted. Before hashing, the system prepends a short random salt to each user's password and records the salt alongside the resulting hash. Without a salt, a cracker could hash each dictionary word once and compare the result against every account at the same time; with a salt, every word has to be hashed separately for each distinct salt in the file, so the work grows with the number of accounts. On top of that, crypt(3) is designed to be slow, which costs a user logging in once almost nothing but costs a cracker trying millions of guesses a great deal.
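To make the two points above concrete (why gecos-derived guesses land within seconds, and why a salt multiplies the work of a dictionary attack), here is a small Python cracker. It is an added illustration, not code from this book or from crack: the accounts and passwords are constructed, the hash field uses a salt$digest layout invented for the example rather than FreeBSD's real crypt(3) encoding, and SHA-256 stands in for crypt(3) because the point being shown is the salt, not the algorithm.

```python
"""Added example, not code from BSD Hacks or from Crack: a toy shadow-file
cracker showing (1) how guesses derived from the gecos field break a weak
password in one pass and (2) why a per-user salt multiplies the cost of a
dictionary attack. SHA-256 stands in for crypt(3); accounts are constructed."""
import hashlib


def toy_hash(salt, word):
    """Salted one-way hash. SHA-256 is a stand-in for crypt(3) (assumption);
    what matters here is that the salt is mixed in before hashing."""
    return hashlib.sha256((salt + word).encode()).hexdigest()


# Constructed accounts: (user, salt, gecos, cleartext). Two users share a
# salt on purpose so the distinct-salt count shows up in the work factor.
ACCOUNTS = [
    ("test",  "k3", "Test User",                 "test"),
    ("jdoe",  "p9", "John Doe,Room 12,555-0100", "doe9"),
    ("alice", "k3", "Alice Example",             "8Rh!vq-Lp2#"),
]
LOCKED = "root:*:0:0::0:0:Charlie Root:/root:/bin/csh"   # '*' = no password


def build_file(accounts, salted=True):
    """Render master.passwd-style lines. The password field is salt$digest,
    a convention made up for this example (not FreeBSD's real $1$ format)."""
    lines = [LOCKED]
    for user, salt, gecos, clear in accounts:
        s = salt if salted else ""
        lines.append(f"{user}:{s}${toy_hash(s, clear)}:1001:1001::0:0:"
                     f"{gecos}:/home/{user}:/bin/sh")
    return "\n".join(lines)


def parse_file(text):
    """Yield (user, salt, digest, gecos) for each account that has a hash."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 10 or f[1] == "*":
            continue
        salt, _, digest = f[1].partition("$")
        yield f[0], salt, digest, f[7]


def gecos_candidates(user, gecos):
    """Guesses built from the login name and the gecos field (full name,
    office, phone): as-is, lowercase, capitalised, reversed, and each of
    those with a digit appended. A simplification of mkgecosd (assumption)."""
    words = [user] + [w for part in gecos.split(",") for w in part.split()]
    cands = set()
    for w in words:
        forms = {w, w.lower(), w.capitalize(), w[::-1]}
        cands |= forms
        cands |= {f + str(d) for f in forms for d in range(10)}
    return sorted(cands)


def gecos_pass(entries):
    """Per-user guesses: each candidate is hashed with that user's own salt,
    so the salt costs nothing extra here. Returns ({user: password}, hashes)."""
    found, ops = {}, 0
    for user, salt, digest, gecos in entries:
        for cand in gecos_candidates(user, gecos):
            ops += 1
            if toy_hash(salt, cand) == digest:
                found[user] = cand
                break
    return found, ops


def dictionary_pass(entries, words):
    """Each word is hashed once per distinct salt, then compared against every
    account carrying that salt. With no salt every account shares salt "",
    so each word costs exactly one hash. Returns ({user: password}, hashes)."""
    by_salt = {}
    for user, salt, digest, _ in entries:
        by_salt.setdefault(salt, []).append((user, digest))
    found, ops = {}, 0
    for word in words:
        for salt, users in by_salt.items():
            h = toy_hash(salt, word)
            ops += 1
            for user, digest in users:
                if h == digest:
                    found[user] = word
    return found, ops


if __name__ == "__main__":
    words = ["password", "letmein", "test", "doe9", "qwerty"]   # constructed
    for salted in (True, False):
        entries = list(parse_file(build_file(ACCOUNTS, salted)))
        g, gops = gecos_pass(entries)
        d, dops = dictionary_pass(entries, words)
        print(f"salted={salted}: gecos pass found {g} in {gops} hashes; "
              f"dictionary pass found {d} in {dops} hashes")
```

Run it and compare the two lines it prints. The dictionary pass costs one hash per word when nothing is salted and one hash per word per distinct salt once it is; on a real system with hundreds of accounts and a slow crypt(3), that multiplier is what turns minutes into most of a business day. The gecos pass finds test and jdoe either way, because those guesses come from the account's own record and only ever need that one account's salt.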

You may want to write a script that will tell you when Crack is finished. Here is a simple example:

#!/bin/sh
# Script to see if Crack is still running
# and to display the current report.

cd /usr/local/crack || exit 1

while ps -acux | grep -q "cracker"
do
    sleep 600
    echo "Still running. Here's the latest report:"
    ./Reporter -quiet
done

echo "Execution is complete. Final report:"
./Reporter -quiet

This script uses a simple while loop that runs every ten minutes (600 seconds). As long as cracker still shows up as a running process in the ps output, the ./Reporter -quiet script prints the results so far. Once cracker has exited, the loop ends and the script prints the final report, followed by Execution is complete.

If you'd like to receive a pop-up message showing the results of the script, see [Hack #100] .


3.8.1.2 Cleanup

Your security policy should also provide guidelines on how to clean up after crack finishes. The program stores several working files in the run subdirectory. They will all have a numeric extension:

# ls run
D.boot.69783      Egenisis.69783    bin/
Dgenisis.69783    Kgenisis.69783    dict/

When you remove those files, ensure you leave the subdirectories intact:

# cd run
# rm *.69783
# ls
bin/    dict/

3.8.2 Customizing Password Dictionaries

Once you implement regular dictionary cracks, you'll find that after a few months, your users will start to consistently choose strong passwords. However, bear in mind that a dictionary cracker is only as good as its dictionaries. The dictionaries that come with crack are a good start if your users speak English.

Let's start by seeing what dictionaries crack included:

# ls dict/1/
abbr.dwg                        list.dwg
assurnames.dwg                  male-names.dwg
asteroids.dwg                   movies.dwg
bad_pws.dat.dwg                 myths-legends.dwg
biology.dwg                     names.french.dwg
cartoon.dwg                     numbers.dwg
chars.dwg                       other-names.dwg
common-passwords.txt.dwg        paradise.lost.dwg
crl.words.dwg                   phrases.dwg
dosref.dwg                      places.dwg
family-names.dwg                python.dwg
famous.dwg                      roget.words.dwg
fast-names.dwg                  sf.dwg
female-names.dwg                sports.dwg
given-names.dwg                 trek.dwg
jargon.dwg                      unix.dict.dwg
junk.dwg                        yiddish.dwg
lcarrol.dwg

Notice that each built-in dictionary ends with a dwg extension. However, crack understands any dictionary or word list, even if it is compressed (i.e., its filename ends in either .Z or .gz).

If you use the file command on the dwg files, you'll find that each file is ASCII text. Mind you, the contents don't look like the average dictionary file:

# head abbr.dwg
#!xdawg
02bon2b
04sa7ya
0bbroyg
6bvgw
0egbdf
0fsasya
0gok
0oottfogvh
0roygbiv

Don't worry, those are the actual words; they're just stored front-coded to save space. The leading digit on each line is the number of characters to copy from the start of the previous word, and the rest of the line is appended to that prefix. So 0bbroyg is simply the word bbroyg, and the next line, 6bvgw, reuses its first six characters to give bbroygbvgw (the resistor colour-code mnemonic). The list is kept in sorted order rather than in order of likelihood, so that neighbouring words share long prefixes and compress well. crack expands these files itself, so you never need to edit them by hand, and a plain one-word-per-line list works just as well as a dictionary.
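As an added example (not from the book or from crack's own sources), the following Python encodes and decodes this front-coded format, using the lines from the head output above as its sample. It assumes the count is a single decimal digit, which holds for every line in that sample; crack's own files may encode longer shared prefixes differently, so the encoder caps the count at 9 to stay within that assumption.

```python
"""Added example, not code from BSD Hacks or from Crack: decode and encode a
front-coded word list of the kind shown by `head abbr.dwg`. After the #!xdawg
header, each line starts with a digit giving how many leading characters to
copy from the previous decoded word; the rest of the line is appended."""

# The ten lines printed by `head abbr.dwg` in the text.
SAMPLE = """#!xdawg
02bon2b
04sa7ya
0bbroyg
6bvgw
0egbdf
0fsasya
0gok
0oottfogvh
0roygbiv
"""


def decode_dawg(text):
    """Expand a front-coded list into plain words.

    Assumption: the prefix count is one decimal digit, as in every line of
    the sample. A line that breaks that rule, or that asks for more prefix
    than the previous word has, raises instead of silently producing junk."""
    lines = text.splitlines()
    if not lines or lines[0] != "#!xdawg":
        raise ValueError("missing #!xdawg header")
    words, prev = [], ""
    for line in lines[1:]:
        if not line:
            continue
        if not line[0].isdigit():
            raise ValueError(f"bad prefix count in {line!r}")
        n = int(line[0])
        if n > len(prev):
            raise ValueError(f"prefix {n} exceeds previous word {prev!r}")
        word = prev[:n] + line[1:]
        words.append(word)
        prev = word
    return words


def encode_dawg(words):
    """Front-code a word list. Words are sorted and de-duplicated first,
    because sorting is what makes neighbours share long prefixes. Shared
    prefix counts are capped at 9 to stay within the single-digit form that
    decode_dawg assumes."""
    out, prev = ["#!xdawg"], ""
    for w in sorted(set(words)):
        n = 0
        while n < min(len(w), len(prev), 9) and w[n] == prev[n]:
            n += 1
        out.append(f"{n}{w[n:]}")
        prev = w
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for w in decode_dawg(SAMPLE):
        print(w)
    assert encode_dawg(decode_dawg(SAMPLE)) == SAMPLE   # exact round trip
```

Running it prints the nine expanded words, and the round trip at the end reproduces the sample byte for byte, which is a quick way to convince yourself that the leading digit really is a prefix count and not a ranking. Feed encode_dawg a word list of your own to see how much sorting buys: the more neighbours share, the fewer characters each line carries.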

If your users speak other languages, consider downloading additional dictionaries. Start at the Cerias site mentioned at the end of this hack. It's well worth your while to browse through the site's dictionaries, local, and wordlists subdirectories looking for dictionaries that suit your particular needs.

Let's go there now and check out the possible word lists:

# ftp ftp.cerias.purdue.edu
Connected to ftp.cerias.purdue.edu.
<snip long banner>
Name (ftp.cerias.purdue.edu:dru): anonymous
331 Guest login ok, send your complete e-mail address as password.
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub/dict/wordlists
250 "/pub/dict/wordlists" is new cwd.
ftp> ls
227 Entering Passive Mode (128,10,252,10,169,45)
150 Data connection accepted from 1.2.3.4:49460; transfer starting.
-rw-rw-r--   1 ftpuser  ftpusers      1971 Jun 14  2000 README.gz
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 aussie
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 chinese
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 computer
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 danish
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 dictionaries
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 dutch
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 french
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 german
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 italian
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 japanese
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 literature
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 movieTV
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 names
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 norwegian
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 places
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 random
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 religion
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 science
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 spanish
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 swedish
drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 yiddish
226 Listing completed.

My network includes several French-speaking users, so I'll take a look at the French word list:

ftp> cd french
250 "/pub/dict/wordlists/french" is new cwd.
ftp> ls
227 Entering Passive Mode (128,10,252,10,175,158)
150 Data connection accepted from 1.2.3.4:49530; transfer starting.
-rw-rw-r--   1 ftpuser  ftpusers    332537 Jun 14  2000 dico.gz
226 Listing completed.

Before downloading the word list, I'll use the local change directory command to ensure I'm downloading the file to the correct directory on my system:

ftp> lcd /usr/local/crack/dict/1
Local directory now /usr/local/crack/dict/1
ftp> get dico.gz
local: dico.gz remote: dico.gz
227 Entering Passive Mode (128,10,252,10,175,160)
150 Data connection accepted from 1.2.3.4:49531;
     transfer starting for dico.gz (332537 bytes).
226 Transfer completed.
332537 bytes received in 00:02 (142.24 KB/s)
ftp> bye
221 Goodbye.

Now that I have a new word list in /usr/local/crack/dict/1/, I'll run the following command:

# cd /usr/local/crack
# make rmdict
# rm -rf run/dict

That's it. The next time I run ./Crack, I'll see the following message appended to the usual Crack message:

Crack: making dictionary groups, please be patient...
doing group 1...
doing group 2...
doing group 3...
mkdictgrps: uniq'ing dictionary groups...
group 1 and 2...
group 1 and 3...
group 2 and 3...
mkdictgrps: compressing dictionary groups...
Crack: Created new dictionaries...
Crack: Sorting out and merging feedback, please be patient...
Crack: Merging password files...
Crack: Creating gecos-derived dictionaries
mkgecosd: making non-permuted words dictionary
mkgecosd: making permuted words dictionary
Crack: launching: cracker -kill run/Kgenisis.55941
Done

This indicates that crack has found the new word list and rebuilt its dictionary groups to include it.

3.8.3 See Also

  • The crack web site (http://www.crypticide.org/users/alecm)

  • The Cerias FTP site containing cracker dictionaries (ftp://ftp.cerias.purdue.edu/pub/dict/)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne