Logins and Passwords: testing password strength,
locating accounts with no passwords, tracking suspicious login activity.
Filesystems: searching them for weak security,
and looking for rootkits.
Networking: looking for open ports, observing local
network use, packet-sniffing, tracing network processes,
and detecting intrusions.
Logging: reading your system logs, configuring syslog,
rotating log files.
Testing Login Passwords (John the Ripper)
Problem: You want to check that all login passwords in your system password databases are strong.
Solution: Use John the Ripper, a password-cracking utility. Un-tar the package into its install directory (the paths below assume /opt/john; a packaged install may put the files under /var/lib/john instead), then run:
# export PATH=$PATH:/opt/john/run     --- append John's run directory to your PATH (do not replace PATH outright)
# umask 077                          --- the file built below holds every account's hash; keep it readable by root only
# cd /opt/john/run
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords
Cracked passwords are written to the file john.pot; cracked username/password pairs can be displayed after the fact with the -show option (also accepted as --show):
# john -show mypasswords
You can instruct john to crack the passwords of only certain users or groups with the option -users:u1,u2,... or -groups:g1,g2,...:
# john -users:smith,jones,jeff mypasswords
Running John with no options will print usage information.
By default, Red Hat 8 uses MD5-hashed passwords stored in /etc/shadow rather than the traditional DES-based crypt() hashes stored in /etc/passwd; this is controlled by the md5 and shadow directives in /etc/pam.d/system-auth.
The unshadow command gathers the account and hash information back together for cracking. If passwords change, you will have to re-run unshadow to build an up-to-date password file. Both mypasswords (every hash on the system) and john.pot (the cracked plaintexts) are sensitive; delete them when you are finished.
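As an added example (not code from the page or from the John the Ripper project), here is what unshadow does with the two files, followed by the audit a practitioner runs on the result: which crypt(3) scheme each account uses, and which accounts have no password at all. The passwd/shadow records are constructed sample data, and the hash strings are placeholders shaped like the real thing rather than hashes of any real password.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow contents (not real accounts;
# the hash strings are placeholders with the right shape, not real hashes).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
smith:x:1001:1001:J. Smith:/home/smith:/bin/bash
jones:x:1002:1002:A. Jones:/home/jones:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuvwx:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
smith:$1$saltsalt$abcdefghijklmnopqrstuv:19000:0:99999:7:::
jones:saXYZabc123./:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def unshadow(passwd_text, shadow_text):
    """Reproduce what john's `unshadow` prints: each passwd record with field 2
    replaced by the hash from the shadow record of the same user.  Users with
    no shadow record are passed through unchanged (their field 2 stays "x")."""
    shadow_hash = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    merged = []
    for fields in parse_colon_file(passwd_text):
        if fields[0] in shadow_hash:
            fields[1] = shadow_hash[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(field):
    """Name the crypt(3) scheme used by a password field."""
    if field == "":
        return "EMPTY"            # no password at all: anyone can log in
    if field[0] in "!*":
        return "locked"           # never matches; no password login possible
    if field == "x":
        return "missing-shadow"   # passwd points at shadow, but nothing was there
    prefixes = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"         # traditional DES crypt: 8-char limit, fast to crack
    return "unknown"


def audit(merged_lines):
    """Return ({user: scheme}, [users whose password field is empty])."""
    schemes = {}
    for line in merged_lines:
        user, field = line.split(":")[:2]
        schemes[user] = classify_hash(field)
    empty = [user for user, scheme in schemes.items() if scheme == "EMPTY"]
    return schemes, empty


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for line in merged:
        print(line)
    schemes, empty = audit(merged)
    print("schemes:", schemes)
    print("accounts with NO password:", empty)
```

On a real system, run the same audit over the mypasswords file that unshadow produced: an "EMPTY" entry needs fixing before any cracking run, and every "descrypt" entry means that user's password is capped at eight characters and hashed with a scheme far cheaper to attack than MD5-crypt.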
In general, cracking programs use dictionaries of common words when attempting to crack a password, trying not only the words themselves but also permutations, misspellings, capitalisation changes, appended digits and so on. The default dictionary (/var/lib/john/password.lst) is small, so obtain larger ones for effective cracking, and add words specific to your environment (company, product and host names, local place names).
Some available dictionaries are:
ftp://ftp.cerias.purdue.edu/pub/dict/wordlists
ftp://ftp.ox.ac.uk/pub/wordlists/
Concatenate your desired word lists into a single file and point to it with the Wordlist directive in /var/lib/john/john.ini (john.conf in later releases).
The supported options are as follows; square brackets denote optional arguments:
--single            "single crack" mode: enables the "single crack" mode, using rules from the configuration file section [List.Rules:Single].
--wordlist=FILE     wordlist mode: read words from FILE
--stdin             wordlist mode: read words from stdin
These two options enable the wordlist mode.
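Added example, not code from the page or from john: wordlist mode with a few mangling rules (the permutations, capitalisation and appended digits mentioned above) run against an MD5-crypt ($1$) hash, the format the text says Red Hat 8 stores in /etc/shadow. md5crypt() is a pure-Python port of the FreeBSD/glibc MD5-crypt algorithm so the block runs without john or the deprecated crypt module; the target password, salt, wordlist and rule set are constructed for the demo.

```python
import hashlib

# crypt(3)'s base-64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """Encode the low 6*n bits of value, least-significant 6-bit group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))


def md5crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python port of the FreeBSD/glibc MD5-crypt ($1$) algorithm.
    Produces the same string crypt(3) would for the same password and salt."""
    salt = salt[:8]                                  # at most 8 salt characters are used
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                             # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                      # per-bit step: NUL or first password byte
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                            # fixed 1000-round slowdown loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def mangle(word):
    """A handful of mangling rules in the spirit of john's [List.Rules:Wordlist]:
    the word as-is, capitalised, upper-cased, reversed, then each of those with a
    single digit, "123" or "!" appended.  Real rule sets are far larger."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    candidates = set(bases)
    for base in bases:
        for suffix in [str(d) for d in range(10)] + ["123", "!"]:
            candidates.add(base + suffix)
    return candidates


def crack(target_hash, wordlist):
    """Wordlist mode: hash every mangled candidate with the target's own salt and
    compare.  Returns the password, or None if the wordlist does not cover it.
    Because the salt comes from the hash, each hash must be attacked separately."""
    salt = target_hash.split("$")[2]                 # "$1$<salt>$<hash>"
    for word in wordlist:
        for candidate in sorted(mangle(word)):
            if md5crypt(candidate.encode(), salt.encode()) == target_hash:
                return candidate
    return None


def demo():
    """Hash a constructed weak password, then recover it from a tiny wordlist."""
    target = md5crypt(b"Winter1", b"saltsalt")       # constructed, not a real account
    wordlist = ["password", "letmein", "winter", "spring"]
    return crack(target, wordlist)


if __name__ == "__main__":
    print(md5crypt(b"Winter1", b"saltsalt"))
    print("recovered:", demo())
```

To check the port against the system's own implementation, compare its output with `openssl passwd -1 -salt saltsalt Winter1`. The 1000-round loop is why MD5-crypt is slower to attack than DES crypt, and the per-user salt is why john (and this loop) cannot reuse one candidate's hash across accounts; both are deliberate design properties, and both are exactly what a larger wordlist and rule set are meant to overcome.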