Hackers Beware

typically the data is shared between the systems by using NFS. Because NFS has a large number of vulnerabilities, this can create other security problems.

Slurpie Requirements

The following requirements for Slurpie are similar to the other programs covered in this chapter:

•UNIX-like operating system

•C compiler

•Moderate amount of disk space (10 MB)

•Permission from the system administrator

•A copy of passwd that contains the encrypted passwords

•A dictionary file

•Uncompression program like gunzip and tar

Slurpie assumes that you have a passwd file that contains the encrypted passwords. If you are using shadow files, you either have to write your own utility to merge them together or use the utility that comes with John the Ripper or Crack. Also, because the main benefit of using Slurpie is its distributed functionality, having a network connection with other UNIX boxes available is a plus.

Configuring Slurpie

Installation and configuration are very straightforward. After you uncompress and untar the files, you cd to the directory and issue the make all command. The following are the main steps:

1.Uncompress the file using gunzip slurpie.tar.gz

2.Extract the tar archive by typing tar –xvf slurpie.tar

3.Change to the correct directory by issuing the command cd slurpie

4.Compile the program by typing make all

5.If there is a problem and Slurpie doesn’t compile the file, cd to src and modify the source code.

6.Run ./slurpie –h to get a listing of the features.

Running Slurpie

Before you run Slurpie, you have to tell the program where the distributed hosts are located. You do this by editing the hosts.dat file. The file contains one line for each entry, and each entry contains the IP address of the machine followed by the port number that Slurpie is going to connect on. To run this on a single machine, you just use the loopback address as the IP address. The following is the contents of the hosts.dat file:

127.0.0.1 15001

After you know which machines you are going to run this program on, you have to go to each machine and start the slurp daemon, which causes the program to listen on the port you specified. To start up the daemon, type the command./slurp 15001, where 15001 is the same port number that is specified in your hosts.dat file.

Now that this is set up, you are ready to start Slurpie. Remember that to run this program, you need a copy of the passwd file, and if you are using shadow files, you should have already merged the two files together.

Slurpie does not have a utility to do this. You also need a dictionary file. There are two main modes that Slurpie can run in, as follows:

•-p . Uses a dictionary to try and crack the passwords.

•-g . Uses a brute force attack where you can specify the parameters that it uses. For example, –g a? 5 8 tries every possible word ranging in length from five to eight characters and contains lowercase letters and punctuation.

Because brute force attacks can take several weeks to run, we will concentrate on a dictionary attack. After the daemons have been started, you type the following command to start Slurpie:

./slurpie –p words.txt passwd.txt

Slurpie runs and the results appear in a file that is the same as the password filename with .log appended to the end. In this case, the results appear in passwd.txt.log.

Results from Running Slurpie

After Slurpie runs, no results are displayed on the screen. All of the results are saved to a file. To compare the accuracy of the results, let’s use the same password file we used for Crack. These results are based on running Slurpie on a 500Mhz Pentium with 128MB of RAM.

When I ran Slurpie on this password file, it ran in 50 seconds and cracked 5 passwords. The following is the status file:

connecting to: 127.0.0.1 15001: successful. 1 nodes connected.

cracking: root 6T1E6qZ2Q3QQ2 cracking: daemon NP cracking: bin NP

cracking: sys NP

Dictionary Attacks

I am sure you have noticed that all of the programs are finding the same passwords when they perform a dictionary attack. This is because they are using the same dictionary. When you run a dictionary attack, remember that the results are only as good as the dictionary being used. If you run a password-cracking program with a dictionary of one word, the only password it can crack is that one word. In most cases, the larger the dictionary that is used, the higher the chances that a particular password will be cracked. Therefore, if each of the programs is run with a different dictionary, some programs might find more words than others, not because the program is better but because the third-party dictionary that is used is more thorough. I ran all of these programs with the same dictionary so you could compare the programs and see how well they performed.

Comparison

As we have covered in this chapter, there are several different tools that can be used to crack UNIX passwords. Table 10.1 is a summary chart to help you pick the one that is right for your environment.

Table 10.1. Comparison of the Effectiveness of UNIX Password Cracking Tools

As you can see, there is a direct relationship between ease of use and functionality. The easier a program is to use, the less features it has. If you are going to work in the UNIX environment, you should invest the

time to learn a password-cracking tool extremely well so that you can properly use it to secure your system.

Table 10.2 shows a comparison of which passwords each program cracked and the accuracy.

Table 10.2. Comparison of Passwords Cracked Using a Dictionary Attack

This table points out that the password-cracking programs that do a straight dictionary attack only crack passwords that are in the dictionary. So, the cracking is only as good as the dictionary that is used. Note that because the dictionary I used does not have a blank line, three of the four programs did not crack the account that had no password. This also shows that just because a password cracker does not crack a password does not mean that it is secure. In my opinion, all of the passwords except 5639421 and #57adm7# are trivial, which means 83 percent of the passwords are extremely weak, yet three of the four programs cracked less than 50 percent of them.

