Categories
Aircrack-ng aireplay airmon airodump BackTrack iwconfig kismet Linux macchanger Security WEP wifi WPA

Cracking WEP Using Backtrack: Beginner’s Guide

This tutorial is intended for user’s with little or no experience with Linux or wifi. BackTrack, from remote-exploit is a tool which makes it very easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.

Required Tools

  • You will need a computer with a wireless adapter listed here
  • Download BackTrack (4 Pre Release is the most recent as of this writing) and burn the ISO to a CD

OVERVIEW

BackTrack is a bootable live cd with a myriad of wireless and tcp/ip networking tools. This tutorial will only cover the included kismet and aircrack-ng suite of tools.

Tools Overview

  • Kismet – a wireless network detector and packet sniffer
  • airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
  • airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
  • aireplay – a tool for forging ARP requests
  • aircrack – a tool for decrypting WEP keys
  • iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP requests to the target router
  • macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

Glossary of Terms

  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (ie 00:11:ef:22:a3:6a)
  • BSSID: Access Point’s MAC address
  • ESSID: Access Point’s Broadcast name. (ie linksys, default, belkin etc) Some AP’s will not broadcast their name but Kismet may be able to detect it anyway
  • TERMINAL: Command line interface. You can open this by clicking the black box icon next to the start key in BackTrack.
  • WEP: short for Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks.
  • WPA: short for WiFi Protected Access. a more secure protocal than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since BackTrack is a live CD running off your cdrom, there is nowhere that you can write files to unless you have a Linux partition on your hard drive or a USB storage device. BackTrack has some NTFS support so you will be able to browse to your Windows based hard drive should you have one, but it will mount the partition as “read-only”.  To find your hard drive or USB storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.

DISCLAIMER

Hacking into someone’s wireless network without permission is probably against the law. Make sure you are using this to test your own system(s) or one that you have explicit permission to “test.”

IMPLEMENTATION

STEP 1

Monitoring Wireless Traffic With Kismet

Place the BackTrack CD into your cd-rom drive and boot into BackTrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like “Hit ctrl+esc to change bios settings”. Changing your first boot device to cdrom will do the trick. Once booted into Linux, login as root with username: root password: toor. These are the default username and password used by BackTrack. A command prompt will appear. Type startx to start KDE (a ‘Windows’ like workspace for Linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to BackTrack->Wireless Tools -> Analyzers ->Kismet. Alternatively you can open a Terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely ‘ath0′, and sit back as kismet starts detecting networks in range.

NOTE: We are using kismet for two reasons:

  1. To find the bssid, essid, and channel number of the AP you are accessing.
  2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device’s name just type:

iwconfig

Which will look something like this:

While kismet detects networks and various clients accessing those networks you might want to type ’s’ and then ‘Q’ (case sensitive). This sorts all of the AP’s in your area by their signal strength. The default ‘autofit’ mode that kismet starts up in doesn’t allow you much flexibility. By sorting AP’s by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (side note: when selecting target AP keep in mind this tutorial only covers accessing host AP’s that use WEP encryption. In kismet the flags for encryption are Y/N/0. Y=WEP N=Open Network- no encryption 0= other: WPA most likely.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (essid), MAC address (bssid), and channel number of your target AP into a text editor. BackTrack is KDE based so you can use kwrite. Just open a terminal and type in ‘kwrite’ or select it from the start button. In BackTrack’s terminal to copy and paste you use shift+ctrl+c and shift+control+v respectively. Leave kismet running to leave your wireless adapter in monitor mode. You can also use airmon to do this manually. airmon-ng -h for help.

STEP 2

Collecting Data With Airodump

Open a new terminal and start airodump to collect ARP replies from the target AP. Airodump is fairly straight forward, but for help you can type “airodump-ng -h” at the command prompt for additional options.

airodump-ng ath0 -w /mnt/hda2/home/admin/ap_dump 6 1

Breaking down this command:

  • ath0 is my wireless card
  • -w tells airodump to write the file to
    /mnt/hda2/admin/ap_dump
  • 6 is the channel 6 of my target AP
  • 1 tells airodump to only collect IVS – the data packets with the WEP key

STEP 3

Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:11:22:AA:BB:CC ath0

  • -1 at the beginning specifies the type of attack. In this case we want fake authentication with AP. You can view all options by typing aireplay-ng -h
  • 0 specifies the delay between attacks
  • -e is the essid tag. belkin is the essid or broadcast name of my target AP. Linksys or default are other common names
  • -a is the bssid tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address. macchanger -s ath0
  • ath0 at the end is my wireless adapters device name in Linux

