On Thu, 18 Nov 1999, you wrote:
-Stephen Carville wrote:
-
-> The MD5 hash is a much stronger method at least in the sense it is
-> more resistant to dictionary attacks. In some recent tests I did
-> using a PII-450 running Mandrake 6.0 and john the ripper, the MD5 hash
-> look about 10 times as long to yield as DES
-
-Can you give some information (or pointers to sites) for this one?
http://www.openwall.com/john/
-As far as I understand, you are 'breaking in into your own system' to check 'how
-strong it is'??
The story is a little involved so pull up a chair and relax.
A few months back, some PHB's collectively known as the
"Authentication Committee" got the bright idea to have a single
username and password for all users. Being mostly clueless and/or
winbigots, their idea was to use NT authentication as the basis for
all authentication in the company.
My boss came and asked me what I thought about the idea. I told him
they were nuts but it didn't affect me much since I am just a lowly
network administrator and my job is routers, switches, DNS, DHCP, and
a bit of perimeter security. Internal access is not on my job list
and I don't buck the fools in power, I just change jobs when the get
too insufferable. However, when the boss told me Committee wanted to
let users pick their own dialup and VPN passwords he got my
attention. We were issuing randomly generated passwords and
authenticating off our own radius server precisely because I don't
trust the average user to pick good passwords.
The boss asked how I could prove that our users pick really weak
passwords. Easy, I use this nifty new tool I discovered called John
the Ripper.
So -- with the bosses permission -- I snarfed the NIS password file
(ypcat passwd >passwd.txt). Then I leveraged my non-privileged
account (but physical access) to get me into one of the NT BDC's.
There I used pwdump to grab the entire worldwide NT password database
(only one domain!)
I proceeded to check the UNIX file for obvious passwords and then
against a fairly large dictionary. Not too many hours later I had a
about 65% of all the UNIX passwords. One really scary thing was that
over 400 employees had never changed their password from what they
were first issued!
Next I tried the same attack against the NT database. The first
thing I noticed was that NT passwords dropped out much faster. By a
factor of about a thousand. Now I know why it was so easy but at the
time I could scarcely believe my eyes. Out of curiosity I let the
program run in incremental mode (try ever possible combination) and
27 days 16 hours and some minute later I had every NT password in the
company.
Then I tried it against the MD5 passwords on my Linux the
dictionary search was 1/10 as fast as cracking the DES passwords.
Made a believer out of me.
>From my tests I estimate that incremental mode on DES passwords
would take about 2000 years to complete on my workstation. On MD5 I
estimate about 25,000 years. (of course if I had big Beowulf cluster
I could do it a lot faster :-)
Eventually, handing out a list of the passwords for every person on
the Authentication Committee convinced them they weren't as clever as
they thought they were and they let us continue to issue random
passwords.
All of the above was completely aboveboard. I did not hide what I
was doing and I kept my boss informed of everything I did. This was
to prove a point about users and security not break into my employers
systems. It was also a lot of fun...
-Any other methods to check the server.
-I have my (private) server online (+/- online all the time - through dialin
-:-( ), and want to check the security of it.
-(There is an internal network behind it)
-
-I know nmap scans the ports.....
http://www.linuxgazette.com/issue47/lukas.html
http://www.replay.com/redhat/locked.html
Get ssh
ftp://ftp.zedz.net/pub/crypto/redhat/SRPMS/
--
Stephen Carville
----------------------------------------------------
A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be
infringed.
