Cracking Passwords

Enforcing password security with a multiple-user system can be a hassle — users all too often use inadequate passwords. john-the-ripper (also available via most distros) is a password-cracking tool that enables the identification of vulnerable passwords before someone with nefarious intentions finds the weakness.

The first step is to extract the username/password information from the relevant files, using the provided unshadow tool: 

unshadow /etc/passwd /etc/shadow > /tmp/password.db

After that, john has three cracking modes:
  1. Dictionary mode, which tests passwords based on dictionary words. You can use the provided dictionary or provide your own, and there's an option to enable "word mangling" rules.
  2. "Single crack" mode, which uses login names and various /etc/passwd values as password candidates, as well as applying word mangling rules.

    3. Incremental mode, which tries all possible character combinations and will obviously take a very, very long time to run. You can change the parameters for this via the config file.

You can run one at a time (in which case, try "single crack" mode first), or run all of them consecutively with

john /tmp/password.db

To show results, use

john --show /tmp/password.db

unshadow will produce a password database only on systems that use /etc/passwd and /etc/shadow for login. For centralized systems, there's a Kerberos5 module available, or the supplied unafs utility extracts Kerberos AFS passwords. There's also a LDAP module.

Also remember that you can limit cracking attempts through measures such as locking out specific IP addresses after multiple failed ssh attempts or limiting the number of times a user can get a password wrong when logging on.


Comments

Post a Comment

Popular posts from this blog

Manage your Active Directory from Linux with adtool

Active Directory is one of those Microsoft tools that so many have no choice but to use. Although I much prefer LDAP because it is so much easier to set up and manage. But for much of the enterprise world Active Directory is the tool used. Does this mean you are locked into managing Active Directory from a Windows machine? No. If you are a creature of the command line you can manage your AD from the Linux command line. It’s not that difficult and, in the end, will give you many more options to keep your AD server managed. Of course it is not just a matter of working on the Linux end of things. There is one issue to settle on the MS end. You have to activate Secure LDAP on your AD Server. This process goes beyond the scope of this article, but the steps are pretty clear. Enable SLDAP Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details): Create an Active Directory domain controller certificate request. Create a Certification Authorit
Read more

Microsoft Becomes a Linux Kernel Contributor

You read that right — Microsoft has become a contributor to the Linux kernel. Microsoft and Greg Kroah-Hartman have posted about this in more detail, so I’d encourage you to go read those posts for the full details. The long and short of it, though, is that Microsoft has contributed roughly 20,000 lines of code to the Linux kernel related to their Hyper-V drivers. As Greg says, this is no different from any other company contributing to the Linux kernel — lots of companies are becoming contributors to the kernel, so why not Microsoft? On the other hand, it’s Microsoft , so it is a kind of big deal that they have come 180 degrees to become a kernel contributor. This really underscores the importance of the Linux Driver Project that Greg has been working on. It also underscores the importance of having an open dialog with companies. This week, I’m in San Jose for OSCON. A little more than 10 years ago, I was in San Jose for LinuxWorld Expo, and the idea of Microsoft contributing a k
Read more

Top 3 Linux Burning Apps

Image
1. K3b Not many can argue against this one. K3b is the most popular burning application for Linux, and although it uses KDE3 libraries, many GNOME users prefer it too over native GTK burners. K3b 1.0.5 running in Debian Lenny The version I'm going to talk about is 1.0.5 for KDE3, but K3b 2.0 for KDE4 is in the works, and the second alpha was made available for testing purposes earlier this year. You can read my review of K3b 2.0 Alpha 1 here . K3b can burn anything, from audio CDs to DVDs or ISO images. It allows you to save the projects, it includes a powerful file explorer and an easy to use interface. You can also use K3b to create CD/DVD ISO images, it supports projects, multisession mode and ripping video DVDs. 2. Brasero Brasero is the default GNOME burning application. As usual, it features a simple interface which integrates very well in GNOME, with five large buttons for fast access to the most common actions: - Audio project, to create an audio CD - Data project, to cre
Read more