To experiment with some network security topics.
To explore the correct way that passwords should be stored, we will look at how they are stored under Linux.
In Linux, passwords are stored in the file called /etc/shadow.
Open that file and take a look at it. You will see a number of lines, one for
each user of the system. Most of these are built-in things and not actual
users.
Below is an excerpt from a shadow file:
root:!*:17673:0:99999:7:::
daemon:*:17673:0:99999:7:::
bin:*:17673:0:99999:7:::
sys:*:17673:0:99999:7:::
sync:*:17673:0:99999:7:::
games:*:17673:0:99999:7:::
man:*:17673:0:99999:7:::
lp:*:17673:0:99999:7:::
mail:*:17673:0:99999:7:::
Each line is broken into multiple fields, separated by colons. The first field is the user name. The user name on the first line is "root", which is the administrative account under Linux.
The second field is the hashed and salted password field. All of these have "*" for this field (root's also has a leading "!"). This indicates that there is no password for these accounts: "*" is not a valid hash, so there is no password you can put in for the root, daemon, bin, etc. accounts that will work. This is a security practice to protect the system. Every Linux machine has an account called "root", so that is what password crackers will target. Having no password makes it impossible to brute force the root password.
The other fields are not so important here, but include things like the time stamp of the password being changed, the time the password expires, whether the account is locked, etc.
Accounts that do have passwords look like this:
bob:$6$jv1uRpFv$nxxYMjMHsT87ghoFoFEhnYbtpDImbm02LbYzGMwnPmuWaftJOQZbv4f5jZhXP.dZ60GUxsz72CKCCcJSncT.f0:17941:0:99999:7:::
The password part is three fields separated with $:
Number | Algorithm |
---|---|
1 | MD5 |
2 | Blowfish |
5 | SHA-256 |
6 | SHA-512 |
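
As an added illustration (not part of the original lab), this Python sketch splits shadow lines into the fields described above and breaks a real password field into its algorithm number, salt and hash. The function names are made up for this example, and the handling of an empty field, a leading "!" in front of a hash, and an optional "rounds=" part goes beyond what the page covers.

```python
from datetime import date, timedelta

# Algorithm numbers from the table above.
ALGORITHMS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

def parse_password_field(field):
    """Classify the second shadow field; split a real hash into its parts."""
    if field == "":
        return {"state": "empty"}          # no password is required at all
    body = field.lstrip("!")               # a leading "!" marks a locked entry
    if not body.startswith("$"):
        return {"state": "no-login"}       # "*", "!", "!*": not a valid hash
    parts = body.split("$")                # ['', number, salt, hash]
    if len(parts) == 5 and parts[2].startswith("rounds="):
        del parts[2]                       # optional cost parameter, skipped
    if len(parts) != 4 or not parts[2] or not parts[3]:
        return {"state": "unrecognized"}
    return {
        "state": "locked" if field.startswith("!") else "hashed",
        "algorithm": ALGORITHMS.get(parts[1], "unknown"),
        "salt": parts[2],
        "hash_length": len(parts[3]),      # report the length, not the hash
    }

def parse_shadow_line(line):
    """Return user name, password info and last-change date for one line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    info = parse_password_field(fields[1])
    info["user"] = fields[0]
    # Third field: day of the last password change, counted from 1970-01-01.
    days = fields[2]
    info["changed"] = date(1970, 1, 1) + timedelta(days=int(days)) if days else None
    return info

# Lines copied from the excerpts on this page.
SAMPLE = [
    "root:!*:17673:0:99999:7:::",
    "daemon:*:17673:0:99999:7:::",
    "bob:$6$jv1uRpFv$nxxYMjMHsT87ghoFoFEhnYbtpDImbm02LbYzGMwnPmuWaftJOQZbv4f5jZhXP.dZ60GUxsz72CKCCcJSncT.f0:17941:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_shadow_line(entry))
```
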
You can create a hashed password with an arbitrary salt with the following Python program.
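# Note: the crypt module is Unix-only and was removed in Python 3.13.
import crypt
# Read the password and the salt to hash it with.
pw = input("Enter password: ")
salt = input("Enter salt: ")
# "$6$" selects SHA-512; the result has the same layout as the shadow field.
hashed = crypt.crypt(pw, "$6$" + salt)
print(hashed)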
Notice that this crypt library uses the same format as the Linux password file, with the hash algorithm chosen by
Questions:
The most popular port scanner is called "nmap". It can be installed on your VM with:
$ sudo apt install nmap
The basic usage is to pass nmap the domain or IP address you want to scan. It will then test a set of common ports and report on whether they are open or not. For example, using google.com:
$ nmap google.com
Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-18 08:20 EDT
Nmap scan report for google.com (172.217.164.174)
Host is up (0.0075s latency).
Other addresses for google.com (not scanned): 2607:f8b0:4004:815::200e
rDNS record for 172.217.164.174: iad23s69-in-f14.1e100.net
Not shown: 994 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
135/tcp closed msrpc
139/tcp closed netbios-ssn
443/tcp open   https
445/tcp closed microsoft-ds
593/tcp closed http-rpc-epmap
"open" means that the server is listening on these ports. Here we can see the only open ports nmap found are 80 (HTTP) and 443 (HTTPS).
"closed" means that the port has no application listening on it. Another option, not shown here, is "filtered", which means that a firewall is preventing the connection from being made, so nmap can't tell if it's open or closed.
If a port is "closed" it means the firewall allows it, but it's not currently used. If one is "filtered" it means the firewall does not allow it. Likely it is not being used, but it could possibly be used internally.
We can also test a specific port with the -p flag:
$ nmap -p 22 cs.umw.edu
Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-18 08:35 EDT
Nmap scan report for cs.umw.edu (172.17.20.11)
Host is up (0.0018s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Here we can see that the CS server is listening on port 22.
Questions:
When you're finished, email your answers to ifinlay@umw.edu.
Copyright © 2025 Ian Finlayson | Licensed under a Creative Commons BY-NC-SA 4.0 License.