CPSC 414

Lab 10: Security Exercise


Objective

To experiment with some network security topics.



Part 1: Passwords

To explore the correct way that passwords should be stored, we will look at how they are stored under Linux.

In Linux, password hashes are stored in the file /etc/shadow. It is readable only by root, so open it with sudo (for example: sudo less /etc/shadow) and take a look at it. You will see a number of lines, one for each account on the system. Most of these are built-in service accounts rather than actual users.

Below is an excerpt from a shadow file:

root:!*:17673:0:99999:7:::
daemon:*:17673:0:99999:7:::
bin:*:17673:0:99999:7:::
sys:*:17673:0:99999:7:::
sync:*:17673:0:99999:7:::
games:*:17673:0:99999:7:::
man:*:17673:0:99999:7:::
lp:*:17673:0:99999:7:::
mail:*:17673:0:99999:7:::

Each line is broken into nine fields, separated by colons. The first field is the user name. The user name on the first line is "root", which is the administrative account under Linux.

The second field normally holds the salted and hashed password. All of the accounts above have "*" in this field (root has "!*"). Neither "*" nor anything beginning with "!" can ever equal the output of a password hash, so there is no password you can type for the root, daemon, bin, etc. accounts that will work: these accounts are locked against password login. (The "!" prefix is what passwd -l adds when it locks an account; put in front of an existing hash it preserves the hash so the account can be unlocked later.) Locking root is a deliberate security practice. Every Linux machine has an account called "root", so that is the account password guessers target, and an account that accepts no password at all cannot be brute forced. Administration is done instead through sudo from an ordinary account.

The other fields are not so important here. They are the date the password was last changed (counted in days since 1 January 1970, so 17673 above), the minimum and maximum number of days between password changes, how many days before expiry the user is warned, how many days after expiry the account is disabled, the date the account itself expires, and a reserved field. Note that whether an account is locked is not a separate field; it is expressed by the "*" or "!" in the password field.

Accounts that do have passwords look like this:

bob:$6$jv1uRpFv$nxxYMjMHsT87ghoFoFEhnYbtpDImbm02LbYzGMwnPmuWaftJOQZbv4f5jZhXP.dZ60GUxsz72CKCCcJSncT.f0:17941:0:99999:7:::

The password field has three parts, each introduced by a $:

  1. The hash algorithm being used (6 here). The numbers are:
       Number      Algorithm
       1           MD5
       2a/2b/2y    Blowfish (bcrypt; not supported by glibc's crypt on most Linux systems)
       5           SHA-256
       6           SHA-512
     Some systems insert an extra "rounds=N$" part after the number to raise the work factor.
  2. The salt value (jv1uRpFv here): random characters from ./0-9A-Za-z, up to 16 of them for SHA-256 and SHA-512. Because the salt is mixed into the hash, two users with the same password get different hashes, and an attacker cannot precompute one table of hashes and use it against every account.
  3. The actual hashed password, which is the longest part.

You can create a hashed password with an arbitrary salt with the following Python 3 program. The crypt module it uses is deprecated in Python 3.11 and removed in 3.13, so run it with Python 3.12 or earlier.


import crypt  # deprecated in Python 3.11, removed in 3.13: use 3.12 or earlier

pw = input("Enter password: ")
salt = input("Enter salt: ")  # up to 16 characters from ./0-9A-Za-z
# "$6$" selects SHA-512; change it to "$1$" for MD5 or "$5$" for SHA-256 (question 3)
hashed = crypt.crypt(pw, "$6$" + salt)
print(hashed)

Notice that this crypt library uses the same format as the Linux password file, with the hash algorithm chosen by
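The following program, added here as an illustration and not part of the original lab, puts the pieces above together: it parses shadow lines into their named fields, tells locked and password-less accounts from hashed ones, splits a $id$salt$hash field, and hashes and verifies passwords through crypt(3) the way a login check does. The sample lines are the ones from the excerpt above; the "guest" line with an empty password field, the salts in the demo and the HASH_CHARS table are additions. Where the crypt module is missing (Python 3.13 and later) or the C library cannot do SHA-512 crypt, the hashing functions return None instead of failing.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

try:
    import crypt  # wraps the C library's crypt(3); deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None  # on 3.13+ we can still parse shadow lines, just not compute hashes

# Sample input: lines copied from the lab's excerpt; the "guest" line is constructed.
ROOT_LINE = "root:!*:17673:0:99999:7:::"
DAEMON_LINE = "daemon:*:17673:0:99999:7:::"
BOB_LINE = ("bob:$6$jv1uRpFv$nxxYMjMHsT87ghoFoFEhnYbtpDImbm02LbYzGMwnPmuWaftJOQZbv4f5j"
            "ZhXP.dZ60GUxsz72CKCCcJSncT.f0:17941:0:99999:7:::")
GUEST_LINE = "guest::17941:0:99999:7:::"

# crypt(3) method ids: the lab's table plus yescrypt, the default on recent Debian/Ubuntu.
METHOD_NAMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
# Length of the hash part: 16, 32 and 64 digest bytes encoded at 6 bits per character.
HASH_CHARS = {"1": 22, "5": 43, "6": 86}
# Salt alphabet; SHA-256/512 crypt use at most 16 characters, MD5 crypt at most 8.
SALT_RE = re.compile(r"^[./0-9A-Za-z]{1,16}$")


@dataclass
class ShadowEntry:
    name: str
    password: str       # "$id$salt$hash", a lock marker, or empty
    last_change: str    # days since 1970-01-01 the password was last changed
    min_days: str
    max_days: str
    warn_days: str
    inactive_days: str
    expire: str         # account expiry in days since the epoch; empty means never

    @property
    def state(self) -> str:
        """How a login attempt treats this entry."""
        if self.password == "":
            return "no_password"  # empty field: login succeeds with no password at all
        if self.password[0] in "!*":
            return "locked"       # "*" or "!..." never equals a crypt() output
        return "hashed"


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its fields; the 9th field is reserved and dropped."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(*fields[:8])


def split_hash(field: str) -> Tuple[str, str, str]:
    """Split "$id$[rounds=N$]salt$hash" into (id, salt, hash)."""
    parts = field.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[0] != "" or parts[1] not in METHOD_NAMES:
        raise ValueError("not a $id$salt$hash crypt string")
    if parts[1].startswith("2"):
        raise ValueError("bcrypt runs salt and hash together; not split here")
    return parts[1], parts[-2], parts[-1]  # any rounds=N part sits between id and salt


def hash_password(password: str, salt: str, method: str = "6") -> Optional[str]:
    """Return "$method$salt$hash" as stored in /etc/shadow, or None if crypt(3) can't."""
    if not SALT_RE.match(salt) or (method == "1" and len(salt) > 8):
        raise ValueError("salt must be 1-16 characters of ./0-9A-Za-z (8 for MD5)")
    if crypt is None:
        return None
    try:
        result = crypt.crypt(password, f"${method}${salt}$")
    except OSError:  # newer CPython raises when the C crypt() fails
        return None
    if not result or not result.startswith(f"${method}$"):
        return None  # libc fell back to another scheme (e.g. DES crypt on macOS)
    return result


def verify_password(candidate: str, stored: str) -> Optional[bool]:
    """Recompute with the stored string as salt and compare in constant time."""
    if crypt is None:
        return None
    try:
        recomputed = crypt.crypt(candidate, stored)
    except OSError:
        return None
    if recomputed is None:
        return None
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    for line in (ROOT_LINE, DAEMON_LINE, BOB_LINE, GUEST_LINE):
        e = parse_shadow_line(line)
        print(f"{e.name:8} {e.state:12} last changed on day {e.last_change}")
    method, salt, digest = split_hash(parse_shadow_line(BOB_LINE).password)
    print(f"bob uses {METHOD_NAMES[method]}, salt {salt!r}, hash length {len(digest)}")
    h = hash_password("password", "rjZwKrEs")  # question 1's inputs
    print(h)
    if h:
        print(verify_password("password", h), verify_password("Password", h))
```

verify_password never compares hashes with ==: a timing-safe comparison is cheap insurance against leaking how many leading characters matched. The HASH_CHARS table is the answer to question 3 in numbers: the hash part grows with the digest size of the algorithm, which is a proxy for how much harder it is to find a different password that produces the same hash, and has nothing to do with how fast a single guess can be tried.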

Questions:

  1. Using the password "password", and the salt "rjZwKrEs", what hashed password do you get?
  2. Using the password "password" and the salt "8Tp2OKg2", what hashed password do you get?
  3. Compare the lengths of the hashed passwords with the different algorithms. How long are the hashes created by MD5, SHA-256 and SHA-512? What does the length have to do with security?


Part 2: Port Scanning

The most popular port scanner is called "nmap". Only scan hosts you own or have permission to scan; many networks treat an unsolicited scan as hostile. It can be installed on your VM with:

$ sudo apt install nmap

The basic usage is to pass nmap the domain or IP address you want to scan. By default it probes the 1,000 most commonly used TCP ports (with a half-open SYN scan when run as root, and a full TCP connect scan otherwise) and reports the state of each one. For example, using google.com:

$ nmap google.com      

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-18 08:20 EDT
Nmap scan report for google.com (172.217.164.174)
Host is up (0.0075s latency).
Other addresses for google.com (not scanned): 2607:f8b0:4004:815::200e
rDNS record for 172.217.164.174: iad23s69-in-f14.1e100.net
Not shown: 994 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
135/tcp closed msrpc
139/tcp closed netbios-ssn
443/tcp open   https
445/tcp closed microsoft-ds
593/tcp closed http-rpc-epmap

"open" means that a process on the server is listening on the port and accepted the connection. Here the only open ports nmap found are 80 (HTTP) and 443 (HTTPS).

"closed" means the probe reached the host but no application is listening on that port: the host answered with a TCP reset (connection refused). "filtered" means nmap got no answer at all (or only an ICMP error), so a firewall or packet filter is dropping the probe and nmap can't tell whether anything is listening behind it. This scan did find filtered ports: they are the 994 summarised in the "Not shown" line, which is why only six ports are listed individually.

So a "closed" port tells you the firewall lets traffic through to it, but nothing is currently using it. A "filtered" port tells you the firewall does not allow it from where you are scanning. Likely it is not being used, but it could possibly be a service that is reachable only from inside the network.
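To make the three states concrete, here is a small TCP connect scanner written for this page; it is not part of nmap and not from the original lab. It classifies ports exactly as described above: handshake completed means open, connection refused (a TCP reset) means closed, no answer before the timeout or an ICMP error means filtered. So that it can be run offline it starts its own throwaway listener on 127.0.0.1 for the "open" case and picks an unused port for the "closed" case; the service-name table is a made-up subset of what nmap prints.

```python
import socket
import threading
from typing import Dict, Iterable

# A few of the port names nmap prints (constructed subset for this example).
SERVICE_NAMES = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect probe, classified the way nmap reports port states.

    open     : the three-way handshake completed, so a process is listening
    closed   : the host answered with RST (connection refused): reachable, nothing listening
    filtered : no answer before the timeout, or an ICMP error: something dropped the
               probe, so we cannot tell whether anything is listening behind it
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:  # e.g. EHOSTUNREACH/ENETUNREACH from an ICMP unreachable
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def format_report(host: str, states: Dict[int, str]) -> str:
    """Render results in nmap's PORT / STATE / SERVICE layout."""
    lines = [f"Scan report for {host}", "PORT      STATE     SERVICE"]
    for port in sorted(states):
        lines.append(f"{port}/tcp".ljust(10) + states[port].ljust(10)
                     + SERVICE_NAMES.get(port, "unknown"))
    return "\n".join(lines)


def start_listener(host: str = "127.0.0.1") -> int:
    """Start a throwaway TCP listener on an ephemeral port and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            conn.close()  # accept and drop: enough to complete the handshake

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on by binding to port 0 and releasing it again."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port = start_listener()
    closed_port = free_port()
    print(format_report("127.0.0.1", scan("127.0.0.1", [open_port, closed_port])))
```

On loopback there is nothing to drop packets, so you will only ever see open and closed here; point the scanner at a firewalled host and the same code reports filtered once the timeout expires, which is also why filtered ports make scans slow. A connect scan like this one completes every handshake and therefore shows up in the target's application logs; nmap's default SYN scan as root stops after the SYN/ACK and is quieter, but it needs raw sockets.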

We can also test a specific port with the -p flag:

$ nmap -p 22 cs.umw.edu

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-18 08:35 EDT
Nmap scan report for cs.umw.edu (172.17.20.11)
Host is up (0.0018s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Here we can see that the CS server is listening on port 22 (SSH).

Questions:

  1. What common ports does nmap list as open for "en.wikipedia.org"?
  2. How about the domain "towel.blinkenlights.nl"?
  3. Most servers nowadays support as few applications as possible, so most results you will find list only one or two ports. What's the motivation for a server to do one or two tasks?


Submitting

When you're finished, email your answers to ifinlay@umw.edu.

Copyright © 2019 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.