topic Re: Checking password entry for common patter in Operating System - HP-UX

Checking password entry for common patter

Stuart Powell — Tue, 16 May 2006 12:19:01 GMT

We are running HP-UX 11i without password shadowing on a non-trusted system. I would like to be able to review the encrypted password entry for each user to see if they are using an unsafe password string. When the systems were first brought on-line we normally set each users password to a common string. We have since discarded that practice when a user calls in, but since we cannot restrict the password string by age a savvy user can change their password back to the common string.
I have loaded crack 5.0 and have run it, but I haven't figured out how to add that common string to a dictonary.
Any help on accomplishing my objectives would be appreciated.

Stuart

Re: Checking password entry for common patter

Steven E. Protter — Tue, 16 May 2006 12:36:07 GMT

Shalom,

crack is a dangerous thing to have on a system, easily abused.

On the other hand,Linux uses exactly that library to check passwords.

Not knowing how the integration is done, I'd suggest looking at a Linux machine to see how its done. Since Linux is open source, it may provide you a solution you can use on HP-UX.

Do share if you figure it out.

SEP

Re: Checking password entry for common patter

A. Clay Stephenson — Tue, 16 May 2006 17:26:19 GMT

A better and safer approach is to use Perl because it has all the routines you need to extract the passwd fields getpwent() and also evaluate the password hash (crypt).

The fundamental idea is to use the crypt() function to compare the plaintext password to the hash. If crypt() produces an identical hash then the same plaintext key was used. You actually pass the current passwd hash to the crypt function because the 1st 2 characters of the hash are the "salt" which is used to perturb the hashing algorithm.

#!/usr/bin/perl

my $plaintext = "secret";
my $currentpwhash = "wCNuEoWfzgPJ.";

if (crypt($plaintext,$currentpwhash) eq $currentpwhash)
{
print "$plaintext was used; bad password\n";
}
else
{
print "OK\n";
}

Re: Checking password entry for common patter

James R. Ferguson — Tue, 16 May 2006 19:02:49 GMT

Hi Stuart:

As Clay notes, Perl makes life easy. You can use the following script to examine your password database.

#!/usr/bin/perl
#@(#)defpws $ Find default passwords - JRF $

use strict;
use warnings;
use File::Basename;

my $defpass = shift or die "Usage: ".basename($0)." Default_Password\n";
my ($name, $passwd, $uid);

while (($name, $passwd, $uid) = getpwent) {
if (crypt ($defpass, $passwd) eq $passwd) {
print $name, "(id=", $uid, ") is using default password\n";
}
}
1;

...Name the script "defpws" (or anything you want) and do:

# ./defpws sillypw

...This will examine your password database and report any and all users using a password of "sillypw". The output would look like:

dummy(id=1001) is using default password
dummy2(id=1002) is using default password

Regards!

...JRF...

Re: Checking password entry for common patter

Stuart Powell — Wed, 17 May 2006 06:58:06 GMT

Thanks Clay and James. We have perl on our systems, so I'll take your scripts and try to develop something that works.

I appreciate the head start.

Stuart