Lab 4a

Due Date: Fri, Mar 8, 2019, 11:59pm Total Points: 7

Securely Storing Network Passwords (5 points)

Objectives:
• To understand how Linux uses and manages passwords for authentication.

Assumption:
• User can import a virtual machine.

Pre-condition:
• User has VirtualBox or equivalent.

Expected Outcomes:
• Student understands how Linux manages authentication with passwords
• Student understands purpose and use of shadow files in Linux.

Software used:
• VirtualBox. (https://www.virtualbox.org/wiki/Downloads)
• An imported Debian virtual machine.
(http://www.secknitkit.org/vms/asdh5t5s2ty451h3drtf5h25/SecKnitKit_V1.0.ova)
• Start the virtual machine. The password is “secknitkit”

Early Linux systems stored user account information in the /etc/passwd file. Other utilities could access
this file to get information such as username to user-id mappings. Passwords were hashed and stored in
this file as well.

Hashes are one-way functions and therefore cannot be reversed to recover the original password.
They are useful whenever you want to verify something, such as a password or a file, without
needing to reverse the computation. An attacker can still guess passwords and compare the results
against a pre-computed table of hashes of common passwords for common hash algorithms.

To thwart this, Linux uses another common technique known as “salting.” Salting inserts randomness
into the hash computation, so that the same password can be hashed in any of 4096 possible ways.
This adds an extra layer of protection against brute-force attacks, because a pre-computed table
would have to cover every possible salt.

Even though anyone could read the hash file, it was assumed that the hashes would be too difficult to
crack or analyze with the computing capabilities of the time. With advances in computing, it became
feasible for attackers to break the password hashes using optimized brute-force attacks.

To address this situation, instead of forbidding global read access to the passwd file, which would
disrupt other utilities, a secondary file, the “shadow file”, was created to hold the password hashes.

Getting Started:

Page 1 of 8

Copyright © Tennessee Tech NSF SecKnitKit Project: Award# DUE-1140864


1. Start Virtual Box.
2. Within Virtual Box, start the Secknitkit virtual machine.
3. When prompted, enter the password for secknitkit: secknitkit.

Linux shadow files allow for flexibility as well as an additional layer of security. The /etc/shadow file
holds colon-separated fields in the following order: username, hashed password (including the
salt and the algorithm used), password expiration, user ID, group ID, full name, home directory path,
and login shell.

Step 1:

First let us look at the passwd file. Open the terminal by double clicking on its icon on the
desktop. It looks like this:

Type the following in terminal. When prompted, type in “secknitkit” as the password for sudo.

$ sudo cat /etc/passwd

You should see output similar to the following:

Locate the row in the password output containing the secknitkit user.

Take a screen shot focused on this row of output. (It is fine to capture 1 or 2 rows surrounding this
row, but not the entire password output.)

The passwd file contains several fields separated by colons. The fields are as follows: username,
encrypted password (on a modern system this field holds an ‘x’, which means that the actual
password hash is stored in the /etc/shadow file), user ID, group ID, user info, home directory, and the
path to the shell (interpreter) or program to execute when a login takes place.

Here is a diagram of a typical passwd file entry.

One of the lines of the file is for our username (secknitkit). Take note of the field following our
username. The x tells the system that the password hash is in the shadow file. Let us look it up.

Step 2:

Type the following in the terminal.

sudo cat /etc/shadow

Like the passwd file, the shadow file has many entries, but we only care about the first few fields for
this exercise. Again we see “secknitkit” as the username, followed by a long string that seemingly
makes no sense. This is the hash that represents our password.

Take a screen shot showing the hash for secknitkit in the shadow file.

Not only does the shadow file contain the hash, but the hash field also carries other relevant
information, separated by $ symbols. From left to right it gives us: the hash algorithm id (in this case 6
for SHA-512), the salt for our hash (identifying which seed was used to generate this particular hash),
and the actual hash of the password.

As you can see, with access to the shadow file an attacker can cause a lot of damage by launching a
brute-force attack: generating hashes for all possible passwords and looking for just one match in
the hash file. And if that match is for root, then the damage is unlimited. That is why shadow
password files are owned by, and only accessible to, the superuser (root).
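As an added example (not part of the lab handout), the POSIX shell script below parses passwd- and shadow-style lines the way the two sections above describe them: it checks for the ‘x’ marker in the passwd entry, splits the shadow hash field at its $ separators into algorithm id, salt and hash, and lists the accounts whose hash was not produced with SHA-512. All sample lines, usernames and hash bodies are constructed placeholders, and the function names (passwd_uses_shadow, describe_entry, weak_hash_users) are this example's own. It goes slightly beyond the lab by also handling the rounds=N prefix and the blowfish (bcrypt) layout, whose salt has no $ after it.

```shell
#!/bin/sh
# Added example, not part of the lab handout: parse passwd- and shadow-style
# entries as the narrative describes them and report which accounts carry a
# hash made with an algorithm other than SHA-512.
# All sample lines are constructed; the hash bodies are placeholders, not
# real hashes of any password.

# Constructed /etc/passwd-style line: user:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='secknitkit:x:1000:1000:SecKnitKit,,,:/home/secknitkit:/bin/bash'

# Constructed /etc/shadow-style lines: user:$id$salt$hash:lastchg:min:max:warn:::
SAMPLE_SHADOW='root:$6$abcdEFGH$PLACEHOLDER_SHA512_HASH:17900:0:99999:7:::
secknitkit:$1$Zx9qLm2k$PLACEHOLDER_MD5_HASH:17900:0:99999:7:::
backup:$5$rounds=10000$saltyone$PLACEHOLDER_SHA256_HASH:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
nobody:!:17900:0:99999:7:::'

# Second field of a passwd line: "x" means the hash lives in /etc/shadow.
passwd_uses_shadow() {
  rest=${1#*:}
  [ "${rest%%:*}" = "x" ]
}

# Map the crypt(3) id prefix to the algorithm name used in the lab text.
algo_name() {
  case "$1" in
    1)        echo "MD5" ;;
    2a|2b|2y) echo "blowfish" ;;
    5)        echo "SHA-256" ;;
    6)        echo "SHA-512" ;;
    *)        echo "unknown($1)" ;;
  esac
}

# Print "user algorithm salt" for one shadow line. Accounts whose password
# field is *, ! or empty have no usable hash and are reported as "locked".
describe_entry() {
  line=$1
  user=${line%%:*}
  rest=${line#*:}
  pwfield=${rest%%:*}
  case "$pwfield" in
    '$'*)
      body=${pwfield#\$}            # id$salt$hash (or id$rounds=N$salt$hash)
      id=${body%%\$*}
      body=${body#*\$}
      case "$id" in
        2*) # bcrypt: cost$<22-char salt><31-char hash>, no separator after salt
            salt=$(printf '%s' "${body#*\$}" | cut -c1-22) ;;
        *)  salt=${body%%\$*}
            case "$salt" in
              rounds=*) body=${body#*\$}; salt=${body%%\$*} ;;  # skip rounds=N
            esac ;;
      esac
      printf '%s %s %s\n' "$user" "$(algo_name "$id")" "$salt"
      ;;
    *)
      printf '%s locked -\n' "$user"
      ;;
  esac
}

# One username per line for every account whose hash was not made with
# SHA-512, which is what a downgraded common-password would produce.
weak_hash_users() {
  printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
    set -- $(describe_entry "$line")
    case "$2" in
      locked|SHA-512) ;;
      *) echo "$1" ;;
    esac
  done
}

# Usage when run directly:
passwd_uses_shadow "$SAMPLE_PASSWD" && echo "passwd: hash is in /etc/shadow"
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do describe_entry "$line"; done
echo "accounts not using SHA-512:"
weak_hash_users
```

On the VM the same functions would read real lines from `sudo cat /etc/shadow`; the script only uses parameter expansion, `cut` and `printf`, so it runs under dash as well as bash.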

In Linux, users are even allowed to change the hash algorithm used to generate the hashes for
passwords. This setting is stored in /etc/pam.d/common-password.

Step 3:

Type the following into the terminal and press ENTER. You may be prompted for a password.
The password is “secknitkit”.

sudo gedit /etc/pam.d/common-password

Most of this file contains comments, but about 10 lines up from the bottom we can see that the
algorithm currently in use is in fact SHA-512. Let us change this to something less secure, but one
that gives us a shorter result.

Step 4:

In order to use MD5 instead of SHA-512, change the following line:

password [success=1 default=ignore] pam_unix.so obscure sha512

to

password [success=1 default=ignore] pam_unix.so obscure md5

Save once finished. Other options, such as SHA-256 and blowfish, are available as well. Now that we
have changed the algorithm, let us change our password to see the new algorithm at work.

Step 5:

Open a new terminal window and type the following command and press ENTER.

passwd secknitkit (here, secknitkit refers to the userID)

Type in the current password (secknitkit) and change it to: weakerhash_yourFirstName,
replacing “yourFirstName” with your actual first name.

Step 6:

View the shadow file again by typing the following command and pressing ENTER.
Remember that we just changed the password, so when sudo prompts you, enter the one you set in
the previous step!

sudo cat /etc/shadow

Take a screen shot that contains user secknitkit and the new hash for that user.

As you can see, the new hash is much shorter, and the hash algorithm ID has changed to 1, which
represents MD5.

With write access to the common-password file, an attacker can downgrade the hash algorithm to be
used for future passwords, just as we did. Therefore this file also needs extra protection. Just as with
the shadow file, the common-password file requires superuser (root) permissions to edit.
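As an added example (not part of the lab handout), the script below reads the pam_unix “password” line of a common-password file and reports which hash algorithm it selects, so that the kind of downgrade performed in Step 4 can be detected rather than only reproduced. The two configurations are constructed samples built around the lab's own line, not copies of the VM's file, and the function names (configured_hash_algo, check_common_password) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the lab handout: find the pam_unix "password"
# line in a common-password file and report the hash algorithm it names.
# The two configurations below are constructed samples, not the VM's file.

SAMPLE_DOWNGRADED='# here are the per-package modules (the "Primary" block)
password	[success=1 default=ignore]	pam_unix.so obscure md5
password	requisite			pam_deny.so
password	required			pam_permit.so'

SAMPLE_RESTORED='# here are the per-package modules (the "Primary" block)
password	[success=1 default=ignore]	pam_unix.so obscure sha512
password	requisite			pam_deny.so
password	required			pam_permit.so'

# Print the hash option found on the first non-comment "password ... pam_unix.so"
# line, or "none" when that line names no algorithm. The option names are the
# ones pam_unix accepts: md5, bigcrypt, sha256, sha512, blowfish, yescrypt.
configured_hash_algo() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    $1 == "password" && /pam_unix\.so/ {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|yescrypt)$/) { print $i; exit }
      print "none"; exit
    }'
}

# Return 0 when the configuration selects sha512 (the lab's baseline) and 1
# otherwise, printing a one-line verdict either way.
check_common_password() {
  algo=$(configured_hash_algo "$1")
  if [ "$algo" = "sha512" ]; then
    echo "OK: new passwords will be hashed with sha512"
    return 0
  fi
  echo "DOWNGRADED: pam_unix selects '$algo' instead of sha512"
  return 1
}

# Usage when run directly; on the VM the file content would come from
#   sudo cat /etc/pam.d/common-password
check_common_password "$SAMPLE_DOWNGRADED" || true   # non-zero status is the expected verdict
check_common_password "$SAMPLE_RESTORED"
```

Because the check returns a non-zero status on a downgrade, it can be dropped into a periodic integrity job alongside a permissions check on /etc/shadow and /etc/pam.d/common-password.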

Now open the common-password file again and change the line we edited earlier back to

password [success=1 default=ignore] pam_unix.so obscure sha512

Take a screen shot that shows the hash algorithm set to sha512 in the common-password file.

Change the password back to “secknitkit,” since we will be using other SecKnitKit labs in the future.

passwd secknitkit

Type in the current password (weakerhash_yourFirstName) and change it to: secknitkit.

Take a screen shot that shows the password was successfully changed.

Power off the SecKnitKit virtual machine and exit Virtual Box.

Sources:
http://www.cyberciti.biz/faq/understanding-etcshadow-file/
http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
http://en.wikipedia.org/wiki/Shadow_password

Post Assignment Questions (2 points)

Answers to the following questions can be found in the lab narrative.

1. What does an X indicate in a password file?

2. What is the value of the salt for the secknitkit entry in the shadow file?

3. Based on the information provided in this lab, which files need extra protection for securing
passwords and why?

Additional question:

4. As demonstrated in class, password hashes that were cracked with John the Ripper were ‘not’
salted. In what way does adding salt to password hashes provide greater security for passwords?