STEP 4

Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:11:22:AA:BB:CC ath0

NOTES:

  • -b requires the MAC address of the AP we are accessing.
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address. macchanger -s ath0
  • if packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter’s transmission rate. You can find your AP’s transmission rate in kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, ARP packets count will slowly increase. This may take a while if there aren’t many ARP requests from other computers on the network. As it runs however, the ARP count should start to increase more quickly. If ARP count stops increasing, just open up a new terminal and re-associate with the ap via step 3. There is no need to close the open aireplay terminal window before doing this. Just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Just reassociate with the AP following the instructions on step 3.

STEP 5

Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/ap_dump.ivs

Change /mnt/hda2/home/ap_dump.ivs to your file’s location.  Once you have enough captured data packets decrypting the key will only take a couple of seconds. If aircrack doesn’t find a key almost immediately, just sit back and wait for more data packets.

For more information or assistance you can access the BackTrack forums at remote-exploit.org.

Categories
Linux Rootkit Security WGET

Checking your Linux system for Rootkits

Chkrootkit is a tool to locally check for signs of a rootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
2) Check the md5checksum:

md5sum chkrootkit.tar.gz

3) Then extract and install:

tar -zxvf chkrootkit.tar.gz
cd chkrootkit
./configure
make sense

4) You can run it with the following command:

./chkrootkit

5) Now we are going to add it to contrab to schedule daily automatic scans in the system:

vi /etc/cron.daily/chkrootkit.sh

#!/bin/bash
# Enter the directory where the rootkit is installed
cd /root/chkrootkit/
# Enter your email address where you want to receive the report
./chkrootkit | mail -s “Daily chkrootkit from Server Name” your@email.com

6) Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh
7) To give it a try you can run the chkrootkit.sh file manually from /etc/cron.daily directory and you should receive a report to the email account you provided.
Categories
Linux scrub Security Ubuntu

Linux / UNIX Software that make retrieving the data more difficult with Department of Defense ( DoD 5520.22-M ) compliant disk / file wiping

Many programs exists for doing Department of Defense (DoD) compliant disk wipe program to remove files / disk securely. One of my favorite program is scrub, which writes patterns on special files (i.e. raw disk devices) or regular files to make retrieving the data more difficult. Scrub implements user-selectable pattern algorithms that are compliant with DoD 5520.22-M or NNSA NAP-14.x. The dod scrub sequence is compliant with the DoD 5220.22-M procedure for sanitizing removeable and non-removeable rigid disks which requires overwriting all address able locations with a character, its complement, then a random character, and verify.

Download scrub

You can download scrub here. The package is available in both source and binary releases for

  • Redhat Enterprise Linux (RHEL 4 / 5)
  • Debian / Ubuntu Linux
  • HP-UX UNIX
  • Mac OS etc

How to use scrub

Scrub operates in one of three modes:

  1. The special file corresponding to an entire disk is scrubbed and all data on it is destroyed. This mode is selected if file is a character or block special file. This is the most effective method.
  2. A regular file is scrubbed and only the data in the file (and optionally its name in the directory entry) is destroyed. The file size is rounded up to fill out the last file system block. This mode is selected if file is a regular file.
  3. file is created, expanded until the file system is full, then scrubbed as in 2). This mode is selected with the -X option.

Examples

Scrub mysensitive.file.txt file, enter:
$ scrub mysensitive.file.txt

Output:

scrub: using NNSA NAP-14.x patterns
scrub: padding mysensitive.file.txt with 3998 bytes to fill last fs block
scrub: scrubbing mysensitive.file.txt 4096 bytes (~4KB)
scrub: random |................................................|
scrub: random |................................................|
scrub: 0x0 |................................................|
scrub: verify |................................................|

To use patterns compliant with DoD 5220.22-M, enter:
$ scrub -p dod mysensitive.file.txt

Output:

scrub: using DoD 5220.22-M patterns
scrub: padding mysensitive.file.txt with 3998 bytes to fill last fs block
scrub: scrubbing mysensitive.file.txt 4096 bytes (~4KB)
scrub: 0x0 |................................................|
scrub: 0xff |................................................|
scrub: random |................................................|
scrub: 0x0 |................................................|
scrub: verify |................................................|

Erase /dev/sda1 – the special file corresponding to an entire disk is scrubbed and all data on it is destroyed, enter:
# scrub /dev/sda1 

Categories
AFP Firewall Linux Security WGET

Installing & Configuring Advanced Policy Firewall (APF)

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. In this paper I will show you how to install and configure APF firewall to your system. It is one of the best open source firewalls available.
Download APF firewall:

wget http://www.r-fx.ca/downloads/apf-current.tar.gz

Extract & Install:

tar –zxvf apf-current.tar.gz
cd apf-0.9.6-2
./install.sh

After the installation is complete you will receive a message saying it has been installed.  Next we will have to configure the firewall:

vi /etc/apf/conf.apf

Here is the general configuration to make your firewall run and block/open default ports. The rest is up to you to read the README file.

