Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Jan 2007 11:27:44 +0300
From: Danett song <danett18@...oo.com.br>
To: john-users@...ts.openwall.com
Subject: Re: OpenUnix 8 hash format is not the normal DES?

Hi Solar Designer,
  
  How are u?
  
  Since when I started this thread I had analyzed the OpenUnix 8 and  learned there is not strace, however is the truss command (similar to  strace in linux).
  
  I changed my password and "trussed" it, below are the output commented...
  
  
  execve("/usr/bin/passwd", 0x08047D50, 0x08047D58)  argc = 1
      *** SGID: rgid/egid/sgid = 102 / 3 / 3  ***
  open("/usr/lib/libcrypt.so.1", O_RDONLY, 01001075434) = 3
  fxstat(2, 3,  0x080475CC)                         = 0
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  mmap(0x00000000, 19921, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080D6000
  mmap(0x080DA000, 408, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
  12288) = 0x080DA000
  close(3)                                         = 0
  munmap(0x080D4000,  4096)                         = 0
  open("/usr/lib/libia.so", O_RDONLY, 01001075434) = 3
  fxstat(2, 3,  0x080475CC)                         = 0
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  mmap(0x00000000, 34064, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080DC000
  mmap(0x080E1000, 11324, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3
  , 16384) = 0x080E1000
  mmap(0x080E4000, 1296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
  , -1, 0) = 0x080E4000
  close(3)                                         = 0
  munmap(0x080D4000,  4096)                         = 0
  open("/usr/lib/libiaf.so", O_RDONLY, 01001075434) = 3
  fxstat(2, 3,  0x080475CC)                         = 0
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  mmap(0x00000000, 36224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080E6000
  mmap(0x080EE000, 3432, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
   28672) = 0x080EE000
  close(3)                                         = 0
  munmap(0x080D4000,  4096)                         = 0
  mprotect(0x080E6000, 30177, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
  open("/usr/lib/libnsl.so.1", O_RDONLY, 01001075434) = 3
  fxstat(2, 3,  0x080475CC)                         = 0
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  mmap(0x00000000, 328424, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080F0000
  mmap(0x08139000, 8344, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
   294912) = 0x08139000
  mmap(0x0813C000, 17128, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOU
  S, -1, 0) = 0x0813C000
  close(3)                                         = 0
  munmap(0x080D4000,  4096)                         = 0
  open("/usr/lib/libsocket.so.2", O_RDONLY, 01001075434) = 3
  fxstat(2, 3,  0x080475CC)                         = 0
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  mmap(0x00000000, 66908, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x08142000
  mmap(0x0814F000, 7940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
   49152) = 0x0814F000
  mmap(0x08151000, 5468, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x08151000
  close(3)                                         = 0
  munmap(0x080D4000,  4096)                         = 0
  mprotect(0x080E6000, 30177, PROT_READ|PROT_EXEC) = 0
  access("/usr/lib/locale/C/.", 13)               = 0
  brk(0x0830A50C)                                  = 0
  ioctl(0, I_FIND,  "iaf")                          = 0
  getuid()                                         = 0  [ 0 ]
  open("/etc/default/passwd", O_RDONLY, 0666)     = 3
  lseek64(3, 0,  0)                                 = 0
