Wednesday, 13 February 2013

User Authentication In Linux

                                                                                                                               

INTRODUCTION

How does the OS identify if the user has supplied the correct password each time he logs in? Is the actual password present in the hard disk?
Lets take a look at this, the password supplied by the user is hashed and is stored at some location, irreversible functions are used to convert the password to hashes (Actually hashing is the process of converting data into something rubbish). ie the passwords cannot be retrieved directly from the hash even if we manage to hack out the file, storing hashes. At the time the user supplies the password the OS hashes the supplied passwords and compare it with the stored hashes and will find out whether it is the correct password.

I said there is no direct method to crack the hashes, but there are indirect ones.  
So one of the methods to crack the password will be to use a pre-calculated hash table to search for, and find the hash and the corresponding passwords.
Those tables are called rainbow tables. They contain passwords and the corresponding hashes. This method will be feasible only if the user uses dictionary words or its modifications as their passwords. As it is not possible to store the hash of every possible random code.
 Another method would be to hash every possible combination of characters one by one and compare it with the hash to crack. This is called Brute-forcing. This method will be feasible only if the user uses small passwords, long passwords can take years to crack, number and speed of processors is an important parameter.

                                                                    THE LINUX OS

In almost every modern linux distro the password is hashed and stored in the /etc/shadow file. You need root permissions to open it. It would look something like this.



Let us analyse the entry
Each field is separated by columns, some of them are empty.

root:$6$7gPuSkeH$jZjYFagMRWDnxx1sDkaRHSX/PO.tzE9F7eaKG8ezVPiAoWuOmxcjIvJ985svUFqXNfOzS2w744bkpWMaZNnB6.:15590:0:99999:7:::

The first entry is the user-name here it is "root"

The next one is the password information  "$6$7g......NnB6."

The next entries are related to password expiration and is less important and we wont cover it here.

Now let us look at the password information, the password information itself divided into 3, delimited by $.

First one is encryption method used here it is $6$, the 6 represents sha-512 encryption. Other possible values are.
            
              $1$      -- Denotes MD5 algorithm being used
              $2a$    -- Blowfish algorithm
              $5$      -- SHA-256 algorithm


Next field contains the salt generated by the OS at the time of encryption. The salt is a string (here it is 7gPuSkeH). The salt is simply appended to the supplied password and the combination is hashed. The salt is used because hash obtained will be that of hash-password combination which is a long, out of dictionary, word and hence the hash will not be vulnerable to brute-forcing and dictionary attacks.

The next field is a long hash of the password-salt combination obtained by any one of the above encryption algorithms, the function crypt() is used to generate it. In terminal use the command man crypt for more information about it.

So when you create a an account, the system generates a random salt and stores along with it the above information into shadow file (\etc\shadow). When a user supplies a password at the login screen the system hashes using the encryption algorithm and salt stored in the shadow file and compares the obtained password with the stored hash (in shadow file), if the hashes match the user is allowed to log in, else not.

Understanding these techniques now we will hack into any linux account that too undetectable, wait for the next post.



tags:- ubuntu, linux, shadow, /etc/shadow, brute, forcing, dictionary, attack, salt, crypt, crypt(), encryption, sha-512, sha-256, md-5, hash, username, password, information

Saturday, 2 February 2013

Changing Windows Admin Password

             So now you have a usb with live linux in it (If not then go here and learn how to make one http://greyhatsspeak.blogspot.in/2013/01/creating-live-linux-usb.html).
I have tried this method upto windows 7 and found it working. Remember dont use this for unethical activities, breaking into somebodies computer without permission is simply 'illegal'.

INTRODUCTION
Have you ever pressed shift key a few times and noticed such a window



What happens is a program called sethc.exe gets executed. It is located at c://WINDOWS/system32/sethc.exe(If 'c' is root directory).

There is another program cmd.exe at the same location which will get executed when we open command prompt. What we are going to do is rename cmd.exe to sethc.exe and access command prompt at at login screen (by pressing shift key five times). Now we will get a command prompt with administrative privileges. And we can simply reset password with a dos command.
The thing is that with a live linux usb you can access the filesystem of windows with administrative privileges, so that we can rename cmd.exe.

THE ATTACK

Boot from the linux-live usb in the system you want to reset password. Go to the drive where windows is installed, then go to the folder  WINDOWS/system32. Now rename the file sethc.exe to some other name (say sethc1.exe). Then rename cmd.exe to sethc.exe. Now restart the machine and boot from the hard disk. At the login screen press sift key 5 times. This will now give you the command prompt.

Now type

net user "username" "new_password"




Here the password of the user buser is resetted to a.

Replace username with the one whose password you want to crack  and password with the new password you want to set. Now close the prompt and login using the new password!!



Tags:- hack, windows, 7, xp, vista, sethc, method, cmd, reset, admin, password, live, linux, usb, sticky, keys, vulnerability, net, user, hacking