Security Course Laboratory – Password Security

This semester, as a TA, I prepared several laboratories for security courses. This is the first one, Password Security, which examines common password-related technologies on both Linux and Windows.

First, students examine the password files on both systems. Then they run password cracking tools on the provided password files to become familiar with this threat. A common saying is that if you administer a system, you should be the first to run such tools against it (i.e. proactively detect weak passwords for all your users and disable those accounts). To make the password system more secure, an administrator should know how password policy works and how to enforce one on both systems. Finally, students examine a password cracking tool for the Oracle database.

1. Password Files

1.1) Windows XP Passwords

  • Open the Windows Image in Virtual PC
  • Download and run LCP (http://www.lcpsoft.com/english/download.htm)
  • Import the local password list: Import > Import from local computer
  • Observe the fields.

o What is LM Hash?

o What is NT Hash?

1.2) Linux Passwords

  • Open the FC6 Linux image in VMWare Player
  • Using any text editor (e.g. vim, kate, gedit), open /etc/passwd
  • Compare the fields in that file with what was learned in class
  • Now, open /etc/shadow

o Which users have passwords?

o What does it mean if the password field is empty?

o What if it contains a star or an exclamation mark?

  • Log in as root and create two users, ‘alice’ and ‘bob’ (use the command useradd)
  • Set both to exactly the same password, ‘abcd’ (# passwd alice, # passwd bob)
  • Check alice’s and bob’s encrypted password fields in /etc/shadow: are they the same? Why or why not?

2. Password Cracking Exercise

2.1) Cracking Windows Passwords

  • Download the sample Windows password files from http://insecure.org/stf/lc15src.tgz; the archive contains sample pwfile*.txt files with passwords used by this particular L0pht cracker, which we can also use. (You can also use the temporary accounts you create in the image.)
  • Open one of them in LCP
  • Select Hybrid mode, and run the cracker over it
  • Keep on working on the other exercises while it runs.

2.2) Cracking Linux Passwords

  • Download John-the-Ripper (http://www.openwall.com/john/) and compile it following the INSTALL documentation file
  • Build a password file from your FC6 system by combining /etc/passwd and /etc/shadow with the unshadow tool (following the EXAMPLES documentation file of John the Ripper)
  • Open a shell and run #john PASSWORDFILE
  • Let it run while you do the rest of this exercise (it should recover the passwords you created earlier for alice and bob). Then add more user accounts with passwords of different strength and try again.
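The following is an added example, not part of the lab and not John the Ripper's code. It ties together the /etc/shadow questions from section 1.2 and the cracking run above: it implements the $1$ MD5-crypt scheme that FC6's glibc writes to /etc/shadow, interprets the empty, ‘*’ and ‘!!’ password fields, and runs the kind of wordlist attack john performs. The shadow lines, salts and wordlist are constructed here (the hashes are generated by the code itself, not copied from a real system).

```python
# Added example (not from the lab or from John the Ripper): the $1$ hashes that FC6
# writes to /etc/shadow, why alice and bob get different hashes for the same
# password, and the wordlist attack john runs against them. Sample data is constructed.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: str, salt: str) -> str:
    """MD5-based crypt(3) ($1$), as implemented in glibc and FreeBSD."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):            # one alt-digest chunk per 16 pw bytes
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                    # the "something really weird" step
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # 1000 rounds: the only cost factor
        rnd = hashlib.md5()
        rnd.update(pw if r & 1 else final)
        if r % 3:
            rnd.update(sb)
        if r % 7:
            rnd.update(pw)
        rnd.update(final if r & 1 else pw)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return f"$1${salt}${out}"

def shadow_status(field: str) -> str:
    """Meaning of the password field (2nd column) of an /etc/shadow entry."""
    if field == "":
        return "empty: no password, login succeeds without one"
    if field[0] in "*!":
        return "locked: '*' or '!'/'!!' can never match a hash, password login disabled"
    return "hashed"

def parse_shadow(text: str) -> dict:
    """{user: hash} for entries that carry a real hash (what unshadow feeds to john)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":")[:2]
            if shadow_status(field) == "hashed":
                users[name] = field
    return users

def crack(users: dict, wordlist: list) -> dict:
    """Wordlist attack: the salt is public, so every guess is hashed under each user's salt."""
    found = {}
    for name, field in users.items():
        parts = field.split("$")              # ['', '1', salt, hash]
        if len(parts) != 4 or parts[1] != "1":
            continue                          # $5$/$6$ schemes are not handled here
        for guess in wordlist:
            if md5crypt(guess, parts[2]) == field:
                found[name] = guess
                break
    return found

# Constructed sample /etc/shadow; the hashes are produced by md5crypt() above.
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt("r00t-Str0ng!", "Qx7gL2pA") + ":13500:0:99999:7:::",
    "daemon:*:13500:0:99999:7:::",
    "alice:" + md5crypt("abcd", "kf3S9aQe") + ":13600:0:99999:7:::",
    "bob:" + md5crypt("abcd", "Z1bY8pLm") + ":13600:0:99999:7:::",
    "carol::13600:0:99999:7:::",
    "dave:!!:13600:0:99999:7:::",
])
WORDLIST = ["password", "123456", "letmein", "abcd", "qwerty"]   # constructed

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        name, field = line.split(":")[:2]
        print(f"{name:8} {shadow_status(field)}")
    print("cracked:", crack(parse_shadow(SAMPLE_SHADOW), WORDLIST))
```

alice and bob end up with different hash strings for the same password only because of the random 8-character salt after the second $, which is also why a cracker has to hash each guess once per user rather than once overall. You can cross-check md5crypt() against your FC6 box with openssl passwd -1 -salt kf3S9aQe abcd.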

3. Password Policies and Tools

3.1) Windows:

In Virtual PC:

  • Click Start > Run and type in mmc, enter
  • Do File > Add/Remove Snap-in
  • Add Security Configuration and Analysis and Security Templates
  • Click on OK
  • Right-Click on Security Configuration and Analysis
  • Create a new database and import the ‘securews’ template (securews.inf)
  • Right-Click on Security Configuration and Analysis and run an analysis
  • Observe the results in the Password Policy section
  • Right-Click on Security Configuration and Analysis and configure based on the template
  • Right-Click on Security Configuration and Analysis and run an analysis
  • Observe the results in the Password Policy section

You have just applied this predefined template’s policy. Feel free to modify the policy template.
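What the analysis step does is compare each setting in the database against the template. The following is an added example (not part of the lab or of Windows) of the same comparison done on an exported template in a script: the template text is constructed to look like what secedit /export /cfg current.inf would give on an unhardened XP box, and the BASELINE numbers are illustrative rather than the contents of securews.inf.

```python
# Added example, not part of the lab: audit the [System Access] password settings of an
# exported security template the way Security Configuration and Analysis compares a
# database against a template. CURRENT_INF is constructed; BASELINE is illustrative.
import configparser

CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# setting -> (lowest acceptable, highest acceptable); None means unbounded
BASELINE = {
    "MinimumPasswordLength": (8, None),
    "PasswordComplexity":    (1, 1),      # 1 = "must meet complexity requirements"
    "PasswordHistorySize":   (24, None),
    "MaximumPasswordAge":    (1, 42),     # 0 would mean "never expires"
    "MinimumPasswordAge":    (1, None),   # 0 lets a user cycle straight back to an old password
    "LockoutBadCount":       (1, 5),      # 0 means "never lock out"
}

def parse_system_access(inf_text: str) -> dict:
    """Integer settings from the [System Access] section of an .inf template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep the CamelCase names as written
    cp.read_string(inf_text)
    return {k: int(v) for k, v in cp["System Access"].items()}

def analyze(settings: dict, baseline: dict = BASELINE) -> dict:
    """Per setting: (current value, 'ok' | 'mismatch' | 'not defined')."""
    report = {}
    for name, (lo, hi) in baseline.items():
        if name not in settings:
            report[name] = (None, "not defined")
            continue
        v = settings[name]
        ok = (lo is None or v >= lo) and (hi is None or v <= hi)
        report[name] = (v, "ok" if ok else "mismatch")
    return report

def failing(inf_text: str) -> list:
    """Names of the settings that do not meet the baseline, sorted."""
    return sorted(n for n, (_, s) in analyze(parse_system_access(inf_text)).items() if s != "ok")

if __name__ == "__main__":
    # real exported templates are UTF-16 text: open(path, encoding="utf-16").read()
    for name, (value, status) in analyze(parse_system_access(CURRENT_INF)).items():
        print(f"{name:22} {str(value):>4}  {status}")
```

The point of the ranges rather than a single expected number is that 0 is a special value for several of these keys (never expires, never lock out), so "current <= template" style comparisons would pass a box that has the control switched off entirely.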

3.2) Linux:

Still in VMWare Player:

Fedora Core comes with the pam_cracklib PAM module integrated. Its default password policy is fairly relaxed, though, so we need to tighten it.

  • Edit the file /etc/pam.d/system-auth, comment out the line that says password requisite pam_cracklib.so retry=3 and add a new line: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8. Save and exit.

(other options are available at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html)

  • Create a new user alice if you haven’t done so earlier (adduser alice)
  • Switch to the alice account (su - alice) and try to change alice’s password (passwd) to something that does not comply with those rules (e.g. passwordpassword). This should fail.
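To see why passwordpassword passes the default line and fails the new one, here is an added example (not part of the lab, and not Linux-PAM's code) that models pam_cracklib's length/credit test for the two system-auth lines above. It follows the credit rules as the module's man page describes them: a positive Ncredit lets up to N characters of that class each add 1 to the length score, a negative one makes |N| characters of that class mandatory. The real module additionally runs cracklib's dictionary check and its palindrome/similarity/rotation checks, and the exact arithmetic should be confirmed against the pam_cracklib.c your distribution ships.

```python
# Added example (not part of the lab or of Linux-PAM): a model of pam_cracklib's
# length/credit test, applied to the two system-auth lines in the text. Documented
# credit rules only; no dictionary, palindrome or similarity checks.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASS_NAMES = {"dcredit": "digit", "ucredit": "upper-case",
               "lcredit": "lower-case", "ocredit": "other"}

RELAXED_LINE = "password    requisite     pam_cracklib.so retry=3"
STRICT_LINE = ("password    requisite     pam_cracklib.so "
               "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8")

def parse_cracklib_options(line: str) -> dict:
    """Options from a 'password <control> pam_cracklib.so k=v ...' line, over the defaults."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib password line: " + line)
    opts = dict(DEFAULTS)
    for tok in fields[3:]:
        key, _, val = tok.partition("=")
        if key in opts:
            opts[key] = int(val)
    return opts

def char_classes(pw: str) -> dict:
    d = sum(c.isdigit() for c in pw)
    u = sum(c.isupper() for c in pw)
    l = sum(c.islower() for c in pw)
    return {"dcredit": d, "ucredit": u, "lcredit": l, "ocredit": len(pw) - d - u - l}

def cracklib_simple(pw: str, opts: dict) -> tuple:
    """(accepted, reason). Positive credit: up to N chars of the class each add 1 to the
    length score. Negative credit: at least |N| chars of the class are mandatory."""
    score = len(pw)
    for cls, count in char_classes(pw).items():
        credit = opts[cls]
        if credit >= 0:
            score += min(count, credit)
        elif count < -credit:
            return False, f"needs at least {-credit} {CLASS_NAMES[cls]} character(s)"
    if score < opts["minlen"]:
        return False, f"length score {score} is below minlen={opts['minlen']}"
    return True, f"length score {score} meets minlen={opts['minlen']}"

def compare(pw: str) -> dict:
    """Verdict of the relaxed and the strict configuration for one candidate."""
    return {"relaxed": cracklib_simple(pw, parse_cracklib_options(RELAXED_LINE)),
            "strict": cracklib_simple(pw, parse_cracklib_options(STRICT_LINE))}

if __name__ == "__main__":
    for pw in ("passwordpassword", "abcdefgh", "Passw0rd!", "Tr0ub4dor&3"):
        print(f"{pw:18} {compare(pw)}")
```

Note the man page's remark that minlen is effectively "plus one if credits are not disabled": with the default lcredit=1 an all-lower-case 8-character password scores 9 and passes minlen=9, which is why the lab's line sets lcredit=0 and minlen=8 explicitly.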


4. Oracle Password

  • In Virtual PC, download and install Oracle Database 11g if necessary
  • Download the Oracle Password Cracker from http://www.petefinnigan.com/cracker-v2.0(1.3).zip and unzip it to a new folder

  • Connect as SYSTEM in SQL*Plus and create a new Oracle user with a weak password:

SQL>create user alice identified by PASSWORD;

  • Run the cracker (give the full path of the SQL file):

SQL>@cracker-v2.0.sql;

  • Observe the output to check which account password it has cracked

Read http://www.petefinnigan.com/oracle_password_cracker.htm to see what the output means.

  • Change the password of user alice to a really strong one, according to the previous policy:

SQL>alter user alice identified by NEW_PASSWORD;

  • Run the cracker again
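For reference, this is an added example (not part of the lab and not Pete Finnigan's cracker) of the case-sensitive SHA-1 verifier that Oracle 11g stores in SYS.USER$.SPARE4 for a user created as above: the string is "S:" followed by 40 hex digits of SHA1(password || salt) and 20 hex digits of a 10-byte random salt, one SHA-1 per guess and no work factor, which is why a weak password such as PASSWORD falls immediately. The user table, fixed salts and wordlist below are constructed for the example.

```python
# Added example, not part of the lab or of Pete Finnigan's cracker: the 11g "S:"
# SHA-1 verifier in SYS.USER$.SPARE4 and a wordlist attack on it. Constructed data.
import hashlib
import os

def oracle_11g_verifier(password: str, salt: bytes = None) -> str:
    """Build the SPARE4 "S:" value the way 11g does when a password is set."""
    salt = os.urandom(10) if salt is None else salt
    if len(salt) != 10:
        raise ValueError("11g uses a 10-byte salt")
    digest = hashlib.sha1(password.encode() + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()

def split_verifier(spare4: str) -> tuple:
    """(digest_hex, salt_bytes) from a SPARE4 value; 11g only carries the S: part."""
    s_part = next(p for p in spare4.split(";") if p.startswith("S:"))
    if len(s_part) != 62:
        raise ValueError("malformed S: verifier")
    return s_part[2:42], bytes.fromhex(s_part[42:62])

def check_candidate(spare4: str, candidate: str) -> bool:
    """One SHA-1 per guess: the 11g verifier has no iteration count."""
    digest, salt = split_verifier(spare4)
    return hashlib.sha1(candidate.encode() + salt).hexdigest().upper() == digest

def crack_users(users: dict, wordlist: list) -> dict:
    """users = {NAME: SPARE4}, as 'select name, spare4 from sys.user$' would return.
    Tries the obvious per-user guesses (the user name in a few cases) and then the list."""
    found = {}
    for name, spare4 in users.items():
        for guess in [name, name.lower(), name.capitalize()] + wordlist:
            if check_candidate(spare4, guess):
                found[name] = guess
                break
    return found

# Constructed: fixed salts make the run repeatable; real salts come from the server.
USERS = {
    "ALICE":  oracle_11g_verifier("PASSWORD", bytes.fromhex("00112233445566778899")),
    "BOB":    oracle_11g_verifier("bob", bytes.fromhex("0A0B0C0D0E0F10111213")),
    "SYSTEM": oracle_11g_verifier("9v!Qz#Lp7wTb$2eR", bytes.fromhex("DEADBEEFCAFEBABEF00D")),
}
WORDLIST = ["PASSWORD", "oracle", "manager", "change_on_install", "welcome1"]

if __name__ == "__main__":
    print(crack_users(USERS, WORDLIST))
```

Unlike the pre-11g verifier (which 11g still stores in USER$.PASSWORD by default), the S: verifier is case-sensitive: BOB is only recovered via the lower-case guess. A strong password like the one given to SYSTEM here is not in the list and survives, which is what you should see after the ALTER USER step above.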