First we will enable the firewall to use the DShield.org block list of networks that are suspicious.  You can change in the config file the option that says: USE_DS=”0” to USE_DS=”1”

Here two configuration ways for firewall to work with: General & CPanel. CPanel configuration is the most well known web hosting package for servers nowadays.

Refer here for a list of ports.

General Configuration: (DNS, Mail, Web, FTP)

Common ingress (inbound) ports # Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,995″ # # Common ingress (inbound) UDP ports IG_UDP_CPORTS=”53″
# Egress filtering [0 = Disabled / 1 = Enabled] EGF=”1″ # Common egress (outbound) TCP ports EG_TCP_CPORTS=”21,25,80,443,43″ # # Common egress (outbound) UDP ports EG_UDP_CPORTS=”20,21,53″

CPanel Configuration

Common ingress (inbound) ports # Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500″ # # Common ingress (inbound) UDP ports IG_UDP_CPORTS=”53″ Common egress (outbound) ports # Egress filtering [0 = Disabled / 1 = Enabled] EGF=”1″ # Common egress (outbound) TCP ports EG_TCP_CPORTS=”21,25,80,443,43,2089″ # # Common egress (outbound) UDP ports EG_UDP_CPORTS=”20,21,53″

Now start the firewall:

/etc/apf/apf –s

After verifying everything is working fine and without any problem go back to the configuration file to change the DEVM=”1” to DEVM=”0”

Now its time to configure the AntiDos options of APF Firewall:

vi /etc/apf/ad/conf.antidos

You can configure lot of things there but we will just enable the send email option.

Find the following lines and replace them with your details:
# Organization name to display on outgoing alert emails
CONAME=”Your Company”
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT=”0″
#
# User for alerts to be mailed to
USR=you@yourco.com

You should replace USR_ALERT from “0” to “1”
Save and restart the firewall:

/etc/apf/apf –r

To make the firewall start with the Operating System:

chkconfig –level 2345 apf on

Tips:
To deny an ip use:

/etc/apf/apf –d ip notes

You can do that also from vi /etc/apf/deny_hosts.rules to deny hosts
To allow an ip use:

/etc/apf/apf –a ip notes

You can do that also from vi /etc/apf/allow_hosts.rules to allow hosts.

Categories
Linux Security shred SSH

Securely remove multiple files so they cannot be recovered

Shred utility overwrites a file to hide its contents, and optionally delete it if needed. The idea is pretty simple as it overwrites the specified FILE(s) repeatedly, in order to make it harder for even very expensive hardware probing to recover the data. By default file is overwritten 25 times. I’ve seen cases where law enforcement agencies had successfully recovered data from 5 year old *not so* working hard disk as evidence. Also when you move your rented server you should consider running file shredding; otherwise new owner can get data including passwords.

Shred a single file

Securely delete a file called /home/vivek/login.txt:
$ shred -u ~/login.txt

You can add a final overwrite with zeros to hide shredding:
$ shred -u -x ~/login.txt
Where,

  • -u : Remove file after overwriting
  • -x : Add a zero to hide shredding
  • -n NUM : Overwrite NUM times instead of the default 25

Shred a multiple files

Let us say you have 100 subdirectories and just wanted to get rid of all files:
$ find -t f . -exec shred -u '{}' ;

If you have many files consider a running job in background using nohup – (execute commands after you exit from a shell prompt over ssh session):
$ nohup find -t f /var/www/ -exec shred -n30 -u '{}' ; &

Shred drawbacks

  • Shred doesn’t go well with log-structured or journaled file systems, such as JFS, ReiserFS, XFS, Ext3, etc.
  • Compressed file systems
  • RAID-based file systems
  • NETApps (Network Appliance’s) NFS server

So how do I wipe on journaling file systems?

There is no simple solution. I’ve tried different techniques.
You can store sensitive data on ext2 or fat32 file system and easily delete files. According to shred man page:

In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the /etc/fstab file, as documented in the mount man page (man mount).

