Finding Passwords in Clear Text

There are a number of places on a system where a hacker is likely to find passwords unencrypted, thereby not needing to utilize intense password cracking. There are also a number of ways that he can electronically look over a user's shoulder as the user types in his password. A hacker may also use social engineering to convince a user to give him his password.

FTP Configuration File

There are configuration files for FTP that are often overlooked or misconfigured. The . netrc file in each user's home directory is used by FTP to allow a user to connect to another machine without entering the user name and password for that machine. It accomplishes this by keeping a copy of the user name and password in this file.

The .netrc file in each user's home directory is the first place a hacker will look for unencrypted passwords. This file contains system names, user names , and passwords of other systems in clear text. It is a convenience file which allows users to FTP to other systems and not enter their login or password. This information is gotten directly from the file.

The following command will list the contents of all the .netrc files in the user's home directories:

 cut -d: -f6  /etc/passwd  xargs -i cat {}/ .netrc 2>/dev/null 

Since the .netrc file is a convenience file and a major security risk, not directly for your system but for other systems, it should not be allowed. If you must allow it, it must be read-only only for its owner and no permissions for anyone else.

Disable or remove the FTP daemon if FTP services are not needed.

UUCP Configuration File

The systems file for UUCP, either Systems or L.sys , contains the name of remote systems, their UUCP login name and password, and their phone number. This is enough to enable an attack against these systems.

Permissions on the UUCP systems file should be read-only for its owner, which should be the account "uucp," and there should be no permissions for anyone else.

If the debug option is available on the cu or the uucico command, it can be used to retrieve the information that is contained in these files, even if the permissions are correct.

The debug option should not be allowed on these commands except for the superuser. UUCP should be removed from the system if not required.

Bad Login Attempts

A hacker will check the /etc/btmp file for passwords that users have inadvertently entered instead of their login name. It is not that uncommon for users to type in their password instead of their login name. This is usually because that they are not paying attention and are out of sync with the login program. The hacker can find out whose password it is by looking at the times of other bad login attempts and good login attempts from the same terminal. The user will generally get logged in once he sees what he did.

The /etc/btmp file should be owned by root and should have read and write permissions for root only. This file should be monitored for those who are trying to guess passwords and reset on a regular basis.

Game Passwords

There are a number of very common multiplayer games on UNIX systems that will let you suspend your session and return to it at a later time. These games will ask for a password so you can be authenticated upon your return. Many people will use their login password as the pass-word for the game because it's easy to remember. Many of these games store these passwords as clear text.

You must be aware of all the programs utilized on your system. There may be more than just games that want a password, such as databases, for example. These passwords must be encrypted. UNIX systems have the password encryption function, crypt, available. Users should be reminded that they should not use their login password for any other password. It would be best if these programs checked to make sure that the password that was entered was not the login password. This can be accomplished on some systems by using the getpwent function.