
Why bother using Crack

Karel.DeBruyne

Jan 14, 1997, 3:00:00 AM

[ Article crossposted from comp.os.linux.admin ]
[ Author was Karel.DeBruyne ]
[ Posted on Tue, 14 Jan 1997 08:46:57 GMT ]

Hi,

I have the following question:
Does it make sense to run Crack on your own password file?
I have a password file of almost 2200 accounts.
If I want to run Crack on these accounts, it takes more than a
week to complete (on a Sun with 2 hypersparcs@150MHz).
I can't use bigger dictionaries, because then, I should wait
for several weeks.

It isn't difficult for a cracker to do a better job than me:
Just take 100 accounts instead of the 2200, and use a much bigger
dictionary, and probably some additional rules.

So, why should I continue to Crack my own passwords?

Karel
--
Karel De Bruyne
=======================================================================
Karel De Bruyne
System/Network Manager phone + 32 3 820 22 04

peter hakanson

Jan 14, 1997, 3:00:00 AM

I know. It took 9 days for > 3000 users on a p-60
(some hw runs faster :-)

But what's nice is that Crack keeps track of what has been
done, so the next time you run it, it will only try
the changed passwords. Typically a much smaller number.

But keep these logs locked up; they contain all the
cracked passwords in clear!!!!

And adding to your dictionary might be of great value.
I added some Swedish words, some brand names (guess what)
and found a computer supplier using a support account !!

(Don't trust them just because they are Big)

Drive Carefully!
Karel.DeBruyne (dbr...@uia.ua.ac.be) wrote:
: [ Article crossposted from comp.os.linux.admin ]

: Hi,

--
<peter....@cyklop.volvo.se> (remove ".devnull" before use!)
Peter Hakanson VolvoData Dep 2580 phone +46 31 66 74 27

Giovanni Militano

Jan 14, 1997, 3:00:00 AM

In <E3zqs...@uia.ua.ac.be> dbr...@uia.ua.ac.be (Karel.DeBruyne) writes:

>Does it make sense to run Crack on your own password file ?

Of course not! Use John the Ripper, it runs 3-5 times faster than crack,
and chances are if someone does attempt to crack your passwd file, they
will do it using John on their home PC.

>It isn't difficult for a cracker to do a better job than me :
>Just take 100 accounts instead of the 2200, and use a much bigger
>dictionary, and probably some additional rules.

No, it's not. I'll bet john would nail about 20 passwds in about 10
minutes using its single mode.

Good crackers will not take 100 accounts instead of 2200. What they will
do, is tell the passwd cracker to attempt to crack only accounts with say
4 or more salts. This will yield some accounts faster, then when time
permits, they will finish up cracking accounts with 4 or less salts. But
remember, it only takes one account to get unauthorized access, and then
perhaps only 10 minutes to find an exploit!

>So, why should I continue to Crack my own password.

You shouldn't!
--
| Giovanni Militano | Avid reader of the unmoderated newsgroup |
| ummi...@cc.umanitoba.ca | wpg.general but be forewarned, a Jimp or a |
| Winnipeg, Manitoba | Coo Coo Clock may be present! :( |
| http://home.cc.umanitoba.ca/~ummilit2 |

Vincent Musolino

Jan 15, 1997, 3:00:00 AM

Giovanni Militano wrote:
>
> In <E3zqs...@uia.ua.ac.be> dbr...@uia.ua.ac.be (Karel.DeBruyne)
> writes:
>
> >Does it make sense to run Crack on your own password file ?
>
> Of course not! Use John the Ripper, it runs 3-5 times faster than
> crack,

But it misses passwords, and pretty obvious ones, as a study posted
here showed.
Giovanni, be objective when posting, or at least put a smiley
somewhere when you're not :-P

--
Vincent Musolino, http://irrmawww.epfl.ch/vm/vm.html, at IRRMA, aka
Institut Romand de Recherches Numeriques en Physique des Materiaux,
aka Swiss French Institute of Numerical Research in Material Physics,
Lausanne, Switzerland. * <---- Switzerland "Yes." Anonymous

Giovanni Militano

Jan 15, 1997, 3:00:00 AM

In <32DCC0...@irrma.epfl.ch> Vincent Musolino <muso...@irrma.epfl.ch> writes:

>But it misses passwords, and pretty obvious ones, as a study posted
>here showed.

The only reason it missed those passwds was due to the fact that the
program was *only* run for 4 hours, and it was invoked without the
-single option.

Had the -single option been invoked, he would have nailed a minimum of 30
passwds in 5 hours.

Crack took 48 hours to get 39 passwds.

Do you think I would be able to get 9 more in 43 hours? I'd bet money
saying I could get 90!

Giovanni Militano

Jan 15, 1997, 3:00:00 AM

On 15 Jan 1997, Don Kitchen wrote:

> Please refresh our collective memories of how big the password file was to
> begin with. Saying you can get 90 in 43 hours doesn't mean much because I
> can say that I got 150 with crack in 48 hours. The real info is it was run
> on a C-class HP workstation on a passwd file of ~2000.

Actually, I don't know how large the passwd file was. The only info I
had was that john cracked 18 in 4 hours without using the single mode
option. Had the single mode been invoked, at the minimum it would have got the
additional 12 passwds, which were reverse logins, for a total of 30 passwds
in likely less than 5 hours.

Crack, on the other hand, took 48 hours to get 39 passwds. I assume john
could get more than 9 passwds in 43 additional hours ... The 90 bit was a
joke! :(

Giovanni Militano | U of Manitoba | If the Prime Minister doesn't
ummi...@cc.umanitoba.ca | Graduate Studies | do it to his wife, he'll do
| Civil Engineering | it to his country.
URL: http://home.cc.umanitoba.ca/~ummilit2


Peter Van Epp

Jan 16, 1997, 3:00:00 AM

an...@intasys.com (Gus) writes:

>Karel.DeBruyne (dbr...@uia.ua.ac.be) wrote:

>: I have the following question :
>: Does it make sense to run Crack on your own password file ?
>: I have a password file of almost 2200 accounts.
>: If I want to run Crack on these accounts, it takes more than a
>: week to complete (on a Sun with 2 hypersparcs@150MHz).
>: I can't use bigger dictionaries, because then, I should wait
>: for several weeks.

>It makes very good sense to run Crack, simply because other people will
>be running it on your password file too, and there may be crackable
>passwords in there.

>The first time you run Crack it will take forever, but it is smart enough to
>keep a record of its work, so the next time it will be much faster.

Something I haven't seen mentioned in this thread, is that you should
also install one of npasswd, passwd+ or anlpasswd (to name three) proactive
password checkers on your system to prevent your users setting bad passwords
in the first place. Then you let Crack run for its weeks (or months in our
case) the first time to clean out bad passwords and to check that the password
cleaner is in fact working (and users haven't found a back door). Attempting
to keep ahead of users setting bad passwords with Crack on an ongoing basis
is doomed to failure. One version of npasswd uses cracklib to apply the
Crack rules to the candidate password. Archie or a web search (or ftp.cert.org)
should find copies of all of these programs.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

Roger Books

Jan 16, 1997, 3:00:00 AM

Giovanni Militano (ummi...@CC.UManitoba.CA) wrote:
:
: Actually, I don't know how large the passwd file was. The only info I
: had was that john cracked 18 in 4 hours without using the single mode
: option. Had the single mode been invoked, at the minimum it would have got the
: additional 12 passwds which were reverse logins for a total of 30 passwd
: in likely less than 5 hours.
:

So what does the single option do? Does it mean it is the only user on
the system and consumes resources appropriately, again making the test
unbalanced?

Roger

William Unruh

Jan 16, 1997, 3:00:00 AM

In <5blnv4$o...@morgoth.sfu.ca> van...@sfu.ca (Peter Van Epp) writes:
*>
*> Something I haven't seen mentioned in this thread, is that you should
*>also install one of npasswd, passwd+ or anlpasswd (to name three) proactive
*>password checkers on your system to prevent your users setting bad passwords
*>in the first place. Then you let Crack run for its weeks (or months in our
*>case) the first time to clean out bad passwords and to check that the password
*>cleaner is in fact working (and users haven't found a back door). Attempting
*>to keep ahead of users setting bad passwords with Crack on an ongoing basis
*>is doomed to failure. One version of npasswd uses cracklib to apply the
*>Crack rules to the candidate password. Archie or a web search (or ftp.cert.org)

Actually, you can also replace crypt(3) so as to run cracklib with a set
of rules stronger than you expect any cracker to be able to apply, and
notify you whenever a user's password fails. This of course has the one
danger that you are having the system point out to you whose passwords
are weak. If a cracker gets that info, it is useful.
Also, you are complicating crypt(3) and having the real password be held
in the computer for a longer time, increasing the danger of someone
being able to discover that password. But it is a very efficient way of
finding weak passwords, without huge long runs of crack.
--
Bill Unruh
un...@physics.ubc.ca

Anders Thulin

Jan 16, 1997, 3:00:00 AM

In article <E3zqs...@uia.ua.ac.be>,

Karel.DeBruyne <dbr...@uia.ua.ac.be> wrote:
>I have a password file of almost 2200 accounts.
>If I want to run Crack on these accounts, it takes more than a
>week to complete (on a Sun with 2 hypersparcs@150MHz).
>I can't use bigger dictionaries, because then, I should wait
>for several weeks.

So? After one week, you'll know. You'll know even earlier if the
obvious rewriting rules are first in the rule list, and you check the
log file for guessed passwords while the crack runs.

>It isn't difficult for a cracker to do a better job than me :
>Just take 100 accounts instead of the 2200, and use a much bigger
>dictionary, and probably some additional rules.

True. But it is only true if you assume that that cracker starts
now. If the cracker starts, well, let's say in a month, he won't find
the accounts then that you will have found in a week, so by then
you'll be ahead.

>So, why should I continue to Crack my own password.

If no one can access your password file, there's really no sense to
it, true.

Or if no one can force a core dump of a program that *does* access
the password file, and then just inspect the core dump for
passwords. FTP can be dangerous that way, for instance.

And as long as you make sure that your users don't select crackable
passwords, you're also safe.

Or if you check the passwords before they're set, so that you have
pre-cracked them. Or if your users must choose from a set of
more-or-less random passwords.

If you don't, Crack will at least help you find weak passwords to
change.


I'm running Crack on a much slower system that can't be used for
Crack alone (full set of rewriting rules and full dictionary checks 5
passwords in 10 night hours). Extracting the next 5 unchecked
passwords is easy, using the Runtime/F.merged files to check
against. Thus, each morning I know that another five passwords have
been tested, which is an improvement, albeit small, from
yesterday. It's still faster than the rate new users/passwords arrive,
so I'm catching up.

Another, possibly better, approach could be to make some kind of
iterative deepening. First run checks for the simplest rules, (word,
WORD, drow, word+<number>, <number>+word, and perhaps one or two
more.) That will catch more than half of your crackable passwords
pretty quickly, unless your users know how to select good passwords.

Then, do a new run with a different rule set. And so on. In little
more than a week, one password will have passed through all rules. If
you want to run crack only at night, say two weeks time. If your
cracker starts in a month, you'll still be ahead.

This method requires some tinkering, though.
--
Anders Thulin Anders...@lejonet.se 013 - 23 55 32
Telia Research AB, Teknikringen 2B, S-583 30 Linkoping, Sweden
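As an added example (not code from the thread, and not from npasswd, passwd+ or cracklib), here is a proactive check in the spirit Peter Van Epp recommends: it refuses a candidate that any of the cheap rewriting rules Anders lists (word, WORD, drow, word+<number>, <number>+word) would map onto a dictionary word, and also the login/GECOS-derived guesses (the reversed logins Giovanni mentioned) that a cracker tries first. WORDS is a constructed stand-in for /usr/dict/words.

```python
import re

# Constructed stand-in for /usr/dict/words; a real deployment would load the
# full system dictionary (or a cracklib dictionary) instead.
WORDS = {"secret", "volvo", "password", "summer", "winter", "linux"}

DIGITS = "0123456789"


def base_forms(candidate):
    """Undo the cheap rewriting rules (word, WORD, drow, word+<number>,
    <number>+word) so that one set lookup catches every variant at once."""
    lowered = candidate.lower()                      # WORD, Word -> word
    forms = {lowered, lowered.strip(DIGITS)}         # word99, 7word -> word
    forms |= {form[::-1] for form in forms}          # drow -> word
    forms.discard("")                                # all-digit input strips to nothing
    return forms


def account_words(login, gecos):
    """Guesses a cracker gets for free from the passwd entry itself:
    the login, the reversed login and each GECOS token."""
    words = {login.lower(), login.lower()[::-1]}
    words |= {tok.lower() for tok in re.split(r"[\s,]+", gecos)}
    words.discard("")
    return words


def check_password(candidate, login, gecos, words=WORDS):
    """Proactive check to run before a new password is accepted.

    Returns None when the candidate passes, otherwise a short reason naming
    the cheap rule that would have cracked it.
    """
    if candidate.isdigit():
        return "all digits"
    forms = base_forms(candidate)
    hit = forms & account_words(login, gecos)
    if hit:
        return f"derived from account information: {sorted(hit)[0]}"
    hit = forms & words
    if hit:
        return f"dictionary word under a simple rewriting rule: {sorted(hit)[0]}"
    return None


if __name__ == "__main__":
    # Constructed sample entry in the style of the thread's test lines.
    login, gecos = "test1", "Test User"
    for pw in ("Secret99", "tset1", "resU", "xq7Rv2pL"):
        print(pw, "->", check_password(pw, login, gecos) or "ok")
```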

Gus

Jan 16, 1997, 3:00:00 AM

Karel.DeBruyne (dbr...@uia.ua.ac.be) wrote:

: I have the following question :
: Does it make sense to run Crack on your own password file ?
: I have a password file of almost 2200 accounts.
: If I want to run Crack on these accounts, it takes more than a
: week to complete (on a Sun with 2 hypersparcs@150MHz).
: I can't use bigger dictionaries, because then, I should wait
: for several weeks.

It makes very good sense to run Crack, simply because other people will
be running it on your password file too, and there may be crackable
passwords in there.

The first time you run Crack it will take forever, but it is smart enough to
keep a record of its work, so the next time it will be much faster.

: It isn't difficult for a cracker to do a better job than me :
: Just take 100 accounts instead of the 2200, and use a much bigger
: dictionary, and probably some additional rules.

Indeed, but that's missing the point. You are aiming to uncover _all_ the weak
passwords in your password file, in order to change them, making your site
more secure.

Use large (relevant) dictionaries, let it run for as long as it takes, and
you'll sleep better knowing your site is safer.

You may also want to try network cracking.

: So, why should I continue to Crack my own password.
Because you don't want intruders buggering around on your box.

--
- an...@intasys.com -
= http://www.thepulse.co.uk/angus =
-= 82 AA 4D 7F D8 45 58 05 6D 1B 1A 72 1E DB 31 B5 =-


lam...@nospam.washington.edu

Jan 16, 1997, 3:00:00 AM

ummi...@cc.umanitoba.ca (Giovanni Militano) writes:
>Had the -single option been invoked, he would have nailed a minimum of 30
>passwds in 5 hours.

Not necessarily. I ran crack and found the response to be highly non-linear
(several p/w'd reasonably quickly and then much, much slower response with
the more time-intensive rules...) If a password cracking program finds X
number of passwords in 4 hours, there's no reason to necessarily assume it
isn't going to still only have X number of passwords in 40 hours.

--
Lamont Granquist (lamontg at u dot washington dot edu) ->note spamfilter<-
"First consider a spherical chicken..." ICBM: 47 39'23"N 122 18'19"W
unsolicited commercial e-mail->contacting your ISP to remove your net.access

Giovanni Militano

Jan 17, 1997, 3:00:00 AM

>It makes very good sense to run Crack, simply because other people will
>be running it on your password file too, and there may be crackable
>passwords in there.

I disagree with your point. I feel that most people will not be using
crack. First off, crack is ONLY available for UNiX (which most people
don't have access to). Secondly, crack (compared to John) is slow.
John the Ripper flies on PCs, and since that's what most people have at
home, *I* feel that's what they will use to attempt to crack passwds!


--
| Giovanni Militano | U of Manitoba | Life is like a yo-yo, |
| ummi...@cc.umanitoba.ca | Graduate Studies | and mankind ties |
| Winnipeg, Manitoba | Civil Engineering | knots in the string. |
| URL http://home.cc.umanitoba.ca/~ummilit2

Giovanni Militano

Jan 17, 1997, 3:00:00 AM

In <5blgmq$7...@nntp1.u.washington.edu> lam...@nospam.washington.edu writes:

>Not necessarily. I ran crack and found the response to be highly non-linear
>(several p/w'd reasonably quickly and then much, much slower response with
>the more time-intensive rules...) If a password cracking program finds X
>number of passwords in 4 hours, there's no reason to necessarily assume it
>isn't going to still only have X number of passwords in 40 hours.

Yes, I agree totally.

Just for clarification, the person who conducted the tests emailed me the
info on an updated test that he conducted.

Results:

330 passwds

Crack got 39 passwds in 48 hours
John got 34 passwds in 4h40min

Pascal Gienger

Jan 17, 1997, 3:00:00 AM

Gus <an...@intasys.com> wrote:

: It makes very good sense to run Crack, simply because other people will


: be running it on your password file too, and there may be crackable
: passwords in there.

Who will do that? People wanting to do that need /etc/shadow or
/etc/spwd.db, depending which architecture you are using. How to get
them as normal user?
So you have to do quite some hacking before you can use Crack...

Pascal
--
Pascal....@uni-konstanz.de |Prefix +49 7531|Fon 16074|Fax 20370
-------------| http://www.geocities.com/WestHollywood/1381/ |----+---------
Rechenzentrum| Great Internet, part I: Yesterday a flame lurked around every
Uni Konstanz | corner of Usenet. Today, a defamation suit.

William Unruh

Jan 17, 1997, 3:00:00 AM

In <32df1...@finesse.isdn.uni-konstanz.de> Pascal....@uni-konstanz.de (Pascal Gienger) writes:

*>: It makes very good sense to run Crack, simply because other people will
*>: be running it on your password file too, and there may be crackable
*>: passwords in there.

*>Who will do that? People wanting to do that need /etc/shadow or
*>/etc/spwd.db, depending which architecture you are using. How to get
*>them as normal user?
*>So you have to do quite some hacking before you can use Crack...

So someone drops by your place and casually picks up one of your old
backup tapes, and there he has the shadow password file.
Or they use one of the holes in ftp, sendmail, httpd, or whatever to get
it. Or... The maxim I have heard is never trust your secrets just to
file permissions.
--
Bill Unruh
un...@physics.ubc.ca

Giovanni Militano

Jan 17, 1997, 3:00:00 AM

In <32ddf...@nomad2.HCSys.com> bo...@no.spam.here (Roger Books) writes:

>So what does the single option do? Does it mean it is the only user on
>the system and consumes resources appropriately, again making the test
>unbalanced?

Single mode applies the login/gecos information from the passwd file to
rules which are then encrypted and checked against the passwd entry. Why
it is called single mode, I dunno? :)

Pascal Gienger

Jan 17, 1997, 3:00:00 AM

William Unruh <un...@physics.ubc.ca> wrote:

: *>: It makes very good sense to run Crack, simply because other people will
: *>: be running it on your password file too, and there may be crackable
: *>: passwords in there.

: *>Who will do that? People wanting to do that need /etc/shadow or
: *>/etc/spwd.db, depending which architecture you are using. How to get
: *>them as normal user?
: *>So you have to do quite some hacking before you can use Crack...

: So someone drops by your place and casually picks up one of your old
: backup tapes, and there he has the shadow password file.
: Or they use one of the holes in ftp, sendmail, httpd, or whatever to get

: it

If a hacker gains access at this point it is completely useless to crack
passwords for him or her.... Why should he or she crack passwords?
He or she could just add a user, in a 2000+ user database, nobody would care,
even if tripwire would see "there is a new line in /etc/passwd and
/etc/shadow", nobody would care about that because everybody would think
that "This is a new user created by our helpdesk service".

Alec Muffett

Jan 17, 1997, 3:00:00 AM

ummi...@cc.umanitoba.ca (Giovanni Militano) writes:

> I disagree with your point. I feel that most people will not be using
> crack. First off, crack is ONLY available for UNiX (which most people
> don't have access to).

...except the respective sysadmins of the machines who are trying to
secure them, and in my book that's all which really matters.

> Secondly, crack (compared to John) is slow.
> John the Ripper flies on PCs, and since that's what most people have at
> home, *I* feel that's what they will use to attempt to crack passwds!

If you're really *so* worried that John has a faster crypt() algorithm
than Crack (which may or may not be the case, depending on CPU,
architecture, etc) then why not just take the fcrypt() out of John and
plug it into Crack5, like you're supposed to be able to do?

- alec

--
# If you e-mail a reply to this message, please modify the "To:" address.
# alec muffett, oxford, uk - http://www.users.dircon.co.uk/~crypto/
# below: password cracker in one line of perl; echo guess | perl [args]
perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent'

Alec Muffett

Jan 17, 1997, 3:00:00 AM

Here's an interesting experiment:


1) Take the following 1-line password file:

test1:..11111111111:0:0:Test User:/:/bin/sh


2) Run "john" on it (output edited for brevity)

$ ./john -pwfile:1 -wordfile:/usr/dict/words
John the Ripper Version 1.2 BETA 7 Copyright (c) 1996 by Solar Designer
Loaded 1 account
v: 0 c: 36096 t: 0:00:00:15 99% c/s: 2406 w: *****DONE*****
NB --------------------------------------------^^^^^^

...and it does 2400 crypts/second.


3) Now take the following 2-line password file:

test1:..11111111111:0:0:Test User:/:/bin/sh
test2:..22222222222:0:0:Test User:/:/bin/sh


4) Run "john" on it (output edited for brevity)

$ ./john -pwfile:2 -wordfile:/usr/dict/words
John the Ripper Version 1.2 BETA 7 Copyright (c) 1996 by Solar Designer
Loaded 2 accounts with no different salts
v: 0 c: 72192 t: 0:00:00:14 99% c/s: 5156 w: *****DONE*****
NB --------------------------------------------^^^^^^

...et voila! A magical effect! A whole *5100* crypts per second!!!


The more work you give it, the faster it gets!


Of course this is bogus; what John is doing is factoring the amount of
speed it (like Crack) picks up from not having to recrypt guesses
which are made with the same salt value, thereby producing a
meaningless but sexy-sounding statistic.

No wonder the wannabee crackers are all going around citing speeds of
50,000c/s for their Pentii; for instance on one particular 67,000 user
test file that I hacked up, with 4000 different salts, I could
therefore quote a speed of 40,200c/s for my poor old dx2/66, where the
real speed *is* 2400c/s.

That said, I must admit that I am quite impressed - whoever this guy
is, he certainly knows his assembler-bumming, since "libdes" on this
particular '486 can only be made to go at ~1700c/s (although that is
without resorting to assembler).

So, 2400c/s (the real figure, we hope, modulo timer granularity in the
"john" code) - really *is* quite an improvement, for my 486 at least.


I look forward to the day that I can convince a copy of his source to
compile, and then can wire his fcrypt() routine into Crack v5.1. 8-)
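As an added example (not code from the thread, nor from john or Crack), the arithmetic behind the experiment above: group a passwd file by its DES salt and convert john's quoted c/s figure to and from real crypt() throughput. The passwd lines are constructed copies of the two test entries above; the 67,000-account / 4,000-salt figures are Alec's.

```python
from collections import Counter

# Constructed passwd lines modelled on the two test files above. Under
# traditional DES crypt(3) the first two characters of the hash field are the salt.
ONE_ACCOUNT = ["test1:..11111111111:0:0:Test User:/:/bin/sh"]
TWO_ACCOUNTS_ONE_SALT = [
    "test1:..11111111111:0:0:Test User:/:/bin/sh",
    "test2:..22222222222:0:0:Test User:/:/bin/sh",
]


def salt_of(passwd_line):
    """Return the two-character DES salt from a passwd(5) line."""
    return passwd_line.split(":")[1][:2]


def salt_profile(passwd_lines):
    """Return (accounts, distinct_salts) for a password file."""
    salts = Counter(salt_of(line) for line in passwd_lines)
    return sum(salts.values()), len(salts)


def apparent_from_real(real, accounts, distinct_salts):
    """The quoted 'c' (or c/s): each real crypt() result is compared against every
    account sharing that salt, so reported = real * accounts / distinct_salts."""
    return real * accounts / distinct_salts


def real_from_apparent(apparent, accounts, distinct_salts):
    """Inverse: recover the true crypt() count (or throughput) from a quoted figure,
    which is what you need when planning how long an audit run really takes."""
    return apparent * distinct_salts / accounts


def crypts_per_word(passwd_lines):
    """crypt() calls needed per dictionary word against a file: one per distinct
    salt, not one per account. The apparent speed grows with accounts sharing a
    salt while the real work stays the same."""
    _, distinct_salts = salt_profile(passwd_lines)
    return distinct_salts


if __name__ == "__main__":
    # Alec's numbers: a real 2400 c/s; two accounts on one salt doubles the quoted
    # figure, and 67,000 accounts on 4,000 salts makes a 486 look like 40,200 c/s.
    print(apparent_from_real(2400, *salt_profile(TWO_ACCOUNTS_ONE_SALT)))  # 4800.0
    print(apparent_from_real(2400, 67000, 4000))                          # 40200.0
    print(real_from_apparent(72192, 2, 1))                                # 36096.0
```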

Roger Books

Jan 17, 1997, 3:00:00 AM

William Unruh (un...@physics.ubc.ca) wrote:
: In <32df1...@finesse.isdn.uni-konstanz.de> Pascal....@uni-konstanz.de (Pascal Gienger) writes:
:
: *>: It makes very good sense to run Crack, simply because other people will
: *>: be running it on your password file too, and there may be crackable
: *>: passwords in there.
:
: *>Who will do that? People wanting to do that need /etc/shadow or
: *>/etc/spwd.db, depending which architecture you are using. How to get
: *>them as normal user?
: *>So you have to do quite some hacking before you can use Crack...
:
: So someone drops by your place and casually picks up one of your old
: backup tapes, and there he has the shadow password file.
: Or they use one of the holes in ftp, sendmail, httpd, or whatever to get
: it. Or... . The maxim I have heard is never trust your secrets just to
: file permissions.

It is one of the rules I live by: if someone can physically get at the
machine they can break into the OS.

Hmmm, goes like this, I have a machine identical to yours, you are the
ultra-secure sysadmin. I wait till 3AM, turn your machine off, open the
case, change the SCSI ID of your drive. Put my drive in as the boot
drive, and I have all your files. Now, if all your users have good passwords
when I back out with these files they do me no good and I have to do the 3AM
risk again. If you are running tripwire (and keeping the media secure)
you should immediately notice something odd about the new program I installed
as a covert channel. Cops should also notice that there is a new UID 0
entry in the passwd file.

Roger

Giovanni Militano

Jan 17, 1997, 3:00:00 AM

On Fri, 17 Jan 1997, Bennett Todd wrote:

> >First off crack is ONLY available for UNiX (which most people
> >don't have access to).
>

> Most computer professionals have access to nothing less. Some unfortunate
> children, and non-computer-users, have nothing around but junk without a
> decent operating system. Such creatures don't need to be running crack or
> anything like it.

Professionals yes, your typical hacker/cracker no! My point was that
*most* people attempting to crack a passwd file will do it at home using
John, and NOT on a UNiX system using crack.

Bennett Todd

Jan 17, 1997, 3:00:00 AM

On 17 Jan 97 00:35:39 GMT, Giovanni Militano <ummi...@cc.umanitoba.ca> wrote:
>First off crack is ONLY available for UNiX (which most people
>don't have access to).

Most computer professionals have access to nothing less. Some unfortunate
children, and non-computer-users, have nothing around but junk without a
decent operating system. Such creatures don't need to be running crack or
anything like it.

Anybody who cares about using computers will take a PC and upgrade it --- for
free --- by transplanting in a nice operating system.

-Bennett

Deus Ex Machina

Jan 17, 1997, 3:00:00 AM

Giovanni Militano (ummi...@cc.umanitoba.ca) wrote:
: I disagree with your point. I feel that most people will not be using
: crack. First off, crack is ONLY available for UNiX (which most people
: don't have access to). Secondly, crack (compared to John) is slow.

Hacking/Cracking must be in a sad state if your average cracker is
using poor man's tech. Any real computer user is going to be using
some sort of UNIX variant - and those who don't are just lamer wannabes
who download scripts and call it hacking. :)

--
Jeff Gentry jes...@rpi.edu
RPI CompSci Senior http://www.rpi.edu/~gentrj
"Fifty years of programming language research, and we end up with C++."


lam...@nospam.washington.edu

Jan 17, 1997, 3:00:00 AM

Giovanni Militano <ummi...@CC.UManitoba.CA> writes:
>Professionals yes, your typical hacker/cracker no! My point was that
>*most* people attempting to crack a passwd file will do it at home using
>John, and NOT on a UNiX system using crack.

Hopefully they will have cracked a few nice *nix boxes via easier methods
first before trying to tackle your more secure system, and hence will be
using those accounts to run crack...

Alec Muffett

Jan 17, 1997, 3:00:00 AM

ummi...@cc.umanitoba.ca (Giovanni Militano) writes:


> Crack got 39 passwds in 48 hours
> John got 34 passwds in 4h40min

Was this Crack4.1 or Crack5.0? Perversely, 5.0 is slower (but more
complete) than 4.1, so this is to be expected if it is 5.0 which you
did the tests against.

I am addressing these issues in 5.1.

Giovanni Militano

Jan 18, 1997, 3:00:00 AM

In <5boo4n$q...@usenet.rpi.edu> gen...@rpi.edu (Deus Ex Machina) writes:

>Hacking/Cracking must be in a sad state if your average cracker is
>using poor man's tech. Any real computer user is going to be using
>some sort of UNIX variant - and those who don't are just lamer wannabes
>who download scripts and call it hacking. :)

Well, finally. About one week later, it seems that my point is getting
through. Most people who will be attempting to crack your passwd files
are "lamer wannabes who download scripts and call it hacking". These
lamers will mostly *not* have unix. They do *not* know enough about UNiX to
install crack. They will *not* take the time to install crack. However
they *will* download john. They *will* read the john documentation for 5
min. They *will* use the default john rule set. Now if you also use
john, you will stop all these lame crackers who outnumber the real
crackers.

David Hopwood

Jan 18, 1997, 3:00:00 AM

In message <32df7...@nomad2.HCSys.com>
bo...@no.spam.here (Roger Books) writes:
> It is one of the rules I live by, if someone can physically get at the
> machine they can break into the OS.

> Hmmm, goes like this, I have a machine identical to yours, you are the
> ultra-secure sysadmin. I wait till 3AM, turn your machine off, open the
> case, change the SCSI ID of your drive. Put my drive in as the boot
> drive, and I have all your files. Now, if all your users have good passwords
> when I back out with these files they do me no go and I have to do the 3AM
> risk again. If you are running tripwire (and keeping the media secure)
> you should immediately notice something odd about the new program I installed
> as a covert channel.

Unless you replaced tripwire with a trojan that never reports that change.
(Or alternatively, replace the shell so that it runs a different program
when asked to run tripwire.)

> Cops should also notice that there is a new UID 0
> entry in the passwd file.

Same here for COPS.

David Hopwood
david....@lmh.ox.ac.uk, hop...@zetnet.co.uk

lam...@nospam.washington.edu

Jan 18, 1997, 3:00:00 AM

ummi...@cc.umanitoba.ca (Giovanni Militano) writes:
>Well, finally. About one week later, it seems that my point is getting
>through. Most people who will be attempting to crack your passwd files
>are "lamer wannabes who download scripts and call it hacking". These
>lamers will mostly *not* have unix. They do *not* know enough about UNiX to
>install crack. They will *not* take the time to install crack. However
>they *will* download john. They *will* read the john documentation for 5
>min. They *will* use the default john rule set.

Yeah, but then they *won't* have your /etc/[passwd,shadow] file because they're
too lame to figure out how to retrieve it in the first place.

Roger Books

Jan 21, 1997, 3:00:00 AM

David Hopwood (hop...@zetnet.co.uk) wrote:

: Unless you replaced tripwire with a trojan that never reports that change.
: (Or alternatively, replace the shell so that it runs a different program
: when asked to run tripwire.)

Arrgh, and I felt safe. :) I guess I can only run linux, have my tripwire
disk as part of a bootable set which I wear around my neck. That is unless
someone knows of a commercial *nix which can boot off of a floppy?

Roger (Paranoia will Destroy Ya) Books

Crispin Cowan

Jan 21, 1997, 3:00:00 AM

In article <32e49...@nomad2.hcsys.com>,

Linux will boot off a CD ROM. Real hard to corrupt programs on that
platter :-)

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science
Oregon Graduate Institute | Electronically:
Department of Computer Science | analog: 503-690-1265
PO Box 91000 | digital: cri...@cse.ogi.edu
Portland, OR 97291-1000 | URL: http://www.cse.ogi.edu/~crispin/

********** RESEARCH PROGRAMMER JOB OPPORTUNITY ********
---- write for details ----

Frederick D. Kass

Jan 22, 1997, 3:00:00 AM

Crispin Cowan (cri...@helix.cse.ogi.edu) wrote:
> In article <32e49...@nomad2.hcsys.com>,
> Roger Books <970805022...@mail.state.fl.us> wrote:
> >David Hopwood (hop...@zetnet.co.uk) wrote:
> >: Unless you replaced tripwire with a trojan that never reports that change.
> >: (Or alternatively, replace the shell so that it runs a different program
> >: when asked to run tripwire.)
> >Arrgh, and I felt safe. :) I guess I can only run linux, have my tripwire
> >disk as part of a bootable set which I wear around my neck. That is unless
> >someone knows of a commercial *nix which can boot off of a floppy?
Actually a lot of commercial *nix's will boot off a floppy or a
cd-rom... Actually I can't think of one that DOESN'T... Only problem is
who wants to reboot a server... (If it can't stay up for at least 4
months at a time, it isn't a real server... :)
-Fred

Roger Books

Jan 22, 1997, 3:00:00 AM

Crispin Cowan (cri...@helix.cse.ogi.edu) wrote:
: In article <32e49...@nomad2.hcsys.com>,
: Roger Books <970805022...@mail.state.fl.us> wrote:
: >Arrgh, and I felt safe. :) I guess I can only run linux, have my tripwire
: >disk as part of a bootable set which I wear around my neck. That is unless
: >someone knows of a commercial *nix which can boot off of a floppy?
:
: Linux will boot off a CD ROM. Real hard to corrupt programs on that
: platter :-)

If you've figured out how to make it boot off of a CD-ROM you are a better
hacker (in the traditional sense) than I am.

Roger

Scott Norwood

Jan 22, 1997, 3:00:00 AM

In article <32e5e...@nomad2.HCSys.com>,

He never said that he was running Linux on a PC...may be an Alpha or
SPARC, both of which run variants of Linux, as well as their respective
vendor-supplied Unicies (sp?), and both of which (AFAIK...I don't have
either one, yet) are capable of booting off of CD's.

--
<html><head><title>Down with HTML news postings!</title></head><body>
<h1><blink>If this line blinks, then it's time to get a newsreader that
doesn't encourage HTML news posting! There are many that are better
than Netscape or IE; try trn!</blink></h1></body></html>

Mike Fischbein

Jan 22, 1997, 3:00:00 AM

Roger Books (bo...@no.spam.here) wrote:
: Crispin Cowan (cri...@helix.cse.ogi.edu) wrote:
: : In article <32e49...@nomad2.hcsys.com>,
: : Roger Books <970805022...@mail.state.fl.us> wrote:

: : >Arrgh, and I felt safe. :) I guess I can only run linux, have my tripwire
: : >disk as part of a bootable set which I wear around my neck. That is unless
: : >someone knows of a commercial *nix which can boot off of a floppy?

SunOS 4.0 through 4.0.3 were (optionally) distributed on
floppies. SPARCStations with floppies can still boot from
that device. (Well, maybe only sun4c backplanes).

mike

--
Mike Fischbein mfis...@fir.fbc.com CS First Boston

Any opinions expressed are mine only, and not necessarily
those of any other entity. They may not even be mine.

Tracy R. Reed

Jan 22, 1997, 3:00:00 AM

Roger Books (bo...@no.spam.here) wrote:
: : Linux will boot off a CD ROM. Real hard to corrupt programs on that
: : platter :-)
: If you've figured out how to make it boot off of a CD-ROM you are a better
: hacker (in the traditional sense) than I am.

I boot my Alpha running Linux from CD occasionally. Some of the newer PC
hardware can boot from CD I've heard. Linux can do it, crummy PC hardware
often cannot.

--
----------
Tracy Reed
http://ultraviolet.org
http://www.linux.org - Escape the Gates of Hell


lam...@nospam.washington.edu

Jan 23, 1997, 3:00:00 AM

fk...@mtholyoke.edu (Frederick D. Kass) writes:
>Actually a lot of commercial *nix's will boot off a floppy or a
>cd-rom...

SGIs can also boot off of tape (but who would want to?)

Trever Miller

Jan 23, 1997, 3:00:00 AM

Roger Books (bo...@no.spam.here) wrote:
> Arrgh, and I felt safe. :) I guess I can only run linux, have my tripwire
> disk as part of a bootable set which I wear around my neck. That is unless
> someone knows of a commercial *nix which can boot off of a floppy?

All of them probably. SCO Xenix, Unix, and OS5 for sure.

--
bug @ cyberdex.genie96.com |PGP fingerprint 5F 21 12 6B 99 AB 31 CE
Keeper of the Alberta B5 Mailing List|for 2048/0D2E3955 5F E1 D1 38 2A C9 46 53
babylon5-request @ passageway.com |
"The stupider it looks, the more important it probably is." -- J.R. 'Bob' Dobbs

Martin Hargreaves

Jan 23, 1997, 3:00:00 AM

un...@physics.ubc.ca (William Unruh) wrote:

>*>So you have to begin some quite hacking before you can use Crack...

>So someone drops by your place and casually picks up one of your old
>backup tapes, and there he has the shadow password file.
>Or they use one of the holes in ftp, sendmail, httpd, or whatever to get
>it. Or... . The maxim I have heard is never trust your secrets just to
>file permissions.

Yep. Who needs crack and access to the box, when you can do a brute
force attack over the network against POP3, etc...

Permissions don't help in this case.

M.


###################################################################
# Martin Hargreaves (Director/Consultant) #
# Datamodel Ltd - Open Systems Management and Security #
# mar...@datamodl.demon.co.uk http://www.datamodl.demon.co.uk #
###################################################################


Trever Miller

Jan 25, 1997, 3:00:00 AM

lam...@nospam.washington.edu wrote:
> fk...@mtholyoke.edu (Frederick D. Kass) writes:
> >Actually a lot of commercial *nix's will boot off a floppy or a
> >cd-rom...

Hmm, I've seen IBM PC/RT's, RS/6000's, and various intel/SCO
boxes boot from floppy.

> SGIs can also boot off of tape (but who would want to?)

RS/6000's can boot from tape as well.

REAL handy when a customer has had the hard drive replaced.

Insert tape, turn key to service, boot. Answer a few questions.
Go have a coffee... come back, turn key to normal, reboot.

Voila, instant machine, exact duplicate of the old system
before the hard drive cratered.

"(remove.th...@europa.com

Jan 25, 1997, 3:00:00 AM

Giovanni Militano wrote:

> Well, finally. About one week later, it seems that my point is getting
> through. Most people who will be attempting to crack your passwd files
> are "lamer wannabes who download scripts and call it hacking". These
> lamers will mostly *not* have unix. They do *not* know enough about UNIX to
> install crack. They will *not* take the time to install crack. However
> they *will* download john. They *will* read the john documentation for 5
> min. They *will* use the default john rule set. Now if you also use
> john, you will stop all these lame crackers who outnumber the real
> crackers.

Giovanni,

Ok, so you've kept out the lamer wannabes. These aren't the people you
should really be worrying about anyway. These people most likely
wouldn't know what to do even if they did manage to hack their way into
your system. It's the lesser number of true hackers that you should be
worried about. These people have a purpose and intention for breaking
into your system and will most likely do something you won't like once
they do. The tougher you can make it for these people the better off
you are. Granted, you may not be able to stop every one, but you may be
able to dissuade the majority with good solid security practices.

Crack does take a long time to run. However, it's my understanding, and
this is how it works on mine, that once it has tried to crack a password
and failed it will recognize this in future attempts and skip this
entry, unless of course the password has changed or you have changed
the dictionary. Thus, it runs really slow the first time through, and
in successive runs it only checks new or changed passwords, greatly
reducing the run time.

Paul
--
"Any opinions expressed are solely my own and do not represent Intel,
Corp."

Richard Letts

Jan 26, 1997, 3:00:00 AM

Martin Hargreaves (mar...@datamodl.demon.co.uk) wrote:
> Yep. Who needs crack and access to the box, when you can do a brute
> force attack over the network against POP3, etc...
>
> Permissions don't help in this case.

nope, but it doesn't take much effort to put into place some code which
disables the account if more than <N> attempts are made to guess the
password, though this does then leave one open for denial of service attacks.

Though you do get the first hop back into the network towards the cracker.

RjL

Gus

Jan 28, 1997, 3:00:00 AM

Richard Letts (ric...@illuin.demon.co.uk) wrote:

: Martin Hargreaves (mar...@datamodl.demon.co.uk) wrote:
: > Yep. Who needs crack and access to the box, when you can do a brute
: > force attack over the network against POP3, etc...
: >
: > Permissions don't help in this case.
:
: nope, but it doesn't take much effort to put into place some code which
: disables the account if more than <N> attempts are made to guess the
: password, though this does then leave one open for denial of service attacks

TCP Wrappers, a replacement POP3 daemon which only allows 1 attempt per
x seconds and a separate password file for POP3 could render the service
acceptably secure though.

On my slackware2 based box (ancient, I know) the pop3d quite happily allows
access attempts as fast as they are thrown, and will allow as many attempts
as it takes, Red Hat's, by contrast allows only one connection per 4ish
seconds, and disconnects after three failed attempts.

Without the delay, you can do 3000-4000 attempts/min on localhost, with it
thats cut to about 50.


--
- an...@intasys.com -
= http://www.thepulse.co.uk/angus =
-= 82 AA 4D 7F D8 45 58 05 6D 1B 1A 72 1E DB 31 B5 =-
Networking on the promised lan
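As an added example (not code from Gus, Red Hat or any other poster), here is a small model of the two POP3 login policies compared above: a daemon that accepts logins as fast as they arrive, and one that accepts a connection only every 4 seconds and drops it after three failures. The 15 ms cost per login attempt, the user name and the password are constructed assumptions; under them a greedy guesser gets 4000 guesses per minute without the delay and 45 with it, in line with the 3000-4000 and "about 50" reported in the post.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Added example: a model of POP3 login throttling, not any daemon's real code.
# All timings below are constructed assumptions, not measurements.


@dataclass
class Pop3Policy:
    connect_interval_ms: int          # minimum gap between accepted connections (0 = none)
    max_failures: Optional[int]       # failed logins before the daemon disconnects (None = never)


class Pop3Daemon:
    """Tracks only what the throttle needs: the time of the last accepted
    connection and the failure count on the current connection."""

    def __init__(self, policy, users):
        self.policy = policy
        self.users = users            # POP-only credential map (APOP-style: not the account passwords)
        self.last_connect_ms = None
        self.failures = 0

    def connect(self, now_ms):
        gap = self.policy.connect_interval_ms
        if self.last_connect_ms is not None and now_ms - self.last_connect_ms < gap:
            return False              # too soon after the previous connection: refused
        self.last_connect_ms, self.failures = now_ms, 0
        return True

    def login(self, user, password):
        if hmac.compare_digest(self.users.get(user, ""), password):
            return "+OK"
        self.failures += 1
        if self.policy.max_failures is not None and self.failures >= self.policy.max_failures:
            return "closed"           # -ERR, then the daemon drops the connection
        return "-ERR"


def attempts_per_minute(policy, attempt_cost_ms=15):
    """Greedy guesser against a daemon with the given policy for one simulated
    minute; returns how many password guesses it managed to submit."""
    daemon = Pop3Daemon(policy, {"alice": "correct horse"})   # constructed user
    now, attempts = 0, 0
    while now < 60_000:
        if not daemon.connect(now):
            now = daemon.last_connect_ms + policy.connect_interval_ms   # wait until allowed
            continue
        while now < 60_000:
            reply = daemon.login("alice", f"guess{attempts}")
            attempts += 1
            now += attempt_cost_ms
            if reply == "closed":
                break
    return attempts


SLACKWARE_LIKE = Pop3Policy(connect_interval_ms=0, max_failures=None)   # no throttle at all
REDHAT_LIKE = Pop3Policy(connect_interval_ms=4_000, max_failures=3)     # 4 s per connection, 3 tries
```

The Red Hat-like figure is simply 3 attempts per 4-second connection slot; the model also shows that throttling by connection, rather than disabling the account, avoids the denial-of-service problem raised earlier in the thread.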


Pascal Gienger

Jan 30, 1997, 3:00:00 AM

Gus <an...@intasys.com> wrote:

: TCP Wrappers, a replacement POP3 daemon which only allows 1 attempt per
: x seconds and a separate password file for POP3 could render the service
: acceptably secure though.

Why not use popper with APOP only? APOP has its own authorization
database (/etc/pop_auth.db on my FreeBSD 2.1.6-RELEASE-System) with its
own passwords. So if someone breaks such a mail password, they have not
broken the real account. POP is BAD (broken as designed) if it uses
the same passwords as the account.

Pascal
--
Pascal....@uni-konstanz.de |Prefix +49 7531|Fon 16074|Fax 20370
-------------| http://www.geocities.com/WestHollywood/1381/ |----+---------
Rechenzentrum| Great Internet, part IX: Yesterday you first read Usenet for a
Uni Konstanz | month before posting for the first time. Today: "Aaaah mee too!"
