
Software to "crack" aix passwords


j&b

Feb 28, 2002, 10:05:12 PM
I am looking for a software program that I could run on aix 4.3.2 that
would decrypt user passwords. I'm trying to get them to use better
passwords other than their first names and numbers.

tks in advance
j.

SimonM

Mar 1, 2002, 4:02:08 AM

Go to google; http://www.google.com/ - try; AIX crack passwords, I know
this will come back with more than sufficient...

regards

SimonM.

*M*

Mar 1, 2002, 4:08:54 AM
j&b <jay....@verizon.net> wrote in message news:<3C7EEFD3...@verizon.net>...


You cannot decrypt the passwords ... you may be able to find out pws
by using password-lists.

Better way: There are tools to define the structure of passwords
(numbers, special characters,...) ... so the user won't have the
possibility to use "simple" passwords.


Marcus

Koucha, Rachid [CTF:4927:EXCH]

Mar 1, 2002, 2:29:23 AM
If you look for "passwd command" in AIX documentation, maybe you won't need
to "crack" the passwords: you have just to specify some rules such as
"minalpha", "mindiff"... to make users choose secured passwords.

Matthew Landt

Mar 1, 2002, 4:29:17 PM
"Koucha, Rachid [CTF:4927:EXCH]" wrote:
>
> If you look for "passwd command" in AIX documentation, maybe you won't need
> to "crack" the passwords: you have just to specify some rules such as
> "minalpha", "mindiff"... to make users choose secured passwords.
>

Agreed. Cracking passwords is VERY bad practice and could get you into
big trouble. Be sure you have explicit permission to do so. Most users
may use simple passwords that can be cracked. But these are usually the
same passwords they use for just about every account, internet site, etc.
If you crack their AIX password, you have the BIG potential to wreak
havoc. Again it is GREATLY frowned upon by most companies, even if you
have nothing but good intentions.

A better solution is to enforce password restrictions. Enforce a password
length of at least 6 chars. Enforce the use of at least one alpha and at
least one numeric. Enforce that no more than 2 repeat chars in a row.
Enforce a change at least every 180 days or so. Enforce that the new
passwords are different enough from the old ones.

Once you have set up these rules.... Set the ADMCHG flag on all their
IDs so when they login they MUST change their passwords and they must
now adhere to your new enforced rules.

Force the users to use better passwords instead of trying to scare them
into it. Most won't even be scared if you do crack their passwords, so
won't change them to anything much harder.

- Matt
--
_______________________________________________________________________
Matthew Landt - AIX and HACMP Cert. Specialist - la...@austin.ibm.com
IBM High Speed Interconnect - Fibre Channel I/O Dev/Test/Support
<< Comments, views, and opinions are mine alone, not IBM's. >>

Joachim Ring

Mar 1, 2002, 7:16:50 PM
> Enforce ... Enforce ... Enforce ... Enforce ... Enforce ...

enforce too much and you'll get post-it with password under keyboard
syndrome...
you'll have to educate your users, and if habitual cracking is not an
option, maybe a little demonstration will help.

joachim


Aamir Khan

Mar 4, 2002, 8:06:47 AM
Matt and Joachim are quite right upon these issues,

but here is an example if you are not sure:

Set up an agreed User Account Security Policy (this is just an example
- but workable)

1. Each user account must have a password assigned conforming to minimum
   standards outlined below.
2. Passwords must not be based on :-
   · Months of year, days of week or any other date aspect.
   · Users name, initials or family members.
   · Company names, reference indicators.
   · Username or ID
   · Telephone or car registration numbers.
   · Passwords should include one numeric or special character and
     this should not be the last one.
3. Administrators must create accounts and assign a password.
4. Password must be set to expire immediately so that the user has reset it
5. Users must be able to change their own passwords where necessary.
6. Monthly review of account setup to ensure conformance to min standards.

Maximum Password Age: 30 days or less
    Encrypted passwords are vulnerable so change period is necessary to
    reduce exposure. Set as maxage = 4 (weeks)

Minimum Password Age: 14 or more days
    14 days is default setting and recommended to prevent re-use of
    expired passwords. Set as minage = 2 (weeks)

Minimum password length: 8 or more characters
    Normal standard is 6. Set as minlen = 8 (characters)

Password History: 12 or more
    May not be achievable but where available this should be used.
    Set as histsize = 12

Account lockout - number of bad logon attempts: 3
    Set as loginretries = 3

Lockout duration: Forever
    Require administrator to re-enable the account.

Workstation lockout: 15 minutes

Time restriction: Adjust according to local needs
    For normal users one hour before starting and two hours after office
    hours, not to be left as 24 X 7 unless necessary.

Workstation ip address restriction:
    Enable for all operators, administrators and equivalent users. May not
    be available.

thus:

in /etc/security/user

default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 077
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 0
account_locked = false
loginretries = 3
histexpire = 0
histsize = 12
minage = 2
maxage = 4
maxexpired = -1
minalpha = 1
minother = 1
minlen = 8
mindiff = 1
maxrepeats = 2
dictionlist =
pwdchecks =
dce_export = false
SYSTEM = "compat"
logintimes =
pwdwarntime = 0
account_locked = false
loginretries = 0
histexpire = 0
histsize = 0
minage = 0
maxage = 0
maxexpired = -1
minalpha = 0
minother = 0
minlen = 0
mindiff = 0
maxrepeats = 8
dictionlist =
pwdchecks =

Also maybe worthwhile not allowing root to directly login (agree to
disagree etc on this)

kind regards Aamir
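
An added example, not part of the original post and not IBM tooling: a small Python audit for a stanza file shaped like /etc/security/user. It reports attributes that are set more than once with different values, as several are in the stanza posted above, and checks the five "Set as" values from the policy. The sample text and the function names are constructed for illustration; the script only reports duplicates and does not assume which copy the system honours.

```python
# Added example: thresholds are the "Set as" values from the policy post above.
LOWER = {"minlen": 8, "minage": 2, "histsize": 12}   # value must be >= limit
UPPER = {"maxage": 4, "loginretries": 3}  # on AIX 0 means "no limit": accept 1..limit

# Constructed sample: some attributes appear twice, as in the posted stanza.
SAMPLE = """\
* comment lines start with an asterisk
default:
        loginretries = 3
        histsize = 12
        minage = 2
        maxage = 4
        minlen = 8
        loginretries = 0
        histsize = 0
        maxage = 0
"""

def parse_stanzas(text):
    """Return {stanza: {attr: [values in file order]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            attr, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(attr, []).append(value.strip('"'))
    return stanzas

def audit(text, stanza="default"):
    """Return findings: attributes set twice with differing values, then policy misses."""
    attrs = parse_stanzas(text).get(stanza, {})
    findings = [f"{a}: set {len(v)} times with values {v}"
                for a, v in attrs.items() if len(set(v)) > 1]
    for attr, limit in {**LOWER, **UPPER}.items():
        for value in dict.fromkeys(attrs.get(attr, ["unset"])):
            ok = value.isdigit() and (
                int(value) >= limit if attr in LOWER else 1 <= int(value) <= limit)
            if not ok:
                sign = ">=" if attr in LOWER else "<="
                findings.append(f"{attr} = {value}: policy wants {sign} {limit}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
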

Dudeman

Mar 4, 2002, 11:02:26 AM
That is not correct - it is trivial to decrypt the passwords with the proper
tools.

Try this:

http://www.openwall.com/john/


But remember, check with your company policy before you attempt anything
like this....

-D.

"*M*" <behn...@hotmail.com> wrote in message
news:4acb3ae5.02030...@posting.google.com...

Matthew Landt

Mar 4, 2002, 3:30:54 PM
Dudeman wrote:
>
> That is not correct - it is trivial to decrypt the passwords with the proper
> tools.
>
> Try this:
>
> http://www.openwall.com/john/

No. This is NOT decrypting. This is cracking. And it isn't easy if the
password is significantly difficult. Decrypting means to take the encrypted
password and output the real password in ONE attempt, EVERY
attempt. This is not possible. You can try it yourself. Encrypt
a password like "F1.#3aDv" and try to use John to find it.

If you could guess 1Trillion a second it could take you about 6 times the
age of the universe. :)

- matt

Jose Pina Coelho

Mar 4, 2002, 8:32:53 PM
Matthew Landt wrote:
>
> Dudeman wrote:
> >
> > That is not correct - it is trivial to decrypt the passwords with the proper
> > tools.
> >
> > Try this:
> >
> > http://www.openwall.com/john/
>
> No. This is NOT decrypting. This is cracking. And it isn't easy if the
> password is significantly difficult. Decrypting means to take the encrypted
> password and output the real password in ONE attempt, EVERY
> attempt. This is not possible. You can try it yourself. Encrypt
------------^^^^^^^^^^^^^^^^^^^^

Can we still say that? When DES came out it was unbreakable.
In '99 a "cheap" machine broke the 56 bit key in less than 24 hours.
It cost $250.000

See http://n0cgi.distributed.net/statistics/des3/
and http://www.eff.org/Privacy/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html

The first time I ran crack on /etc/passwd (uni) was in 89. It wasn't distributed
on a decstation 3000 and took 10 minutes to find permutations of user & gecos fields
(30% of the passwords) and 6 hours to crack another 30% based on the out-of-the-box
dictionary permutations.

The jump in performance has been staggering, more and more machines are available on
the LAN. Anyone cares to do the math ?

> a password like "F1.#3aDv" and try to use John to find it.

1 - Let any user try to remember that one.
2 - The hash of that password could even match the hash of a dictionary entry.

> If you could guess 1Trillion a second it could take you about 6 times the
> age of the universe. :)

If you know the password rules it could flatten the search space a lot.

These days, some of the password rules are positively noxious.
min 7 char
min 3 alpha <- reduce search space by 52^3/101^3
min 3 digit <- reduce search space by 10^3/101^3
max 3 repeats <- not much reduction and keeps aaaaaaaa from being a password.

It takes no wizard to see the password will be something like parvo666

symbol space: 39 signs, 10 digits, 26 alpha (lc) + 26 alpha (uc)
Total: 101

Total possible passwords with 7 & 8 characters: 101^8+101^7 = 10935780591491502
about 10^16 a bit above 2^53. If you want all passwords between 1 and 8 characters,
that's sum(101^n, n=1..8)=101^9-1=1093685272684360900 (as you can see it's marginally
higher than the previous).

As the distributed.net demonstrated, a 56 bit key isn't secure enough, and that
was encryption. Here you don't need to get the original password, just one that
matches the salt.

--
Doing AIX support was the most monty-pythonesque
activity available at the time.
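
An added example, not part of the original post: a Python calculation of how much a composition rule narrows what users can pick, using the post's own class sizes (52 letters, 10 digits, 39 other signs) and its "min 3 alpha, min 3 digit" rule. The function names and the choice of length 8 are assumptions made for illustration; the count is exact, summing over every valid split of positions between the three classes.

```python
from math import comb, log2

# Class sizes as counted in the post above: letters (both cases), digits, other signs.
SIZES = (52, 10, 39)


def total(length, sizes=SIZES):
    """All strings of `length` symbols with no composition rule."""
    return sum(sizes) ** length


def compliant(length, min_alpha, min_digit, sizes=SIZES):
    """Strings of `length` symbols with >= min_alpha letters and >= min_digit digits."""
    alpha, digit, other = sizes
    count = 0
    for a in range(min_alpha, length + 1):
        for d in range(min_digit, length - a + 1):
            o = length - a - d
            # choose which positions hold letters, then which of the rest hold digits
            placements = comb(length, a) * comb(length - a, d)
            count += placements * alpha**a * digit**d * other**o
    return count


def word_then_digits(length, digits):
    """The 'parvo666' shape: lowercase letters followed by `digits` digits."""
    return 26 ** (length - digits) * 10**digits


def report(length=8, min_alpha=3, min_digit=3):
    """Sizes in bits (log2) of the unrestricted, rule-compliant and habitual spaces."""
    return {
        "unrestricted": log2(total(length)),
        "rule_compliant": log2(compliant(length, min_alpha, min_digit)),
        "word_then_digits": log2(word_then_digits(length, min_digit)),
    }


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name:>17}: {bits:5.1f} bits")
```

A policy reviewer can rerun `report()` with other lengths and minimums to compare candidate rules before putting them in /etc/security/user.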

Dudeman

Mar 6, 2002, 2:18:11 PM
Matt,

Are you saying that you don't think that John should be able to find
passwords?

How many organizations force 8 character passwords - in upper and lower,
with special characters and numbers.

I bet that you yourself would not use the password you submit for cracking -
please tell me you like to be annoyed with that.

Because with a good dictionary (search for Argon Silver - it's a nice 240MB
dict.), and sufficiently weak (read: normal, un-annoying) passwords, you
*will* crack *every* password given sufficient time.

And given the speed of today's systems - I don't care if it's a Wintel box, or
an RS/6000, a single threaded john session is going to reveal a ton of
passwords in a short time.

Not to mention the fact that there is multi-node support for john, and that
it can be used on the same system with multiple CPUs.

How many john sessions on an 18-way S85 system do you think it would take to
crack all the passwords on a typical system with loose p/w rules?

- Or - How many local exploits does it take with an unprivileged account
to get root on AIX? - All it takes is access to one account.

But, then again, wouldn't you have to be root to get /etc/security/passwd
anyway?

The point is, please don't crap on a valid means to "crack" passwords, when
the subject of this thread is exactly that. I think the gist of his
question is how to get the plaintext passwords from the hashes stored in
/etc/security/passwd.

-D.

"Matthew Landt" <la...@austin.ibm.com> wrote in message
news:3C83D97E...@austin.ibm.com...

ste...@invera.nospam.com

Mar 18, 2002, 5:35:20 PM
In article <3C7EEFD3...@verizon.net>, j&b <jay....@verizon.net>
writes:

Review the features in the AIX file /etc/security/user and see what options
you have for adding more password security. This will prevent users from
coming up with short common passwords that are easy to guess. I personally
like minlen and mindiff. Just be careful if you have special users that you
do not want affected in the same manner as the defaults for all other users
(such as root, uucp, oracle, etc.)


----- Posted via NewsOne.Net: Free (anonymous) Usenet News via the Web -----
http://newsone.net/ -- Free reading and anonymous posting to 60,000+ groups
NewsOne.Net prohibits users from posting spam. If this or other posts
made through NewsOne.Net violate posting guidelines, email ab...@newsone.net

frhu

Mar 19, 2002, 9:08:06 AM
Try 'john'
Download the sources from www.sunfreeware.com and compile it on your AIX box

ste...@invera.nospam.com wrote in message ...


>In article <3C7EEFD3...@verizon.net>, j&b <jay....@verizon.net>
>writes:
>>I am looking for a software program that I could run on aix 4.3.2 that
>>would decrypt user passwords. I'm trying to get them to use better
>>passwords other than their first names and numbers.
>>
>>tks in advance
>>j.
>>
>
>Review the features in the AIX file /etc/security/user and see what options
>you have for adding more password security. This will prevent users from
>coming up with short common passwords that are easy to guess. I personally
>like minlen and mindiff. Just be careful if you have special users that you
>do not want affected in the same manner as the defaults for all other users
>(such as root, uucp, oracle, etc.)
>
>
>
>
>
>
> ----- Posted via NewsOne.Net: Free (anonymous) Usenet News via the

Mario Alberto Martinez Ruiz

Feb 9, 2023, 9:33:36 AM
I hope you feel proud, because this useless answer has been indexed in google.com