Difference between pages "NetworkMiner" and "Operating System Password Encryption"

From ForensicsWiki
{{Infobox_Software |
  name = NetworkMiner |
  maintainer = Erik Hjelmvik |
  os = {{Windows}} |
  genre = Network forensics |
  license = {{GPL}} |
  website = [http://networkminer.sourceforge.net/ networkminer.sourceforge.net] |
}}

[http://networkminer.sourceforge.net/ NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

NetworkMiner performs [[OS fingerprinting]] based on TCP SYN and SYN+ACK packets by using [[OS fingerprinting]] databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform [[OS fingerprinting]] based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) [[OS fingerprinting]] database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and [http://networkminer.wiki.sourceforge.net/save+media+files save media files] (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Keyword_Search search sniffed or stored data for keywords]. NetworkMiner allows the user to insert arbitrary string or byte patterns that shall be searched for with the keyword search functionality.

Version 0.84 (and newer) of NetworkMiner supports [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=WiFi_Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.

A feature which is planned to be included in future versions of NetworkMiner is to use [http://sourceforge.net/apps/mediawiki/spid/index.php?title=Main_Page statistical methods to do protocol identification] (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet, NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].

[[Category:Network Forensics]]

Revision as of 06:05, 19 June 2008

Unix/Linux Password File

Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because /etc/passwd needs to be world-readable in order for utilities such as `ls` and `finger` to work, modern Unix operating systems store the encrypted passwords in a 'shadow' file named /etc/shadow.

Fields of an /etc/passwd entry:

Username: The user's username
Password: Older Unixes store the password crypt here; more modern ones use an 'x' character to denote that a shadow file is in use.
UID: The numeric user ID of the user
GID: The primary numeric group ID of the user
GECOS field: This is a text field which may contain information about the user such as name and contact details
Home directory: The user's home directory
Shell: The user's Unix shell

Example entries:

user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
someguy:x:604:604:Someguy:/home/someguy:/bin/bash

The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate the password supplied is encrypted using the same algorithm and compared to the stored password crypt.
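The seven-field layout above, as an added example that is not part of the ForensicsWiki page: a small parser for /etc/passwd records plus the checks a reviewer of a recovered passwd file would want to run (a real crypt in the world-readable file instead of the 'x' shadow marker, an empty password field, a second UID 0 account, duplicated UIDs). The sample file, the account names and the finding codes are constructed for this example; the one crypt value it contains is the page's own crypt of "hello".

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    """One /etc/passwd record, in the field order described on the page."""
    username: str
    password: str  # "x" means the crypt lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Conventional non-hash values for the password field: "x" = shadowed,
# "*", "!" and "!!" = locked account. Anything else is treated as a crypt.
NON_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated record; reject anything that is not seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    username, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(username, password, int(uid), int(gid), gecos, home, shell)


def is_valid_passwd_line(line: str) -> bool:
    try:
        parse_passwd_line(line)
        return True
    except ValueError:
        return False


def parse_passwd(text: str) -> list:
    """Parse a whole file, skipping blank lines and comments."""
    return [parse_passwd_line(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_passwd(entries) -> list:
    """Return (username, finding code) pairs for entries worth a closer look."""
    findings = []
    uid_counts = Counter(e.uid for e in entries)
    for e in entries:
        if e.password == "":
            findings.append((e.username, "EMPTY_PASSWORD"))   # may allow login with no password
        elif e.password not in NON_HASH_MARKERS:
            findings.append((e.username, "HASH_IN_PASSWD"))   # crypt exposed in a world-readable file
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "EXTRA_UID0"))       # a second superuser account
        if uid_counts[e.uid] > 1:
            findings.append((e.username, "SHARED_UID"))       # two names, one identity
    return findings


# Constructed sample file (not from any real system). "legacy" keeps its
# crypt in /etc/passwd, "helper" has UID 0, "guest" has no password at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:600:600:User 1:/home/user1:/bin/bash
user2:x:601:601:User 2:/home/user2:/bin/bash
admin:x:602:602:Admin Account:/home/admin:/bin/bash
apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
legacy:S84xRArsM.gtk:604:604:Legacy account:/home/legacy:/bin/bash
helper:x:0:0:Service helper:/home/helper:/bin/bash
guest::605:605:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, code in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {code}")
```

Running it lists `legacy`, `helper` (twice, as the extra UID 0 and as a UID shared with `root`), `root` and `guest`; the ordinary shadowed accounts produce nothing.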

Unix Crypt

The most commonly used password encryption in Unix for many years was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.

jim@localhost ~
$ crypt hello
S84xRArsM.gtk

In modern computing Unix crypt is severely limited. Passwords are restricted to 8 characters, and any trailing characters are ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.

jim@localhost ~
$ crypt xx hellohel
xxiHMKqoMTDuc

jim@localhost ~
$ crypt xx hellohello
xxiHMKqoMTDuc

Salts

Unix passwords usually use what is known as a salt to help make pre-computation of password hashes more difficult. A salt is a string which is prepended to the password before it is encrypted, and it is stored along with the password in /etc/passwd. You cannot simply pre-compute crypt() values for a list of dictionary words; you would need to pre-compute the hash for each word along with every possible salt to produce a rainbow table of Unix password hashes. The result is a number of different hashes for any given password.

If the Unix crypt command is used to encrypt a password and no salt is specified, a random salt value is chosen.

jim@localhost ~
$ crypt hello
YnxINyIeMlKCM

jim@localhost ~
$ crypt hello
v3njh4QHNjoWk

The first two characters of the resulting hash are the salt and must be used when subsequently comparing a supplied password with the stored crypt.

jim@localhost ~
$ crypt v3 hello
v3njh4QHNjoWk

Salts can be of any length
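The 8-character truncation shown under Unix Crypt and the salt handling described in this section, as an added model example that is not part of the page. It uses SHA-256 from hashlib as a stand-in for the DES-based crypt(3) algorithm (an assumption, so that it runs without a libc crypt binding), so the values it prints are not crypt's; what it keeps is crypt's shape: a 2-character salt from the 64-character `[a-zA-Z0-9./]` alphabet stored as the prefix of a 13-character result, the salt read back from the stored value at verification time, and only the first 8 characters of the password counting, which is why `hellohel` and `hellohello` collide as in the sessions above. The two table functions show why the salt matters for pre-computation: one entry per word without a salt, one entry per word and salt with it.

```python
import hashlib
import itertools
import secrets
import string
from typing import Optional

SALT_CHARS = string.ascii_letters + string.digits + "./"  # crypt's 64-character salt alphabet
SALT_LEN = 2        # classic crypt salt length
MAX_PASSWORD = 8    # characters beyond this are ignored by classic crypt
DIGEST_CHARS = 11   # so that salt + digest is 13 characters, like crypt's output


def model_crypt(password: str, salt: Optional[str] = None) -> str:
    """Model of crypt(3): returns salt + hash, with the password truncated to 8 characters.

    SHA-256 stands in for DES here (assumption); a missing salt is chosen at random,
    as the crypt command does when none is given.
    """
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be 2 characters from the crypt salt alphabet")
    truncated = password[:MAX_PASSWORD]
    digest = hashlib.sha256((salt + truncated).encode()).hexdigest()[:DIGEST_CHARS]
    return salt + digest


def verify(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the salt taken from the stored value (its first 2 chars)."""
    salt = stored[:SALT_LEN]
    return secrets.compare_digest(model_crypt(candidate, salt), stored)


def unsalted_hash(word: str) -> str:
    """An unsalted hash: the same word always gives the same value."""
    return hashlib.sha256(word.encode()).hexdigest()


def unsalted_table(words) -> dict:
    """Precomputed lookup table for an unsalted hash: one entry per word."""
    return {unsalted_hash(w): w for w in words}


def salted_table(words, salts) -> dict:
    """The same table for the salted model needs one entry per (word, salt) pair."""
    return {model_crypt(w, s): w for w, s in itertools.product(words, salts)}


def salt_space() -> int:
    """Number of distinct 2-character salts, i.e. the factor by which a full table grows."""
    return len(SALT_CHARS) ** SALT_LEN


if __name__ == "__main__":
    print(model_crypt("hellohel", "xx"), model_crypt("hellohello", "xx"))  # identical
    stored = model_crypt("hello")          # random salt, like `crypt hello`
    print(stored, verify(stored, "hello"))  # salt recovered from the prefix
    print(salt_space(), "possible salts")
```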

MD5/SHA1

NIS