  ioctl(3, TCGETS,  0x08047BC0)                     Err#25 ENOTTY
  fxstat(2, 3,  0x08047C00)                         = 0
  brk(0x0830E508)                                  = 0
  read(3, " # i d e n t\t " @ ( # )".., 8192)     = 246
  read(3, 0x08308698,  8192)                        = 0
  lseek64(3, 0,  0)                                 = 0
  read(3, " # i d e n t\t " @ ( # )".., 8192)     = 246
  lseek64(3, 0,  0)                                 = 0
  read(3, " # i d e n t\t " @ ( # )".., 8192)     = 246
  lseek64(3, 0,  0)                                 = 0
  read(3, " # i d e n t\t " @ ( # )".., 8192)     = 246
  read(3, 0x08308698,  8192)                        = 0
  lseek64(3, 0,  0)                                 = 0
  read(3, " # i d e n t\t " @ ( # )".., 8192)     = 246
  lseek64(3, -36,  1)                               = 210
  close(3)                                         = 0
  getuid()                                         = 0  [ 0 ]
  seteuid(0)                                       = 0
  systeminfo(SI_HOSTNAME, "I0C801", 257)          = 7
  systeminfo(SI_SET_HOSTNAME, "I0C801", 7)        = 7
  seteuid(0)                                       = 0
  access("/etc/shadow",  10)                        = 0
  open("/usr/lib/ns.so.1", O_RDONLY, 01001076040) Err#2  ENOENT
  open("/etc/passwd", O_RDONLY, 0666)             = 3
  ioctl(3, TCGETS,  0x08047B74)                     Err#25 ENOTTY
  fxstat(2, 3,  0x08047BB4)                         = 0
  read(3, " r o o t : x : 0 : 3 : 0".., 8192)     = 4829
  lseek64(3, -3776,  1)                             = 1053
  close(3)                                         = 0
  open("/etc/passwd", O_RDONLY, 0666)             = 3
  ioctl(3, TCGETS,  0x08047B80)                     Err#25 ENOTTY
  fxstat(2, 3,  0x08047BC0)                         = 0
  read(3, " r o o t : x : 0 : 3 : 0".., 8192)     = 4829
  read(3, 0x08308760,  8192)                        = 0
  close(3)                                         = 0
  open("/usr/lib/locale/C/LC_MESSAGES/uxlibc", O_RDONLY, 01003117445) Err#2  ENOENT
  UX:passwd: write(2, " U X : p a s s w d :  ",  11)                = 11
  INFOwrite(2, " I N F O",  4)                              = 4
  : write(2, " :  ",  2)                            = 2
  open("/usr/lib/locale/C/LC_MESSAGES/uxcore.abi", O_RDONLY, 01001076110) Err#2  E
  NOENT
  Changing password for root
  write(2, " C h a n g i n g   p a s".., 27)      = 27
  xstat(2, "/etc/security/ia/index", 0x08047C6C)  = 0
  open("/etc/security/ia/index", O_RDONLY, 01014077444) = 3
  mmap(0x00000000, 2640, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
  munmap(0x080D4000,  2640)                         = 0
  close(3)                                         = 0
  open("/etc/security/ia/master", O_RDONLY, 01014102450) = 3
  lseek(3, 0,  0)                                   = 0
  read(3, " r o o t\0\0\0\0\0\0\0\0".., 315)      = 315
  close(3)                                         = 0
  open("/dev/tty", O_RDONLY, 01014102410)         = 3
  sigfillset(0x080D2BD0)                           = 0
  sigaction(SIGINT, 0x08047A0C, 0x08047A54)       = 0
  sigaction(SIGINT, 0x08047A10, 0x00000000)       = 0
  ioctl(3, TCGETS,  0x08047A94)                     = 0
  ioctl(3, TCSETSF,  0x08047A94)                    = 0
  read(3, 0x08047AC3, 1)          (sleeping...)
  read(3, " t",  1)                                 = 1
  read(3, " e",  1)                                 = 1
  read(3, " s",  1)                                 = 1
  read(3, " t",  1)                                 = 1
  read(3, "\n",  1)                                 = 1
  ioctl(3, TCSETSW,  0x08047A94)                    = 0
  
