Hack 30 Monitor Password Policy Compliance


figs/moderate.gif figs/hack30.gif

When to use a password cracker utility.

Now that you've tightened up your password policy to thwart password crackers, it's time to learn how to use a password cracker to monitor the effectiveness of that password policy.

You're probably thinking, "Hey, wait a minute! Isn't that some sort of oxymoron? An administrator cracking passwords?" Well, it depends upon the type of password cracker you plan on using.

A brute-force password cracker such as John the ripper or slurpie will systematically try every possible keyboard combination until it has cracked every password in the password database. Does an administrator need to know every password in his network? Definitely not.

However, an administrator does need to know if her users are choosing easy-to-guess passwords, especially if she's responsible for enforcing compliance to the network's password policy. A properly tweaked dictionary password cracker such as crack is an effective way to monitor that compliance.

It is important that a network's security policy indicates in writing who runs the dictionary cracker, when it is run, and how the results are handled. For example, if the password policy forces users to change their passwords every 30 days, the following day is an excellent time for the delegated administrator to run the cracker. Ideally, the cracker will return no results. This means all users chose a strong password. Should the cracker find some weak passwords, the security policy should clearly outline the procedure used to ensure that noncompliant users change their passwords to ones that are harder to guess.

3.8.1 Installing and Using crack

Let's take a look at the most commonly used dictionary password cracker used on Unix systems, crack. You'll have to be the superuser for this entire hack because, fortunately, only the superuser has permission to crack the passwd database. crack should build on any Unix system; I'll demonstrate on FreeBSD:

# cd /usr/ports/security/crack # make install clean

On my system, this creates the /usr/local/crack directory which only the superuser can access. I need to cd into that directory in order to crack passwords. I'll start with a simple crack, then show you how to tweak this utility to serve your particular network.

# cd /usr/local/crack # ./Crack -fmt bsd /etc/master.passwd

Crack is a Bourne shell script contained within this directory, so you'll have to run it with the command ./Crack. Use the -fmt switch to indicate the type of system; in my case, it is bsd. Finally, pass the path of the database containing the actual password hashes. On my system, this is the BSD shadow password database at /etc/master.passwd. The command and output on my test system is:

# ./Crack -fmt bsd /etc/master.passwd Crack 5.0a: The Password Cracker. (c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996 System: FreeBSD genisis 5.1-RELEASE FreeBSD 5.1-RELEASE #7: \     Tue Jul 29 09:54:11 EDT 2003 dru@genisis:/usr/obj/usr/src/sys/NEW i386 Home: /usr/local/crack Invoked: ./Crack -fmt bsd /etc/master.passwd Stamp: freebsd-5-i386_ Crack: making utilities in run/bin/freebsd-5-i386_ find . -name "*~" -print | xargs -n50 rm -f ( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done ) rm -f dawglib.o debug.o rules.o stringlib.o *~ /bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* *.old \     *.bak destest rpw des speed rm -f *.o *~ `../../run/bin/freebsd-5-i386_/libc5.a' is up to date. all made in util Crack: The dictionaries seem up to date... Crack: Sorting out and merging feedback, please be patient... Crack: Merging password files... Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary Crack: launching: cracker -kill run/Kgenisis.27478    Done

Note that the word Done is a bit of a misnomer. The gecos test is finished, but the actual dictionary attack has just begun and is quietly perking along in the background:

# ps -acux | grep cracker root      14013 97.0  2.8  9448 8916  v5  R    10:32AM   4:17.68 cracker

3.8.1.1 Monitoring the results

Let's take a look at my current results, then analyze what is happening here:

# ./Reporter -quiet ---- passwords cracked as of Mon Nov 17 10:33:18 EST 2003 ---- 1069099872:Guessed test [test]  User & [/etc/master.passwd /bin/csh] ---- done ----

The Reporter script, which is also found in the /usr/local/crack/ directory, sends the current results of the dictionary crack to standard output. I ran Reporter shortly after Crack had returned my prompt. Notice that it found that the password for the test account was test.

The reason why it found this password so quickly is because of the gecos field in /etc/master.passwd. If you're familiar with man master.passwd, you know that the gecos field contains the user's full name, possibly followed by her extension, office phone number, and home phone number. This means that if a user uses any of those values for a password, her password can be cracked within a second or two.

The actual dictionary attack will take a while to run. How long will depend upon the speed of your CPU. However, you should expect crack to run for a good portion of a business day.

Why so long? If you've ever had the opportunity to run a dictionary cracker on a non-Unix system, you may have had your results back in well under an hour. The answer is that BSD password hashes are protected by a salt. In simple terms, the salt adds random characters to a user's password before the encryption algorithm creates the hash. Those are encrypted hashes, not the actual passwords, stored in /etc/master.passwd. In order for the password cracker to bypass the salt, it has to try many variations of the same word before it can determine if that word is indeed the user's password.

You may want to write a script that will tell you when Crack is finished. Here is a simple example:

#!/bin/sh #script to see if Crack is still running #and to display current report while ps -acux | grep -l "cracker" > /dev/null do sleep 600     echo "Still running. Here's the latest report:"     cd /usr/local/crack && ./Reporter -quiet done echo "Execution is complete."

This script uses a simple while loop that runs every ten minutes (600 seconds). If cracker still shows up as a running process in the ps output, the ./Reporter -quiet script will run. Otherwise, the script ends, printing Execution is complete.

If you'd like to receive a pop-up message showing the results of the script, see [Hack #100] .