Someone suggested to use disk encryption to store data that needs to be wiped.
Run shred on entire partition:
# shred -n 30 -vz /dev/hdb2

On remote computer, use nohup:
# nohup shred -n 30 -vz /dev/sdb1 &

Output:

shred: /dev/sdb1: pass 1/26 (random)...
shred: /dev/sdb1: pass 1/26 (random)...1013MiB/234GiB 0%
shred: /dev/sdb1: pass 1/26 (random)...1014MiB/234GiB 0%
shred: /dev/sdb1: pass 1/26 (random)...1.9GiB/234GiB 0%
shred: /dev/sdb1: pass 1/26 (random)...2.0GiB/234GiB 0%
shred: /dev/sdb1: pass 1/26 (random)...3.0GiB/234GiB 1%
shred: /dev/sdb1: pass 1/26 (random)...3.1GiB/234GiB 1%
shred: /dev/sdb1: pass 1/26 (random)...4.0GiB/234GiB 1%
shred: /dev/sdb1: pass 1/26 (random)...4.1GiB/234GiB 1%
shred: /dev/sdb1: pass 1/26 (random)...5.0GiB/234GiB 2%
shred: /dev/sdb1: pass 1/26 (random)...5.1GiB/234GiB 2%
shred: /dev/sdb1: pass 1/26 (random)...6.1GiB/234GiB 2%
......
..
...

And finally you can always destroy hard disk physically, perhaps through a hard drive in hot melting metal.  If you just need to securely wipes the hard disks use dban – Derik’s Boot and Nuke.

Categories
Anti-Spyware Encryption Firewall Internet Linux Passwords Security Spyware SSL Virus Scan WEP wifi Windows Windows Update WPA

Internet Safety: How to keep your computer safe on the Internet

Here are some things you can, and should, do to stay safe.

  • Stay Up-To-Date – Most virus infections don’t have to happen. Software vulnerabilities that the viruses exploit usually already have patches available by the time the virus reaches a computer. The problem? The user simply failed to install the latest patches and updates that would have prevented the infection in the first place. The solution is simple: enable automatic updates, and visit Windows Update periodically. Keeping Windows and other software up-to-date is the most important (and easiest) thing you can do to protect your computer.
  • Get Educated – To be blunt, all the protection in the world won’t save you from yourself. Don’t open attachments that you aren’t positive are okay. Don’t fall for phishing scams. Don’t click on links in email that you aren’t positive are safe. Don’t install “free” software without checking it out first – many “free” packages are free because they come loaded with spyware, adware and worse. When visiting a web site, did you get a pop-up asking if it’s ok to install some software you’re not sure of because you’ve never heard of it? Don’t say “OK”. Not sure about some security warning you’ve been given? Don’t ignore it. Choose strong passwords, and don’t share them with others.
  • Use a Firewall – A firewall is a piece of software or hardware that sits between your computer and the Internet and only allows certain types of traffic to crossl. For example, a firewall may allow checking email and browsing the web, but disallow things that are commonly not as useful such as RPC or “Remote Procedure Calls”.
  • Virus Scan – Sometimes, typically via email, virii are able to cross the firewall and get to your computer anyway. A virus scanner will locate and remove them from your hard disk. A real time virus scanner will notice them as they arrive, even before they hit the disk, but at the cost of slowing down your machine a little. Important: because new virii are arriving every day, it’s important to keep your virus definitions up-to-date. Be sure to enable the scanning software’s automatic-update feature and have it do so every day.
  • Kill Spyware – Spyware is similar to virii in that they arrive unexpected and unannounced and proceed to do something undesired. Normally spyware is relatively benign from a safety perspective, but it can violate your privacy by tracking the web sites you visit, or add “features” to your system that you didn’t ask for. The worst offenders are spyware that hijack normal functions for themselves. For example, some like to redirect your web searches to other sites to try and sell you something. Of course some spyware is so poorly written that it might as well be a virus, given how unstable it can make your system. The good news is that, like virus scanners, there are spyware scanners that will locate and remove the offending software. 
  • Secure Your Mobile Connection – if you’re traveling and using internet hot spots, free Wifi or internet cafes, you must take extra precautions. Make sure that your web email access is via secure (https) connections, or that your regular mail is over an encrypted connection as well. Don’t let people “shoulder surf” and steal your password by watching you type it in a public place. Make sure your home Wifi has WEP or, preferably WPA security enabled if anyone can drive or walk within range.
  • Don’t forget the physical – an old computer adage is that “if it’s not physically secure, it’s not secure.” All of the precautions I’ve listed above are pointless if other people can get at your computer. They may not follow the safety rules I’ve laid out. A thief can easily get at all the unencrypted data on your computer if they can physically get to it. The common scenario is a laptop being stolen, but there are many reports of people who’ve been burned because a family member or roommate accessed their computer without their knowledge. 