  write(2, "\n",  1)                                = 1
  close(3)                                         = 0
  sigaction(SIGINT, 0x080479F8, 0x00000000)       = 0
  open("/dev/tty", O_RDONLY, 01014102410)         = 3
  sigaction(SIGINT, 0x08047A0C, 0x08047A54)       = 0
  sigaction(SIGINT, 0x08047A10, 0x00000000)       = 0
  ioctl(3, TCGETS,  0x08047A94)                     = 0
  ioctl(3, TCSETSF,  0x08047A94)                    = 0
  Re-enter new password:write(2, " R e - e n t e r   n e w".., 22)        = 22
  read(3, 0x08047AC3, 1)          (sleeping...)
  read(3, " t",  1)                                 = 1
  read(3, " e",  1)                                 = 1
  read(3, " s",  1)                                 = 1
  read(3, " t",  1)                                 = 1
  read(3, "\n",  1)                                 = 1
  ioctl(3, TCSETSW,  0x08047A94)                    = 0
  
  write(2, "\n",  1)                                = 1
  close(3)                                         = 0
  sigaction(SIGINT, 0x080479F8, 0x00000000)       = 0
  getksym("hrestime", 0x08047BBC, 0x08047BB8)     = 0
  open("/dev/sysdat", O_RDONLY, 01003216040)      = 3
  mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, -36864) = 0x080D4000
  close(3)                                         = 0
  getpid()                                         = 9495  [ 9494 ]
  open("/etc/security/mac/ltf.alias", O_RDONLY, 0) Err#2  ENOENT
  xstat(2, "/etc/security/ia/.pwd.lock", 0x08047C50) = 0
  creat("/etc/security/ia/.pwd.lock", 0400)       = 3
  sigset(SIGALRM,  0x08096660)                      = SIG_DFL
  alarm(15)                                        = 0
  fcntl(3, F_SETLKW,  0x08047CD8)                   = 0
  alarm(0)                                         = 15
  sigset(SIGALRM,  SIG_DFL)                         = 0x08096660
  sigset(SIGHUP,  SIG_IGN)                          = SIG_DFL
  sigset(SIGINT,  SIG_IGN)                          = SIG_DFL
  sigset(SIGQUIT,  SIG_IGN)                         = SIG_DFL
  sigset(SIGILL,  SIG_IGN)                          = SIG_DFL
  sigset(SIGTRAP,  SIG_IGN)                         = SIG_DFL
  sigset(SIGABRT,  SIG_IGN)                         = SIG_DFL
  sigset(SIGEMT,  SIG_IGN)                          = SIG_DFL
  sigset(SIGFPE,  SIG_IGN)                          = SIG_DFL
  sigset(SIGKILL,  SIG_IGN)                         Err#22 EINVAL
  sigset(SIGBUS,  SIG_IGN)                          = SIG_DFL
  sigset(SIGSEGV,  SIG_IGN)                         = SIG_DFL
  sigset(SIGSYS,  SIG_IGN)                          = SIG_DFL
  sigset(SIGPIPE,  SIG_IGN)                         = SIG_DFL
  sigset(SIGALRM,  SIG_IGN)                         = SIG_DFL
  sigset(SIGTERM,  SIG_IGN)                         = SIG_DFL
  sigset(SIGUSR1,  SIG_IGN)                         = SIG_DFL
  sigset(SIGUSR2,  SIG_IGN)                         = SIG_DFL
  sigset(SIGPWR,  SIG_IGN)                          = SIG_DFL
  sigset(SIGWINCH,  SIG_IGN)                        = SIG_DFL
  sigset(SIGURG,  SIG_IGN)                          = SIG_DFL
  sigset(SIGPOLL,  SIG_IGN)                         = SIG_DFL
  sigset(SIGSTOP,  SIG_IGN)                         Err#22 EINVAL
  sigset(SIGTSTP,  SIG_IGN)                         = SIG_DFL
  sigset(SIGCONT,  SIG_IGN)                         = SIG_DFL
  sigset(SIGTTIN,  SIG_IGN)                         = SIG_DFL
  sigset(SIGTTOU,  SIG_IGN)                         = SIG_DFL
  sigset(SIGVTALRM,  SIG_IGN)                       = SIG_DFL
  sigset(SIGPROF,  SIG_IGN)                         = SIG_DFL
  sigset(SIGXCPU,  SIG_IGN)                         = SIG_DFL
  sigset(SIGXFSZ,  SIG_IGN)                         = SIG_DFL
  sigset(SIGWAITING,  SIG_IGN)                      = SIG_DFL
  sigset(SIGLWP,  SIG_IGN)                          = SIG_DFL
  sigset(SIGAIO,  SIG_IGN)                          = SIG_DFL
  sigset(SIGMIGRATE,  SIG_IGN)                      = SIG_DFL
  sigset(SIGCLUSTER,  SIG_IGN)                      = SIG_DFL