3.8.1.2 Cleanup

Your security policy should also provide guidelines on how to clean up after crack finishes. The program stores several working files in the run subdirectory. They will all have a numeric extension:

# ls run D.boot.69783      Egenisis.69783    bin/ Dgenisis.69783    Kgenisis.69783    dict/

When you remove those files, ensure you leave the subdirectories intact:

# cd run # rm *.69783 # ls bin/    dict/

3.8.2 Customizing Password Dictionaries

Once you implement regular dictionary cracks, you'll find that after a few months, your users will start to consistently choose strong passwords. However, bear in mind that a dictionary cracker is only as good as its dictionaries. The dictionaries that come with crack are a good start if your users speak English.

Let's start by seeing what dictionaries crack included:

# ls dict/1/ abbr.dwg                        list.dwg assurnames.dwg                  male-names.dwg asteroids.dwg                   movies.dwg bad_pws.dat.dwg                 myths-legends.dwg biology.dwg                     names.french.dwg cartoon.dwg                     numbers.dwg chars.dwg                       other-names.dwg common-passwords.txt.dwg        paradise.lost.dwg crl.words.dwg                   phrases.dwg dosref.dwg                      places.dwg family-names.dwg                python.dwg famous.dwg                      roget.words.dwg fast-names.dwg                  sf.dwg female-names.dwg                sports.dwg given-names.dwg                 trek.dwg jargon.dwg                      unix.dict.dwg junk.dwg                        yiddish.dwg lcarrol.dwg

Notice that each built-in dictionary ends with a dwg extension. However, crack understands any dictionary or word list, even if it is compressed (i.e., its filename ends in either .Z or .gz).

If you use the file command on the dwg files, you'll find that each file is ASCII text. Mind you, the contents don't look like the average dictionary file:

# head abbr.dwg #!xdawg 02bon2b 04sa7ya 0bbroyg 6bvgw 0egbdf 0fsasya 0gok 0oottfogvh 0roygbiv

Don't worry, those aren't the actual words. Instead, the numbers sort the words by likelihood. That is, the words don't appear in alphabetical order, but rather in the order they're likely to appear as a password. For example, the word password is much more likely to be used as a password than pasul.

If your users speak other languages, consider downloading additional dictionaries. Start at the Cerias site mentioned at the end of this hack. It's well worth your while to browse through the site's dictionaries, local, and wordlists subdirectories looking for dictionaries that suit your particular needs.

Let's go there now and check out the possible word lists:

# ftp ftp.cerias.purdue.edu Connected to ftp.cerias.purdue.edu. <snip long banner> Name (ftp.cerias.purdue.edu:dru): anonymous 331 Guest login ok, send your complete e-mail address as password. 230 Logged in anonymously. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd pub/dict/wordlists 250 "/pub/dict/wordlists" is new cwd. ftp> ls 227 Entering Passive Mode (128,10,252,10,169,45) 150 Data connection accepted from 1.2.3.4:49460; transfer starting. -rw-rw-r--   1 ftpuser  ftpusers      1971 Jun 14  2000 README.gz drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 aussie drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 chinese drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 computer drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 danish drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 dictionaries drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 dutch drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 french drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 german drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 italian drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 japanese drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 literature drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 movieTV drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 names drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 norwegian drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 places drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 random drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 religion drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 science drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 spanish drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 swedish drwxrwxr-x   2 ftpuser  ftpusers      4096 Jun 14  2000 yiddish 226 Listing completed.

My network includes several French-speaking users, so I'll take a look at the French word list:

ftp> cd french  250 "/pub/dict/wordlists/french" is new cwd. ftp> ls  227 Entering Passive Mode (128,10,252,10,175,158) 150 Data connection accepted from 1.2.3.4:49530; transfer starting. -rw-rw-r--   1 ftpuser  ftpusers    332537 Jun 14  2000 dico.gz 226 Listing completed.

Before downloading the word list, I'll use the local change directory command to ensure I'm downloading the file to the correct directory on my system:

ftp> lcd /usr/local/crack/dict/1 Local directory now /usr/local/crack/dict/1 ftp> get dico.gz  local: dico.gz remote: dico.gz 227 Entering Passive Mode (128,10,252,10,175,160) 150 Data connection accepted from 1.2.3.4:49531;      transfer starting for dico.gz (332537 bytes). 226 Transfer completed. 332537 bytes received in 00:02 (142.24 KB/s) ftp> bye  221 Goodbye.

Now that I have a new word list in /usr/local/crack/dict/1/, I'll run the following command:

# cd /usr/local/crack # make rmdict  # rm -rf run/dict

That's it. The next time I run ./Crack, I'll see the following message appended to the usual Crack message:

Crack: making dictionary groups, please be patient... doing group 1... doing group 2... doing group 3... mkdictgrps: uniq'ing dictionary groups... group 1 and 2... group 1 and 3... group 2 and 3... mkdictgrps: compressing dictionary groups... Crack: Created new dictionaries... Crack: Sorting out and merging feedback, please be patient... Crack: Merging password files... Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary Crack: launching: cracker -kill run/Kgenisis.55941    Done

This indicates that crack has found the new dictionary and is merging it into its logic.

3.8.3 See Also

  • The crack web site (http://www.crypticide.org/users/alecm)

  • The Cerias FTP site containing cracker dictionaries (ftp://ftp.cerias.purdue.edu/pub/dict/)



BSD Hacks
BSD Hacks
ISBN: 0596006799
EAN: 2147483647
Year: 2006
Pages: 160
Authors: Lavigne

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net