Message-ID: <20120806182653.GA21949@debian>
Date: Mon, 6 Aug 2012 22:26:53 +0400
From: Aleksey Cherepanov <aleksey.4erepanov@...il.com>
To: john-dev@...ts.openwall.com
Subject: one could hinder loading hash mimicing pwdump format

FYI, while investigating pwdump format loading in john, I noticed that john
always considers a string to be LM format if the third field is 32 hex digits
(a-f0-9).

On Unixes (at least on my Debian GNU/Linux), the third field of the shadow
file is the date of the last password change.

So if the administrator does not change passwords, he could pad his date
with zeros or just put 00000000000000000000000000000001 as the third field
(the right way is to patch libc(?) to do it always). My system works
after that, but john could load this line only as LM.

So if the administrator wants to hinder a lame attacker, he could go this
way.

Though unshadow drops this field. But we could pad the third field in
passwd with zeros too.

So some patching of the system's core could make the attacker need to use
`cut -d : -f 1-2`. It does not seem reasonable.

-- 
Regards,
Aleksey Cherepanov
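The loader rule the message describes, reduced to a few lines of Python so the ambiguity can be reproduced offline: a record whose third colon-separated field is 32 hex digits is taken as pwdump/LM, which is exactly what a zero-padded shadow "last change" date looks like. This is an added example, not john's own code; the sample records and hash values are constructed placeholders, the field-position logic is my reading of the message, and the `cut_user_and_hash` helper mirrors the `cut -d : -f 1-2` workaround mentioned at the end.

```python
import re

# Constructed sample records (not taken from the message); the hash values
# are placeholders, not real digests.
SHADOW_LINE = "alice:$6$constructedsalt$constructedhash:15558:0:99999:7:::"
PADDED_SHADOW_LINE = (
    "bob:$6$constructedsalt$constructedhash:" + "0" * 31 + "1" + ":0:99999:7:::"
)
PWDUMP_LINE = (
    "carol:1001:0123456789abcdef0123456789abcdef:"
    "fedcba9876543210fedcba9876543210:::"
)

# "32 hex digits (a-f0-9)", as the message puts it.
HEX32 = re.compile(r"[0-9a-f]{32}")


def fields(line: str) -> list[str]:
    """Split a colon-separated passwd/shadow/pwdump record into its fields."""
    return line.rstrip("\n").split(":")


def looks_like_pwdump(line: str) -> bool:
    """The loader rule described in the message: third field is 32 hex digits.

    In pwdump output that field is the LM hash; in /etc/shadow it is the day
    count of the last password change, so a zero-padded date also matches.
    """
    f = fields(line)
    return len(f) >= 3 and HEX32.fullmatch(f[2]) is not None


def classify(line: str) -> str:
    """Return the format this heuristic would pick for a record."""
    return "pwdump" if looks_like_pwdump(line) else "shadow"


def pad_last_change(line: str, width: int = 32) -> str:
    """Zero-pad the shadow 'last change' field (the trick the message
    describes). The decimal day count keeps its numeric value, but the
    field now satisfies the 32-hex-digit rule."""
    f = fields(line)
    if len(f) < 3 or not f[2].isdigit():
        raise ValueError("not a shadow record with a numeric last-change field")
    f[2] = f[2].zfill(width)
    return ":".join(f)


def cut_user_and_hash(line: str) -> str:
    """Equivalent of `cut -d : -f 1-2`: keep only user and hash, dropping the
    field that triggered the pwdump rule."""
    return ":".join(fields(line)[:2])


if __name__ == "__main__":
    for name, line in [("shadow", SHADOW_LINE),
                       ("padded shadow", PADDED_SHADOW_LINE),
                       ("pwdump", PWDUMP_LINE)]:
        print(f"{name:14s} -> {classify(line)}")
    print("padded shadow, then cut ->",
          classify(cut_user_and_hash(PADDED_SHADOW_LINE)))
```

Running the block shows the plain shadow record classified as shadow, the padded one and the real pwdump record both as pwdump, and the padded record back to shadow once the third field is cut away, which is the whole point of the message: the heuristic keys on one field's shape, so anything that reshapes that field changes the verdict.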
