UNIX Password
On the UNIX platform, all user login IDs and passwords are stored in a central location -- /etc/passwd. The format of this file contains various fields:
account:coded password data:uid:gid:GCOS-field:homedir:shell<sample portion of /etc/passwd>
kimoh:lEqsEB4g0QrNM:165:102:Kyong-ock Kim:/user3/grad/kimoh:/bin/csh
hjmoon:jh0eFHV54ZAco:161:102:Moon Hyun Jeong:/user3/grad/hjmoon:/bin/csh
juliets:jg3Q2qjlYfx9U:167:102:Juliets:/user3/grad/juliets:/bin/csh
ijbyun:ayKWDaPpMLq32:169:102:Byun Im Joo:/user3/grad/ijbyun:/bin/csh
ghimsj:PyIN/caDgwiHw:171:102:Ghim Soo Joong:/user3/grad/ghimsj:/bin/cshTo find more details about /etc/passwd, type "man -s 4 passwd" in cs machine.
The /etc/passwd file is open to general public, which is often exploited by crackers. Many systems adopt the shadowfile: all coded password data is replaced with a `*' or 'x' in /etc/passwd, and a second file /etc/shadow (the shadowfile) is used to store the password data. This file can only be read with sufficient privileges so that normal users cannot get the crypted passwords. Its format is:
username:password:lastchg:min:max:warn:inactive:expire:flagTo find more details about /etc/shadow, type "man shadow" in cs machine.<sample portion of /etc/passwd and /etc/shadow>kimoh:x:165:102:Kyong-ock Kim:/user3/grad/kimoh:/bin/csh
hjmoon:x:161:102:Moon Hyun Jeong:/user3/grad/hjmoon:/bin/csh
juliets:x:167:102:Juliets:/user3/grad/juliets:/bin/csh
ijbyun:x:169:102:Byun Im Joo:/user3/grad/ijbyun:/bin/csh
ghimsj:x:171:102:Ghim Soo Joong:/user3/grad/ghimsj:/bin/csh
kimoh:lEqsEB4g0QrNM:10424::::::
hjmoon:jh0eFHV54ZAco:9938::::::
juliets:jg3Q2qjlYfx9U:10032::::::
ijbyun:ayKWDaPpMLq32:9938::::::
ghimsj:PyIN/caDgwiHw:9938::::::
13 bytes of plain ASCII characters:
2 bytes for base 64 encoding of 12-bit salt
11 bytes for base 64 encoding of 64-bit DES output12-bit salt is randomly generated when a new password is submitted.
base 64 (or Radix-64) encoding:
one of the ASCII encoding methods of binary data, which converts each 6-bit in the binary data into one of the 64 printable characters [A-Za-z0-9+/]0~25: A-Z
26~51: a-z
52~61: 0-9
62,63 : +,/
padding symbol: =
(1) Generation of the encrypted passwordobtain a password from the user;
generate a 12-bit salt;
adjust E-table in DES using salt;
data <- 64 bits of 0s;
repeat the following 25 times
data <- modified-DES(data, password as key);
encoded-password-data <- base64encode(salt || data);
store login-id and encoded-password-data in /etc/passwd;
(2) Checking the password at user loginobtain the login-id and password from a user;(3) Why do they add salt? Why 25 times?
lookup login-id in /etc/passwd,
and get encoded-password-data;
convert the first two bytes of encoded-password-data into salt;
adjust E-table in DES using salt;
data <- 64 bits of 0s;
repeat the following 25 times
data <- modified-DES(data, password as key);
computed-password-data <- base64encode(salt || data)
compare computed-password-data and encoded-password-data;
if failed, give some delay;Question
- The salt prevents duplicate passwords from being visible.
- The salt prevents the use of a mass-produced hardware implementation of DES in password cracking.
- Repeating DES 25 times makes the password cracking 25 times harder.
William Stallings claimed in Network and Internetwork Security (2ed), Prentice-Hall, 1995, p. 215 that
(4) UNIX crypt(3C)
The salt effectively increases the length of the password without requiring the user to remember two additional characters. Hence, the number of possible passwords is increased by a factor of 4,096, increasing the difficulty of guessing a password.Does his claim make sense to you?
UNIX library functionchar *crypt(const char *key, const char *salt);performs:adjust E-table in DES using salt;NOTE:
data <- 64 bits of 0s;
repeat the following 25 times
data <- modified-DES(data, password as key);
encoded-password-data <- base64encode(salt || data);
- crypt(1) is a command for encrypting/decrypting a file, which implements a one-rotor machine designed along the lines of the German Enigma, but with a 256-element rotor. Methods of attack on such machines are widely known, thus crypt(1) provides minimal security.
To encrypt a file:
crypt key < src-file > encrypted-dst-file
To decrypt a file:
crypt key < encrypted-dst-file > src-file
To find more about crypt(1):
man crypt
Or you may try reading a C source.
- To find more about crypt(3C):
man -s 3C crypt
Or you may try reading a C source.
The process works as follows:
Naturally, the more rules one
applies to the words, the longer the cracking process takes. However, more
rules also guarantee a higher likelihood of success.
CrackerJack is a renowned UNIX password cracker designed expressly for the DOS platform.
cracks the password on files generated with PKZIP.2. Decrypt by Gabriel Fineman (decrypt.zip)
breaks WordPerfect passwords.3. Glide (Author Unknown: http://www.iaehv.nl/users/rvdpeet/unrelate/glide.zip)
This program is used exclusively to crack PWL files, which are password files generated in Microsoft Windows for Workgroups and later versions of Windows.4. AMI Decode (Author Unknown: amidecod.zip)
The AMI Decode utility is designed expressly to grab the CMOS password from any machine using an American Megatrends BIOS. The factory-default CMOS password is often AMI.5. NetCrack by James O'Kane (netcrack.zip)
NetCrack is an interesting utility for use on the Novell NetWare platform. It applies a brute-force attack.6. PGPCrack by Mark Miller
Pretty Good Privacy (PGP) is probably the strongest and most reliable encryption utility available to the public sector. PGP uses (typically long) passphrases instead of passwords as encryption key. But, poor users often use very short passwords. That is when PGPCrack is of use.7. Password Cracker for Early Versions of HWP
unhwp.exe for HWP 1.5 Encryption code21.exe for HWP 2.1 Encryption
Other Attacks on Passwords
1. Sniffer
2. Virtual Memory System
3. WS_FTP