Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Eric Budke <budke () budke com>
Date: Tue, 16 Nov 1999 12:48:36 -0500

At 03:23 AM 11/16/99, axnsrv wrote:
> PPL,
>
> I want to know how the dictionary attack is carried out. It's done
> offline, so that necessitates that you have the /etc/passwd file in case of
> UNIX, and the PWL files in case of NT.

On a P/BDC (which shouldn't be running anything other than authentication services anyway... but "should" and "are" are two very different things) the repair directory, because you are making sure you have something to recover from. Those directories are typically read-all by default.

On UNIX only a few of them place password hashes into directories readable only by root. The latest Solaris and AIX do. I believe the BSDs do as well, but HPUX and some versions of Linux don't. (I haven't seen IRIX or an Alpha in a while... anyone care to comment?) Any user can read /etc/password and they have no shadowing mechanism in place.

Running NIS, by guessing the right domain name you can grab a whole network's worth of passwords w/o ever logging onto a box.

It is usually easier to do dictionary attacks offline. More efficient in most cases, less likelihood of getting caught, and depending on the environment, you may have more processing power.

> Running the dictionary cracker to get the passwords is okay, but how do
> you get access to these files in the first place???

See above, and one poorly guarded account. How many people have used/seen oracle/oracle?

> Most networks don't permit users into any other directory other than their
> own home.
>
> Will someone explain???
>
> Thank you,
>
> axnsrv
-------------------------------------------------------------------------

--
PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt
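A defender-side check for the shadowing point raised above, written as an added example that is not from the original thread: it parses passwd-style entries and flags any account whose hash (or an empty password field) sits in the world-readable file, plus a helper that tests a shadow file's mode bits. The sample entries, including the oracle account and its hash, are constructed.

```python
"""Audit passwd-style entries for hashes that should live in a shadow file."""
import os
import stat

# Constructed sample: a passwd file that was never (fully) migrated to shadowing.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:Xa1b2c3d4e5f6g:1001:1001:Oracle DBA:/home/oracle:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
bob::1003:1003:Bob:/home/bob:/bin/sh
"""

# Field-2 values that mean "no hash here": shadowed ('x') or locked ('*', '!', '!!').
SHADOWED_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return {user_or_line: finding} for entries that leak or lack a credential.

    A real hash in field 2 hands an offline dictionary attack its input;
    an empty field means no password is required at all.
    """
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings[f"line {lineno}"] = "malformed entry"
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings[user] = "empty password field"
        elif pw not in SHADOWED_MARKERS:
            findings[user] = "hash in passwd"
    return findings


def world_readable(mode):
    """True if the 'other' read bit is set on a file mode (e.g. 0o644)."""
    return bool(mode & stat.S_IROTH)


def audit_shadow_file(path="/etc/shadow"):
    """None if the host has no shadow file, else True when it is world-readable."""
    if not os.path.exists(path):
        return None
    return world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, finding in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {finding}")
    print("shadow file world-readable:", audit_shadow_file())
```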
