LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Help using Crack for testing password strength (https://www.linuxquestions.org/questions/linux-security-4/help-using-crack-for-testing-password-strength-69400/)

dai 07-01-2003 06:33 PM
Help using Crack for testing password strength
 
Hi all Ive configured and installed Crack to work with Tara however as Im using Shadow passwords Tara isnt checking /etc/shadow only /etc/passwd

Ive tried running Crack /etc/Shadow manually then I try running ./Reporter

and get output similar to following: -

---- passwords cracked as of Tue Jul 1 23:57:37 UTC 2003 ----


---- errors and warnings ----

bad format: /etc/shadow: adm:*:9797:0:::::
bad format: /etc/shadow: bin:*:9797:0:::::
bad format: /etc/shadow: chroot:$dfgregjpij454r0ffegr4tg4
bad format: /etc/shadow: rpc:*:9797:0:::::
bad format: /etc/shadow: shutdown:*:9797:0:::::
bad format: /etc/shadow: smmsp:*:9797:0:::::
bad format: /etc/shadow: sync:*:9797:0:::::
bad format: /etc/shadow: uucp:*:9797:0:::::
bad format: /etc/shadow: webuser:!:15y5y5y5y54yy:7thytrh453:::

---- done ----


Obviously Ive edited the posted output so no real passwords are included but does this bad format mean that I have chosen a weak password or is there a problem with Crack???? (I am checking /etc/shadow as root).

Just wondering because I tried a password similar to follows: -

1Q_3=+de£_r£3:;[pY&(grcN?><+G|\¬`@fEWQ%C"_eFyT

and it only took like 1 minute for Crack to end and for it to be added to the above list.

Can Anybody help??? Ive tried searching for help with the Reporter tool but cant fibnd anything

iainr 07-02-2003 05:24 AM
Hi Dai,

I haven't tried crack on Linux, but I have run it a lot on AIX. As far as I know, it only works on traditional (i.e. no shadow) format /etc/passwd style files.

In AIX there's a command to merge the shadow and passwd files and get this popping out, which makes life very easy. There should be some similar utility you can run to merge the two. Then you put the merged version in a new file and run crack against that.

Iain.

Edited to add To test this theory, copy /etc/passwd and paste in an encrypted password string for an easily crackable password. Run crack and it should crack it within a few seconds.

dai 07-02-2003 03:34 PM
Cheers, Ive now downloaded Jack the Ripper and Apparrently after using the unshadow utility from this it appears that my passwords are actually MD5 hash's, I thought they were Des based.

From what I can see Crack on ly works (by default) on Des based encryption which would seem to be one of the problems that I have.

Jack has been running non-stop since 10 this morning and still hasnt cracked all of my passwords (only 3) So I think I can safely assume that thier relatively strong.

Thanks


Dai


All times are GMT -5. The time now is 01:18 PM.