Example: Crack Finds UNIX Passwords

A popular and important example of dictionary attacks isCrack, a free program by Alec D. E. Muffett (Great Britain). The program tries to find weak passwords in UNIX systems. A brief digression is necessary to better understand how it works.

How the UNIX Login Works

To log into a UNIX computer you have to enter a name and a password. If you forget the password, you can’t work at the computer. How does it work? Storing passwords in plaintext is extremely dangerous. Once upon a time, I saw this under the RSX-11 operating system on PDP11 computers, the precursor of VMS on VAX computers. Though RSX-11 had cleanly managed access privileges, which guaranteed that not everybody could access all files,1_{it would} have been easy to get hold of the passwords had I had bad intentions, since I was often alone at the computer at night, and as things are with hardware, it broke down suddenly now and then. Only restarting the computer helped. I could have interrupted the startup phase by (electric) switch to become a privileged user with access rights to all files.

UNIX developers recognized these risks and stored passwords in encrypted form. That’s said rather sloppily, for the plaintext was known (by the way: it consists only of bytes with the numerical values 0 and 1), and the key was the password itself. From the result, i.e., the short ciphertext, the key could no longer be revealed. You would have had to mount a plaintext attack to try and find the key. However, UNIX uses 24 rounds of a modified DES algorithm (see Section 4.3) for encryption, and by the officially known current state of the art, the only meaningful type of attack that remains to reveal the key is the brute-force method (in theory, there are other approaches, but I doubt whether they could be practically used).

This means that not even the UNIX superuser (i.e., the system administrator), who can read and change everything, knows the users’ passwords. If one of his sheep forgets its password, he can help out only in one way: he deletes the encrypted password, and the user has to think of a new one. There is nothing wrong with making the password file readable to all users, for it also contains 1_{MS-DOS systems and Windows systems up to Windows 98 hadn’t known such rights. You} could protect your files against unauthorized access only by encryption!

3.3. Example:Crack Finds UNIX Passwords 71

other information of general interest. And new users select their password themselves; taking some care nobody will know it.

All of this was thought out rather cleverly (not only for the level of the 1970s), but two vulnerabilities remain:

1. When two users—a good one and a bad one—accidentally use the same password, then each one of them can log in by the name of the other user and get unlimited access to that user’s files. The situation would certainly be noticed and removed soon, but then it would be too late: the bad user might have installed a Trojan horse, i.e., a program he can use to get unauthorized access to the files of the good user, even if he doesn’t know the password since it had been changed.

2. There are circuits that implement the DES algorithm at very high speed. This means that an attacker with appropriate hardware could mount a brute-force attack and guess the password.

Salt Salt known plaintext modif. 24- round DES modif. 24- round DES password as key password as key known plaintext enter password

password file /etc /password or /etc/shadow

# passwd snoopy New password: Re-enter new password:

login: snoopy Password: Login by password query search entry yes: login COMPARE entry for snoopy encrypted password no: deny encrypted password

These are the reasons why a little salt is strewn in: the UNIX login program (and also thepassword program used to change passwords) modifies the DES algorithm randomly in one of 4096 ways. This additional information is the

salt that is placed in front of an encrypted password. In the event that two users actually get the same entry in the password file, then thepassword program can select a different salt. But the main thing is that the DES ciphering hardware has become worthless since it cannot map the DES variants mentioned. HowCrack Works

UNIX password encryption is still cryptologically very secure. The only vul- nerability in the entire process is humans: people use the names of their friends as passwords, or the official names of their departments or subjects, if they have no sense of humor. Rumors have it that the password ‘fred’ has been used quite often. Have a look at Figure 3.5 and you’ll know why.

Crack exploits this fact. It basically runs a brute-force attack, though rather than doing this at random, it tries many possibilities with the help of a dictionary. It makes sense that the user of Crack is responsible for the dictionary (since he won’t initially find the names of work subjects or names of friends in it). The entries in the dictionary are selected and modified based on rules defined by the user. You can see some of these rules in Figure 3.6.

Depending on the planned computing power and the known peculiarities of the users (who select their passwords themselves!), theCrack user can individually build his search strategy. Once it has guessed the password, Crack tells the program operator about it. Upon request, it also sends an email to the person concerned!

What Crack Is For

The last sentence probably shows best the actual purpose ofCrack: the program is not intended to enable breaking a system, but to increase its security. When

W E R T Z Q A Y N H S D F G X C V B

Figure 3.5: Part of a computer keyboard—why the password ‘fred’ is so popular.

3.3. Example:Crack Finds UNIX Passwords 73

Some modification rules:

• Add characters to the beginning or end: xfred, freddy. • Convert to uppercase or lowercase letters: FRED, fred. • Use uppercase for the first letter of the word only: Fred.

• Write the word backwards: derF (or combine the last two possibilities: Derf). • Write the word twice: FredFred.

• Reflect the word: FredderF.

• Overwrite a certain position with a different character: Frxd. • Insert a character in a certain position: Fried.

• Replace a character by another one: Frad. • Use parts of the word: red.

• Use arbitrary combinations of the possibilities above and their negations. Some selection rules:

• State the minimum and/or maximum length.

• Select or exclude words that include certain characters.

• Select or exclude certain patterns or numbers of vocal-consonant changes.

Crack uses a special high-performing language for these things. The selection options can be formulated much more solidly than their equivalentregular expres- sions in UNIX tools (such as egrep).

Figure 3.6: Modification and selection rules of Crack.

a user learns that his password was guessed, he will hopefully select a better one. A security-aware system administrator will pay attention to these things, just as well as they will choose a good UNIX password program to be used to define or change passwords. (I can think ofgoodpasswd under SCO UNIX which rejects poor passwords. Unfortunately, it is not common to find such an important feature.)

This is a big deal. Imagine a situation where a company fires an employee. Maliciously, our ex-employee secretly copies the password file/etc/password.

At home, she letsCrack run on her PC for a couple of weeks until she finds a password. She logs into her former employer’s system over the network. Next, she looks for a vulnerability in the system (which is often easy for insiders), becomes a superuser, and eventually causes immense damage to that company. Don’t think things like this can’t happen, because 80 % of all known successful attacks to computers originate from current or former employees.

But carelessness dominates. When I got my first Internet access I looked at the password file of the Sun workstation just for fun. Using the UNIX toolgrep, I quickly found out that among the users who had no passwordat all, there were twenty professors. I knew one of them well. I accommodated a little script in his startup file (.profile) that generated the following output:

Dear Mr XYZ,

You have no password at all.

Just think of all the bad people out there!

When I ran into him the next day, he was all excited and told me: ‘Imagine what happened! I logged myself into the Sun yesterday, and this output pops up at me,’ and I said ‘Dear Mr XYZ, You have no. . .’. He has had a password ever since.

Some time later, the administrator ran Crack on this Sun and removed all faults. I was proud that Crack hadn’t guessed my password.

The successes of Crack are surprising. In general, about 20 % of all pass- words are guessed. This shows clearly how much a cryptologically excellent method (namely the UNIX password encryption) is worth when there’s some- thing wrong in the environment (in the above case, the key selection). The fact that a fast computer may have to work for a week changes nothing in what’s been said: such an effort is worthwhile for a criminal attacker.

Crack is popular and performs well. This issue actually belongs to Chapter 7, but it demonstrates very impressively how intelligently one can mount a mean- ingful brute-force attack.2

Current UNIX and Linux systems protect themselves against Crack attacks by storing the encrypted passwords in a separate file called/etc/shadow, which the regular user can’t read, and no longer in/etc/password. In addition, many login