  sigset(SIG#37,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#38,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#39,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#40,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#41,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#42,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#43,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#44,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#45,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#46,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#47,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#48,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#49,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#50,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#51,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#52,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#53,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#54,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#55,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#56,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#57,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#58,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#59,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#60,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#61,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#62,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#63,  SIG_IGN)                          = SIG_DFL
  sigset(SIG#64,  SIG_IGN)                          = SIG_DFL
  lvlfile("/etc/shadow", 1, 0x08047CF4)           = 0
  xstat(2, "/etc/shadow", 0x08047C5C)             = 0
  unlink("/etc/stmp")                              Err#2  ENOENT
  creat("/etc/stmp",  0600)                         = 4
  close(4)                                         = 0
  open("/etc/stmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
  open("/etc/shadow", O_RDONLY, 0666)             = 5
  ioctl(5, TCGETS,  0x08047AE8)                     Err#25 ENOTTY
  fxstat(2, 5,  0x08047B28)                         = 0
  read(5, " r o o t : x V 4 w 1 p p".., 8192)     = 1459
  ioctl(4, TCGETS,  0x08047A8C)                     Err#25 ENOTTY
  fxstat(2, 4,  0x08047ACC)                         = 0
  write(4, " r o o t : 8 t f K n V x".., 31)      = 31
  write(4, " d a e m o n : N P : 6 4".., 21)      = 21
  write(4, " b i n : N P : 6 4 4 5 :".., 18)      = 18
  write(4, " s y s : N P : 6 4 4 5 :".., 18)      = 18
  write(4, " a d m : N P : 6 4 4 5 :".., 18)      = 18
  write(4, " u u c p : N P : 6 4 4 5".., 19)      = 19
  write(4, " m a i l : N P : 6 4 4 5".., 19)      = 19
  write(4, " n u u c p : N P : 6 4 4".., 20)      = 20
  write(4, " n o b o d y : N P : 6 4".., 21)      = 21
  write(4, " n o a c c e s s : N P :".., 23)      = 23
  /* Many entrys with contents of my user/passwords */
  read(5, 0x08308DE8,  8192)                        = 0
  close(5)                                         = 0
  close(4)                                         = 0
  chmod("/etc/stmp",  0100400)                      = 0
  chown("/etc/stmp", 0,  3)                         = 0
  fork()                                           = 9412
      Received signal #18, SIGCLD, in wait() [default]
        siginfo: SIGCLD CLD_EXITED pid=9412 uid=0 status=0x0000
  wait()                                           = 9412  [ 0x0000 ]
  fcntl(3, F_SETLK,  0x08047CDC)                    = 0
  close(3)                                         = 0
  auditctl(2, 0x08047CD0,  20)                      Err#65 ENOPKG
  _exit(0)
  
  
  As we can see, the most relevant parts in my opinion is:
  
  - The library strings /usr/lib/libcrypt.so.1, and it doesn't contain relevant information.
  
  # strings /usr/lib/libcrypt.so.1
  :2*"
  <4,$
  >6.&
  @80(
  91)!
  ;3+#
  =5-%
  ?7/'
  91)!
  :2*"
  ;3+#
  <4,$?7/'
  >6.&
  =5-%
  (3-!0,1'8"5.*2$
  exec /usr/bin/crypt -p 2>/dev/null
  /sbin/sh
  
  - The library /usr/lib/libia.so, it contain some suspicious files like /etc/security/ia/master....
  
