passwds and crypt(3)...

P E Smee exspes at gdr.bath.ac.uk
Thu Jan 4 22:19:40 AEST 1990 

In article <1990Jan3.204103.9684 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
>In article <1990Jan3.103141.9903 at gdt.bath.ac.uk>, exspes at gdr.bath.ac.uk
>(P E Smee) writes:
>> Unstated, but implicit, is the fact that it is even worse if the perpetrator
>> just wants to break *some* password(s), not necessarily yours.  Having
>> encrypted a 'trial' password once, it can then be checked against all
>> encrypted passwords in /etc/passwd to see if it gets any hits.
>
>  (I'm not sure if you already know this, but it sounds like you don't
>-- I may just be understanding what you're trying to say wrong.)
>
>  No, that's the whole point of the seed.  The seed is *different* for
>each encrypted password in the /etc/passwd file (or, at the very least,
>there are a number of different seeds), so trial passwords must be
>encrypted in each possible seed before they can be compared to encrypted
>passwords.

Yep, I know that but chose to ignore it in interests of simplicity.  It
is (still) much faster (and very effective) to encrypt each potential
password (say, the spell-check dictionary plus a list of common first
names) with each possible seed, and check against all encrypted
passwords in /etc/passwd to see if you get any hits, than to try to
crack a particular password.  (There are, as I recall, only a small
number of seeds -- 4k-ish, maybe?)  And (as our crackers did on
Multics) each time you acquire a new password, you can use that userid
to take over part of the list of words to check, so you get
multi-tasking cracking, without imposing a suspicious increase in
resource use on any userid.  (You can also somewhat cover your tracks
by putting the 'smoking gun' files into the filespace of some innocent
bystander whose account you've subverted.)

What I'm not aware of is how the seed is chosen for a user.  If it is
anything other than random, then you can actually put some subtlety in
the trawling algorithm to speed it up.  (Multics used the password as
both data-to-encrypt, and as the seed for encryption.  This was
*claimed* to make it harder to decrypt a particular encrypted password
that you'd found, but actually made the trawling method easier.)

Whether a trawl is 'acceptable' depends on why you want to crack the
system.  Our crackers were registered users who wanted more resources
than we had allocated them.  So, cracking a privileged id wasn't
necessary.  *Any* cracked ID would let them at more CPU and disk
space.  Any cracked 'academic staff' ID would get them network access.
By checking 'last login date' in the greetings message each time they
first logged into a newly cracked account, they could make an educated
judgement as to whether the person was a frequent user, and so as to
how likely he or she was to notice the illicit use.

I'd add in passing that I question the wisdom of putting 'last logged
in at' into the startup greeting.  My experience is that (as above) it
can be useful for crackers, and that it gains you next to nothing in
security terms, as the vast majority of legitimate users don't pay any
attention to it at all -- just part of the noise the machine spits at
you when you log on, to be ignored.
-- 
Paul Smee, Univ of Bristol Comp Centre, Bristol BS8 1TW, Tel +44 272 303132
 Smee at bristol.ac.uk  :-)  (..!uunet!ukc!gdr.bath.ac.uk!exspes if you MUST)

More information about the Comp.unix.questions mailing list