Date: Mon, 6 Aug 2012 22:26:53 +0400
From: Aleksey Cherepanov <aleksey.4erepanov@...il.com>
To: john-dev@...ts.openwall.com
Subject: one could hinder loading hash mimicking pwdump format

FYI

Investigating pwdump format loading in john, I noticed that john always considers a string as lm format if the third field is 32 hex digits (a-f0-9). On Unixes (at least on my Debian GNU/Linux) the third field of the shadow file is the date of the last password change. So if an administrator does not change passwords, he could pad his date with zeros or just put 00000000000000000000000000000001 as the third field (the right way is to patch libc(?) to do it always). My system works after that, but john could load this line only as lm.

So if an administrator wants to hinder a lame attacker, he could go this way.

Though unshadow drops this field. But we could pad the third field in passwd with zeros too.

So some patching of the system's core could make the attacker need to use `cut -d : -f 1-2`. It does not seem reasonable.

--
Regards,
Aleksey Cherepanov
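The ambiguity described in the message above, as an added example that is not part of the original post and is not John the Ripper's loader code: a pre-load check for an authorized password audit that flags shadow-style lines whose third field would match the "32 hex digits" rule and reduces them to the first two fields, which is what the `cut` step does. The function names and the sample lines are constructed for illustration, and the heuristic is modelled only on the behaviour the message reports.

```python
import re

# Rule as reported in the message: third field is exactly 32 hex digits (a-f0-9).
HEX32 = re.compile(r"[0-9a-f]{32}")

def split_fields(line):
    """Split one colon-separated passwd/shadow/pwdump-style line."""
    return line.rstrip("\r\n").split(":")

def third_field_looks_like_lm(line):
    """True if the line would match the '32 hex digits in field 3' rule."""
    fields = split_fields(line)
    return len(fields) >= 3 and HEX32.fullmatch(fields[2]) is not None

def keep_login_and_hash(line):
    """Keep only fields 1-2 (login and hash), dropping the ambiguous field."""
    return ":".join(split_fields(line)[:2])

def prepare_for_audit(lines):
    """Return (cleaned_lines, flagged_logins) for a list of input lines.

    Lines that trip the pwdump rule are reduced to login:hash and their
    login is reported so the auditor knows the input was rewritten.
    """
    cleaned, flagged = [], []
    for line in lines:
        if third_field_looks_like_lm(line):
            flagged.append(split_fields(line)[0])
            cleaned.append(keep_login_and_hash(line))
        else:
            cleaned.append(line.rstrip("\r\n"))
    return cleaned, flagged

# Constructed sample input: placeholder hash, not a real crypt(3) value.
PLACEHOLDER_HASH = "$6$constructedsalt$constructedhash"
NORMAL = f"alice:{PLACEHOLDER_HASH}:15558:0:99999:7:::"
PADDED = f"bob:{PLACEHOLDER_HASH}:{'15558'.zfill(32)}:0:99999:7:::"
MINIMAL = f"carol:{PLACEHOLDER_HASH}:{'1'.zfill(32)}:0:99999:7:::"

if __name__ == "__main__":
    cleaned, flagged = prepare_for_audit([NORMAL, PADDED, MINIMAL])
    for line in cleaned:
        print(line)
    print("rewritten entries:", ", ".join(flagged))
```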