Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!umd5!uvaarpa!mcnc!rti!tijc02!pjs269
From: pjs269@tijc02.UUCP (Paul Schmidt)
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <203@tijc02.UUCP>
Date: 19 Feb 88 14:52:43 GMT
References: <731@ddsw1.UUCP>
Distribution: na
Organization: Texas Instr., Johnson City TN
Lines: 59

> Many people left me mail about this (simple) program that brute force hacks
> at the /etc/passwd file on about any compiling unix using the /usr/dict/words
> or any other type of dictionary file. Take a look at the source, as it is
> quite simple, yet very effective:
>
> The program ...
>
> ...as you can see, it is quite simple, but amazingly effective. Compiles on
> just about anything. I would imagine you could use 'nohup' if needed and
> invoke it as a process and pipe output to a text file and run it overnight, i.e.:
>
> $ nohup hpw root /usr/dict/words > pass.txt &
>
> I'm always welcoming any private mail discussions on this type of thing!
>
> -Doug
>
> ------------------
> Douglas Nelson
> dnelson@ddsw1.UUCP
> ------------------

Our company has had the policy of assigning passwords and making them unchangeable to the employees. These passwords are totally random so that this technique will not work. When I first started working here I did not understand this philosophy. But, now I do.

But, I rewrote the program to find the password by trying every combination of passwords that would be assigned by our company. After some quick benchmarks, I estimated it would take the program 28 years to find a single password on the system. The company changes the password every year so there is not much danger.

But there may be a danger still. The danger may exist where there are a lot of users on a UNIX system. Each encrypted password has a "salt" which is fed back into crypt. There are only 4096 different salt values. On a system that has a large number of users there may be a good possibility that more than one user has the same salt! Therefore a crypt hacker would be hacking at two passwords rather than one. This would reduce the expected time to find the password. The chances of breaking a password are small but they would still have the chance of being broken (less than 1% but greater than 0.01%). As computers get faster this will make them more and more vulnerable to this kind of attack.

There are obvious ways for system administrators to detect crypt hackers. All they have to look for is CPU hogs. (That is, unless the hacker uses his own machine (PC) which will probably run a lot slower and he needs the crypt() routine on that machine.)

Therefore, properly chosen passwords will currently almost guarantee security on this brute force type attack.

Paul Schmidt
Texas Instruments
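An added administrator-side check, not part of Paul's post or of the hpw program, that audits a traditional crypt(3) password file for the shared-salt condition the post describes and computes how likely such a collision is for a given user count; the password entries below are constructed and the hash strings are made up.

```python
"""Audit a traditional DES crypt(3) password file for shared salts.

Assumption: 13-character crypt(3) hashes whose first two characters are
the salt, giving 64 * 64 = 4096 possible salts, as the post states.
"""
from collections import defaultdict
from math import comb

SALT_SPACE = 4096  # two salt characters drawn from a 64-symbol alphabet

# Constructed sample in /etc/passwd format; the hashes are invented strings
# of the right shape and do not correspond to any real password.
SAMPLE_PASSWD = """\
alice:aZ8TfQmL2kPcY:1001:100:Alice:/home/alice:/bin/sh
bob:aZm9RwVbNtq3U:1002:100:Bob:/home/bob:/bin/sh
carol:Kx7LpQ2nRs4Tv:1003:100:Carol:/home/carol:/bin/sh
dave:*:1004:100:Dave (locked):/home/dave:/bin/sh
"""

def salt_groups(passwd_text):
    """Map each salt to the users whose hash carries it. Entries without a
    13-character hash (locked '*', shadowed 'x', empty) have no salt."""
    groups = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or len(fields[1]) != 13:
            continue
        groups[fields[1][:2]].append(fields[0])
    return dict(groups)

def duplicate_salts(groups):
    """Salts shared by more than one user: one crypt() call against such a
    salt checks a candidate against every user in the group at once."""
    return {salt: users for salt, users in groups.items() if len(users) > 1}

def collision_probability(n_users, n_salts=SALT_SPACE):
    """Exact birthday-bound probability that at least two of n_users share
    a salt, assuming salts are chosen uniformly at random."""
    if n_users > n_salts:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n_users):
        p_all_distinct *= (n_salts - i) / n_salts
    return 1.0 - p_all_distinct

def expected_shared_pairs(n_users, n_salts=SALT_SPACE):
    """Expected number of user pairs that share a salt."""
    return comb(n_users, 2) / n_salts

if __name__ == "__main__":
    for salt, users in sorted(duplicate_salts(salt_groups(SAMPLE_PASSWD)).items()):
        print(f"salt {salt!r} shared by: {', '.join(users)}")
    for n in (2, 100, 500):
        print(f"{n:4d} users: P(shared salt) = {collision_probability(n):.4f}, "
              f"expected shared pairs = {expected_shared_pairs(n):.2f}")
```

Running it on a real system's password file (or its shadow file, where hashes are kept) shows which accounts would be tested together by a single crypt() call, which is the case the post flags as worth watching on large multi-user machines.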