This is why it is so important to familiarize yourself with a tool and learn how to customize it, because the default install does not do the best job.

Protecting Against UNIX Password Crackers

Just as was stated in Chapter 9, “Microsoft NT Password Crackers,” there is no silver bullet for protecting against password cracking, although there are ways to minimize the chances of a successful crack. The following are some key aspects to strong password protection:

•Have a strong password policy

•Use shadow files

•Use one-time passwords

•Use biometric authentication

•Use Passwd+ to enforce strong passwords

•Audit access to key files

•Scan for cracking tools

•Keep inventory of active accounts

•Limit who has access to root

Have a Strong Password Policy

Because password policies have already been covered in Chapter 9, they will only be briefly covered here. Password policies, or any security policy for that matter, play a key role in the strength of a company’s security program. If users do not know what is expected of them, there is no way that they can be held responsible for having weak passwords.

Also, a password policy helps get management buy-in, ensuring that it is behind you and supports security. Some key things to strive for in a password policy are the policy should be uniformly enforced across the company, and reasonable so that most users will read and follow it. A oneto two-page password policy that clearly outlines what is expected of users is a good start.

The following is my recommendation for a password policy:

•Passwords change every 45 days.

•After three failed logon attempts in five hours, accounts are locked for three hours.

•All passwords must contain at least one alpha, one number, and one special character.

•Users cannot reuse their previous five passwords.

•Passwords should not contain birthdays, childrens’ names, sports teams, or other personal information.

•Passwords should not be dictionary words.

The following is a tip for picking good password:

•Use a phrase, not a word, and then use the first letter of each word in the phrase.

•Example—When I stub my toe I say !@#$% 5 times

•Password—WismtIS !@#$%5t.

The key to remember is that a password policy is company and environment dependent. There are some cases where I would tighten it, but the preceding policy is a good starting point. You just have to assess the security at your company to make sure you pick an appropriate policy.

Use Shadow Files

As discussed in the beginning of this chapter, shadow files make it difficult for users to gain access to the encrypted passwords. If your UNIX system is not using shadow files, you should either upgrade the operating system or use a program that will convert your passwd file to a shadow file. After shadow files are used in most cases, an attacker needs root access to extract the encrypted passwords. In other words, shadow files do not eliminate the threat, they just reduce the threat by increasing the chances that only legitimate users can access the passwords and run Crack. If an attacker has root access on your system, the fact that he can run Crack is the least of your worries. Why would an unauthorized user with root access worry about running Crack, when he can create whatever accounts he wants?

It is important to note that Crack can still be used on a system with shadow files; it just requires an extra step and extra access for the user. To run Crack on such a system, an attacker must have root access to read the shadow file or some way to acquire a copy of the file.

After you have a copy of the shadow file, you must merge it with the passwd file. Crack cannot be run directly against the shadow file; you must merge the files together. To merge the files, if you are very careful and good with a text editor, you can do it manually. Or for the less insane, Crack comes with a shadmrg.sv script that enables the user to combine the two files. The shadmrg script does not use arguments and must be edited for it to work properly. For example, you would go into the file and find the first non-commented lines that contain the words SHADOW = and PASSWD =, edit the file, and put the path of the location of the two files. The output file that is produced can then be run through Crack.

USE One-Time Passwords

One-time passwords are very effective against password guessing because the passwords change each time the user logs on. In other words, there are really no passwords to guess. If you want to overcome the passwordguessing problem, the ideal way is to use one-time passwords. The drawbacks are implementation costs, complexities, and ongoing operating costs. The most common form of one-time passwords is smart cards. This is a device that the user must carry around with her whenever she wants to log on to the system. The device is triggered by time, so the password changes every minute. When the user wants to log on, she reads the current password off of the display and types it in as the password.

A huge liability with smart cards is replacement of the cards when they are lost or stolen. Think of how often employees lose or forget their badge or the keys to their office. Because smart cards are a lot more expensive,

a company can have considerable, increased costs based on the number of cards it has to replace. I know several companies that implemented smart cards and stopped using them because they forgot to account for lost cards, and based on that they severely ran over their budget.

Many companies implement one-time passwords in addition to regular passwords. For example, while an employee is at a company facility, she would use her regular password to authenticate. Only when she is out of the office and dialing in remotely does she use the one-time password. This helps keep initial costs down and lets you dole out one-time passwords in an incremental manner. Also, using regular passwords in conjunction with one-time passwords helps increase a company’s security, because now authentication is based on something you have and something that you know.

Instead of time, some devices use what is known as a challenge response. The user presents his user ID to the system and the system responds with a challenge. The user then types the challenge into the device and the device displays a response, which the user then types as the password.

