Linux Security Cookbook [Electronic resources] text version


Daniel J. Barrett, Robert G. Byrnes, Richard Silverman


Recipe 9.1 Testing Login Passwords (John the Ripper)



9.1.1 Problem


You want to check that all login passwords in your system
password database are strong.


9.1.2 Solution


Use John the Ripper, a password-cracking utility from the
Openwall Project (http://www.openwall.com). After the software
is installed, run:

# cd /var/lib/john
# umask 077
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords

Cracked passwords will be written into the file
john.pot. Cracked username/password pairs can be
shown after the fact (or during cracking) with the
-show option:

# john -show mypasswords

You can instruct john to crack the passwords of
only certain users or groups with the options
-users:u1,u2,... or
-groups:g1,g2,..., e.g.:

# john -users:smith,jones,akhmed mypasswords

Running john with no options will print usage
information.


9.1.3 Discussion


SuSE distributes John the Ripper, but Red Hat does not. If
you need it, download the software in source form for Unix from
http://www.openwall.com/john,
together with its signature, and check the signature before
proceeding. [Recipe 7.15]

Unpack the source:

$ tar xvzpf john-*.tar.gz

Prepare to compile:

$ cd `ls -d john-* | head -1`/src
$ make

This will print out a list of targets for various systems; choose the
appropriate one for your host, e.g.:

linux-x86-any-elf        Linux, x86, ELF binaries

and run make to build your desired target, e.g.:

$ make linux-x86-any-elf

Install the software, as root:

# cd ../run
# mkdir -p /usr/local/sbin
# umask 077
# cp -d john un* /usr/local/sbin
# mkdir -p /var/lib/john
# cp *.* mailer /var/lib/john

Then use the recipe we've provided.

By default, Red Hat 8.0 uses MD5-hashed passwords
stored in /etc/shadow, rather than the
traditional DES-based crypt( ) hashes stored in
/etc/passwd; this is effected by the md5 and
shadow directives in
/etc/pam.d/system-auth:

password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow

The unshadow command gathers the account and hash
information together again for cracking. This information should not
be publicly available for security reasons (that's why it is split up
in the first place), so be careful with this re-integrated file. If your
passwords change, you will have to re-run the
unshadow command to build an up-to-date password
file for cracking.
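To make the merge step concrete, here is an added Python re-implementation of what unshadow does to the recipe's input (this is example code, not part of the book or of the John the Ripper distribution): it replaces the x field of each /etc/passwd record with the hash from /etc/shadow, producing the single-file format john reads, and applies the same per-user filter as the -users:u1,u2 option. The passwd and shadow records are constructed, and every hash value is a placeholder.

```python
# Added example (not from the book or the John the Ripper project): a Python
# re-implementation of the merge unshadow performs, producing the one-file
# format john reads, plus the user filter that -users:u1,u2 applies.
# The passwd/shadow records below are constructed; hashes are placeholders.

PASSWD = """root:x:0:0:root:/root:/bin/bash
smith:x:500:500:Jane Smith:/home/smith:/bin/bash
jones:x:501:501:Bob Jones:/home/jones:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
# "$1$" entries stand in for MD5-crypt hashes; the 13-character entry for
# jones stands in for a traditional DES crypt() hash.
SHADOW = """root:$1$saltsalt$placeholderMD5hashvalue000:12000:0:99999:7:::
smith:$1$saltsalt$placeholderMD5hashvalue001:12000:0:99999:7:::
jones:abcdefghijklm:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text, users=None):
    """Return passwd records with the 'x' field replaced by the shadow hash.

    Locked or empty hashes ('*', '!...' or '') are dropped: john cannot crack
    them and they only add noise. `users` restricts output like -users:.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, h = line.split(":")[:2]
            hashes[name] = h
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if users is not None and name not in users:
            continue
        h = hashes.get(name, fields[1])  # no shadow entry: keep passwd field
        if h in ("", "*", "x") or h.startswith("!"):
            continue
        fields[1] = h
        merged.append(":".join(fields))
    return merged


def hash_kind(record):
    """'$1$' prefix is MD5-crypt (Red Hat 8.0 default); 13 chars is DES crypt()."""
    h = record.split(":")[1]
    if h.startswith("$1$"):
        return "md5"
    return "des" if len(h) == 13 else "other"
```

hash_kind is the check behind the discussion's warning that every gathered database must use hashes the john build on the cracking host supports.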

In general, cracking programs use
dictionaries of common words when attempting to crack a password,
trying not only the words themselves but also permutations,
misspellings, alternate capitalizations, and so forth. The default
dictionary (/var/lib/john/password.lst) is
small, so obtain larger ones for effective cracking. Also, add words
appropriate to your environment, such as the names of local projects,
machines, companies, and people. Some available dictionaries are:


directive in
/var/lib/john/john.ini.

john operates on a file of account records, so you
can gather the password data from many machines and process them in
one spot. You must ensure, however, that they all use the same
hashing algorithms compiled into the version you built on your
cracking host. For security, it might be wise to gather your account
databases, then perform the cracking on a box off the network, in a
secure location.

There are other crackers available, notably Crack by Alec Muffet.
[Recipe 9.2] We feature John the Ripper here not
because it's necessarily better, but because
it's simpler to use on Red Hat 8.0, automatically
detecting and supporting the default MD5 hashes.


9.1.4 See Also


See the doc directory of the John the Ripper
distribution for full documentation and examples.

Learn about Alec Muffet's Crack
utility at http://www.cryptcide.org/alecm/security/c50-faql.

The Red Hat Guide to Password
Security is at http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-passl.