  # strings /usr/lib/libia.so
  uxcore:710:unable to allocate space
  /etc/security/audit/classes
  uxcore:711:unable to obtain event class information
  alias
  uxcore:712:syntax error in <%s>, line <%d>
  uxcore:713:event type or class "%s" exceeds <%d> characters
  uxcore:714:event type or class "%s" contains non-printable characters
  /etc/security/audit/classes
  uxcore:711:unable to obtain event class information
  none
  uxcore:721:keyword "%s" may not be used in conjunction with event types or classes
  uxcore:719:event type "%s" is a fixed event and may not be manipulated
  uxcore:720:event type "%s" is not valid for object-level auditing
  uxcore:715:event type "%s" is not currently audited
  uxcore:716:invalid event type or class "%s" specified
  /etc/security/ia/audit
  /etc/security/ia/index
  /etc/security/ia/master
  /etc/security/ia/mastmp
  /etc/security/ia/omaster
  /etc/security/ia/indextmp
  /etc/security/ia/oindex
  /etc/security/ia/level/
  /etc/security/audit/classes
  /etc/security/audit/classes
  NULL
  access
  acct_off
  acct_on
  acct_sw
  add_grp
  add_usr
  add_usr_grp
  assign_lid
  assign_nm
  audit_buf
  audit_ctl
  audit_dmp
  audit_evt
  audit_log
  audit_map
  bad_auth
  bad_lvl
  cancel_job
  chg_dir
  chg_nm
  chg_root
  chg_times
  cov_chan_1
  cov_chan_2
  cov_chan_3
  cov_chan_4
  cov_chan_5
  cov_chan_6
  cov_chan_7
  cov_chan_8
  create
  cron
  dac_mode
  dac_own_grp
  date
  deactivate_lid
  def_lvl
  del_nm
  disp_attr
  exec
  exit
  fcntl
  file_acl
  file_lvl
  file_priv
  fork
  init
  iocntl
  ipc_acl
  kill
  link
  login
  lp_admin
  lp_misc
  misc
  mk_dir
  mk_mld
  mk_node
  mod_grp
  mod_usr
  mount
  msg_ctl
  msg_get
  msg_op
  open_rd
  open_wr
  page_lvl
  passwd
  pipe
  pm_denied
  proc_lvl
  prt_job
  prt_lvl
  recvfd
  rm_dir
  sched_lk
  sched_fp
  sched_ts
  sem_ctl
  sem_get
  sem_op
  set_attr
  set_gid
  set_grps
  set_lvl_rng
  set_pgrps
  set_sid
  set_uid
  setrlimit
  shm_ctl
  shm_get
  shm_op
  status
  sym_create
  sym_status
  tfadmin
  trunc_lvl
  ulimit
  umount
  unlink
  modpath
  modadm
  modload
  moduload
  lwp_create
  lwp_bind
  lwp_unbind
  p_online
  logoff
  sched_fc
  lwp_exit
  lwp_kill
  keyctl
  fd_acl
  /etc/security/ia/master
  /etc/security/ia/index
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/omaster
  /etc/security/ia/omaster
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/oindex
  /etc/security/ia/oindex
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/omaster
  /etc/security/ia/omaster
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/oindex
  /etc/security/ia/oindex
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  /etc/security/ia/indextmp
  /etc/security/ia/mastmp
  /etc/security/ia/indextmp
  :tmp
  
  - The librarys /usr/lib/libnsl.so.1 and /usr/lib/libsocket.so.2 doesn't contain relevant information.
  
