Passwords are often called the weakest link in a security program, because it is human nature to look for the easiest solution to a problem. If users must create a password, they will not choose one that is long and complex and therefore hard to remember. Instead they will often pick something from their environment, with a visible object or a personal detail serving as the password itself or as a hint to it. Unfortunately, such a password is also easy for an intruder to deduce, and easy for a password cracker to recover. It is therefore the responsibility of the security staff to ensure that passwords meet a minimum standard of strength.
Since most organizations still rely on passwords as a single factor, that is, as the only form of authentication required to reach system resources, weak passwords are one of the most significant weaknesses facing an organization. Using free password checkers or auditing tools to enforce password policies will help you reduce the risk that poor passwords pose.
Both SUSE and Red Hat server products sanity-check user-entered passwords, but users are crafty and will find ways around these preventive measures. In any case, you should set up your system to check password length and complexity via the pluggable authentication modules (PAM) administration tools that come with the distribution, as discussed in Chapter 8.
John the Ripper is an alternative to the venerable Crack program and is regarded as far more sophisticated and faster than Crack. Since most Linux systems now use the MD5-based version of crypt() instead of the original DES-based version, John the Ripper is the preferred tool for password auditing because of its speed and functionality. It allows you to restore previous cracking sessions, can be configured to use only idle processor time for cracking, and has a multitude of configurable rule sets. One special note on this program, as on any other type of security vulnerability software: you should only install it on nonproduction, nonessential machines, because it gives you (and any users who can reach it) the ability to break system passwords. There is also the possibility that the output files you create could fall into the wrong hands, giving an attacker a major head start on breaking into your system. Don't give the attacker the upper hand by handing them all the answers. If you absolutely must run it on a production machine, at least give the output files and the file you audit very strict permissions (owned by root with mode 600, for example, inside a directory with mode 700).
To use John the Ripper, download it from http://www.openwall.com/john/. Download the source package rather than a prebuilt binary. If you are compiling from source, you will need to ensure that the make and gcc packages are installed (they are included on most distribution CDs and available at http://www.rpmfind.net/).
Heads Up
Make sure to remove gcc if it is no longer required after compilation, as tools of this kind can be used by attackers to compile malicious programs. A better option is to compile any programs on another nonproduction or test system and transfer the resulting binary to the production server, so that the extra packages (such as gcc) are never installed there. This is discussed in more depth in Chapter 4.
To compile John the Ripper, use the following commands on the file you downloaded from Openwall.com:
tar -xzf john-1.6.tar.gz
cd john-1.6/src
make generic
After a large amount of compiler output scrolls by on your screen, you will be returned to the command line, and the john binary will be in the install directory /john-1.6/run/ directory. Ideally, you would not try to crack the shadow file (the file containing each account's password in hashed form) on the same machine where that shadow file lives. If you have to run John the Ripper on the same machine, pay special attention to the john.pot file in the install directory /john-1.6/run/ directory, as that is where all the cracked passwords are stored. It is created with restrictive permissions, so do not loosen them, or you will have made an attacker's job a little easier by cracking the passwords for them!
John the Ripper includes a dictionary in install directory /john-1.6/run/password.lst. This is a list of 2,290 words that are commonly used as passwords. You will probably find that a great number of your users use even this rudimentary list of words as passwords. For ease of use and in the interest of time, you will want to acquire a larger dictionary so that John the Ripper has a greater set of words to try. A simple search on any online search engine will produce many types of dictionaries in many languages. Download a dictionary that fits your needs, append the bundled password.lst to it, and use the combined file as your default. You will also want to add words that are meaningful to your company, such as your company name, the street you are on, the default passwords for new accounts, and so on. To make John the Ripper use a word list other than the default one, point it at the alternate file like this:
john -wordfile:/tmp/dictionary_file.txt /etc/shadow
If you just want to use the bundled modes against your shadow file, type the following (assuming you are running it against /etc/shadow):
john /etc/shadow
With no mode option given, John runs its "single crack" mode first (which builds guesses from the account's login name and GECOS fields), then the wordlist mode using the bundled password.lst with rules, and finally the incremental (brute-force) mode.
John will immediately begin working on your password hashes to see if they are crackable. While John is running, you will notice that it takes up a very large amount of CPU time (as shown by the top command). This is normal: a cracking run is CPU-bound and John will use every cycle the scheduler gives it unless you enable the idle-mode option described later in this section. If you want to see the status of John at any time, press any key and you will get output similar to Figure 14-3.
There are times when you will need to interrupt John in order to complete another processor-intensive task. To interrupt John's processing of your password file, press CTRL-C. John saves its progress periodically and at interruption, so to resume your previous John the Ripper session you only need to type
john -restore
This resumes your previous John session (you can also specify the session file to restore by putting its name after the -restore switch, as in -restore:filename). You will also want to review which passwords were cracked so you can notify each affected user to choose an appropriate password and educate them on proper password selection. Use the -show option followed by the password file name to list all cracked passwords and the users associated with them, as shown in Figure 14-4.
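The procedure above (building a site-specific word list, locking the audit files down, running John, resuming after CTRL-C, and listing what was cracked) as one script. This is an added example and not part of the book or of the John the Ripper distribution. It assumes John 1.6 built as shown, with its run directory in $JOHN_RUN and a working directory for the audit in $AUDIT_DIR (both hypothetical defaults you can override), the downloaded dictionary at /tmp/dictionary_file.txt as in the text, and constructed placeholder company words that you would replace with your own.

```shell
#!/bin/sh
# pwaudit.sh -- added example, not from the book or from John the Ripper.
# Prepare a site-specific word list, keep every audit file owner-only,
# and drive John the Ripper 1.6 through build / run / resume / report.
# Assumed (hypothetical) locations: JOHN_RUN is the john-1.6/run directory,
# AUDIT_DIR holds the shadow copy and the word list, and the downloaded
# dictionary is /tmp/dictionary_file.txt as in the text above.
set -eu
umask 077                       # everything we create is rw for the owner only

JOHN_RUN="${JOHN_RUN:-${HOME:-.}/john-1.6/run}"
AUDIT_DIR="${AUDIT_DIR:-${HOME:-.}/pwaudit}"
SHADOW_COPY="$AUDIT_DIR/shadow.copy"
WORDLIST="$AUDIT_DIR/wordlist.txt"

# build_wordlist OUT FILE... : merge word lists into OUT, one candidate per
# line, with carriage returns and blank lines removed and exact duplicates
# dropped (byte-wise, so "Password" and "password" both survive; John's
# rules take care of case changes).  The result is mode 600.
build_wordlist() {
    out=$1; shift
    cat "$@" | tr -d '\r' | grep -v '^[[:space:]]*$' | LC_ALL=C sort -u > "$out"
    chmod 600 "$out"
}

# count_words FILE : number of candidates in a list, for the report line.
count_words() {
    wc -l < "$1" | tr -d ' '
}

# site_words OUT : words an attacker who knows the company would try first.
# These are constructed placeholders; substitute your own company name,
# street, product names and the default password for new accounts.
site_words() {
    cat > "$1" <<'EOF'
Example Corp
examplecorp
Main Street
changeme
Welcome1
EOF
}

case "${1:-}" in
    build)
        mkdir -p "$AUDIT_DIR"
        site_words "$AUDIT_DIR/site.lst"
        build_wordlist "$WORDLIST" "$JOHN_RUN/password.lst" \
            /tmp/dictionary_file.txt "$AUDIT_DIR/site.lst"
        echo "wordlist: $(count_words "$WORDLIST") candidates in $WORDLIST"
        ;;
    run)
        # Run as root on a nonproduction box: audit a copy of the shadow
        # file (scp it over from the real host) rather than /etc/shadow itself.
        mkdir -p "$AUDIT_DIR"
        cp /etc/shadow "$SHADOW_COPY" && chmod 600 "$SHADOW_COPY"
        cd "$JOHN_RUN"
        ./john -session:"$AUDIT_DIR/audit" -wordfile:"$WORDLIST" -rules "$SHADOW_COPY"
        ;;
    resume)
        # After CTRL-C, continue from the saved session file.
        cd "$JOHN_RUN" && ./john -restore:"$AUDIT_DIR/audit"
        ;;
    report)
        # Cracked accounts only: the list of users to notify.  Never mail
        # the recovered passwords themselves.
        cd "$JOHN_RUN" && ./john -show "$SHADOW_COPY"
        ;;
    '') ;;
    *)  echo "usage: $0 build|run|resume|report" >&2 ;;
esac
```

Run it as "sh pwaudit.sh build" once to assemble the word list, then "run", and "resume" after any interruption; "report" prints the same output as john -show. Because the session file lives under $AUDIT_DIR, the whole audit (shadow copy, word list, session state) can be deleted in one step when the exercise is over, and john.pot in the run directory is the only other artifact to clean up.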
Besides plain dictionary cracking, John applies rule sets that mangle each word (changing its case, appending digits, reversing it, and so on) so that likely variations are checked in a focused manner. By editing the john.ini file located in the same directory as the John binary (install directory /run), you can set up rule sets tailored to your needs. Extensive documentation on writing rules is part of the John the Ripper package and is located in install directory /docs/RULES. You can also configure John the Ripper to run in idle mode, where it uses only idle CPU cycles for password cracking. This is a good feature if John shares a machine with other important processes, although you should still reserve this program for nonproduction, nonessential machines.
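The two configuration points just described, idle mode and custom rules, in a john.ini fragment. This is an added example rather than the stock file shipped with John the Ripper: the Idle option and the rule syntax are documented in the package, but the particular rules and the "2004" suffix are illustrative choices. The rule lines are meant to be appended to the end of the existing [List.Rules:Wordlist] section, which is the set -rules applies in wordlist mode.

```ini
# Fragment of john-1.6/run/john.ini (added example; merge into the stock file).

[Options]
# Use only idle CPU cycles (John lowers its own scheduling priority).
# This is still not a reason to run it on a production machine.
Idle = Y

[List.Rules:Wordlist]
# ... the stock rules stay above this line; the following are appended ...
# Try the word exactly as listed.
:
# Capitalize it.
c
# Capitalize and append a year (illustrative: the year of the audit).
c $2 $0 $0 $4
# Append each single digit; the [0-9] preprocessor expands to ten rules.
$[0-9]
# Capitalize and append "1!" for users who just met a complexity policy.
c $1 $!
```

After editing, run john -wordfile:FILE -rules FILE as before; the -show output will then include any account whose password was a mangled form of a dictionary word, which is the common way users satisfy a length or complexity check without actually choosing a strong password.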
You need to notify users whose passwords have been cracked. John the Ripper can be set up to e-mail them automatically (the run directory includes a mailer script for this), although that is not always the best route because of the e-mail issues that can arise. Instead, monitor your output files, and when you see that a user's password has been cracked, send them an e-mail letting them know what happened (in a nonconfrontational manner) and explaining what constitutes a good password. Don't send the user the cracked password in plaintext, as the e-mail could be intercepted, leading to an account break-in. You must also have management support for this whole process, and you absolutely must have management and/or data-owner approval before running any type of password-auditing program. This is your chance to get a user on your side and show them the value of security, so treat it as an educational experience and take the time to help the user. Word gets around when things like this happen, so keeping it friendly the first time helps the security program.