Monday, 19 August 2013

Server Testing And Monitoring


Logins and Passwords: Testing password strength, 
 locating accounts with no passwords, tracking suspicious login activity.

FileSystems: Searching them for weak security, 

 and looking for rootkits.

Networking: Looking for open ports, Observing local 

 network use, packet-sniffing, tracing network processes,
and Detecting intrusions.

Logging: Reading your system logs, configure syslog, 

rotating log files.
   

 Testing Login Passwords(John the Ripper)

Problem: You want to check that all login passwords in your system password databases are strong


Solution: Use the John the Ripper, a password-cracking utility. After the software installed run,

###export PATH=/opt/john/run/ ----- export to the path
### cd /var/lib/john  --- depends on installation

un-tar the package
# cd /opt/john
# umask 077
# cd /run/
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords

Cracked passwords will be written into the file john.pot, Cracked username/password pairs can be shown after the fact with the -show option

# john -show mypasswords

You can instruct john to crack the passwords of only only certain users or groups with the option -users:u1,u2... or -groups:g1,g2.....

# john -users:smith,jones,jeff mypasswords

Running John with no options will print usage information.

By Default, Redhat 8 uses MD5-hashed passwords stored in /etc/shadow, rather than the traditional DES-based crypt() hashes stored in /etc/passwd, this is effected by the md5 and shadow directives in /etc/pam.d/system-auth:

The unshadow command gathers the account and hash information together again for cracking. If your passwords change you will have to re-run the unshadow command to build an up-to-date password file for cracking.

In general cracking pgms use dictionaries of common words when attempting to crack a password, trying not only the words but also permutations, misspellings, caps etc. The default dic(/var/lib/john/password.lst) is small, so obtain larger once for effective cracking. Also add words appropriate to your environment etc

Some available dictionaries are:
ftp://ftp.cerias.purdue.edu/pub/dict/wordlists
ftp://ftp.ox.ac.uk/pub/wordlists/
 


concatenate your desired word lists into a single file, and point to it with the wordlist directive in /var/lib/john/john.ini

The supported options are as follows, square brackets denote optional arguments:

--single              "single crack" mode
Enables the "single crack" mode, using rules from the configuration file section [List.Rules:Single].

--wordlist=FILE      wordlist mode, read words from FILE,
--stdin              or from stdin

These are used to enable the wordlist mode.

No comments:

Post a Comment