Operating System - HP-UX

HPUX 11.31 Trusted Systems Password File cracked

 
Aneesh Mohan
Honored Contributor

HPUX 11.31 Trusted Systems Password File cracked

Dears,

It was a shocking moment for me as a UNIX admin: the external auditing team raised an audit finding for our HPUX 11.31 trusted systems that "UNIX accounts password encryption not stronger", and they provided a screenshot of the /etc/passwd file with the "*" in the password field replaced by our real passwords.

Later I came to know they have cracked the TCB-enabled system's /etc/passwd file using the "KALI Linux" penetration testing OS.

Kindly let me know if there is any way I can put stronger encryption on my password file; any other suggestions to prevent this will be helpful.

Sincere Regards,
Aneesh

12 REPLIES
Dennis Handly
Acclaimed Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

I'm not sure how they could crack it.  In a Trusted System or SMSE, the hashed passwords are stored in a file that isn't readable.

 

>they provided screenshot of /etc/passwd file replaced "*" in password field with our real passwords.

 

On your system?  Or some other?  That file can only be modified by root.

Aneesh Mohan
Honored Contributor

Re: HPUX 11.31 Trusted Systems Password File cracked

Hi

 

They have taken the /etc/passwd file and some other files (maybe including /tcb files) using auditor scripts with the help of the InfoSec admin.

 

 

> On your system?  Or some other?  That file can only be modified by root.

They have used our passwd files on their system (OS: Kali Linux).

 

They used the command #john -show passwd    to crack the password.

 

From the links below I have got some information about the john command.

 

http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

http://www.openwall.com/john/doc/FAQ.shtml

 

I am not sure how I can protect Unix account password file from this attack ...:(

 

 

Sincere Regards,

Aneesh

Dennis Handly
Acclaimed Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

> maybe including /tcb files

 

Well, if they don't have the /tcb files, they can't crack it or you should be notified of many many failed password attempts.

Aneesh Mohan
Honored Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

Dear Dennis,

 

They haven't used our system live for cracking passwords; they obtained /etc/passwd and tcb files from our systems and cracked the passwords using a different Linux server.

 

Sincere Regards,

Aneesh

Bill Hassell
Honored Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

Since the /tcb directory and associated files are readable only by the root user, there is no need to crack the passwords...the auditors already have complete access to your system. As Dennis mentioned, the passwords for Trusted are hashed, which means that it is impossible to directly reverse the hash into a password. They could, however, copy the Trusted password files to another system and then run a password guesser program which tries millions of common passwords to see which one produces a possible password.

 

NOTE: because it is a hash, there are several combinations of characters that will match the hashed value. For instance, a password: abc123 might hash to the same value as H6%e#3 and either string could be used to login. This is not a security issue simply because there is no way to guess the virtually random characters that match the hash.

 

The situation here is that the auditors gained access to your system as root. That's the problem. If you gave them access, then the test is meaningless. If you did NOT give them access (ie, a root login), then the real issue is how they obtained a copy of the /tcb files. That's the security issue.



Bill Hassell, sysadmin
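
Added example, not part of the thread: a small POSIX shell check for the property the post above relies on, that the protected password files are readable only by root. The function names and the strict mode policy (no group or other read bit on any file, everything owned by root) are assumptions made for illustration; `/tcb` is the path named in the thread.

```shell
#!/bin/sh
# Added example: report entries under a protected password tree that break
# the "readable only by root" property. Policy here is an assumption:
#   READABLE  regular file with the group-read or other-read bit set
#   OWNER     file or directory not owned by the expected owner

# audit_tree DIR [OWNER]   (OWNER defaults to root; a numeric uid also works)
audit_tree() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "audit_tree: $dir is not a directory" >&2
        return 2
    fi
    # -perm -040 / -004 match when that read bit is set, whatever else is set
    find "$dir" -type f \( -perm -040 -o -perm -004 \) -exec echo READABLE {} \;
    find "$dir" ! -user "$owner" -exec echo OWNER {} \;
}

# count_findings DIR [OWNER]
# Prints the number of findings; fails (status 2) instead of printing 0
# when DIR is missing, so a typo in the path is not mistaken for a clean result.
count_findings() {
    out=$(audit_tree "$@") || return 2
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | wc -l | tr -d ' '
}

# Typical use as root on the system being checked:
#   audit_tree /tcb
```

A clean result only shows that the files cannot be read without root; as the post says, anyone who already holds root can copy them regardless of mode bits.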
Patrick Wallek
Honored Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

>>They have taken the /etc/passwd file and some other files (maybe including /tcb files) using auditor scripts with the help of the InfoSec admin.

 

That is your first problem right there.  I refused to give the encrypted password information to the auditors.  My reasoning was that I, as the system admin, am responsible for the systems.  If the auditor happened to lose the password information from my systems and it fell into the hands of someone else, then ultimately I was responsible because I gave it out in the first place.

 

If you are required to give out the encrypted password information make sure you have an e-mail from the CIO requesting that you give it out and also indemnifying you in case anything happens.

 

Now, as far as your original question goes -- No, there really isn't any way to use other encryption/hashing methods with the /tcb/ file structure.  Unfortunately HP-UX does not have the option that some other systems do to select anything stronger.

Aneesh Mohan
Honored Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

Patrick.,

>>That is your first problem right there.  I refused to give the encrypted password information to the auditors.

 

They have got the information from the system through our InfoSec department ( they keep root login password) , we were not in the initial communication.

 

 

Sincere Regards,

Aneesh

Patrick Wallek
Honored Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

>>They have got the information from the system through our InfoSec department ( they keep root login password)

 

Why do they have the root login information?  Are they system administrators?  Do they need root access to do their job?

 

Access to the root password should be severely restricted.  If someone needs to do something as root then tools like sudo can provide access on a per command basis.

 

 

Dennis Handly
Acclaimed Contributor

Re: HP-UX 11.31 Trusted Systems Password file cracked

>They haven't used our system live for cracking passwords, they obtained /etc/passwd and tcb files from our systems and using different linux server they cracked the passwords.

 

Yes, I suspected that.

 

> then the real issue is how they obtained a copy of the /tcb files.

 

About the only possible benefit for someone to have a copy of the /tcb files is to check for easily guessable passwords.

But it seems they went far beyond that?