  - The file /etc/security/ia/master is not a text file as we can see
  
  # file /etc/security/ia/master
  /etc/security/ia/master:        data
  
  The intersing is that via strings I can see parts of my hashs, that also exist in my /etc/shadow...
  
  root
  8tfKnVxS5re  - The same seen in "write(4, " r o o t : 8 t f K n V x".., 31)   = 31"
  /sbin/sh
  daemon*5v21dw01yuPiGDVreR5kDDvT
  *5v21dw01yuPiGDVreR5kDDvT
  /usr/bin
  *5v21dw01yuPiGDVreR5kDDvT
  *5v21dw01yuPiGDVreR5kDDvT
  /var/adm
  uucp
  *5v21dw01yuPiGDVreR5kDDvT
  /usr/lib/uucp
  mail
  *5v21dw01yuPiGDVreR5kDDvT
  /etc/mail
  nuucp
  *5v21dw01yuPiGDVreR5kDDvT
  /var/spool/uucppublic
  /usr/lib/uucp/uucico
  nobody
  *5v21dw01yuPiGDVreR5kDDvT
  noaccess
  
  If we check it against entrys in /etc/shadow file...
  
# cat /etc/shadow |grep 8tfKnV (If whe look for a part of the first  string that appear a hash against shadow file ,it doesn't exist)
  #
  # cat /etc/shadow |grep uPiG (if we look for a part of the second string that appear a hash against shadow file, it exist).
  root:*LK*5v21dw01yuPiG:11576::::::
  
  Looks intersting that a part of the sencod string (*5v21dw01yuPiG) match the shadow entry... 
  
  Solar, for you the entire string (*5v21dw01yuPiGDVreR5kDDvT) looks like  some algorithm ? Also we yet have the first string that doesn't  mismatch? Maybe it also is combinated in the full hash?
  
  Any idea how to convert this file to text file, like the /etc/shadow (in a fashion we can read this)? 
  
  - The file /etc/default/passwd only have password policys...
  
  # cat /etc/default/passwd
  #ident  "@...unixsrc:usr/src/common/cmd/passwd/passwd.dfl /main/uw7_uk/1"
  #ident "$Header: /sms/sinixV5.4es/rcs/s19-full/usr/src/cmd/passwd/passwd.dfl,v 1.1 91/02/28 19:24:04 ccs Exp $"
  PASSLENGTH=3
  MAXWEEKS=-1
  PASSLENGTH=3
  MINWEEKS=0
  MAXWEEKS=-1
  
  - This entrys are the new password i typed...
  
  read(3, " t",  1)                                 = 1
  read(3, " e",  1)                                 = 1
  read(3, " s",  1)                                 = 1
  read(3, " t",  1)                                 = 1
  read(3, "\n",  1)                                 = 1
  
  - the file /etc/security/ia/.pwd.lock is just used to lock the password file...
  
  - the /etc/stmp is a kind of temporary file created during the passwd  process execution, it have some hashs inside it, however when passwd  program finish it's deleted (maybe copied to new password file?)...
  
  Well, that't most I could get... Solar Designer do you also belive that  /etc/security/ia/master can be the real password file? Any idea how to  parse it to use in John The Ripper?
  
  Thank you
  
  Cheers
  
Solar Designer <solar@...nwall.com> escreveu:  On trying to locate the "real" password hashes (for passwords of more
than 8 characters long):

On Sat, Dec 09, 2006 at 01:02:01AM -0300, Danett song wrote:
> Files having the string root I looked without sucess. Any other trick for what look?

Well, I would either trace the syscalls that the "passwd" program is
making (when run by root as "passwd username") or reverse-engineer parts
of it (or, more likely, of a library that it uses).  Alternatively, the
same approaches may be applied to any daemon that does password
authentication or to the "login" program.  Running "strings" on some
program binaries or library files might be enough.

I haven't touched a SCO'ish system for many years, so I simply don't
know what changes they have made to password hash storage since then.

-- 
Alexander Peslyak 
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.



 __________________________________________________
Fale com seus amigos  de gra?a com o novo Yahoo! Messenger 
http://br.messenger.yahoo.com/ 

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