Another form, which is less expensive, is software-based, one-time passwords. A common implementation of this is called SKEY. SKEY uses one-time passwords that are pre-computed when the system is set up. Each user gets a pre-computed list of passwords and uses a different password each time they log on.

The weakness of software-based, one-time passwords is that the password list resides on the user’s computer, so it is easier for an attacker to access. Also, if the computer’s hard drive gets damaged, the keys are also lost. On the other hand, because the passwords are on the computer, they are harder for the user to lose, as compared to smart cards or other devices the user carries around. The following web site provides additional information on SKEY: http://lheawww.gsfc.nasa.gov/~srr/skey_info.html.

Use Biometrics

Passwords are getting easier to crack because machines are getting so fast. As a result, more companies are turning to biometrics as the solution. Biometrics authenticates a user based on human factors such as fingerprint, handprint, retinal scan, and voice scan. These methods are highly reliable and are with a user at all times, so you do not need to worry about someone losing or misplacing a token like you do with onetime passwords. Because they are very difficult for the user to lose and there is nothing for an attacker to steal, biometrics are much more reliable.

There are several biometric solutions that are available for computers today. Some of the issues are cost, because every machine that a user could possibly log on to must have an authentication device. Even though they have been proven to be safe, some users are concerned about having their eyes scanned with a retinal scanner. Lastly, many people feel uncomfortable having “big brother” taking their personal information and being able to track them wherever they go.

The following site is a great reference for additional information on biometrics: http://www.biometricgroup.com/. It contains links to more than 100 vendors that provide biometric solutions. It also contains detailed information on the following types of biometrics: finger, facial, iris, retina, hand, voice and signature.

Use Passwd+

Passwd+ is a program that runs checks against the user’s password whenever he changes it, to make sure it follows some basic rules. There are other variations such as anlpasswd and npasswd that have similar features. Following are some of the checks that Passwd+ performs:

•The user must enter the password twice.

•Verifies the password is a minimum length.

•Verifies passwords must be a mixture of letters, numbers, and special characters.

•Verifies the password is not the user’s name.

•Verifies that the new password differs from a previous password.

Again, it is not a silver bullet; however, it is a good start. There are various versions of Passwd+ available on the Internet. The following are the URLs where you can find additional information:

•Passwd+: ftp://ftp.dartmouth.edu/pub/security

•Anlpasswd: ftp://cerias.cs.purdue.edu/pub/tools/unix/pwdutils/anlpasswd

•Npasswd: http://www.utexas.edu/cc/unix/software/npasswd

Audit Access to Key Files

Because in most cases password cracking is performed offline, the only way you can detect that someone is performing such an attack is to catch him when he is accessing the passwd or shadow file. Even if you do not check the audit logs on a regular basis, you must have scripts that scan the audit log looking for someone accessing key files. If you detect that someone has accessed these files, you might have to take action, because it probably means that an attacker has compromised or is compromising your passwords. Programs like tripwire are a good start and should be

part of your security plan. The problem is that these programs only catch files that have been modified. With password cracking, an attacker only has to access or read the file; he does not have to make any changes.

Scan for Cracking Tools

In some cases, you might get lucky and an employee or attacker might actually run the program on your system. This is not nearly as covert as downloading the password file and cracking it offline, but attackers might do it to use the computing power of the system. In these cases, running a periodic scan for known hacker tools such as Crack is fairly easy to do, and it can have a huge payoff if an attacker is using the program against your company. When performing security assessments, you cannot imagine how many times I find large numbers of hacker tools that the administrator did not know about because he never looked for them. To secure your systems, you have to know what is running on them. Do your homework and check for these tools before they do a lot of damage.

Keep Inventory of Active Accounts

Active accounts that belong to people that are on leave or are no longer at a company present a huge vulnerability. These accounts are easy for an attacker to compromise. Because no one is using the account, there is no way an unauthorized person can be detected. Therefore, there is no one to verify that the last logon date is incorrect, which would indicate that someone other than the user has been accessing the account.

A company must have a policy for checking active accounts and removing accounts that no longer should be active. If you do not periodically check your accounts, an attacker can create a backdoor account on your system and give it root access, and you would never know about it. Only by checking the system and being able to detect new or suspicious accounts can you prevent this type of behavior.

Limit Who Has Root Access

Only a small percentage of users should have root access. I have found that having root access tends to be an ego thing in many companies where everyone has to have root access. (“Well, I am certified.” Or, “I am a senior administrator.”) Therefore, the individual feels he must have root access. This type of thinking is a huge security risk and must be changed. If a large number of people have root access and log on as root, it is very hard to tell what is authorized and what is not authorized activity.

Also, the potential for damage increases because, by a slip of the hand, a user can accidentally delete the entire system if she is logged on as root.