It all might seem overwhelming, but it’s not nearly as overwhelming as an actual security problem if and when it happens to you. While we might want it to be otherwise, the practical reality of the internet, and computing today, is that we each must take responsibility for our own security online.

Categories
Linux Security

Understanding the Linux /etc/shadow file

Can you explain /etc/shadow file used under Linux or UNIX?

/etc/shadow file stores actual password in encrypted format for user’s account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):

/etc/shadow file fields


(Fig.01: /etc/shadow file fields)

  1. User name : It is your login name
  2. Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
  3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
  4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
  5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
  6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  7. Inactive : The number of days after password expires that account is disabled
  8. Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used

The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow – the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a through z, A through Z, 0 through 9, . and /. Optionally it can start with a “$” character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with “$1$” it means the MD5-based algorithm was used.

Categories
Grep Linux Security

Understanding Linux /etc/passwd File Format

/etc/passwd file stores essential information, which is required during login i.e. user account information.
/etc/passwd is a text file, that contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. It should have general read permission as many utilities, like ls use it to map user IDs to user names, but write access only for the superuser (root).

Understanding fields in /etc/passwd

The /etc/passwd contains one entry per line for each user (or user account) of the system. All fields are separated by a colon (:) symbol. Total seven fields as follows.
Generally, passwd file entry looks as follows:

  1. Username: It is used when user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x character indicates that encrypted password is stored in /etc/shadow file.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
  4. Group ID (GID): The primary group ID (stored in /etc/group file)
  5. User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

/etc/passwd is only used for local users only. To see list of all users, enter:
$ cat /etc/passwd

To search for a username called tom, enter:
$ grep tom /etc/passwd

/etc/passwd file permission

The permission on the /etc/passwd file should be read only to users (-rw-r–r–) and the owner must be root:
$ ls -l /etc/passwd
Output:

-rw-r--r-- 1 root root 2659 Sep 17 01:46 /etc/passwd

Your password is stored in /etc/shadow file

Your encrpted password is not stored in /etc/passwd file. It is stored in /etc/shadow file. In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and moreover, the basic assumption used to be that of a friendly user-community.

Almost, all modern Linux / UNIX line operating systems use some sort of the shadow password suite, where /etc/passwd has asterisks (*) instead of encrypted passwords, and the encrypted passwords are in /etc/shadow which is readable by the superuser only.

Categories
Linux Security SSH

Linux Security Practices

Protect the root account
The root, or superuser, account on a Linux system allows access to anything and everything. For this reason, it’s well worth taking extra steps to protect it. Start by setting a hard-to-guess password for this account with the passwd command and change it on a regular basis.

Next, restrict the terminals that can be used for root access, by editing the file /etc/securetty. To avoid users leaving a root terminal “open”, set a timeout for inactive root logins by setting the TMOUT local variable, and ensure that the root command history file (which might contain sensitive information) is disabled by setting the HISTFILESIZE local variable to 0. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.

Next, require that every normal user account must have a password and ensure that passwords do not use easily-recognisable heuristics such as birthdays, user names or dictionary words.

Install a firewall
A firewall lets you filter data packets moving in and out of your server and ensures that only those packets matching pre-defined rules are permitted to enter or exit. A number of excellent firewalls are available for Linux, and firewall code can even be compiled directly into the kernel. Begin by defining input, output and forwarding rules for packets leaving and entering your network, using the ipchains or iptables commands. Rules may be specified on the basis of IP addresses, network interfaces, ports, protocols or combinations of these attributes; these rules also specify what action (accept, reject, forward) to take when a match occurs. Once the rules are installed, test the firewall extensively to ensure that no holes exist in it. A good firewall is your first line of defense against common attacks like distributed denial of service (DDoS).

Use OpenSSH for network transactions
If network transactions take place in plain text, it is possible for a hacker to “sniff” the data packets being transmitted and thus gain access to sensitive information. You can close this hole by using a secure shell utility like OpenSSH to create a secure encrypted “tunnel” for your data to pass through. Encrypting your connections in this manner makes it extremely hard for unauthorized users to read your data over the network.

