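The Dangers of Password Cracking and Leakage

Note that the following text was written from the information available at the time of writing and may contain material that no longer matches the current situation. The text is also the final submitted manuscript, before proofreading, so it differs from what was actually printed in OSM magazine. Typos, omissions and the like are left as they are.

Apart from fatal errors, no additions or corrections will be made, so please use it with the freshness of the information in mind.

Table of Contents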


======================================================================
Part 3
======================================================================









DESPC-UnixMD5



salt

 (1)DES
2

	UUCbbnGZajVFM

2salt


salt


 (2)MD5


	$1$cw5G3XZK$PkX/qp8oJQPvJRSIzGv4D1

$1MD5
$$(cw5G3XZK)salt

---[ ]--------------------------------------------------------------
(1)DES
open:UUCbbnGZajVFM:2006:4:OpenSourceMag.:/sbc:/bin/sh


(2)MD5
open:$1$cw5G3XZK$PkX/qp8oJQPvJRSIzGv4D1:2006:4:OpenSourceMag.:/sbc:/bin/sh
----------------------------------------------------------------------------
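
The two password-field formats shown above can be told apart mechanically. As an added example (not part of the original article), the following shell function classifies the second field of passwd-style lines as traditional DES, MD5 or locked, and prints the salt. The names `classify_hashes` and `sample_passwd` are made up here; the sample lines are the entries quoted on this page.

```shell
#!/bin/sh
# Added example: audit which hash scheme each passwd-style entry uses.

classify_hashes() {
  # stdin: lines of the form user:hash:...   stdout: user scheme salt
  awk -F: '
    $2 == ""        { print $1, "EMPTY",  "-"; next }
    # "*", "!!" or a "*" prefix means the account cannot log in
    $2 ~ /^[*!]/    { print $1, "LOCKED", "-"; next }
    # $1$<salt>$<hash> is the MD5 scheme; the salt sits between the $ signs
    $2 ~ /^\$1\$/   { split($2, p, "$"); print $1, "MD5", p[3]; next }
    # 13 characters: 2-character salt followed by the DES result
    length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" {
      print $1, "DES", substr($2, 1, 2); next
    }
    { print $1, "OTHER", "-" }'
}

sample_passwd() {
  # entries quoted on this page (DES, MD5, and an entry locked with "*")
  cat <<'EOF'
open:UUCbbnGZajVFM:2006:4:OpenSourceMag.:/sbc:/bin/sh
open:$1$cw5G3XZK$PkX/qp8oJQPvJRSIzGv4D1:2006:4:OpenSourceMag.:/sbc:/bin/sh
taro:*$1$xxx$uKStHT7az8bAkhzbLDrJ00:2000:10::0:0::/home/taro:/bin/zsh
EOF
}

sample_passwd | classify_hashes
```

Entries reported as DES are the ones to migrate first, since that scheme uses only the first 8 characters of the password.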

DES8

DES8(8
)  ctest.c 

	% gcc -o ctest ctest.c -lcrypt
	% ./ctest

DES8



---[ ]--------------------------------------------------------------
ctest.c
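#include <stdio.h>
#include <string.h>
#include <unistd.h>	/* crypt() on BSD; some Linux systems need <crypt.h> */
#define SIZE 27

int main()
{
  char pass[SIZE];
  int i;
  memset(pass, 0, SIZE);
  /* The loop condition and body are missing from this copy of the listing.
     What follows is a reconstruction (an assumption): extend the password
     one letter at a time and print its DES hash, so that the hash can be
     seen to stop changing after 8 characters. */
  for (i=0; i<SIZE-1; i++) {
    pass[i] = 'a'+i;
    printf("%-26s %s\n", pass, crypt(pass, "xx"));
  }
  return 0;
}

/* Second listing (its file name is missing from this copy):
   count how many crypt() calls complete in one second. */
#include <stdio.h>
#include <time.h>
#include <unistd.h>	/* crypt() on BSD; some Linux systems need <crypt.h> */

int doit(char *salt)
{
  time_t t;
  char pass[9] = "abcdefgh";
  int n;
  t = time(NULL);
  while (t==time(NULL)) ;		/* wait for the next second boundary */
  for (n=0, t=time(NULL); t==time(NULL); n++) {
    pass[n%8] = 'A'+n%26;		/* vary the password on every call */
    crypt(pass, salt);
  }
  return n;				/* crypt() calls completed in that second */
}
int main()
{
  printf("DES: %7dtimes\n", doit("xx"));
  printf("MD5: %7dtimes\n", doit("$1$xx$"));
  return 0;
}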
----------------------------------------------------------------------------

 

	DES:   60004times
	MD5:    1875times

1DES/MD5
DES160000
()
 

---[ ]------------------------------------------------------------------
Athlon XP 2600+(2088.23 MHz)  NetBSD 3.0_STABLE 

----------------------------------------------------------------------------


---[ ]------------------------------------------------------------------
{ } 


					 
               5         6         7         8         9        10
------+------------------------------------------------------------
(10)           0         0         0      0.02      0.19      1.93
(26)           0      0.06      1.55     40.28   1047.36  27231.31
(36)        0.01      0.42     15.12     544.2  19591.04 705277.48
(52)        0.07      3.81    198.32  10312.45 536247.28  2.79E+07
(62)        0.18     10.96    679.32  42118.08  2.61E+06  1.62E+08
(82)        0.72     58.64   4808.75  394317.3  3.23E+07  2.65E+09
----------------------------------------------------------------------------

840
10CPU10
108
10
 100010000


	* 8
	* 910

MD5










root









 
PC
1


---[ ]------------------------------------------------------------------


----------------------------------------------------------------------------

SSH
FreeBSD/NetBSD
/var/log/auth*log FedoraCore  /var/log/secure SSH
 


---[ ]------------------------------------------------------------------
Feb 14 01:32:40 firestorm sshd[19141]: Invalid user andrew from 69.110.112.188
Feb 14 01:32:40 firestorm sshd[19141]: Failed password for invalid user andrew from 69.110.112.188 port 58104 ssh2
Feb 14 01:32:44 firestorm sshd[787]: Failed password for root from 69.110.112.188 port 58197 ssh2
Feb 14 01:32:48 firestorm sshd[2559]: Invalid user newsroom from 69.110.112.188
Feb 14 01:32:48 firestorm sshd[2559]: Failed password for invalid user newsroom from 69.110.112.188 port 58301 ssh2
Feb 14 01:32:52 firestorm sshd[218]: Failed password for root from 69.110.112.188 port 58400 ssh2
Feb 14 01:32:56 firestorm sshd[1755]: Invalid user magazine from 69.110.112.188
Feb 14 01:32:56 firestorm sshd[1755]: Failed password for invalid user magazine from 69.110.112.188 port 58507 ssh2
Feb 14 01:33:00 firestorm sshd[5566]: Failed password for root from 69.110.112.188 port 58616 ssh2
Feb 14 01:33:04 firestorm sshd[27823]: Invalid user research from 69.110.112.188
Feb 14 01:33:04 firestorm sshd[27823]: Failed password for invalid user research from 69.110.112.188 port 58716 ssh2
Feb 14 01:33:08 firestorm sshd[6503]: Failed password for root from 69.110.112.188 port 58822 ssh2
Feb 14 01:33:12 firestorm sshd[9719]: Invalid user cjohnson from 69.110.112.188
Feb 14 01:33:13 firestorm sshd[9719]: Failed password for invalid user cjohnson from 69.110.112.188 port 58926 ssh2
Feb 14 01:33:17 firestorm sshd[6334]: Failed password for root from 69.110.112.188 port 59031 ssh2
Feb 14 01:33:21 firestorm sshd[28873]: Invalid user export from 69.110.112.188
   :
   :
----------------------------------------------------------------------------
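
As an added example (not from the original article), this shell function summarises log lines in the sshd format shown above: for each source address it counts failed password attempts, distinct user names tried, and attempts against root. The function names, the reporting threshold and the sample lines (which use documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source summary of failed sshd password attempts.

ssh_fail_summary() {
  # stdin: syslog auth lines; $1: minimum failures to report (default 5)
  awk -v min="${1:-5}" '
    / sshd\[[0-9]+\]: Failed password for / {
      f = 0
      # the last "from" separates the user name from the source address
      for (i = 1; i <= NF; i++) if ($i == "from") f = i
      if (f < 2 || f == NF) next
      ip = $(f + 1); user = $(f - 1)
      fails[ip]++
      if (user == "root") root[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in fails)
        if (fails[ip] >= min)
          printf "%s fails=%d users=%d root=%d\n",
                 ip, fails[ip], users[ip], root[ip]
    }' | sort
}

sample_log() {
  # constructed sample lines in the same format as the log above
  cat <<'EOF'
Feb 14 01:32:40 host sshd[101]: Invalid user andrew from 192.0.2.10
Feb 14 01:32:40 host sshd[101]: Failed password for invalid user andrew from 192.0.2.10 port 58104 ssh2
Feb 14 01:32:44 host sshd[102]: Failed password for root from 192.0.2.10 port 58197 ssh2
Feb 14 01:32:48 host sshd[103]: Failed password for invalid user newsroom from 192.0.2.10 port 58301 ssh2
Feb 14 01:32:52 host sshd[104]: Failed password for root from 192.0.2.10 port 58400 ssh2
Feb 14 09:10:02 host sshd[200]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Feb 14 09:10:09 host sshd[201]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
EOF
}

sample_log | ssh_fail_summary 3
```

A single mistyped password followed by a successful login stays below the threshold, while a source that cycles through user names and root every few seconds is reported.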

root

45














COPS

Unix


	* //
	* 
	* passwd/group /
	* rccron
	* root setuid 
	* CRC
	* /

COPS

Tripwire

COPS


----[[[ COPS]]]-----------------------------

COPSshadow


# sh
# umask 077
# sort /etc/passwd > a
# sort /etc/shadow \
	| awk -F: '$2 != "!!" && $2 != "*"{print}' \
	| join -t : -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 a - \
	> b
# exit

# cc -O -o pass.chk pass.c -lcrypt
# ./pass.chk -P b -w ./pass.words -b -g -s -c -d -n

pass.chk 

	-v	
	-u	
	-w file  file 
	-b	
	-g	gecos
	-s	azAZ091
	-c	
	-d	2
	-n	
	-p	
	-P file	 file 



----------------------------------------------------------------------


Crack

Crack



Crack



Crack




	+------------------------------------------------------
	| 
	|
	| 
	| 
	| ()
	| 
	| 
	|
	| 
	| 
	+------------------------------------------------------









Crack5.0

Crackconfigure&&
make


 crack5.0.tar.gz 

  # wget ftp.ring.gr.jp:/pub/NetBSD/packages/distfiles/crack5.0.tar.gz
  # tar zxpf crack5.0.tar.gz
  # cd c50a
  # less manual.txt

manual.txt 



DES
libdes  FreeBSD/Linux/NetBSD 
MD5 crypt() 
manual.txt 279MD5
manual.txt FreeBSD
Linux(FedoraCore4)MD5

libdes src/libdes/ 

	# mv src/libdes{,.unused}

MD5src/util/elcid.c,bsd 
src/util/elcid.c 

	# cp src/util/elcid.c{\,bsd,}

 crypt()  -lcrypt 
Crack533


	# vi +533 Crack

	(533)
	#LIBS=-lcrypt # uncomment only if necessary ....
	
	LIBS=-lcrypt # uncomment only if necessary ....



Crack

	# ./Crack -makeonly

run/bin/ 
 libcrypt 
(DES)

	# ldd run/bin/*/cracker
        linux-gate.so.1 =>  (0x00ccf000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x0052e000)   
        libc.so.6 => /lib/libc.so.6 (0x003ad000)
        /lib/ld-linux.so.2 (0x0038f000)



/usr/dict/words* PC-Unix
/usr/share/dict/words* 
./conf/dictgrps.conf 

	# vi +/1: conf/dictgrps.conf
	()
	1:/usr/dict/*words* dict/1/*

	()
	1:/usr/share/dict/*words* dict/1/*



	# ./Crack -makedict

./run/dict 

	# ls -l run/dict
	total 3080
	-rw-------  1 yuuji yuuji 1392531 Feb 19 14:04 1.dwg.gz
	-rw-------  1 yuuji yuuji  359527 Feb 19 14:04 2.dwg.gz
	-rw-------  1 yuuji yuuji 1387759 Feb 19 14:04 3.dwg.gz






Crack
SPF(Standard Password Format)
/etc/passwd 
SPF

Linux(SysV /etc/shadow)

/etc/passwd  /etc/shadow SPF
./scripts/shadmrg.sv 

	# umask 077
	# sh scripts/shadmrg.sv |egrep -vw '!!|\*' > hoge

 Crack 

	# ./Crack hoge


FreeBSD/NetBSD

/etc/master.passwd SPF
Crack


	# ./Crack -fmt bsd /etc/master.passwd

 master.passwd  scripts/bsd2spf 





./run/ 
 Reporter 

	# ./Reporter


()

Crack
OSCrack
jargon(dict/1/jargon.dwg)(dict/3/words.japanese.dwg)
 conf/rules* o
0()




pubdic+() kihon.u 


 http://www.remus.dti.ne.jp/~endo-h/wnn/

	()
	% cut -d ' ' -f 1 kihon.u | sort -u > hiragana.txt


KAKASI

	% nkf -e hiragana.txt | kakasi -Ha -Ka \
		| sed 's/\^/-/g' | sort -u > roman.dic

 Crack 

	(Crack)
	# vi conf/dictgrps.conf
	(3)
	1:/usr/share/dict/*words* dict/1/*
	2:dict/2/*
	3:dict/3/*

	()
	4:roman.dic/roman.dic



	# rm -rf run
	# ./Crack -makedict

./run/dict 4

	# ls -l run/dict
	-rw-------  1 yuuji  yuuji   752564 Feb 19 16:01 1.dwg.gz
	-rw-------  1 yuuji  yuuji   427480 Feb 19 16:01 2.dwg.gz
	-rw-------  1 yuuji  yuuji  1250033 Feb 19 16:01 3.dwg.gz
	-rw-------  1 yuuji  yuuji    13177 Feb 19 16:01 4.dwg.gz 

 Crack 

pubdic+




















	
	





  (1)
  vipw 
  (*)

	# vipw
	()
	()
	taro:$1$xxx$uKStHT7az8bAkhzbLDrJ00:2000:10::0:0::/home/taro:/bin/zsh

	(*)
	taro:*$1$xxx$uKStHT7az8bAkhzbLDrJ00:2000:10::0:0::/home/taro:/bin/zsh

  (2)
  
  
  
  















	* 
	* 10

8
8
8






	* 








	(1)
	!

	(2)
	!

	(3)
	Orebusa ha 1ban!

	(4)10
	ORbs ha1ban!

	(5)
	OR2s 1ban!

	(6)
	OR2s,1ban!













!






Emacs
 michadameyon! 


---[ ]------------------------------------------------------------------
APOP password (yuuji@pop.gentei.org): ...........
............
%s%s
APOP password (yuuji@pop.gentei.org): ............
 p      
michadameyon!
     
.............
%s%s
...
APOP password (yuuji@pop.gentei.org): .............
chop
<4cf0.43f83375@pop.gentei.org>michadameyon!
----------------------------------------------------------------------------




	% ulimit -c unlimited (sh/bash)
	
	% unlimit coredumpsize (csh/tcsh/zsh)


 kill -QUIT  kill -ABRT 
strings

	% strings  | less




	% /bin/rm 


Emacs

OpenSSH
 

 



 

Emacs
  eshell.el 
 str 
 eshell Emacs-Lisp



---[ ]--------------------------------------------------------------
(defun eshell-send-invisible (str)
  "Read a string without echoing.
Then send it to the process running in the current buffer."
  (interactive "P")                     ; Defeat snooping via C-x ESC ESC
  (let ((str (read-passwd
              (format "%s Password: "
                      (process-name (eshell-interactive-process))))))
    (if (stringp str)
        (process-send-string (eshell-interactive-process)
                             (concat str "\n"))
      (message "Warning: text will be echoed"))))
----------------------------------------------------------------------------

---[ ]------------------------------------------------------------------
 ssh-agent 

----------------------------------------------------------------------------

---[ ]------------------------------------------------------------------
&

----------------------------------------------------------------------------

---[ ]------------------------------------------------------------------

[2]
----------------------------------------------------------------------------

Emacs

Emacs-Lisp
Emacs


Emacs




PC


PC










HDD


Part2

swapon















	
	OS
	  










Part2



---[ ]------------------------------------------------------------------
----------------------------------------------------------------------------
---[ ]------------------------------------------------------------------
----------------------------------------------------------------------------
---[ ]------------------------------------------------------------------
----------------------------------------------------------------------------





[1] http://eprint.iacr.org/2004/199.pdf

[2] : 
     Vol 45, No.8 pp1823-1832


yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA