HPE Community
Operating System - HP-UX
1823946 Members
3525 Online
109667 Solutions
New Discussion юеВ

HPUX 11.31 Trusted Systems Password File cracked

 
Aneesh Mohan
Honored Contributor

тАО01-04-2015 08:05 AM

тАО01-04-2015 08:05 AM

HPUX 11.31 Trusted Systems Password File cracked

Dears,

It was a shoking moment for me as UNIX admin , external Auditing team raised a audit finding for our HPUX 11.31 trusted systems that "UNIX accounts password encryption not stronger" and they provided screenshot of /etc/passwd file replaced "*" in password field with our real passwords.

Later I came to know they have cracked TCB enabled system /etc/passwd file using "KALI Linux " penetration testing OS.

Kindly let me know is there any way I can put more stronger encrption to my password file or any other suggestions to prevent this will be more helpfull.

Sincere Regards,
Aneesh

0 Kudos
Reply
12 REPLIES 12
Dennis Handly
Acclaimed Contributor

тАО01-04-2015 01:13 PM - edited тАО01-05-2015 03:50 AM

тАО01-04-2015 01:13 PM - edited тАО01-05-2015 03:50 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

I'm not sure how they could crack it.  In a Trusted System or SMSE, the hashed passwords are stored in a file that isn't readable.

 

>they provided screenshot of /etc/passwd file replaced "*" in password field with our real passwords.

 

On your system?  Or some other?  That file can only be modified by root.

0 Kudos
Reply
Aneesh Mohan
Honored Contributor

тАО01-04-2015 10:13 PM

тАО01-04-2015 10:13 PM

Re: HPUX 11.31 Trusted Systems Password File cracked

Hi

 

They have taken /etc/passwd file and and some other files ( many be including /tcb files) using Auditor scripts with the help of InfoSec  admin.

 

 

On your system?  Or some other?  That file can only be modified by root.

The have used our passwd files in their system (OS :- Kali Linux).

 

They used he command #john -show passwd    to crack the password.

 

From the below link I have got some inform about command John. 

 

http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

http://www.openwall.com/john/doc/FAQ.shtml

 

I am not sure how I can protect Unix account password file from this attack ...:(

 

 

Sincere Regards,

Aneesh

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО01-05-2015 03:50 AM

тАО01-05-2015 03:50 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

> many be including /tcb files

 

Well, if they don't have the /tcb files, they can't crack it or you should be notified of many many failed password attempts.

0 Kudos
Reply
Aneesh Mohan
Honored Contributor

тАО01-05-2015 05:09 AM

тАО01-05-2015 05:09 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

Dear Dennis,

 

They havent used our system live for cracking passwords, they obtained /etc/passwd and tcb files from our systems and using different linux server they cracked the passwords.

 

Sincere Regards,

Aneesh

0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО01-05-2015 05:47 AM

тАО01-05-2015 05:47 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

Since the /tcb directory and associated files are readable only by the root user, there is no need to crack the passwords...the auditors already have complete access to your system. As Dennis mentioned, the passwords for Trusted are hashed, which means that it is impossible to directy reverse the hash into a password. They could however, copy the Trusted password files to another system and then run a password guesser program which tries millions of common passwords to see which one produces a possible password.

 

NOTE: because it is a hash, there are several combinations of characters that will match the hashed value. For instance, a password: abc123 might hash to the same value as H6%e#3 and either string could be used to login. This is not a security issue simply because there is no way to guess the virtually random characters that match the hash.

 

The situation here is that the auditors gained access to your system as root. That's the problem. If you gave them access, then the test is meaningless. If you did NOT give them access (ie, a root login), then the real issue is how they obtained a copy of the /tcb files. That's the security issue.



Bill Hassell, sysadmin
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО01-05-2015 06:36 AM

тАО01-05-2015 06:36 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

>>They have taken /etc/passwd file and and some other files ( many be including /tcb files) using Auditor scripts with the help of InfoSec  admin.

 

That is your first problem right there.  I refused to give the encryped password information to the auditors.  My reasoning was that I as the system admin.  I am responsible for the systems.  If the auditor happened to lose the password information from my systems and it fell into the hands of someone else, then ultimately I was responsible because I gave it out in the first place.

 

If you are required to give out the encrypted password information make sure you have an e-mail from the CIO requesting that you give it out and also indemnifying you in case anything happens.

 

Now, as far as your original question goes -- No there really isn't any way to use other encryption/hashing  methods with the /tcb/ file structure.  Unfortunately HP-UX does not have the option that some other systems do select anything stronger.

0 Kudos
Reply
Aneesh Mohan
Honored Contributor

тАО01-05-2015 07:22 AM

тАО01-05-2015 07:22 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

Patrick.,

>>That is your first problem right there.  I refused to give the encryped password information to the auditors.

 

They have got the information from the system through our InfoSec department ( they keep root login password) , we were not in the initial communication.

 

 

Sincere Regards,

Aneesh

0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО01-05-2015 08:55 AM

тАО01-05-2015 08:55 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

>>They have got the information from the system through our InfoSec department ( they keep root login password)

 

Why do they have the root login information?  Are they system administrators?  Do they need root access to do their job?

 

Access to the root password should be severely restricted.  If someone needs to do something as root then tools like sudo can provide access on a per command basis.

 

 

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО01-05-2015 09:38 AM - edited тАО01-05-2015 09:40 AM

тАО01-05-2015 09:38 AM - edited тАО01-05-2015 09:40 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

>They haven't used our system live for cracking passwords, they obtained /etc/passwd and tcb files from our systems and using different linux server they cracked the passwords.

 

Yes, I suspected that.

 

> then the real issue is how they obtained a copy of the /tcb files.

 

About the only possible benefit for someone to have a copy of the /tcb files is to check for easily guessable passwords.

But it seems they went far beyond that?

0 Kudos
Reply
Laurent Menase
Honored Contributor

тАО01-14-2015 10:19 AM

тАО01-14-2015 10:19 AM

Re: HP-UX 11.31 Trusted Systems Password file cracked

Hi,

There is an optional product to have sha512 encryption for shadow passwds ( doesn't work with nis)

https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=PHI11i3

 

Best regards,

 

0 Kudos
Reply
RJHall
Frequent Advisor

тАО01-20-2015 10:36 AM

тАО01-20-2015 10:36 AM

Re: HPUX 11.31 Trusted Systems Password File cracked

It's for circumstances like these that I wished HP-UX 11i v3 supported PAM libcrack. About all one can do to force stronger local passwords is to use the security(4) features, such as PASSWORD_MIN_type_CHARS.

0 Kudos
Reply
James Calfas
Advisor

тАО03-21-2019 02:58 PM

тАО03-21-2019 02:58 PM

Re: HPUX 11.31 Trusted Systems Password File cracked

First of all, I would never give a root password to any outside party - even an auditor.  My belief is that just because someone works for an auditing firm doesn't automatically mean that they are trustworthy.  If they need information about the system, they can tell me what they need and I will give it to them.  

As for the issue of cracked passwords, it is important to have rules about password strength.  e.g. minimum length, upper and lower case characters, numeric and special characters, etc.  There is a Wikipedia article "Password Strength" that goes in to the issue in extreme detail.    Perhaps the best way to know that passwords are secure is to periodically copy them into an offline Linux machine and try to crack them with John the Ripper.  Any passwords that get cracked would need to be changed.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.