Disable unwanted services
Most Linux systems are installed with a wide variety of services enabled, such as FTP, telnet, UUCP, etc. In most cases, these services are not used. You can disable these services by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf files and then restarting the inetd or xinetd daemon. Additionally, some services (for example, database servers) may start up by default during the boot process; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, leaving only SSH ports open.

Install an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that let you know if changes occur on your network. They’re a great way to identify (and even prove) attempts to break into your system, although at the cost of increased resource consumption and potential red herrings. There are two fairly well-known IDS’ you could use: tripwire, which tracks file signatures to detect modifications; and snort, which use rules-based directives to perform real-time packet analysis and search and identify attempts to probe or attack your system. Both programs can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof.

Use spam and anti-virus filters
Linux is quite resistant to viruses, but client machines running Windows are likely more susceptible. Therefore, it’s a good idea to install a spam and virus filter on your mail server itself, to “defang” suspicious messages and reduce the risk of a chain of collapses.
Begin by installing SpamAssassin, a leading open-source tool that uses a combination of different techniques to identify and flag spam; the program also supports user-based whitelisting and graylisting for greater accuracy. Next, install procmail for user-level filtering based on regular expressions; this tool allows automatic filtering of received email into mailboxes, at both a user and system level. Finally, install Clam Anti-Virus, a free anti-virus toolkit that integrates with sendmail and SpamAssassin and supports on-access scanning of email attachments.
Perform regular security audits
When it comes to securing your network, this step may be the most important. Here, you put on a black hat and do your best to circumvent the defenses you erected in the previous steps. Doing this provides you with an immediate and objective assessment of how hard your systems really are, and identifies potential vulnerabilities that you should fix.
A number of tools are available to help you in this audit: you can attempt to hack your password files using password crackers like Crack and John the Ripper; you can use nmap or netstat to look for open ports; you can sniff the network using tcpdump; and you can try exploiting publicised holes in your installed programs (Web server, firewall, Samba) to see if they offer a way in. If you do manage to find a way past your obstacles, rest assured that others will too; take immediate measures to close the openings.
Protecting your Linux system is an ongoing task, and so you shouldn’t rest easy once you’ve done the steps above. Visit the Linux security forums for more security tips, and be proactive in monitoring and updating the security of your system.
Categories
Linux Security SSH Ubuntu

Linux Password Cracking: Explain unshadow and john commands ( john the ripper tool )

Can you tell me more about unshadow and john command line tools? How does it protect my server from crackers?

Both unshadow and john distributed with – John the Ripper security software or fast password cracker software. It is free and Open Source software. It runs on Windows, UNIX and Linux operating system. Use this tool to find out weak users passwords on your own server.

John cracking modes

John can work in the following modes:
[a] Wordlist : John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
[b] Single crack : In this mode, john will try to crack the password using the login/GECOS information as passwords.
[c] Incremental : This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in john’s documentation, including how to define your own cracking methods.

Install John the Ripper Password Cracking Tool

John the ripper is not installed by default. If you are using Debian / Ubuntu Linux, enter:
$ sudo apt-get install john

Note: RHEL, CentOS, Fedora, Redhat Linux user can grab john the ripper here. Once downloaded use rpm command:
# rpm -ivh john*

How do I use John the ripper to check weak passwords / crack passwords?

First use the unshadow command to combines the /etc/passwd and /etc/shadow files so John can use them. You might need this since if you only used your shadow file, the GECOS information wouldn’t be used by the “single crack” mode, and also you wouldn’t be able to use the -shells option. On a normal system you’ll need to run unshadow as root to be able to read the shadow file. So login as root or use old good sudo / su command under Debian / Ubuntu Linux:
$ sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
RHEL / CentOS / Fedora Linux user type the following command:
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

To check weak password (crack password), enter the following command:

WARNING! These examples uses brute-force ~ CPU-time consuming password cracking techniques.

To use John, you just need to supply it a password file created using unshadow command along with desired options. If no mode is specified, john will try “single” first, then “wordlist” and finally “incremental” password cracking methods.
$ john /tmp/crack.password.db

Output:

john  /tmp/crack.password.db
Loaded 1 password (FreeBSD MD5 [32/32])

This procedure will take its own time. To see the cracked passwords, enter:
$ john -show /tmp/crack.password.db

test:123456:1002:1002:test,,,:/home/test:/bin/bash
didi:abc123:1003:1003::/home/didi:/usr/bin/rssh

2 passwords cracked, 1 left

Above output clearly indicates – user test has 123456 and didi has abc123 password.